[hybi] About authentication mechanism

Iñaki Baz Castillo <ibc@aliax.net> Mon, 20 June 2011 12:01 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 02D8D11E808A for <hybi@ietfa.amsl.com>; Mon, 20 Jun 2011 05:01:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.66
X-Spam-Status: No, score=-2.66 tagged_above=-999 required=5 tests=[AWL=0.017, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 9Sb7ke3aX8nj for <hybi@ietfa.amsl.com>; Mon, 20 Jun 2011 05:01:38 -0700 (PDT)
Received: from mail-qw0-f44.google.com (mail-qw0-f44.google.com []) by ietfa.amsl.com (Postfix) with ESMTP id 2331E11E807A for <hybi@ietf.org>; Mon, 20 Jun 2011 05:01:38 -0700 (PDT)
Received: by qwc23 with SMTP id 23so1289907qwc.31 for <hybi@ietf.org>; Mon, 20 Jun 2011 05:01:37 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id q17mr3905071qca.154.1308571296587; Mon, 20 Jun 2011 05:01:36 -0700 (PDT)
Received: by with HTTP; Mon, 20 Jun 2011 05:01:36 -0700 (PDT)
Date: Mon, 20 Jun 2011 14:01:36 +0200
Message-ID: <BANLkTinerv=Ua4d-ma+uPVJjF95U1U5iXg@mail.gmail.com>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <ibc@aliax.net>
To: hybi@ietf.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: [hybi] About authentication mechanism
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2011 12:01:39 -0000

Hi, I would like to start a new thread for this topic as it seems that
the draft does not cover it at all (just suggests that an HTTP
response code other than 101 should be threated as RFC 2616 states:

  "1.  If the status code received from the server is not 101, the
        client handles the response per HTTP procedures." (p. 30)

The question is: should the browser prompt the human user for
user/pass as when a 401 is received in the WS handshake attemp?

Imagine this case:

- www.domain.org =>

- ws.domain.org =>

- I open http://www.domain.org in my browser, fill some login form and
retrieve websocket connection data, including an user and pass (for

- My JavaScript is then provisioned (via JavaScript WebSocket API
????) with ws connection data: server ip, port, Digest user/passwd.

- My web browser starts the ws connection with ws.domain.org:443. It
receives 401 with Digest (so I need a nonce from the server before
using my user/passwd).

- JavaScript code automatically accepts the Digest chanllenge,
generates a Digest response with the provided user/passwd and the
retrieved Digest nonce, and re-send the HTTP GET request (all of this
without prompting the user) with the Authorization header.

- If the JavaScript code would not be proviosioned with user/pass,
then upon receipt of the 401 it should prompt the user (like a
JavaScript alert?).

So, if all this stuff is not clearly specified (and I think passing
user/pass to the JavaScript WebSocket connection API does not exist)
then using HTTP Digest (or Basic) will be not useful or feasible, and
I expect than using cookies and all that "pure just-web stuff" will be
the only way. Please, take into account that a websocket server could
run in a separate server, so using cookies mechanism is not so
feasible (it could or not depending the case). Neither I think that
cookies (a workaround to simulate
sessions in HTTP protocol) are the best way to go.

IMHO the draft should do much more effort in authentication process.
Please don't let the door open to ugly and/or propietary
authentication solutions.

My proposal is that the JavaScript WebSocket API should include a
method to pass authentication 'user' and 'password' (and optionally
'realm' so it would ignore the realm para in the 401 response when
using Digest rather than Basic auth).

In this way, I could open a webpage, perform usual login (maybe via a
HTML form as commonly extended) and then retrieve WS connection data
(WS URI), including user/pass/[realm].
So my JavaScript client would open a WS connection with the given
destination and in case of receiving a 401 it would re-send the HTTP
GET request with the appropriate Authorization header without
prompting the user.

This wouldn't be the only authentication mechanism, of course, but
IMHO it should be documented (and covered by the JS WebSocket API).


Iñaki Baz Castillo