IETF Logo Mail Archive

Re: [hybi] WebSocket handshake (HTTP and SSO)

John Tamplin <jat@google.com> Mon, 30 August 2010 03:41 UTC

Return-Path: <jat@google.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C28AB3A6908 for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 20:41:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.59
X-Spam-Level:
X-Spam-Status: No, score=-105.59 tagged_above=-999 required=5 tests=[AWL=0.387, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3VxBnbUeBavT for <hybi@core3.amsl.com>; Sun, 29 Aug 2010 20:41:10 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id 8F5223A6918 for <hybi@ietf.org>; Sun, 29 Aug 2010 20:41:10 -0700 (PDT)
Received: from wpaz17.hot.corp.google.com (wpaz17.hot.corp.google.com [172.24.198.81]) by smtp-out.google.com with ESMTP id o7U3feVN022878 for <hybi@ietf.org>; Sun, 29 Aug 2010 20:41:41 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1283139701; bh=VPhCPYi9shPVU+MoaGXNm5WYK9o=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=f1K7eUwIfloEcygpBV/yJttqj7mvfHWJhJ4YQ99eNbynojHii7mbFiHJniWBXjxr9 yKt2sSg9XszfXQmLkwKiw==
Received: from gwb1 (gwb1.prod.google.com [10.200.2.1]) by wpaz17.hot.corp.google.com with ESMTP id o7U3fdm4020150 for <hybi@ietf.org>; Sun, 29 Aug 2010 20:41:39 -0700
Received: by gwb1 with SMTP id 1so2078323gwb.20 for <hybi@ietf.org>; Sun, 29 Aug 2010 20:41:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=elPKF5RnBlUBGrQqin+CYT4Z/kn6uNOa3eEGIsGJLFc=; b=x7FL8Hz0I0MAcg/wfB4ULH9m6M/HQWOk8Ti0VLCpB9EOV0/5biuLPxTC+PGQGEXWri UldIMVmRyEFzmrgMlK4w==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=xxIcjWoT7DBNbT5iSZw8KeIJMEha/vDHAPl4WB8CBz0Io36QJrEw/+u/5CEYN59Chd zPi3p5XYhdCr7MV9+xRg==
Received: by 10.151.1.4 with SMTP id d4mr186005ybi.433.1283139699183; Sun, 29 Aug 2010 20:41:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.151.103.4 with HTTP; Sun, 29 Aug 2010 20:41:19 -0700 (PDT)
In-Reply-To: <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com>
References: <4C7A269F.8020306@gmail.com> <AANLkTinqJ+K-pqm7p7S+aviWVY==S0mJ9RBvNfpnTa02@mail.gmail.com> <AANLkTikCVNoJnKXTOTJadYJWYR356u1wZdVNdBwEh6cg@mail.gmail.com> <AANLkTik3Jo4rG8cTcHerpwPumT_X77bn9y5rDkZ8ZD33@mail.gmail.com>
From: John Tamplin <jat@google.com>
Date: Sun, 29 Aug 2010 23:41:19 -0400
Message-ID: <AANLkTimabr-0gVy1Jpr0=i-Wfv6u-AnD+ReNvb0eajYO@mail.gmail.com>
To: Greg Wilkins <gregw@webtide.com>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
Cc: hybi <hybi@ietf.org>, Brodie Thiesfield <brodie@jellycan.com>
Subject: Re: [hybi] WebSocket handshake (HTTP and SSO)
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Aug 2010 03:41:11 -0000

On Sun, Aug 29, 2010 at 11:01 PM, Greg Wilkins <gregw@webtide.com> wrote:
> From the point of view of a combined HTTP/websocket server, it would
> be simplest if we can just use existing mechanisms for things like
> BASIC, DIGEST, OAUTH, OpenID, acegi, NTML etc. etc.
> So while there may be better security mechanism that could be applied
> to websocket only client and servers, it would be unproductive to
> prohibit the use of existing security mechanism if a way can be found
> to use them.

How many websites actually use HTTP Auth to protect the data?  In my
experience, not many, because they want to control how the user logs
in and of limitations like not supporting logout.  If you let the WS
server return a 401 so the browser asks for credentials, I don't see
how you support SSO, OpenID, OAUTH, etc.  Since I would expect
virtually all WebSocket client apps to have been loaded from a normal
web server, they already have their own authentication for RPC/etc
requests back to that server for protected resources.  In that case,
what you want is to just pass those credentials to the server, whether
by some first-class WebSocket facility, passing HTTP cookies over
WebSocket, or letting the app send them in a WebSocket message.

Anyway, this strikes me as something to go over in detail when we are
further down the road from where we are.  I think we need to finish up
the framing and get basic agreement on how the handshake should look,
and then we can take up how to get credentials to a WebSocket server.

-- 
John A. Tamplin
Software Engineer (GWT), Google

v2.23.0 | Report a Bug | By Email