Re: [hybi] Supporting OAUTH-like authentication?

Iñaki Baz Castillo <ibc@aliax.net> Fri, 12 August 2011 22:27 UTC

Date: Sat, 13 Aug 2011 00:28:17 +0200
From: Iñaki Baz Castillo <ibc@aliax.net>
To: Brian <theturtle32@gmail.com>
Cc: Hybi <hybi@ietf.org>, Greg Wilkins <gregw@intalio.com>
Subject: Re: [hybi] Supporting OAUTH-like authentication?

2011/8/12 Brian <theturtle32@gmail.com>:
> This seems like a discussion for the JS API to me.  The protocol spec
> already explicitly allows arbitrary HTTP headers to be both sent and
> received by the WebSocket server and client, if I recall correctly.  The
> only thing preventing usage of this feature is a limitation in the
> JavaScript API.  I don't think there's any reason to disallow arbitrary
> headers being set on the WS handshake using exactly the same
> mechanism/restrictions as we do today for XHR.

> But what does that have to do with HyBi?

This is like asking "what does Digest authentication have to do with
the SIP protocol?", or "what does _XMPP_authentication_mechanism_ have to
do with the XMPP protocol?".

Maybe you prefer to see WebSocket as a "transport" protocol, but it's
an application protocol, and it's not crazy *at all* to expect that an
application protocol implements an authentication mechanism. But
probably, given the ugly HTTP jungle, many people from the HTTP world
assume that authentication must exist in the user layer, based on ugly
HTML forms which require rendering a web page in the client.

-- 
Iñaki Baz Castillo
<ibc@aliax.net>