IETF Logo Mail Archive

Re: [hybi] Supporting OAUTH-like authentication?

Brian <theturtle32@gmail.com> Fri, 12 August 2011 20:29 UTC

Return-Path: <theturtle32@gmail.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47B27228309 for <hybi@ietfa.amsl.com>; Fri, 12 Aug 2011 13:29:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.39
X-Spam-Level:
X-Spam-Status: No, score=-3.39 tagged_above=-999 required=5 tests=[AWL=0.208, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oKNQiUZbcA-o for <hybi@ietfa.amsl.com>; Fri, 12 Aug 2011 13:29:30 -0700 (PDT)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id D8C38228307 for <hybi@ietf.org>; Fri, 12 Aug 2011 13:29:29 -0700 (PDT)
Received: by bkar4 with SMTP id r4so2304131bka.31 for <hybi@ietf.org>; Fri, 12 Aug 2011 13:30:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=G4qRbWY+aIKgSF3FCoWem132kNbh6ucQtwoYnR/RbKM=; b=VnPFhcfpxcPaIUaOMEphv3veJIAgDrEjJueAdUsRzNKyq95Ed2wtLOvD5xx5xg2gtu mcyX/eOCMD539h3iiO18BhNsOPCDYzy/dKfC09h6/yxay3B8kBJxZwKNWn8rTjXc93EY tABCH/B6FjY4KkFEwwYchGqYoul62sJlnwGrE=
MIME-Version: 1.0
Received: by 10.204.5.83 with SMTP id 19mr513535bku.361.1313181007001; Fri, 12 Aug 2011 13:30:07 -0700 (PDT)
Received: by 10.204.65.210 with HTTP; Fri, 12 Aug 2011 13:30:06 -0700 (PDT)
In-Reply-To: <CAH_y2NGf44v770VX8+bsFppokJb0_jtTvAA0zrM89uoJ1v6UJQ@mail.gmail.com>
References: <CAH_y2NHZuYTbpMnrHU65JtZzRE-pbiXnRRh=rOTknTbc_+8gow@mail.gmail.com> <4E320640.2080408@gmail.com> <CAH_y2NGf44v770VX8+bsFppokJb0_jtTvAA0zrM89uoJ1v6UJQ@mail.gmail.com>
Date: Fri, 12 Aug 2011 13:30:06 -0700
Message-ID: <CAE8AN_V2ADVOsRyHuWCnPX5FOCCBSkjgNx33P8TKYYiFTw5b7Q@mail.gmail.com>
From: Brian <theturtle32@gmail.com>
To: Greg Wilkins <gregw@intalio.com>
Content-Type: multipart/alternative; boundary="00151758b03472b9b604aa54c7e5"
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Supporting OAUTH-like authentication?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2011 20:29:31 -0000

This seems like a discussion for the JS API to me.  The protocol spec
already explicitly allows arbitrary HTTP headers to be both sent and
received by the WebSocket server and client, if I recall correctly.  The
only thing preventing usage of this feature is a limitation in the
JavaScript API.  I don't think there's any reason to disallow arbitrary
headers being set on the WS handshake using exactly the same
mechanism/restrictions as we do today for XHR.  But what does that have to
do with HyBi?

Brian

On Thu, Jul 28, 2011 at 6:34 PM, Greg Wilkins <gregw@intalio.com> wrote:

> Philipp,
>
> Doing the auth within the connection is certainly possible, maybe even
> desirable.  However, I think that there could be a concern about not
> wanting to accept connections from non-authenticated sources, as to do
> so already represents an allocation of resources.    There are also
> extra RTT's involved in token exchange after the handshake.
>
> So failing giving access to HTTP headers, doing oauth the "normal" way
> in headers in the handshake will not be possible.    Those wanting
> authentication in the handshake can probably kludge it now using the
> protocol string.      So do we want to better facilitate auth in the
> handshake.
>
> Note also, that with your counter example, there are probably things
> we could do to make it more elegant.  For instance, perhaps we want to
> allow multiple sub-protocols so we don't have to come up with
> "foo+oauth", "bar+oauth" etc and instead just negotiate "oauth,foo"
>
> Eitherway, I think we need to step through (probably implement), some
> common authentication mechanisms to see how they work with the current
> protocol and to see how we can improve support for them.
>
> cheers
>
>
>
>
> On 29 July 2011 11:00, Philipp Serafin <phil127@gmail.com> wrote:
> > Wouldn't it be better to move the token exchange into the actual WS
> > connection where we have efficient two-way communication available?
> >
> > 1.: Client connects to server using subprotocol "foo", which is known to
> > use OAuth as authentication (or e.g. "foo+oauth", if this should be
> > decided on per-connection basis)
> > 2.: Client and server perform successful WS handshake
> > 3.: Server sends token and authority URL in a WS message.
> > 4.: Client gets token authorized
> > 5.: Client sends authorized token back in a WS message.
> > 6.: Server confirms that authorisation was successful.
> > 7.: Client and server exchange messages as specified by "foo".
> >
> > Am 29.07.2011 02:44, schrieb Greg Wilkins:
> >> All,
> >>
> >> Currently the protocol allows arbitrary headers, so in theory an
> >> authentication mechanism like OAUTH could be implemented by exchanging
> >> tokens in the headers of the handshake.    But the js API does not
> >> allow an application to set or see HTTP header from the handshake (nor
> >> should it), so that is not available as a general mechanism for token
> >> passing auth like OAUTH.
> >>
> >> So what other options do we have to pass tokens in the handshake?
> >>
> >> Cookies - this is possible, but kind of defeats the purpose of  token
> >> passing auth if tokens are to be sent/set in a way that facilitates
> >> wider access to them.
> >>
> >> Extensions - we could say that an OAUTH extensions is required to
> >> manipulate the headers of the handshake with OAUTH tokens, but I
> >> expect that there will be a very high barrier for an extension to be
> >> included in browsers, so I think that is probably a non starter (at
> >> least until a defacto-standard auth mechanism emerges).
> >>
> >> Subprotocol/CloseEvents - Subprotocol is a user controlled field sent
> >> by the handshake and closeEvents contain a reason string that could
> >> originate from the server application/framework.     Thus I would not
> >> be surprised to see these fields used (misused?) to send challenges
> >> and pass tokens eg.
> >>
> >>  1. Client connects to server with oauth subprotocol.
> >>  2. Server accepts connection but immediately closes with a reason
> >> string containing a token and/or authority URL. ( might be able to be
> >> done with a 403 HTTP response if the HTTP reason string is passed to
> >> the onerror call back ?? ]
> >>  3. Client gets the token signed by an/the authority
> >>  4. Client connections to server with oauth;token=value subprotocol
> >>  5. Server validates authorisation of token and accepts connection.
> >>
> >> [ forgive me if that is not exactly how oauth works or correct
> >> terminology ... but it is something like that ]
> >>
> >> Is this a good usage of the subprotocol field/reason fields?
> >>
> >> Is there a better way to integrate such authentication into the
> handshake?
> >>
> >>
> >> cheers
> >> _______________________________________________
> >> hybi mailing list
> >> hybi@ietf.org
> >> https://www.ietf.org/mailman/listinfo/hybi
> >
> >
> _______________________________________________
> hybi mailing list
> hybi@ietf.org
> https://www.ietf.org/mailman/listinfo/hybi
>

v2.23.0 | Report a Bug | By Email