Re: [hybi] Supporting OAUTH-like authentication?
Brian <theturtle32@gmail.com> Fri, 12 August 2011 20:29 UTC
Return-Path: <theturtle32@gmail.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47B27228309 for <hybi@ietfa.amsl.com>; Fri, 12 Aug 2011 13:29:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.39
X-Spam-Level:
X-Spam-Status: No, score=-3.39 tagged_above=-999 required=5 tests=[AWL=0.208, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oKNQiUZbcA-o for <hybi@ietfa.amsl.com>; Fri, 12 Aug 2011 13:29:30 -0700 (PDT)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by ietfa.amsl.com (Postfix) with ESMTP id D8C38228307 for <hybi@ietf.org>; Fri, 12 Aug 2011 13:29:29 -0700 (PDT)
Received: by bkar4 with SMTP id r4so2304131bka.31 for <hybi@ietf.org>; Fri, 12 Aug 2011 13:30:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=G4qRbWY+aIKgSF3FCoWem132kNbh6ucQtwoYnR/RbKM=; b=VnPFhcfpxcPaIUaOMEphv3veJIAgDrEjJueAdUsRzNKyq95Ed2wtLOvD5xx5xg2gtu mcyX/eOCMD539h3iiO18BhNsOPCDYzy/dKfC09h6/yxay3B8kBJxZwKNWn8rTjXc93EY tABCH/B6FjY4KkFEwwYchGqYoul62sJlnwGrE=
MIME-Version: 1.0
Received: by 10.204.5.83 with SMTP id 19mr513535bku.361.1313181007001; Fri, 12 Aug 2011 13:30:07 -0700 (PDT)
Received: by 10.204.65.210 with HTTP; Fri, 12 Aug 2011 13:30:06 -0700 (PDT)
In-Reply-To: <CAH_y2NGf44v770VX8+bsFppokJb0_jtTvAA0zrM89uoJ1v6UJQ@mail.gmail.com>
References: <CAH_y2NHZuYTbpMnrHU65JtZzRE-pbiXnRRh=rOTknTbc_+8gow@mail.gmail.com> <4E320640.2080408@gmail.com> <CAH_y2NGf44v770VX8+bsFppokJb0_jtTvAA0zrM89uoJ1v6UJQ@mail.gmail.com>
Date: Fri, 12 Aug 2011 13:30:06 -0700
Message-ID: <CAE8AN_V2ADVOsRyHuWCnPX5FOCCBSkjgNx33P8TKYYiFTw5b7Q@mail.gmail.com>
From: Brian <theturtle32@gmail.com>
To: Greg Wilkins <gregw@intalio.com>
Content-Type: multipart/alternative; boundary="00151758b03472b9b604aa54c7e5"
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Supporting OAUTH-like authentication?
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2011 20:29:31 -0000
This seems like a discussion for the JS API to me. The protocol spec already explicitly allows arbitrary HTTP headers to be both sent and received by the WebSocket server and client, if I recall correctly. The only thing preventing usage of this feature is a limitation in the JavaScript API. I don't think there's any reason to disallow arbitrary headers being set on the WS handshake using exactly the same mechanism/restrictions as we do today for XHR. But what does that have to do with HyBi? Brian On Thu, Jul 28, 2011 at 6:34 PM, Greg Wilkins <gregw@intalio.com> wrote: > Philipp, > > Doing the auth within the connection is certainly possible, maybe even > desirable. However, I think that there could be a concern about not > wanting to accept connections from non-authenticated sources, as to do > so already represents an allocation of resources. There are also > extra RTT's involved in token exchange after the handshake. > > So failing giving access to HTTP headers, doing oauth the "normal" way > in headers in the handshake will not be possible. Those wanting > authentication in the handshake can probably kludge it now using the > protocol string. So do we want to better facilitate auth in the > handshake. > > Note also, that with your counter example, there are probably things > we could do to make it more elegant. For instance, perhaps we want to > allow multiple sub-protocols so we don't have to come up with > "foo+oauth", "bar+oauth" etc and instead just negotiate "oauth,foo" > > Eitherway, I think we need to step through (probably implement), some > common authentication mechanisms to see how they work with the current > protocol and to see how we can improve support for them. > > cheers > > > > > On 29 July 2011 11:00, Philipp Serafin <phil127@gmail.com> wrote: > > Wouldn't it be better to move the token exchange into the actual WS > > connection where we have efficient two-way communication available? > > > > 1.: Client connects to server using subprotocol "foo", which is known to > > use OAuth as authentication (or e.g. "foo+oauth", if this should be > > decided on per-connection basis) > > 2.: Client and server perform successful WS handshake > > 3.: Server sends token and authority URL in a WS message. > > 4.: Client gets token authorized > > 5.: Client sends authorized token back in a WS message. > > 6.: Server confirms that authorisation was successful. > > 7.: Client and server exchange messages as specified by "foo". > > > > Am 29.07.2011 02:44, schrieb Greg Wilkins: > >> All, > >> > >> Currently the protocol allows arbitrary headers, so in theory an > >> authentication mechanism like OAUTH could be implemented by exchanging > >> tokens in the headers of the handshake. But the js API does not > >> allow an application to set or see HTTP header from the handshake (nor > >> should it), so that is not available as a general mechanism for token > >> passing auth like OAUTH. > >> > >> So what other options do we have to pass tokens in the handshake? > >> > >> Cookies - this is possible, but kind of defeats the purpose of token > >> passing auth if tokens are to be sent/set in a way that facilitates > >> wider access to them. > >> > >> Extensions - we could say that an OAUTH extensions is required to > >> manipulate the headers of the handshake with OAUTH tokens, but I > >> expect that there will be a very high barrier for an extension to be > >> included in browsers, so I think that is probably a non starter (at > >> least until a defacto-standard auth mechanism emerges). > >> > >> Subprotocol/CloseEvents - Subprotocol is a user controlled field sent > >> by the handshake and closeEvents contain a reason string that could > >> originate from the server application/framework. Thus I would not > >> be surprised to see these fields used (misused?) to send challenges > >> and pass tokens eg. > >> > >> 1. Client connects to server with oauth subprotocol. > >> 2. Server accepts connection but immediately closes with a reason > >> string containing a token and/or authority URL. ( might be able to be > >> done with a 403 HTTP response if the HTTP reason string is passed to > >> the onerror call back ?? ] > >> 3. Client gets the token signed by an/the authority > >> 4. Client connections to server with oauth;token=value subprotocol > >> 5. Server validates authorisation of token and accepts connection. > >> > >> [ forgive me if that is not exactly how oauth works or correct > >> terminology ... but it is something like that ] > >> > >> Is this a good usage of the subprotocol field/reason fields? > >> > >> Is there a better way to integrate such authentication into the > handshake? > >> > >> > >> cheers > >> _______________________________________________ > >> hybi mailing list > >> hybi@ietf.org > >> https://www.ietf.org/mailman/listinfo/hybi > > > > > _______________________________________________ > hybi mailing list > hybi@ietf.org > https://www.ietf.org/mailman/listinfo/hybi >
- [hybi] Supporting OAUTH-like authentication? Greg Wilkins
- Re: [hybi] Supporting OAUTH-like authentication? Philipp Serafin
- Re: [hybi] Supporting OAUTH-like authentication? Greg Wilkins
- Re: [hybi] Supporting OAUTH-like authentication? Brian
- Re: [hybi] Supporting OAUTH-like authentication? Iñaki Baz Castillo
- Re: [hybi] Supporting OAUTH-like authentication? Iñaki Baz Castillo