Re: [hybi] About authentication mechanism

Iñaki Baz Castillo <> Wed, 29 June 2011 08:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 44010228018 for <>; Wed, 29 Jun 2011 01:41:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id sgtTSyDwSjLf for <>; Wed, 29 Jun 2011 01:41:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 937F6228016 for <>; Wed, 29 Jun 2011 01:41:44 -0700 (PDT)
Received: by qwc23 with SMTP id 23so825529qwc.31 for <>; Wed, 29 Jun 2011 01:41:44 -0700 (PDT)
MIME-Version: 1.0
Received: by with SMTP id u19mr348401qct.173.1309336903931; Wed, 29 Jun 2011 01:41:43 -0700 (PDT)
Received: by with HTTP; Wed, 29 Jun 2011 01:41:43 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Date: Wed, 29 Jun 2011 10:41:43 +0200
Message-ID: <>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <>
To: John Tamplin <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc:, Greg Wilkins <>
Subject: Re: [hybi] About authentication mechanism
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 29 Jun 2011 08:41:45 -0000

2011/6/29 John Tamplin <>om>:
> How many sites use HTTP auth instead of rolling their own?  I can't think of
> a single one that I use regularly that does.

Hi John. Thanks for your response. Anyhow it seems I must repeat many
times the same in this same thread:

A web server returns an HTML page in which the user can fill his credentials and
so (a form). But in WebSocket, how to do that? when you connect to a WebSocket
server you don't receive a custom HTML or a form to login, instead you
recibe from the server some WS message containing a subprotocol
request (which is supposed to be custom in each subprotocol). How to
render that to the user?

> Therefore, standardizing on something that nobody uses seems hardly a good
> idea.

And since WWW is a jungle you are making a new jungle. There are many
protocols in which authentication is not a jungle, why not copy from
them instead of copying from WWW?

>  It also seems unlikely that everyone would agree on a the One True
> Auth mechanism to be included in WS.

IMHO the draft should specify at least one. Others could come into new
extensions to the draft (as in many other protocols as SIP or XMPP).

> Personally, I would expect one or more
> extensions to be created that specifies how credentials are sent in the
> handshake,

But again, IMHO the core draft should already specify one.

> assuming there is sufficient interest

Interest in secure authentication? such interesnt should be mandatory.

> and that a common standard
> emerges, such as perhaps OAuth.

There are already enough authentication mechanism not to need waiting
for a new one (IMHO).

> Make a proposal and see if you can get sufficient support behind it.  I am
> pretty sure HTTP Auth is not going to achieve such support, and given how
> long WS has taken to achieve consensus, I suspect any such mechanism will be
> done via an extension.

I don't say that HTTP Auth is the best, it's just an option. WWW
people don't like it because, indeed, it's ugly implemented (the popup
alert, difficult to logout, etc). It does not mean that it could be
properly implemented in WebSocket if its done well from the beginning.


Iñaki Baz Castillo