Re: [hybi] WebSocket handshake (HTTP and SSO)

[Scott Ferguson <ferg@caucho.com>]

John Tamplin wrote:
> On Sun, Aug 29, 2010 at 11:01 PM, Greg Wilkins <gregw@webtide.com> wrote:
>   
>> From the point of view of a combined HTTP/websocket server, it would
>> be simplest if we can just use existing mechanisms for things like
>> BASIC, DIGEST, OAUTH, OpenID, acegi, NTML etc. etc.
>> So while there may be better security mechanism that could be applied
>> to websocket only client and servers, it would be unproductive to
>> prohibit the use of existing security mechanism if a way can be found
>> to use them.
>>     
>
> How many websites actually use HTTP Auth to protect the data?  

Non-browser clients do. With Hessian (binary RPC over HTTP), HTTP auth 
is very typical.

I'd prefer to build in WebSocket support to allow for a piggy-backed 
DIGEST-style authentication, allowing the server response to send its 
challenge and replace the clients first random bytes with an 
authentication/hello frame, which would be the DIGEST credentials.


> Since I would expect virtually all WebSocket client apps to have been loaded from a normal
> web server, they already have their own authentication for RPC/etc
> requests back to that server for protected resources.  

Non-browser clients exist and are important. You can't assume all 
interactions are from a browser.

> Anyway, this strikes me as something to go over in detail when we are
> further down the road from where we are.  I think we need to finish up
> the framing and get basic agreement on how the handshake should look,
> and then we can take up how to get credentials to a WebSocket server

We do need to make one change in the handshake, because the first client 
data (the random bytes) is the logical place to put authentication 
credentials.

If we just punt and make applications write their own authentication 
instead of piggybacking on the handshake, it would cost an extra round trip.

-- Scott