Autobahn Websocket and Twisted Cred (a question)

#1

Twisted as a whole gives me lots of pieces to put together in new and interesting ways. One of the most helpful pieces is the Cred (credential checking) system.

Autobahn WS can fit into a Twisted Resource hierarchy, which I like. I am now wondering how or if AutobahnWS interoperates with the Twisted Cred system? For instance, is there a notion of an authenticated (username/password) websocket? I don’t think browsers do anything like Basic or Digest authentication for websockets. I also don’t think it’s specified that a websocket should inherit the cookies of its enclosing page. This would mean things like authentication cookies are not part of the spec.

I have not researched this topic very much, so pointers are appreciated. From what I’ve read, the most common practice is to SSL/TLS the Websocket connection, and send an authentication challenge as the first message. That makes sense, but it makes the process unrelated to the Twisted Cred system.

I’m really just wondering, so thanks for any information!

Regards

Tom

0 Likes

#2

Tom,

> Twisted as a whole gives me lots of pieces to put together in new and interesting ways. One of the most helpful pieces is the Cred (credential checking) system.
>
> Autobahn WS can fit into a Twisted Resource hierarchy, which I like. I am now wondering how or if AutobahnWS interoperates with the Twisted Cred system? For instance, is there a notion of an authenticated (username/password) websocket? I don't think browsers do anything like Basic or Digest authentication for websockets. I also don't think it's specified that a websocket should inherit the cookies of its enclosing page. This would mean things like authentication cookies are not part of the spec.

From a browser point of view, a WebSocket connection is a _subresource_ within the HTML that contained the JS that opened the WebSocket.

Subresources are things like images and so on.

Browsers won't render special dialogs like HTTP auth dialogs for subresources.

However browsers will send cookies also during the initial opening handshake when opening a WS connection.

So you can use a cookie based auth scheme.

Standalone AutobahnPython provides any cookies sent in onConnect().

You can also run AutobahnPython on a URL within Twisted Web and you should be able to use Twisted cred then (with cookies). I haven't tried that though, there might be issues ..

> I have not researched this topic very much, so pointers are appreciated. From what I've read, the most common practice is to SSL/TLS the Websocket connection, and send an authentication challenge as the first message. That makes sense, but it makes the process unrelated to the Twisted Cred system.

AutobahnPython implements WAMP, and WAMP has a challenge-response based auth scheme (WAMP-CRA) that is secure even when running non-TLS.

https://github.com/tavendo/AutobahnPython/tree/master/examples/wamp/authentication

This (WAMP-CRA) is what we use for our own stuff for authenticating .. since we have all our apps as single-page web apps which exclusively talk WAMP to backend. This won't fit every situation, sure.

Autobahn with WAMP is very flexible however. Here is another scheme:

https://github.com/tavendo/WebMQConnectPython/tree/master/examples/auth

> I'm really just wondering, so thanks for any information!

Obviously, above won't answer all questions around authentication and authorization with WS, e.g. what about client cert based auth, OpenID, ... but it's a start .. hopefully.

/Tobias

On 10.06.2013 18:43, Tom Sheffler wrote:

> Regards
> Tom

0 Likes
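The challenge-response exchange Tobias describes, as an added illustration in the style of WAMP-CRA (the client returns base64 of an HMAC-SHA256 over the challenge string). This is standalone stdlib code written for this thread, not Autobahn's own WampCraProtocol; the SECRETS dict, CraServer and client_respond are assumed names, and the one-use nonce and expiry are defensive details this example adds.

```python
import base64, hashlib, hmac, json, os, time

# Constructed user store: authid -> shared secret. This is the hook where a
# Twisted Cred checker would plug in; here it is a plain dict for the example.
SECRETS = {"tom": b"correct horse battery staple"}

def sign(secret: bytes, challenge: str) -> str:
    """WAMP-CRA style signature: base64(HMAC-SHA256(secret, challenge))."""
    mac = hmac.new(secret, challenge.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

class CraServer:
    """Server side: issues a one-time challenge, later verifies the signature."""

    def __init__(self, max_age=60, now=time.time, nonce=lambda: os.urandom(16).hex()):
        self._pending = {}  # nonce -> (authid, issued_at, challenge string)
        self._max_age, self._now, self._nonce = max_age, now, nonce

    def challenge(self, authid: str) -> str:
        """First message after connect: a JSON challenge the client must sign."""
        nonce, issued = self._nonce(), self._now()
        msg = json.dumps({"authid": authid, "nonce": nonce, "timestamp": int(issued)},
                         sort_keys=True)
        self._pending[nonce] = (authid, issued, msg)
        return msg

    def authenticate(self, nonce: str, signature: str):
        """Returns the authid on success, None otherwise. A challenge is usable once."""
        pending = self._pending.pop(nonce, None)  # pop: a replayed nonce fails
        if pending is None:
            return None
        authid, issued, msg = pending
        if self._now() - issued > self._max_age:  # expired challenge
            return None
        secret = SECRETS.get(authid)
        if secret is None:
            return None
        # Recompute over the stored challenge, never over anything the client
        # resends, and compare in constant time.
        return authid if hmac.compare_digest(sign(secret, msg), signature) else None

def client_respond(secret: bytes, challenge: str):
    """Client side: returns (nonce, signature) over exactly the challenge received."""
    return json.loads(challenge)["nonce"], sign(secret, challenge)
```

The shared secret never crosses the wire, which is what makes the scheme usable without TLS; TLS is still what gives the session confidentiality and integrity once authenticated.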

#3

This was all very helpful. Thanks.

On Monday, June 10, 2013 9:43:38 AM UTC-7, Tom Sheffler wrote:

0 Likes