Since I am new to Autobahn but so super excited, this is my second post on a single day, but I hope no one minds!?
In the last post I gave some details on my project, in which I am using Autobahn WebSockets to connect multiple clients to a server. Since the application stays within Python on both client and server, I am trying to figure out what is best in terms of authentication and came up with the following idea:
First of all, the WebSocket accepts connections via an SSL/TLS-enabled server. With the communication encrypted, I feel very comfortable using challenge/response authentication over WebSocket in combination with a very short timeout mechanism. I have seen this kind of authentication in the Loxone smart-home system, but they aren't using SSL/TLS encryption anymore. The whole process would look like the following:
- Client successfully connects to the WebSocket.
- Server sends back a randomized and maybe encrypted random number.
- Client sends username/password or key/secret within a given timeout.
- Server evaluates the response and grants access.
- If the client has not managed to respond within the timeout, the connection will be closed.
I am not quite sure whether this is a way to go, and whether it is a good idea at all. I know that this involves storing some information on the server/client in plain text, but I currently can't think of a different authentication method (especially when using WebSockets only and staying web-less in the Python domain all the time).
So I am asking for some help/advice on this topic!
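As an added illustration of the five-step flow sketched in the post above (example code written for this page, not code from the original post or from the Autobahn project): the server hands each connection a fresh random nonce, the client answers with an HMAC-SHA256 over that nonce using its locally held secret, and the server checks the answer against its own copy within a short timeout. Transport (the WebSocket itself and TLS) is left out so the protocol logic runs offline; the timeout value, the `ws-auth-example-v1` label, the credential dictionary and the `FakeClock` are assumptions made for the example. The point it adds to the post: with a keyed MAC the secret is still stored on both sides, as the post notes, but it never crosses the socket, and because every nonce is consumed on first use a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time

# Assumed "very short timeout" from the post; tune to the deployment.
CHALLENGE_TIMEOUT_SECONDS = 2.0
# Domain-separation label so the MAC cannot be confused with another protocol
# (constructed for this example).
PROTOCOL_LABEL = b"ws-auth-example-v1"

# Constructed credential store: username -> shared secret. The post mentions
# keeping such material on the server; with HMAC the secret itself never
# travels over the socket, only a MAC over the server's nonce does.
USER_KEYS = {"alice": b"constructed-shared-secret-for-alice"}


def compute_response(key: bytes, username: str, nonce: bytes) -> str:
    """HMAC-SHA256 over label | username | nonce; the same function on both sides."""
    msg = PROTOCOL_LABEL + b"|" + username.encode("utf-8") + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChallengeServer:
    """Server side: hands out one-time nonces and verifies responses in time."""

    def __init__(self, keys, timeout=CHALLENGE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._keys = keys
        self._timeout = timeout
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # connection id -> (nonce, issued_at)

    def issue_challenge(self, conn_id: str) -> str:
        nonce = secrets.token_bytes(32)    # unpredictable, never reused
        self._pending[conn_id] = (nonce, self._clock())
        return nonce.hex()                 # what the server sends after connect

    def verify(self, conn_id: str, username: str, response_hex: str):
        """Returns (ok, reason). The challenge is consumed on first use."""
        entry = self._pending.pop(conn_id, None)
        if entry is None:
            return False, "no outstanding challenge (replay or never issued)"
        nonce, issued_at = entry
        if self._clock() - issued_at > self._timeout:
            return False, "challenge expired; close the connection"
        # Unknown user: still compute a MAC with a dummy key so the response
        # time does not reveal which usernames exist.
        key = self._keys.get(username, b"\x00" * 32)
        expected = compute_response(key, username, nonce)
        if not hmac.compare_digest(expected.encode(), response_hex.encode()):
            return False, "bad response"
        if username not in self._keys:
            return False, "bad response"
        return True, "authenticated"


def client_respond(username: str, key: bytes, challenge_hex: str) -> str:
    """Client side: answer the challenge using the locally held secret."""
    return compute_response(key, username, bytes.fromhex(challenge_hex))


class FakeClock:
    """Manual clock so the timeout path can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_demo():
    """Walk the good path and the failure paths; returns {name: (ok, reason)}."""
    clock = FakeClock()
    server = ChallengeServer(USER_KEYS, timeout=2.0, clock=clock)

    # 1. Correct secret, answered within the timeout.
    ch = server.issue_challenge("conn-1")
    good = server.verify("conn-1", "alice",
                         client_respond("alice", USER_KEYS["alice"], ch))
    # 2. Replaying the same response: the nonce was already consumed.
    replay = server.verify("conn-1", "alice",
                           client_respond("alice", USER_KEYS["alice"], ch))
    # 3. Too slow: the client answers after the timeout.
    ch = server.issue_challenge("conn-2")
    clock.advance(3.0)
    slow = server.verify("conn-2", "alice",
                         client_respond("alice", USER_KEYS["alice"], ch))
    # 4. Wrong secret.
    ch = server.issue_challenge("conn-3")
    wrong = server.verify("conn-3", "alice",
                          client_respond("alice", b"not-the-secret", ch))
    # 5. Unknown user.
    ch = server.issue_challenge("conn-4")
    unknown = server.verify("conn-4", "mallory",
                            client_respond("mallory", b"anything", ch))
    return {"good": good, "replay": replay, "slow": slow,
            "wrong": wrong, "unknown": unknown}


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:8s} ok={ok} ({reason})")
```

In a real Autobahn deployment the `issue_challenge` string would be the first message the server sends in `onOpen`, the client's reply would be handled in `onMessage`, and a failed or expired `verify` would be followed by closing the connection; the hex nonce and MAC are plain ASCII, so they fit a text frame without further encoding.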