No problem. Thanks for getting to this. In the meantime, I have been
experimenting with how to add OTP functionality in the minimally
invasive way. Here are my ideas so far:
1. By agreement, both the server and the client use
pbkdf2(original_hash, otp) as the new password hash. This is a
horrible hack; however, it requires no changes to the current
2. Piggyback the OTP inside the WAMP-CRA authentication using the
'extra' field. This is not very elegant, but would be the easiest to
implement router side. It would require the client to return something
like types.Signature(signature, otp) from onChallenge. This would be
serialized to message.Authenticate(signature, otp), sent across the
wire, and made available to the authenticator. This would be backwards
compatible with the current onChallenge API provided the return type
Yes, this isn't that bad. It's a pragmatic approach that does the job and is minimally invasive.
3. Allow several authentication-challenge steps. I think this is the
ideal solution, but it is more difficult to implement. When the router
receives HELLO, it sends out several challenges. It would send out a
WAMP-CRA challenge, and an OTP challenge, for example. These can be
distinguished by having an 'authmethod' field set inside 'extra'. The
client would respond to both challenges preserving the 'authmethod'
part of 'extra'. The router would then collect the responses, decide
on an authrole and authid, and welcome or deny the client. You can
even allow elaborate chains (sort of like PAM) where one
authentication method may be sufficient (cookie or ticket), or another
may be required (IP filter).
Having the analog of PAM chains mapped to WAMP using multiple CHALLENGE/AUTHENTICATE message exchanges sounds very powerful.
But the design might be tricky (though we can steal from PAM), and it is intrusive for implementations (their protocol state machines).
I don't have a final opinion yet .. 2) or 3). Not 1).
I think we should give this more thought first:
and collect community opinion.
In any case, I support the goal of having state-of-the-art authentication for WAMP.
"SCRAM + TOTP + Cookies" is my current candidate ...
On 15.03.2015 at 18:49, Yury Sobolev wrote:
Looking forward to hearing from you.
On Sun, Mar 15, 2015 at 10:02 AM, Tobias Oberstein <tobias.o...@gmail.com> wrote:
sorry, this got lost on me. Catching up now.
We want to support what I think is your actual goal:
Maybe we should first discuss the details there, as code-wise, this will
have multiple implications (incl. router).
On Saturday, 31 January 2015 05:03:54 UTC+1, Yury Sobolev wrote:
I would like to authenticate users with multi factor authentication. In
particular, I would like to use WAMPCRA and OTP. Now, each by itself works
fine. However, I am not sure how to make them both be required. I was
thinking of passing in the OTP code inside the 'extra' parameter inside
message.Authenticate. However, at the moment this is impossible as
onChallenge only returns a signature.
Am I missing something?
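Added example, not from the thread and not Autobahn code: a stdlib-only Python model of option 2 above, where the client answers the WAMP-CRA challenge with the signature plus the OTP carried in the 'extra' of AUTHENTICATE, and the router requires both before it sends WELCOME. The Router class, client_on_challenge, login, the user record layout and the test user "joe" are assumptions made for this illustration. The key derivation (base64 of PBKDF2-HMAC-SHA256 with salt, iterations and keylen) and the signature (base64 of HMAC-SHA256 over the challenge string) follow the WAMP-CRA scheme; the OTP is RFC 6238 TOTP, using the RFC's SHA-1 test secret in base32.

```python
"""Constructed simulation of option 2: OTP inside AUTHENTICATE 'extra', next to the
WAMP-CRA signature.  Stand-alone model of the message flow, not Autobahn's own code."""
import base64
import hashlib
import hmac
import json
import os
import struct


def derive_key(secret, salt, iterations=1000, keylen=32):
    """Salted WAMP-CRA key: base64(PBKDF2-HMAC-SHA256(secret, salt))."""
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), iterations, keylen)
    return base64.b64encode(raw)


def compute_wcs(key, challenge):
    """WAMP-CRA signature over the challenge string: base64(HMAC-SHA256(key, challenge))."""
    return base64.b64encode(hmac.new(key, challenge.encode(), hashlib.sha256).digest()).decode()


def compute_totp(secret_b32, now, period=30, digits=6, offset=0):
    """RFC 6238 TOTP: HOTP (SHA-1, dynamic truncation) over the time-step counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = now // period + offset
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Router:
    """Router side (assumed model): one CHALLENGE, one AUTHENTICATE carrying signature + OTP."""

    def __init__(self, users):
        self.users = users      # authid -> stored key material and role
        self.pending = {}       # authid -> outstanding challenge string
        self.last_step = {}     # authid -> last accepted TOTP counter (replay guard)

    def on_hello(self, authid):
        user = self.users[authid]
        challenge = json.dumps({"authid": authid, "nonce": os.urandom(16).hex()})
        self.pending[authid] = challenge
        extra = {"challenge": challenge, "salt": user["salt"],
                 "iterations": user["iterations"], "keylen": user["keylen"]}
        return ("CHALLENGE", "wampcra", extra)

    def on_authenticate(self, authid, signature, extra, now, period=30):
        user = self.users[authid]
        challenge = self.pending.pop(authid, None)   # one-shot: a captured signature is useless later
        if challenge is None or not isinstance(signature, str):
            return ("ABORT", "wamp.error.no_such_challenge")
        if not hmac.compare_digest(compute_wcs(user["key"], challenge), signature):
            return ("ABORT", "wamp.error.not_authorized")
        otp = extra.get("otp") if isinstance(extra, dict) else None
        if not isinstance(otp, str):
            return ("ABORT", "wamp.error.not_authorized")
        # Accept the current step and one step either side for clock skew, but never a
        # step at or before the last accepted one, so a code seen on the wire cannot be reused.
        step = now // period
        for offset in (-1, 0, 1):
            if step + offset <= self.last_step.get(authid, -1):
                continue
            if hmac.compare_digest(compute_totp(user["totp_secret"], now, period, offset=offset), otp):
                self.last_step[authid] = step + offset
                return ("WELCOME", user["role"])
        return ("ABORT", "wamp.error.not_authorized")


def client_on_challenge(password, totp_secret, extra, now):
    """Client side of option 2: returns (signature, extra) for AUTHENTICATE."""
    key = derive_key(password, extra["salt"], extra["iterations"], extra["keylen"])
    return compute_wcs(key, extra["challenge"]), {"otp": compute_totp(totp_secret, now)}


def login(router, authid, password, totp_secret, now):
    """Drive HELLO -> CHALLENGE -> AUTHENTICATE -> WELCOME/ABORT and return the verdict."""
    _, _, extra = router.on_hello(authid)
    signature, auth_extra = client_on_challenge(password, totp_secret, extra, now)
    return router.on_authenticate(authid, signature, auth_extra, now)


# Constructed test user; the TOTP secret is the RFC 6238 SHA-1 test key in base32.
SALT, ITER, KEYLEN = "salt123", 1000, 32
TOTP_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
USERS = {"joe": {"key": derive_key("secret2", SALT, ITER, KEYLEN), "salt": SALT,
                 "iterations": ITER, "keylen": KEYLEN,
                 "totp_secret": TOTP_SECRET, "role": "frontend"}}

if __name__ == "__main__":
    r = Router(USERS)
    print(login(r, "joe", "secret2", TOTP_SECRET, now=1111111109))   # ('WELCOME', 'frontend')
    print(login(r, "joe", "secret2", TOTP_SECRET, now=1111111109))   # ('ABORT', ...): OTP reused
```

Two details matter for the "piggyback" design: the router consumes the challenge on the first AUTHENTICATE and only looks at the OTP after the signature has verified, so a wrong password never touches the OTP state, and it remembers the last accepted TOTP step so the same code cannot log in twice within its validity window.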