Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it possible to use bearer authentication for websocket upgrade requests?

Tags:

authentication

websocket

authorization

The upgrade request for opening a websocket connection is a standard HTTP request. On the server side, I can authenticate the request like any other. In my case, I would like to use Bearer authentication. Unfortunately, there is no way to specify headers when opening a websocket connection in the browser, which would lead me to believe that it's impossible to use bearer authentication to authenticate a web socket upgrade request. So -- Am I missing something, or is it really impossible? If it is impossible, is this by design, or is this a blatant oversight in the browser implementation of the websocket API?

like image 334
w.brian Avatar asked Mar 13 '14 15:03

w.brian

People also ask

How do I authenticate WebSocket requests?

Authentication FlowThe client makes a WebSocket handshake request with the external authentication token passed as a query-string parameter in the handshake endpoint URL. The server checks the cache to see if the external authentication token is valid.

How do I add Bearer Token in HTTP request?

The token is a text string, included in the request header. In the request Authorization tab, select Bearer Token from the Type dropdown list. In the Token field, enter your API key value. For added security, store it in a variable and reference the variable by name.

How does bearer authentication work?

The Bearer Token is created for you by the Authentication server. When a user authenticates your application (client) the authentication server then goes and generates for you a Token. Bearer Tokens are the predominant type of access token used with OAuth 2.0.

What is bearer authentication in REST API?

The name “Bearer authentication” can be understood as “give access to the bearer of this token.” The bearer token allowing access to a certain resource or URL and most likely is a cryptic string, usually generated by the server in response to a login request.

1 Answers

The API allows you to set exactly one header, namely Sec-WebSocket-Protocol, i.e. the application specific subprotocol. You could use this header for passing the bearer token. For example:

new WebSocket("ws://www.example.com/socketserver", ["access_token", "3gn11Ft0Me8lkqqW2/5uFQ="]);

The server is expected to accept one of the protocols, so for the example above, you can just validate the token and respond with header Sec-WebSocket-Protocol=access_token.

like image 89
Kalle Avatar answered Sep 26 '22 05:09

Kalle
Sign in to Comment

Related questions

How can I programmatically authenticate a user in Django?
LDAP Authentication using Java
Gitolite One User - Many Keys - Different usernames
How to disable elasticsearch 5.0 authentication?
Android: Authenticating with NXP MiFare Ultralight C
Authentication for users on a Single Page App?
Token Authenticatable module in Devise
Which authentication and authorization schemes are you using - and why?
OWIN - Authentication.SignOut() doesn't seem to remove the cookie
How to set _auth for a scoped registry in .npmrc?
Authentication issues with WWW-Authenticate: Negotiate
How to get the list of the authenticated users?
"No provider for AuthGuard!" using CanActivate in Angular 2
Base64 Authentication Python
Swift: What does backslash dot "\." mean?
User authentication on a Jersey REST service
How secure is my PHP login system?
Getting NetworkCredential for current user (C#)
Android: Is it a good idea to store Authentication Token in Shared Preferences?
Uniquely identifying an iOS user

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!