OAuth2 Authentication for Websockets: Pass Bearer Token via Subprotocols?

Question

I am trying to figure out what the best way is to pass an oauth bearer token to a websocket endpoint.

This SO answer suggests to send the token in the URL, however this approach has all the drawbacks of authenticating via the URL. Security implications discussed here

Thus i was wondering what would be the drawbacks to use the subprotocols to pass the token to the server ? i.e. instead of treating the requested subprotocols as a list of constants. Send at least one subprotocol that follows a syntax like for example: authorization-bearer-<token>

The token would end up in a request header. The server while processing the subprotocols would be able to find and treat the token easily with a bit of custom code. Since passing subprotocols should be supported by a lot of websocket implementations, this should work for a lot of clients.

Answer 1

This worked for me, I used this WebSocket client library.

You need to send OAUTH token via the Websocket Header, Below is the code, hope this is helpful.

ws = factory.createSocket("wss://yourcompleteendpointURL/");
ws.addHeader("Authorization", "Bearer <yourOAUTHtoken>");
ws.addHeader("Upgrade", "websocket");
ws.addHeader("Connection", "Upgrade");
ws.addHeader("Host", "<YourhostURLasabovegiveupto.com>");
ws.addHeader("Sec-WebSocket-Key", "<Somerandomkey>");
ws.addHeader("Sec-WebSocket-Version", "13");
ws.connect();