search

atomicdata-dev / atomic-data-docs

Atomic Data is a specification to make it easier to exchange data.
https://docs.atomicdata.dev
MIT License
17 stars 7 forks source link

Authentication over websockets #133

Closed joepio closed 1 year ago

joepio commented 1 year ago

The Websockets protocol currently does not support authentication.

I assumed we could use HTTP headers in the initial request, and although the WebSockets spec allows it, browsers don't have it implemented. We can't use HTTP headers in the initial request.

Some companies use tokens in query parameters in the request URL. Others use a custom websocket message. Not sure what is preferable.

In any case, Atomic Data authentication assumes that there is no shared state / token between client and server. Clients have a private key, and can sign things. Typically they sign the URL of the requested resource + some timestamp.

That's why we need:

We could encode these 4 fields either in a custom WebSocket message, or in 4 query parameters.

I don't really like either approach, to be honest, especially since we're already using HTTP headers. This feels like another way to encode the same data.

Using a JSON-AD object

Let's say we define some JSON object, that looks like this:

{
   "https://atomicdata.dev/properties/auth/agent "some-agent-url",
   "https://atomicdata.dev/properties/auth/requestedSubject: "some-subject-url",
   "https://atomicdata.dev/properties/auth/publicKey": "aefaeaefeaaeffeafeaeaffeaaef",
   "https://atomicdata.dev/properties/auth/timestamp": "160124097124",
   "https://atomicdata.dev/properties/auth/secret: "160124097124",
}

And we use re-use this JSON object in various cases. We would include it as a Base64 object in HTTP requests. We could send it over WebSockets. We could post it to some /token endpoint and get a JWT.

And the best is: it's still atomic data!

Relates to #49