crossbario / autobahn-js

WAMP in JavaScript for Browsers and NodeJS
http://crossbar.io/autobahn
MIT License

Implement authentication: one-time token #88

Closed oberstet closed 8 years ago

oberstet commented 10 years ago

See: https://github.com/tavendo/WAMP/issues/70

tatiana commented 10 years ago

I'm not sure if this is a related issue, but: is it possible to:

use the current implementation of AutobahnJS to connect to a WAMP Proxy using the HELLO - CHALLENGE - AUTHENTICATE - WELCOME flow described at the link below? https://github.com/tavendo/WAMP/blob/master/spec/advanced.md#session-management

oberstet commented 10 years ago

@tatiana not sure what "WAMP proxy" refers to in this context .. do you mean proxying WAMP-over-WebSocket via some reverse WebSocket proxy like Nginx or HAproxy? If so, this is completely transparent regarding WAMP, since the former runs on top of WebSocket (at least, that is one transport for WAMP).

tatiana commented 10 years ago

Hi @oberstet ! Not really. I used the word proxy incorrectly, sorry. I meant router.

My question is related to authentication: does the JS Autobahn client support the authentication flow when client and server exchange the following messages: HELLO, CHALLENGE, AUTHENTICATE and WELCOME?

This flow is illustrated in the image: https://github.com/tavendo/WAMP/raw/master/spec/figure/hello_authenticated.png

I couldn't find any example of clients using this WAMP authentication flow.

oberstet commented 10 years ago

@tatiana Ah, ok. Yes, AutobahnJS supports WAMP authentication. You can find examples (which work together with AutobahnPython on the server side) here: https://github.com/tavendo/AutobahnPython/tree/master/examples/twisted/wamp/authentication - which kind of authentication method is of interest to you?

tatiana commented 10 years ago

Thanks a lot @oberstet, that totally meets my needs.

BTW: do you see a better way of sharing some session cookie stored at the front-end side?

RFC 6455 describes that it is optional to send headers such as cookies during the WebSocket connection handshake. From my tests, Chrome (38.0.2125.104) and Firefox (32.0.2) don't currently pass cookies forward when they open a WebSocket connection. Does Autobahn/WAMP provide alternative ways to pass this kind of information to the server?

oberstet commented 10 years ago

@tatiana Modern browsers, including Chrome and Firefox do pass cookies on initial WebSocket opening handshake. The cookies sent will be those associated with the origin of the WebSocket connection. E.g. you can have a "classical" Web login/form page that sets an authentication cookie, and if the origin of the Web page is the same as the WebSocket is connecting to, the former cookies will be sent and you could then verify the cookie to authenticate the WebSocket connection. Cookies can also be set on the WebSocket connection from server side, and will then be sent the next time the browser connects.

If you want to play around with this stuff at the pure WebSocket level, here are 2 examples:

https://github.com/tavendo/AutobahnPython/tree/master/examples/twisted/websocket/echo_httpheaders
https://github.com/tavendo/AutobahnPython/tree/master/examples/twisted/websocket/auth_persona

tatiana commented 10 years ago

thanks a lot, @oberstet! I was trying to get it working in a small example and just now - based on your examples - I realized what I was doing wrong: it was the origin (JavaScript was calling 'localhost' and not '0.0.0.0' as was being set on the cookie's origin: https://gist.github.com/tatiana/0abbd3eeabf314d21605

thank you very much! I'm starting to use WAMP in a new project - what is the best way to talk to you? do you use any IRC channel?

oberstet commented 8 years ago

WAMP-Ticket authentication is implemented: https://github.com/crossbario/crossbarexamples/tree/master/authentication/ticket/static

aaerofeev commented 7 years ago

Hello, where is the information about authorization in the autobahn js documentation?

goeddea commented 7 years ago

@beerteam - This is an issue tracker, not a support forum (https://groups.google.com/forum/#!forum/autobahnws)

Authorization is covered in the Crossbar.io documentation - http://crossbar.io/docs/Authorization/