crossbario / autobahn-python

WebSocket and WAMP in Python for Twisted and asyncio
https://crossbar.io/autobahn
MIT License

Better documentation for WAMP Authentication #219

Open eranimo opened 10 years ago

eranimo commented 10 years ago

I'm having a lot of trouble getting WAMP authentication working. It would be great if someone could provide some examples of passing client cookies (and therefore session info) into an ApplicationSession so that an RPC or a pub/sub call can access the session information.

I think the docs in this area could be improved

oberstet commented 10 years ago

Yes, it needs more docs. In the meantime, probably this already helps.

To receive caller details (including authid etc) at a procedure that is exposed for remote calling, you need to provide options while registering the procedure:

from autobahn.wamp.types import RegisterOptions

def myproc1(a, b, details = None):
   # 'details' receives the CallDetails the router attaches to each invocation
   return a + b

# inside an ApplicationSession method decorated with @inlineCallbacks (e.g. onJoin):
yield self.register(myproc1, "com.myapp1.myproc1",
   options = RegisterOptions(details_arg = 'details', discloseCaller = True))

Later, when myproc1 is invoked, the Router will forward caller information in details, which will be of type autobahn.wamp.types.CallDetails (https://github.com/tavendo/AutobahnPython/blob/master/autobahn/autobahn/wamp/types.py#L256)

Two related examples are:
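Added example (not code from the thread or from Autobahn itself): a procedure registered with details_arg that uses the disclosed caller identity as an authorization check, and fails closed when the router did not disclose the caller. The attribute names caller_authid and caller_authrole, the role set, the fake_details stand-in and the use of PermissionError are assumptions made for this illustration; inside a real ApplicationSession you would read the real CallDetails and raise autobahn.wamp.exception.ApplicationError with an error URI instead.

```python
from types import SimpleNamespace

# Roles allowed to call the guarded procedure. Constructed for this example;
# a real deployment would take this from the router's authorization config.
ALLOWED_ROLES = {"admin", "backend"}


def caller_identity(details):
    """Return (authid, authrole) from a CallDetails-like object.

    The attribute names caller_authid / caller_authrole are an assumption about
    the CallDetails class of the Autobahn version in use; adjust them to the
    class you actually have (see the types.py link in the comment above).
    """
    if details is None:
        return None, None
    return (getattr(details, "caller_authid", None),
            getattr(details, "caller_authrole", None))


def caller_allowed(details, allowed_roles=ALLOWED_ROLES):
    """Fail closed: if the router did not disclose the caller (details_arg not
    set, or caller disclosure off) there is nothing to base a decision on."""
    authid, authrole = caller_identity(details)
    if authid is None or authrole is None:
        return False
    return authrole in allowed_roles


def myproc1(a, b, details=None):
    """Same shape as the procedure in the comment above, with an authorization
    check in front of the actual work. In an ApplicationSession you would raise
    autobahn.wamp.exception.ApplicationError("com.myapp1.error.not_authorized")
    rather than PermissionError (URI is an assumption)."""
    if not caller_allowed(details):
        authid, _ = caller_identity(details)
        raise PermissionError(
            "caller %r is not authorized to call com.myapp1.myproc1" % (authid,))
    return a + b


def fake_details(authid, authrole):
    """Constructed stand-in for the CallDetails the router would pass in."""
    return SimpleNamespace(caller=12345, caller_authid=authid, caller_authrole=authrole)


def demo():
    """Exercise the three cases: authorized role, wrong role, no disclosure."""
    results = {}
    results["admin"] = myproc1(2, 3, details=fake_details("alice", "admin"))
    try:
        myproc1(2, 3, details=fake_details("mallory", "anonymous"))
        results["anonymous"] = "allowed"
    except PermissionError:
        results["anonymous"] = "denied"
    try:
        myproc1(2, 3)  # caller not disclosed: must be denied, not silently allowed
        results["undisclosed"] = "allowed"
    except PermissionError:
        results["undisclosed"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the fail-closed branch: registering with details_arg only gets you the details object; whether it carries a caller identity depends on the router being asked (discloseCaller) and on the router's policy, so a procedure that treats "no authid" as "anonymous but fine" is an easy way to lose the check entirely.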

eranimo commented 10 years ago

Thank you. I have another related question. How can I access a list of all connected clients in an ApplicationSession onJoin method (where pub/sub and rpc happens)? I'm trying to publish to all connected clients except a few that have a specific authid.

oberstet commented 10 years ago

You can't, since that information (who is subscribed on what) is only available at the WAMP Broker. The broker might run in the same process as the app, in another process or on another machine.

That being said, the "WAMP Advanced Profile" provides features for this, e.g. Crossbar will allow you to subscribe to wamp.metaevent.session.on_join which will fire whenever (another) session joins. And the information provided will contain the authid as well as the WAMP session IDs. You can then use those in exclude when doing your publish.

The "WAMP Advanced Profile" (https://github.com/tavendo/WAMP/blob/master/spec/advanced.md) is still in flux. And WAMP implementations are not required to implement features from that.

Also probably of interest:
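Added example (not code from the thread or from Autobahn/Crossbar): a small directory that is fed from the session meta-events described above and turns "everyone except these authids" into the list of session IDs you hand to PublishOptions(exclude=...). The event payload shape (a dict with session, authid and authrole on join; the bare session ID on leave), the SAMPLE_EVENTS and the class and function names are assumptions made for this illustration.

```python
# Constructed sample meta-events, in the order a subscriber to
# wamp.metaevent.session.on_join / on_leave might receive them.
# Field names are an assumption about the router's payload.
SAMPLE_EVENTS = [
    ("join", {"session": 1001, "authid": "alice", "authrole": "user"}),
    ("join", {"session": 1002, "authid": "bot-1", "authrole": "service"}),
    ("join", {"session": 1003, "authid": "bob", "authrole": "user"}),
    ("join", {"session": 1004, "authid": "bot-2", "authrole": "service"}),
    ("leave", 1003),
]


class SessionDirectory:
    """Tracks live WAMP sessions from router meta-events.

    It only knows about sessions that joined after you subscribed, and it can
    lag behind the router, so use it to build exclude lists, never as the
    authorization boundary: restricting who may receive a topic belongs in the
    router's authorization rules.
    """

    def __init__(self):
        self._sessions = {}  # session id -> {"authid": ..., "authrole": ...}

    def on_join(self, details):
        # Handler for wamp.metaevent.session.on_join; 'details' is the event
        # payload (dict with 'session', 'authid', 'authrole' is assumed).
        sid = details["session"]
        self._sessions[sid] = {"authid": details.get("authid"),
                               "authrole": details.get("authrole")}

    def on_leave(self, session_id):
        # Handler for the matching on_leave event (bare session id assumed).
        self._sessions.pop(session_id, None)

    def live_sessions(self):
        return sorted(self._sessions)

    def exclude_for(self, authids=(), authroles=()):
        """Session IDs of every known session whose authid or authrole matches,
        i.e. the value to pass as PublishOptions(exclude=...)."""
        authids, authroles = set(authids), set(authroles)
        return sorted(sid for sid, info in self._sessions.items()
                      if info["authid"] in authids or info["authrole"] in authroles)


def replay(events, directory=None):
    """Feed a sequence of ('join', payload) / ('leave', session_id) events."""
    directory = directory or SessionDirectory()
    for kind, payload in events:
        if kind == "join":
            directory.on_join(payload)
        elif kind == "leave":
            directory.on_leave(payload)
        else:
            raise ValueError("unknown meta-event kind %r" % (kind,))
    return directory


if __name__ == "__main__":
    d = replay(SAMPLE_EVENTS)
    print("live:", d.live_sessions())
    print("exclude service sessions:", d.exclude_for(authroles=["service"]))
```

In a session you would subscribe d.on_join and d.on_leave to the meta-event topics and then call self.publish(topic, payload, options=PublishOptions(exclude=d.exclude_for(authids=[...]))). A client whose authid you want to exclude but which joined before your subscription, or whose join event has not arrived yet, still gets the event, which is why this is a convenience filter and not access control.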

eranimo commented 10 years ago

I can access all connected clients in a normal WebSocketServerFactory, why can't I do the same with WAMP? Do I have to rewrite my app in Crossbar in order to get this?

oberstet commented 10 years ago

No, a normal WebSocketServerFactory doesn't track its connected clients. E.g. if you want to do it on top of WebSocketServerFactory, here is one option: https://github.com/tavendo/AutobahnPython/blob/master/examples/twisted/websocket/broadcast/server.py#L34

And with WampServerFactory in the old WAMP v1 implementation, the list of connected clients was considered "private" already. So the bad news is unfortunately: if you depend on direct access to the list of WAMP clients connected, this is kinda wrong ..

eranimo commented 10 years ago

How can one set the authid? I'm overriding RouterSession.onHello to return an Accept or Deny, but that happens on the registered RPCs, the authid is null on the onJoin details. Some examples in the docs of how to implement basic session-based authentication would help.