Closed rashi-jaiswal-007 closed 2 years ago
WebSocket doesn't have native support for Authorisation; therefore this is implemented by the developer on top of the WebSocket protocol. Most WebSocket libraries add this layer already.
In my opinion this is a concern of the micro itself and not the API Gateway, which over WebSocket acts purely as a proxy.
On Sun, 4 Sep 2022 at 09:12, Rashi Jaiswal @.***> wrote:
The WebSocket protocol does not allow adding headers like Authorization. Can we add support for checking for access_token in query params as well? Something along the lines below:

```lua
-- Accept a Bearer token either from the Authorization header or, as a
-- fallback, from an access_token query parameter, which is then promoted to
-- an Authorization header so the rest of the plugin sees a normal request.
-- formatAsBearerToken is a helper assumed to return "Bearer <token>".
function M.has_bearer_access_token()
  local header = ngx.req.get_headers()['Authorization']
  if header and header:find(" ") then
    local divider = header:find(' ')
    if string.lower(header:sub(0, divider - 1)) == string.lower("Bearer") then
      return true
    end
  end
  local args = ngx.req.get_uri_args()
  for key, val in pairs(args) do
    if key == "access_token" then
      local token = formatAsBearerToken(val)
      ngx.req.set_header('Authorization', token)
      return true
    end
  end
  return false
end
```
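As an added example (not code from this thread or from the kong-oidc project), a hardened variant of the check quoted above: it accepts the token from the query string only on a WebSocket handshake, and strips it from the query string after promoting it so the upstream never receives it. The parameter name `access_token` and the use of the OpenResty `ngx.req` API are assumptions.

```lua
-- Added example, not from this thread or the kong-oidc project: accept the
-- token from the query string only on a WebSocket handshake, promote it to an
-- Authorization header for the OIDC check, and scrub it from the query string
-- so the upstream service never receives it. The parameter name is assumed.
local M = {}

local TOKEN_PARAM = "access_token"

-- True when the request is a WebSocket handshake (Upgrade: websocket).
local function is_websocket_handshake(headers)
  local upgrade = headers["Upgrade"]
  return type(upgrade) == "string" and upgrade:lower() == "websocket"
end

-- True when the Authorization header already carries a Bearer token.
local function has_bearer_header(headers)
  local auth = headers["Authorization"]
  if type(auth) ~= "string" then
    return false
  end
  local scheme = auth:match("^(%S+)%s+%S")
  return scheme ~= nil and scheme:lower() == "bearer"
end

function M.has_bearer_access_token()
  local headers = ngx.req.get_headers()
  if has_bearer_header(headers) then
    return true
  end
  -- Browsers cannot add headers to the WebSocket handshake, so the query
  -- string is accepted as a token carrier on that request type only.
  if not is_websocket_handshake(headers) then
    return false
  end
  local args = ngx.req.get_uri_args()
  local token = args[TOKEN_PARAM]
  -- A repeated parameter arrives as a table; reject the ambiguity.
  if type(token) ~= "string" or token == "" then
    return false
  end
  ngx.req.set_header("Authorization", "Bearer " .. token)
  -- Drop the token from the query string before the request is proxied.
  args[TOKEN_PARAM] = nil
  ngx.req.set_uri_args(args)
  return true
end

return M
```

Kong's own access log still records the original request line, so the token remains in gateway logs unless the log format omits the query string.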
Most WebSocket libraries add this layer already
You mean something like auth (https://socket.io/docs/v3/client-initialization/#auth) or extraHeaders (https://socket.io/docs/v3/client-initialization/#extraHeaders) of socket.io? If yes, then are you suggesting that the socket server should instead be responsible for introspecting the token passed via these (and the kong-oidc plugin should essentially be bypassed)?
Yes. You shouldn't be applying REST fundamentals to WebSockets. They are utterly different. The only thing they actually share is HTTP as the transport layer.
REST is about avoiding sessions by leveraging authorisation in stateless calls. With WebSocket you actually create a duplex session via the WebSocket.
Cool... sounds good