WebSocket authentication/authorization

[acoburn]

The 0.8 Solid spec describes a WebSocket subscription protocol, but that protocol does not include any mention of authentication or authorization. If WebSockets are to be part of the 1.0 Specification, there should be some formalization of the authentication protocol as well as a description of how these notifications intersect with WebAC rules.

It should be noted that WebSockets are raw TCP sockets. HTTP headers are not relevant, and so reliance on an Authorization header will be insufficient.

[pmcb55]

Just pinging Davi: @d-a-v-i--

[kjetilk]

I kinda gave up understanding WebSocket Authentication, but I noted the Sec-WebSocket-Key header, but I don't understand how it is intended. Is that intended as a shared secret that is created when the connection is set up with HTTP, and so can be relied on for the rest of the interaction?

[acoburn]

@kjetilk the Sec-WebSocket-Key header relates to the opening handshake, when a client upgrades the connection from regular HTTP/1.1 to the websocket protocol. From the perspective of a JavaScript client, one does not have access to that information, and there is no way to connect it to an agent (e.g. WebID) or an agent's session. At least not in any regular browser.

[timbl]

In a comment on another issue, https://github.com/solid/specification/issues/52#issuecomment-535942650, @RubenVerborgh said,

@timbl I would argue that authentication is more than a bug fix.

It's not just authentication that was forgotten, there are some other essential decisions in the protocol that are problematic. The fact that such basic things were overlooked, indicates to me that the WebSockets draft was not designed with sustainability in mind. I have strong doubts about the design quality of the WebSockets draft in general, and think it is unwise to spec it as is. I don't see it pass quality assessments.

I do acknowledge that the current draft was a quick way to address a real and important need. And I think we should just see it as that: an experiment to show that it works. Now that we know it does, we should actually design a protocol.

[timbl]

By "the WebSockets draft" do you mean the part of solid which invokes Web Sockets https://github.com/solid/solid-spec/blob/master/api-websockets.md , or the WebSocket bit of HTML5 https://html.spec.whatwg.org/multipage/web-sockets.html, or the web socket spec https://tools.ietf.org/html/rfc6455 ? I assume the former.

[timbl]

Lets' look at ways of adding authentication to the web socket as soon as possible as it is a showstopper security problem. It can't wait for a new live update protocol.

[michielbdejong]

See also https://github.com/solid/specification/issues/52#issuecomment-682491952