w3c / wot-discovery

Repository for WoT discovery discussion
https://w3c.github.io/wot-discovery/

Decide how to securely do notifications from a Directory #42

Open mmccool opened 4 years ago

mmccool commented 4 years ago

If we do native HTTP approaches, there might be a problem with sleeping devices. Polling is not efficient. So a scheme like MQTT would make more sense, but we need to use a secure variant. We could also support a scheme where the device could explicitly ask for updates (e.g., get a history of notifications it might have missed). The devices that don't use an HTTP-native notification would be expected to check in.

mmccool commented 4 years ago

Needs to work through firewalls. SSEs do. Webhooks not. Conexxus uses SSE for this use case, as well as websockets (using SSE streams). So SSE seems like the best option. But... AWS does not support SSE in lambdas. The SSE over websockets is interesting but not currently a supported subprotocol.

mmccool commented 4 years ago

Conclusion: let's use SSE. Need to implement a prototype, however.

farshidtz commented 4 years ago

Relevant issue to discuss the functional requirements: https://github.com/w3c/wot-discovery/issues/28

farshidtz commented 4 years ago

Added a draft PR to describe the interaction on top of SSE.

One technical limitation is that early SSE implementations (including HTML5 EventSource) do not allow setting custom headers in the initial HTTP request.

The Authorization header is required in a few OAuth2 flows, and passing it as a query parameter is not advised: https://tools.ietf.org/html/rfc6750#section-2.3

> Because of the security weaknesses associated with the URI method (see Section 5), including the high likelihood that the URL containing the access token will be logged, it SHOULD NOT be used unless it is impossible to transport the access token in the "Authorization" request header field or the HTTP request entity-body. Resource servers MAY support this method.

There are of course polyfills for browsers and modern libraries which allow setting the Authorization header.
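
An added illustration of the header limitation raised in the last comment (not code from the thread or from the WoT Discovery project): a JavaScript client that reads the SSE stream with fetch() so the bearer token goes in the Authorization header rather than the query string, and sends Last-Event-ID to pick up notifications missed while disconnected. The function names, sample event, and the directory honouring Last-Event-ID are assumptions.

```javascript
// Added example. Names, event types and the sample stream are constructed placeholders.
// Incremental text/event-stream parser: handles LF and CRLF (not bare CR) line endings.
function createSseParser(onEvent) {
  let buffer = "", lastEventId = "";
  let ev = { event: "message", data: [] };
  return {
    get lastEventId() { return lastEventId; },
    push(chunk) {
      buffer += chunk;
      const lines = buffer.split(/\r?\n/);
      buffer = lines.pop(); // keep the unfinished last line for the next chunk
      for (const line of lines) {
        if (line === "") { // a blank line ends the event
          if (ev.data.length) onEvent({ id: lastEventId, event: ev.event, data: ev.data.join("\n") });
          ev = { event: "message", data: [] };
        } else if (!line.startsWith(":")) { // ":" lines are comments / keep-alives
          const i = line.indexOf(":");
          const field = i < 0 ? line : line.slice(0, i);
          const value = i < 0 ? "" : line.slice(i + 1).replace(/^ /, "");
          if (field === "data") ev.data.push(value);
          else if (field === "event") ev.event = value;
          else if (field === "id") lastEventId = value;
        }
      }
    },
  };
}

// The bearer token travels in the Authorization header, never in the URL.
function buildHeaders(token, lastEventId = "") {
  const headers = { Accept: "text/event-stream", Authorization: `Bearer ${token}` };
  if (lastEventId) headers["Last-Event-ID"] = lastEventId; // resume after a gap
  return headers;
}

// Reads the stream with fetch(); resolves with the last event id seen when the stream ends.
async function subscribe(url, token, onEvent, lastEventId = "") {
  const res = await fetch(url, { headers: buildHeaders(token, lastEventId), cache: "no-store" });
  if (!res.ok) throw new Error(`subscription rejected: HTTP ${res.status}`);
  const parser = createSseParser(onEvent);
  const decoder = new TextDecoder();
  const reader = res.body.getReader();
  for (;;) {
    const { done, value } = await reader.read();
    if (done) return parser.lastEventId || lastEventId;
    parser.push(decoder.decode(value, { stream: true }));
  }
}

// Constructed sample stream, deliberately split mid-line as a network read might be.
const SAMPLE_CHUNKS = [": keep-alive\n\nid: 7\nevent: upd", 'ate\ndata: {"id":"urn:example:lamp"}\n', "\n"];
```

Passing the value returned by `subscribe` back in as `lastEventId` on reconnect lets a device that was asleep request what it missed.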