7

I am trying to figure out what the best way is to pass an OAuth bearer token to a WebSocket endpoint.

This SO answer suggests sending the token in the URL; however, this approach has all the drawbacks of authenticating via the URL. The security implications are discussed here.

Thus I was wondering what the drawbacks would be of using the subprotocols to pass the token to the server, i.e. instead of treating the requested subprotocols as a list of constants, send at least one subprotocol that follows a syntax like, for example: `authorization-bearer-<token>`

The token would end up in a request header. The server while processing the subprotocols would be able to find and treat the token easily with a bit of custom code. Since passing subprotocols should be supported by a lot of websocket implementations, this should work for a lot of clients.

Community
JE42
  • Very interesting idea this. Could anyone comment that is more deeply involved in that? – Javali Oct 07 '16 at 16:53
  • I found one other approach in this project: https://github.com/tmc/grpc-websocket-proxy syntax is slightly different: `Sec-Websocket-Protocol: Bearer, foobar` means `Authorization: Bearer foobar` – JE42 Apr 21 '17 at 05:56
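
The server-side parsing the question describes, together with the `Bearer, <token>` pair syntax from the comment, as an added example (not code from the post or from grpc-websocket-proxy). The function names, the `chat.v1` subprotocol and the sample token are constructed for illustration; validating the token itself is left out.

```javascript
// Added example: parse the Sec-WebSocket-Protocol request header for a bearer token.
// PREFIX, the function names and the sample values are assumptions for illustration.
const PREFIX = "authorization-bearer-";
// RFC 6455 subprotocol names are HTTP tokens: no "/", "=", spaces or commas.
const TCHAR = /^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/;
// Constructed sample header values (the token is a made-up placeholder).
const SAMPLE_PREFIX = "chat.v1, authorization-bearer-abc.DEF_123-xyz";
const SAMPLE_PAIR = "Bearer, abc.DEF_123-xyz, chat.v1";

function splitOffered(headerValue) {
  if (!headerValue) return [];
  const items = String(headerValue).split(",").map((s) => s.trim());
  if (items.some((s) => !TCHAR.test(s))) {
    throw new Error("malformed Sec-WebSocket-Protocol header");
  }
  return items;
}

function extractBearer(headerValue, supported) {
  const offered = splitOffered(headerValue);
  const tokens = [];
  const plain = [];
  for (let i = 0; i < offered.length; i++) {
    const item = offered[i];
    if (item.startsWith(PREFIX)) {
      tokens.push(item.slice(PREFIX.length));
    } else if (item === "Bearer") {
      // Pair syntax: the entry that follows "Bearer" is the token.
      if (i + 1 >= offered.length) throw new Error("Bearer without a token");
      tokens.push(offered[++i]);
    } else {
      plain.push(item);
    }
  }
  // Refuse missing, empty or ambiguous credentials instead of guessing.
  if (tokens.length !== 1 || tokens[0] === "") {
    throw new Error("expected exactly one bearer token");
  }
  // Select only a real application subprotocol, so the token-bearing entry
  // is never reflected in the handshake response.
  const selected = plain.find((p) => supported.includes(p)) || null;
  return { token: tokens[0], selected };
}
```

Because subprotocol entries must be HTTP tokens, a credential containing `/` or `=` (standard base64) is rejected here; base64url without padding fits the grammar.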

1 Answer

1

This worked for me; I used this WebSocket client library.

You need to send the OAuth token via the WebSocket header. Below is the code; hope this is helpful.

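```java
// `factory` is the socket factory of the WebSocket client library used here.
ws = factory.createSocket("wss://yourcompleteendpointURL/");
// The bearer token travels in the Authorization header of the opening handshake.
ws.addHeader("Authorization", "Bearer <yourOAUTHtoken>");
// Standard RFC 6455 handshake headers; most client libraries generate these themselves.
ws.addHeader("Upgrade", "websocket");
ws.addHeader("Connection", "Upgrade");
ws.addHeader("Host", "<YourhostURLasabovegiveupto.com>");
// Must be a fresh random 16-byte value, base64-encoded, for each connection.
ws.addHeader("Sec-WebSocket-Key", "<Somerandomkey>");
ws.addHeader("Sec-WebSocket-Version", "13");
ws.connect();
```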
Martin Evans
Muiz Ahmed