7

I am trying to figure out what the best way is to pass an oauth bearer token to a websocket endpoint.

This SO answer suggests to send the token in the URL, however this approach has all the drawbacks of authenticating via the URL. Security implications discussed here

Thus i was wondering what would be the drawbacks to use the subprotocols to pass the token to the server ? i.e. instead of treating the requested subprotocols as a list of constants. Send at least one subprotocol that follows a syntax like for example: authorization-bearer-<token>

The token would end up in a request header. The server while processing the subprotocols would be able to find and treat the token easily with a bit of custom code. Since passing subprotocols should be supported by a lot of websocket implementations, this should work for a lot of clients.

Improve this question
2
  • Very interesting idea this. Could anyone comment that is more deeply involved in that? Commented Oct 7, 2016 at 16:53
  • I found one other approach in this project: github.com/tmc/grpc-websocket-proxy syntax is slightly different: Sec-Websocket-Protocol: Bearer, foobar means Authorization: Bearer foobar Commented Apr 21, 2017 at 5:56

1 Answer 1

Reset to default
1

This worked for me, I used this WebSocket client library.

You need to send OAUTH token via the Websocket Header, Below is the code, hope this is helpful.

ws = factory.createSocket("wss://yourcompleteendpointURL/");
ws.addHeader("Authorization", "Bearer <yourOAUTHtoken>");
ws.addHeader("Upgrade", "websocket");
ws.addHeader("Connection", "Upgrade");
ws.addHeader("Host", "<YourhostURLasabovegiveupto.com>");
ws.addHeader("Sec-WebSocket-Key", "<Somerandomkey>");
ws.addHeader("Sec-WebSocket-Version", "13");
ws.connect();
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.