angular-websocket

WebSocket with Token

Open storrisi opened this issue 10 years ago • 11 comments

How to connect to a WS with auth token?

storrisi avatar Jan 26 '15 16:01 storrisi

I'll have to update the documents and create examples with auth tokens. Here are some resources for you to look into.

  • https://auth0.com/blog/2014/01/15/auth-with-socket-io/
  • http://socket.io/docs/migrating-from-0-9/
  • https://github.com/Automattic/socket.io/wiki/authorizing
  • http://www.christian-schneider.net/CrossSiteWebSocketHijacking.html
  • http://lucumr.pocoo.org/2012/9/24/websockets-101/

PatrickJS avatar Jan 27 '15 20:01 PatrickJS

I'm also interested in this functionality. From those links are you saying that right now we need to access the socket.io library directly to set the Authorization header of the initial http setup request? I'm guessing the existing $http angular interceptor I have right now won't work?

alexcreasy avatar Jul 02 '15 15:07 alexcreasy

I am interested in this functionality as well. Any updates or pointers to help with this?

SamyuktaPatil avatar Jul 29 '15 19:07 SamyuktaPatil

+1

rochapablo avatar Jan 29 '16 15:01 rochapablo

I am interested too. I thought that the initial request was an HTTP upgrade request, so I'd be able to do auth with a header token. However, I can't see how to send a header from the client. Is the workaround to send it as a querystring? This doesn't feel quite right.

tamslinn avatar Mar 07 '16 12:03 tamslinn

+1 It's been a year - any updates to the documentation?

BatteryAcid avatar Apr 09 '17 21:04 BatteryAcid

@gdi2290 +1. Specifically I'm looking to do bearer Authentication with a Token provided by Keycloak. @alexcreasy did you ever get this to work?

manuelgchacon avatar Dec 14 '17 19:12 manuelgchacon

Any hints how to handle this properly?

ataraxus avatar Feb 05 '18 16:02 ataraxus

Hey everyone. I hope this helps some people down the road. If the back end WebSocket endpoint is protected by bearer only authentication, the following should work. The access_token query parameter is a standard thing in bearer only authentication.

$websocket('wss://myhost:8080/mywebsocket' + '?access_token=' + encodeURIComponent(TOKEN));

manuelgchacon avatar Feb 06 '18 00:02 manuelgchacon

@manuelgchacon I have also settled for this solution, but it's not nice:

  • Since the token in the URL could be easily copied and passed around by an uneducated user.
  • Also, a GET token tends to get logged by SSL-terminating proxies, web and application servers.
  • Another, rather unlikely case would be that such a token would end up as a referer and be passed to 3rd party servers with its token.

So one has to create one time tokens for accessing the websocket, which definitely increases effort and complexity of backend and client.

It's such a pity that there is apparently no common solution from simple HTTP for it. Makes me wonder how such a crucial part didn't get much attention during its design.

FYI. I've checked how Slack handles this and they also use a token in the URL :( I guess that's the way to go.

ataraxus avatar Feb 07 '18 11:02 ataraxus
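
The one-time token approach mentioned in the comment above, sketched as an added example that is not part of the original thread or of angular-websocket. The function names, the `ticket` query parameter, the 30-second lifetime and the origins are assumptions. The client first fetches a ticket over an authenticated HTTPS request, then opens `wss://…/mywebsocket?ticket=<ticket>`.

```javascript
const crypto = require('crypto');

const TICKET_TTL_MS = 30 * 1000; // assumption: 30 s is enough to open the socket
const tickets = new Map();       // sha256(ticket) -> { userId, expiresAt }

// Only a hash is kept server-side, so a dump of the store yields no usable tickets.
const digest = (t) => crypto.createHash('sha256').update(t).digest('hex');

// Call from an endpoint that already authenticated the user
// (for example via the normal Authorization: Bearer header).
function issueTicket(userId, now = Date.now()) {
  const ticket = crypto.randomBytes(32).toString('hex');
  tickets.set(digest(ticket), { userId, expiresAt: now + TICKET_TTL_MS });
  return ticket;
}

// Returns the userId once, then never again. A ticket copied from a URL,
// a proxy log or a Referer header is already spent or expired.
function redeemTicket(ticket, now = Date.now()) {
  if (typeof ticket !== 'string' || ticket.length === 0) return null;
  const key = digest(ticket);
  const entry = tickets.get(key);
  if (!entry) return null;
  tickets.delete(key); // single use, even when the ticket turns out to be expired
  return now <= entry.expiresAt ? entry.userId : null;
}

// Handshake check: verify the Origin header first (guards against cross-site
// WebSocket hijacking), then redeem the ticket from the query string.
function authorizeUpgrade(requestUrl, origin, allowedOrigins, now = Date.now()) {
  if (!allowedOrigins.includes(origin)) return null;
  // The base URL is a placeholder needed only to parse a relative request path.
  const url = new URL(requestUrl, 'wss://placeholder.invalid');
  return redeemTicket(url.searchParams.get('ticket'), now);
}
```
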

I sent the user data from frontend to socket but still searching for accessing it through token.

kullapareddypranay avatar Jul 28 '20 06:07 kullapareddypranay