
HTTP Digest authentication

Open wom-bat opened this issue 5 years ago • 4 comments

Hi folks, how can I create a websocket client where the server requires digest authentication?

wom-bat avatar Jun 18 '20 01:06 wom-bat

If I remember correctly Digest Authentication requires two HTTP requests: one to get the challenge from the server, one to send the response and open the websocket connection.

If I had to do this, here's what I'd try:

  1. make the first HTTP request and get the challenge from the response; this will likely be easier to do with another library than websockets, as websockets.connect raises an exception if it fails to establish a WebSocket connection;
  2. calculate the proper authentication header and send it with the extra_headers argument of websockets.connect.

It would be interesting to build this into websockets. Since we already handle basic auth and http redirects, I think we have all the pieces we need.

aaugustin avatar Jun 19 '20 08:06 aaugustin
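The two steps above, worked through as an added example (this is not code from the websockets project or from anyone in this thread). The function names `parse_challenge`, `digest_response` and `build_authorization_header` are hypothetical; the only names taken from the thread are `websockets.connect` and its `extra_headers` argument. The challenge string and credentials used below are the ones from the RFC 2617 worked example, embedded inline so the script runs offline; in practice the challenge comes from the `WWW-Authenticate` header of the first (401) response, and the `uri` must be the request-target of the handshake request. Only the default MD5 algorithm with `qop=auth` is handled; `MD5-sess`, `auth-int` and the SHA-256 variants from RFC 7616 are rejected explicitly rather than silently miscomputed.

```python
import hashlib
import os
import re
from typing import Dict

# key="quoted value" or key=token pairs inside a WWW-Authenticate value.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_challenge(www_authenticate: str) -> Dict[str, str]:
    """Split a 'Digest realm="...", nonce="...", ...' challenge into a dict."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"not a Digest challenge: {scheme!r}")
    return {
        m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _PARAM_RE.finditer(params)
    }


def _md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username: str, password: str, method: str, uri: str,
                    challenge: Dict[str, str], cnonce: str,
                    nc: str = "00000001") -> str:
    """Compute the 'response' value per RFC 2617 (MD5, qop=auth or no qop)."""
    algorithm = challenge.get("algorithm", "MD5").upper()
    if algorithm != "MD5":
        raise ValueError(f"unsupported algorithm: {algorithm}")
    ha1 = _md5_hex(f"{username}:{challenge['realm']}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    qop = challenge.get("qop")
    if qop is None:
        # Legacy RFC 2069 form: no client nonce or nonce count.
        return _md5_hex(f"{ha1}:{challenge['nonce']}:{ha2}")
    if "auth" not in [q.strip() for q in qop.split(",")]:
        raise ValueError(f"server offers no supported qop: {qop}")
    return _md5_hex(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization_header(username: str, password: str, method: str,
                               uri: str, challenge: Dict[str, str],
                               cnonce: str = None, nc: str = "00000001") -> str:
    """Build the Authorization header value to send with the handshake request."""
    if cnonce is None:
        cnonce = os.urandom(8).hex()  # fresh client nonce per request
    response = digest_response(username, password, method, uri, challenge, cnonce, nc)
    parts = [
        f'username="{username}"',
        f'realm="{challenge["realm"]}"',
        f'nonce="{challenge["nonce"]}"',
        f'uri="{uri}"',
        f'response="{response}"',
    ]
    if challenge.get("qop"):
        parts += ["qop=auth", f"nc={nc}", f'cnonce="{cnonce}"']
    if "opaque" in challenge:
        parts.append(f'opaque="{challenge["opaque"]}"')  # must be echoed unchanged
    return "Digest " + ", ".join(parts)


# Constructed input: the RFC 2617 section 3.5 example challenge and credentials.
SAMPLE_CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


def handshake_headers(path: str = "/dir/index.html") -> Dict[str, str]:
    """Headers to pass as extra_headers=... to websockets.connect (hypothetical wiring)."""
    challenge = parse_challenge(SAMPLE_CHALLENGE)
    value = build_authorization_header("Mufasa", "Circle Of Life", "GET", path, challenge)
    return {"Authorization": value}


if __name__ == "__main__":
    # With a real 401 challenge in hand, the second step would be:
    #   websockets.connect(url, extra_headers=handshake_headers(path))
    print(handshake_headers())
```

Because the WebSocket handshake is a GET for the request path, `method` is always `"GET"` here; the `nc` counter only matters if the same nonce is reused for a later request, which the rest of this thread concludes does not happen after the upgrade.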

It's a little more complex than that. The Authorization: header to be sent changes on each request, so it can't be calculated just once. What's more the server can issue a new challenge at any time.

I don't know how that fits into websockets. It may be that we can do it just once and then after the upgrade there's no need. I'll do some experiments on Monday.

wom-bat avatar Jun 19 '20 23:06 wom-bat

In a WebSocket connection you send HTTP headers only once. After you've upgraded from an HTTP to a WebSocket connection you're fine.

aaugustin avatar Jun 20 '20 07:06 aaugustin

Two options have been discussed for adding digest authentication support:

  1. Using a separate library for the digest authentication.
  2. Implementing digest authentication within this library.

Option 1 is disfavored by the maintainer because it adds a dependency to websockets which currently has none. @Nicolas-Feude has done some great work in #1111 toward option 2. However, looking at the code in #1111, it would seem to add a lot of complexity to this package, and duplicates code from requests which may diverge over time. It also seems fraught to re-implement security-related code.

I'm wondering if another option would be to use a library for the digest authentication but as an optional dependency. When digest authentication is required, websockets could output a message saying that the dependency needs to be installed. Digest authentication is an uncommon need, so it may be reasonable for the user to have to install an extra package to support it. (Not an experienced Python developer so unsure whether this is a good idea, but wanted to suggest it just in case.)

apteronal avatar Apr 13 '23 03:04 apteronal