Cookie and Request Auth Authz

Andrew J. Gillis edited this page Mar 25, 2018 · 1 revision

Cookie and WebSocket Request Authentication and Authorization

The nexus router can be configured to supply client tracking cookies and to expose these and the websocket HTTP request to authentication and authorization logic.

Client Tracking Cookies

The WebsocketServer can be configured to enable client tracking cookies. This works by telling the server to send a random-value cookie to each websocket client. This tracking cookie is included in the client's HELLO details, as Details.transport.auth.nextcookie, and can be saved by the router implementation to identify a returning client.

The returning websocket client may identify itself by sending a previously issued tracking cookie in a websocket request. If a request header received by the server contains the tracking cookie, then the cookie is included in the HELLO details as Details.transport.auth.cookie. This is useful for identifying clients that have already been authenticated, so that the returning client may skip re-authenticating itself.

This functionality is available in the CRAuthenticator implementation included with the nexus router auth package, when enabled for the router. This is typically used by providing a BypassKeyStore implementation, where the AlreadyAuth function returns true if a client is recognized as already authenticated, allowing the challenge-response authentication to be bypassed.
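As an added example (not code from the nexus project), here is the kind of check an AlreadyAuth implementation could make: a returning cookie is accepted only if it matches the value last saved for that authid and has not passed a server-side lifetime. `Dict` (standing in for the router's details dictionary), `cookieStore`, `Remember`, `ttl`, the extra `now` parameter and the cookie name are assumptions for illustration, as is the cookie being stored as a `*http.Cookie`.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// Dict stands in for nexus's wamp.Dict (assumed here: a string-keyed map).
type Dict = map[string]interface{}

const ttl = time.Hour // assumed lifetime during which a saved cookie may bypass auth

// cookieStore is a hypothetical helper for a BypassKeyStore; issued maps authid -> *http.Cookie.
type cookieStore struct{ issued sync.Map }

// authCookie returns details.transport.auth[key], assumed to hold a *http.Cookie.
func authCookie(details Dict, key string) *http.Cookie {
	tr, _ := details["transport"].(Dict)
	au, _ := tr["auth"].(Dict)
	ck, _ := au[key].(*http.Cookie)
	return ck
}

// Remember saves the nextcookie value, with an expiry, once the client has authenticated.
func (s *cookieStore) Remember(authid string, details Dict, now time.Time) {
	if ck := authCookie(details, "nextcookie"); ck != nil && ck.Value != "" {
		s.issued.Store(authid, &http.Cookie{Value: ck.Value, Expires: now.Add(ttl)})
	}
}

// AlreadyAuth accepts only an unexpired cookie that was issued to this authid.
func (s *cookieStore) AlreadyAuth(authid string, details Dict, now time.Time) bool {
	v, _ := s.issued.Load(authid)
	e, ok := v.(*http.Cookie)
	if ck := authCookie(details, "cookie"); ok && ck != nil && !now.After(e.Expires) {
		return subtle.ConstantTimeCompare([]byte(ck.Value), []byte(e.Value)) == 1
	}
	return false
}

func main() {
	auth := Dict{"nextcookie": &http.Cookie{Name: "tracking", Value: "c0ffee"}} // constructed
	s := &cookieStore{}
	s.Remember("alice", Dict{"transport": Dict{"auth": auth}}, time.Now())
	auth = Dict{"cookie": &http.Cookie{Name: "tracking", Value: "c0ffee"}} // client returns
	fmt.Println(s.AlreadyAuth("alice", Dict{"transport": Dict{"auth": auth}}, time.Now()))
}
```

Because each connection is sent a fresh nextcookie, calling `Remember` again after a bypassed authentication replaces the stored value, so an older cookie stops working.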

Cookie and Request Authentication

In addition to WebSocket tracking cookies, the WebSocket HTTP Request can also be included with the HELLO details, as Details.transport.auth.request, when enabled in the router. This allows Authenticator implementations to use any cookie values, or other data present in the HTTP request, to make authentication decisions.

Cookie and Request Authorization

Once a client is authenticated, the Details.transport.auth information is included in the session details. This allows Authorizer implementations to inspect this data for making authorization decisions.

Note: session.Details.transport.auth information is not available in the session meta information for the following reasons:

  1. It is not serializable (stored as Go http objects)
  2. To prevent exposure of authentication material

Enabling Cookie and Request Data

To enable and use tracking cookies and request capture, see WebsocketConfig for the values to configure, and WebsocketServer.SetConfig to apply this configuration to the router.