Is it possible to secure WebSocket APIs with OAuth 2.0?

Solution 1

Yes you can secure your WebSocket connections using OAuth. Kaazing WebSocket Gateway has an elegant architecture for authentication and authorization using a variety of methods (token-based, HTTP-based, or cookie-based).

Moreover it is done in a way that is secure over the Web where you may be dealing with untrusted clients. (Or at least, you should always assume you are dealing with untrusted clients.)

When a client attempts a WebSocket connection, the Gateway receives the request. If the particular service (i.e. URL) has been configured to be protected, the client will be challenged.

Upon receiving the challenge the client needs to then supply a token (assuming that's what has been configured in this case). If the client already has the token -- because they've previously signed on to some other system or web page -- then great. If not then it must be obtain one. This depends entirely on your choice of security. In this case it contacts the OAuth token provider to obtain a token. That may mean the user having to provide credentials.

Once the client has a token it sends it to the Gateway as a response to the challenge. The Gateway supports the standard JAAS architecture so you can plug in login modules to perform the necessary authentication. In this case it may send the token to the token provider in order to determine if it's a valid token.

If it is, the WebSocket connection is opened and can continue. If not, the request is rejected and the connection is closed.

This has the benefit of protecting your back-end applications -- only valid users will pass through the Gateway. Furthermore, because Kaazing WebSocket Gateway can live in the DMZ, un-authenticated users never even enter the trusted network within your main firewall. They fail fast on the outside.

This architecture is powerful because it doesn't matter what security framework you have chosen, Kaazing's Gateway will plug in to it, rather than imposing its own security mechanism on you. Also, in the case of OAUth or OAuth2, it does not need to understand or decode the token. The token provider is the only one that needs to understand it. But if your token provider wants to specify a duration for the session, that can be included along with the token and the Gateway will honor it.

If browser-based applications are unsafe, I could live with that, but I want to make sure that at least the web-based applications have a secure way to access the websocket.

Web-based and browser-based applications can be made safe with the right architecture and implementation. At Kaazing we always operate under the assumption that you are dealing with untrusted clients on the Web and construct our architecture accordingly.

Here are couple sections of the documentation that have a high-level description:

• What Happens During Authentication
• How Authentication and Authorization Work with the Gateway

Regards, Robin Product Manager, Kaazing

Solution 2

A credentials grant is only as secure as the authentication performed before handing out the access token. That's outside the specification they say. So that depends on whatever authentication regime you decide to put in front of giving out tokens in response to credential grants.

Now, let's assume you've set up a nice secure way to get your credentials grant, or get an access token into your browser via a regular OAuth2 request.

Under the OAuth2 specification you are free to MAC-digest portions, encrypt portions or protect the data within that token in any number of ways. The security of the access token in the browser depends on what information it contains - often times people design it to contain minimal information (userid, expiration-time, version, digest) and make it self-verifiable by your server (hence the digest). The contents of the token are virtually arbitrary. Some systems even give out access "codes" as proxies for the token.

Now let's assume you have a protected "secure format" access token, with a time restriction. Lets consider a real-world example: Facebook and their OAuth2 implementation. Be it a full access token or an access code for server-side credential retrieval (each with time restrictions) you can send the token (or code) from the browser to secure access to a WebSocket, using the Kaazing Gateway.

One of the things I've taken away from working with Kaazing's gateway is that OAUth2 really doesn't secure anything - you are free to hand out access tokens of arbitrary form. It's a good idea to make sure your credential-authentication scheme, the access_token format and the access_token lifetime are all good policy decisions - then you get security.

The Kaazing Gateway will let you send arbitrary tokens into the Gateway and validate them with a JAAS login module that you write to verify them. The security of the regime is up to you and policy decisions.

Regards,

Steven Atkinson

Gateway Server Developer, Kaazing

Related videos on Youtube

06 : 34

OAuth 2.0: An Overview

InterSystems Learning Services

921

03 : 07

OAuth 2.0 access tokens explained

OktaDev

114

31 : 36

Securing Your APIs with OAuth 2.0 - API Days

OktaDev

52

07 : 03

How to Secure APIs Using OAuth in API Connect

IBM Technology

15

59 : 25

Protecting Your APIs with OAuth

OktaDev

9

16 : 21

Web API Security | Basic Auth, OAuth, OpenID Connect, Scopes & Refresh Tokens

Ambient Coder

6

01 : 15 : 47

Protect Your APIs with OAuth | Developer Day 2021 Labs

OktaDev

3

30 : 58

Secure Web APIs using JAX-RS and OAuth2

Liferay

2

Author by

JustGoscha

Currently interested in: My passion is delivering awesome products with an intuitive UX in fast-paced environments with a team of motivated people by my side, where everybody can learn from each other. Building them with stable and scaleable architectures in mind is the goal and a challenge which gets my heart racing. What delights me is working on Audio-Visual Interactive Programming & Animation preferably in JavaScript/TypeScript Hey, if you are further interested in me, here a resumé of my life: Right now I'm working at FreightHub as a Team Lead of a 5 people team withing the Engineering department. I started there as a Front-End and UX Developer, helped to launch it in the very beginning, where we were just 2 developers. I like it very much. If you're in Berlin, you probably should join, too. You can influence the world on a global scale through logistics. If that doesn't sound awesome, I don't know what does. I've worked 2 years as Front End Developer for Oximity. Shipping several features, admin tools, e2e tests and other things. Previously I worked for 3 years at Fraunhofer FOKUS in the Next Generation Network Infrasctructure (NGNI) department on things like WebRTC, video/audio communication inside web browsers. Made my first front-end JavaScript, GUI (HTML/CSS) steps there. But also back-end with OSGi, JSP, Servers (Jetty/Tomcat), SIP/HTTP/WebSocket servlets etc. Besides that I'm currently studying at the Technische Universität Berlin in the master course "audio communication and technology", which is a cross between music theory, social sciences and physics (mostly acoustics) and digital signal processing. And this is also the field where I have the most fun currently. I like experimenting with sound, programming, interactive designs and visuals. On previous episodes of my life: I have acquired my bachelors degree in computer science at the Freie Universität Berlin (Free University of Berlin) with my bachelor thesis on "Enabling Browser-Based Real Time Communcations for Future Internet Services: WebRTC and OAuth capabilities for FOKUS Broker". Heavy title, with lots of buzz words, but basically I developed an WebRTC client for 2 persons with capabilities like effects, audio/video communication, messaging, photo-upload to DropBox, SMS, SIP call to SIP clients and some others.

Updated on June 08, 2022