Unable to use authentication

Question

Unable to use authentication

janandries opened this issue 4 years ago · comments

I'm trying to use some sort of user authenticatoin for the SOSS websocket. I want to only allow certain users to be able to connect.

I use a python websocket client to test. This all works perfectly fine, until I try to use JWT tokens.

I have added a authentication part to my soss configuration YAML:

systems:
  ws_server: {
    type: websocket_server,
    port: 12345,
    cert: cery_file.cert,
    key: key_file.key,
    authentication:
    {
      policies:
      [
        {
          secret: soss-websocket-test,
          algo: HS256
        }
      ]
    } 

  }

Then, using python, i try to connect to the secure websocket, using the websocket_client and pyjwt packages

    encoded_jwt = jwt.encode({}, 'soss-websocket-test', algorithm='HS256')
    ws = websocket.WebSocketApp(f"wss://127.0.0.1:12345?token={encoded_jwt}")

No matter what I try, I don't get a connection (always a 401 unauthorized). I have also used a pre-generated token I found in the websocket__roundtrip_client.yaml example, but even when I configure the server and client exactly as that example, I can't connect.

I tried to debug the soss websocket server, and when the request comes in, I see that it always fails because requested_sub_protos.size() is empty.

https://github.com/osrf/soss/blob/9ddb723862dda83a060ce996c0f56bae813c56e2/packages/websocket/src/Server.cpp#L396-L402

Can anyone point me in the right direction of how to create a working example with authentication, preferably using a python client example?

Teo Koon Peng · Answer 1 · Mon Jul 13 2020 12:21:16 GMT+0800 (China Standard Time)

The websocket server does not support the rosbridge auth opcodes yet so it uses a hacky way to authenticate users base on the Sec-WebSocket-Protocol header in the websocket handshake. You need to set the header to the jwt token in the client.