Curious we ponder how to combine this websocket authentication flow with capabilities-based usage tokens... ToDo
Authentication Flow - Nuvalence
Authentication in the WebSocket protocol is not as straightforward as in some other communication protocols. When a connection is opened from JavaScript, the WebSocket API offers no way to customize the headers of the handshake request, so authentication/authorization information cannot be sent securely in the request headers. The information can still be passed as a query-string parameter, but because URLs are routinely logged and captured even when the connection is secured with SSL, placing internal authentication tokens that may contain sensitive information in the URL would be unwise. What we demonstrate here is an implementation of a pattern that clears these obstacles by using an HTTP endpoint for authentication/authorization, built with Java and Spring Boot.

Note: This blog post does not go into detail on securing communications via SSL. To ensure proper security, SSL communication should be enabled between the client and server.
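As an added, framework-agnostic illustration of the pattern described above (this is example code, not the post's Spring Boot implementation): the already-authenticated HTTP endpoint issues an opaque, short-lived, single-use ticket, and the WebSocket handshake redeems it, so the only value that ever appears in a URL carries no user data and is worthless once used or expired. The names `TicketStore`, `authenticate_handshake`, `build_websocket_url` and the `ticket` query parameter are assumptions of this example.

```python
"""Ticket-based WebSocket handshake authentication (framework-agnostic example)."""
import secrets
import time
from urllib.parse import parse_qs, urlparse

TICKET_TTL_SECONDS = 30  # long enough to open the socket, useless if a log is read later


class TicketStore:
    """Issues and redeems opaque, short-lived, single-use handshake tickets.

    A ticket is a random value that carries no user data, so a URL that leaks
    through access logs or referrers reveals nothing and expires within seconds.
    """

    def __init__(self, ttl=TICKET_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested deterministically
        self._tickets = {}       # ticket -> (user_id, expires_at)

    def issue(self, user_id):
        """Called by the HTTP endpoint after normal header-based auth has succeeded."""
        ticket = secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe alphabet
        self._tickets[ticket] = (user_id, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket):
        """Called during the WebSocket handshake; returns the user id or None.

        pop() makes the ticket single-use, so replaying a captured URL fails.
        """
        self.purge_expired()
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        user_id, expires_at = entry
        return user_id if self._clock() <= expires_at else None

    def purge_expired(self):
        """Drop tickets past their TTL so the store cannot grow without bound."""
        now = self._clock()
        self._tickets = {t: v for t, v in self._tickets.items() if v[1] >= now}


def authenticate_handshake(store, request_url):
    """Server side: extract ?ticket= from the handshake URL and redeem it."""
    tickets = parse_qs(urlparse(request_url).query).get("ticket", [])
    if len(tickets) != 1:
        return None              # missing or duplicated parameter: reject
    return store.redeem(tickets[0])


def build_websocket_url(base_url, ticket):
    """Client side: the opaque ticket is the only thing placed in the URL."""
    return f"{base_url}?ticket={ticket}"
```

In a Spring Boot application the `redeem` call would live in a handshake interceptor, and the `issue` call behind an endpoint protected by the application's regular authentication.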