Kubernetes Submit Queue 714f97d7ba Merge pull request #47740 from liggitt/websocket-protocol
Automatic merge from submit-queue

Add token authentication method for websocket browser clients

Closes #47967

Browser clients do not have the ability to set an `Authorization` header programmatically on websocket requests. All they have control over is the URL and the websocket subprotocols sent (see https://developer.mozilla.org/en-US/docs/Web/API/WebSocket).

This PR adds support for specifying a bearer token via a websocket subprotocol, with the format `base64url.bearer.authorization.k8s.io.<encoded-token>`

1. The client must specify at least one other subprotocol, since the server must echo a selected subprotocol back
2. `<encoded-token>` is `base64url-without-padding(token)`

This enables web consoles to use websocket-based APIs (like watch, exec, logs, etc) using bearer token authentication.

For example, to authenticate with the bearer token `mytoken`, the client could do:
```js
var ws = new WebSocket(
  "wss://<server>/api/v1/namespaces/myns/pods/mypod/logs?follow=true",
  [
    "base64url.bearer.authorization.k8s.io.bXl0b2tlbg",
    "base64.binary.k8s.io"
  ]
);
```

This results in the following headers:
```
Sec-WebSocket-Protocol: base64url.bearer.authorization.k8s.io.bXl0b2tlbg, base64.binary.k8s.io
```

This authenticator would recognize these headers as the token `mytoken` and, if authentication succeeded, hand off to the rest of the API server with the headers
```
Sec-WebSocket-Protocol: base64.binary.k8s.io
```

Base64-encoding the token is required, since bearer tokens can contain characters a websocket protocol may not (`/` and `=`).

```release-note
Websocket requests may now authenticate to the API server by passing a bearer token in a websocket subprotocol of the form `base64url.bearer.authorization.k8s.io.<base64url-encoded-bearer-token>`
```
2017-06-24 00:34:41 -07:00
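The server-side half of the exchange described in the commit message, as an added example that is not part of this PR or of the Kubernetes code base: it parses `Sec-WebSocket-Protocol`, decodes the unpadded base64url token, enforces the "at least one other subprotocol" rule so the server has something to echo back, and rewrites the header so downstream handlers only see the remaining subprotocols. The function names, the `validTokens` lookup table standing in for a real token authenticator, and the sample request are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Subprotocol prefix from the PR description; the identifier names below are
// this example's own, not the apiserver's.
const bearerProtocolPrefix = "base64url.bearer.authorization.k8s.io."

var errNoOtherProtocol = errors.New("bearer subprotocol requires at least one other subprotocol to echo back")

// encodeBearerSubprotocol builds the client-side subprotocol value:
// prefix + base64url(token) without '=' padding.
func encodeBearerSubprotocol(token string) string {
	return bearerProtocolPrefix + base64.RawURLEncoding.EncodeToString([]byte(token))
}

// tokenFromSubprotocols scans the Sec-WebSocket-Protocol values (each value may
// itself be a comma-separated list), decodes the single bearer entry and returns
// the other subprotocols with the bearer entry removed. It rejects padded or
// malformed encodings, empty tokens, duplicate bearer entries, and a bearer
// entry with nothing left for the server to echo back.
func tokenFromSubprotocols(headerValues []string) (token string, remaining []string, found bool, err error) {
	for _, hv := range headerValues {
		for _, proto := range strings.Split(hv, ",") {
			proto = strings.TrimSpace(proto)
			if proto == "" {
				continue
			}
			if !strings.HasPrefix(proto, bearerProtocolPrefix) {
				remaining = append(remaining, proto)
				continue
			}
			if found {
				return "", nil, false, errors.New("multiple bearer subprotocols supplied")
			}
			// RawURLEncoding is base64url without padding, so "bXl0b2tlbg==" is refused.
			raw, derr := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(proto, bearerProtocolPrefix))
			if derr != nil {
				return "", nil, false, fmt.Errorf("invalid base64url bearer subprotocol: %w", derr)
			}
			if len(raw) == 0 {
				return "", nil, false, errors.New("empty bearer token")
			}
			token, found = string(raw), true
		}
	}
	if found && len(remaining) == 0 {
		return "", nil, false, errNoOtherProtocol
	}
	return token, remaining, found, nil
}

// validTokens is a constructed stand-in for the apiserver's real token authenticator.
var validTokens = map[string]string{"mytoken": "alice"}

// authenticateWebsocket applies the check to a websocket upgrade request. On
// success it returns the authenticated user and rewrites Sec-WebSocket-Protocol
// so downstream handlers only see the remaining subprotocols (and never see or
// log the token). A non-websocket request, or one without a bearer entry,
// returns ok=false with no error so other authenticators can run.
func authenticateWebsocket(req *http.Request) (user string, ok bool, err error) {
	if !strings.EqualFold(req.Header.Get("Upgrade"), "websocket") {
		return "", false, nil
	}
	token, remaining, found, err := tokenFromSubprotocols(req.Header.Values("Sec-WebSocket-Protocol"))
	if err != nil {
		return "", false, err
	}
	if !found {
		return "", false, nil
	}
	user, ok = validTokens[token]
	if !ok {
		return "", false, errors.New("invalid bearer token")
	}
	req.Header.Set("Sec-WebSocket-Protocol", strings.Join(remaining, ", "))
	return user, true, nil
}

// sampleRequest reproduces the headers from the PR description (constructed input).
func sampleRequest() *http.Request {
	req, _ := http.NewRequest("GET", "https://example.invalid/api/v1/namespaces/myns/pods/mypod/logs?follow=true", nil)
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Sec-WebSocket-Protocol", encodeBearerSubprotocol("mytoken")+", base64.binary.k8s.io")
	return req
}

func main() {
	req := sampleRequest()
	user, ok, err := authenticateWebsocket(req)
	fmt.Printf("user=%q ok=%v err=%v forwarded=%q\n", user, ok, err, req.Header.Get("Sec-WebSocket-Protocol"))
}
```

Two points worth noting from the design: the decoder uses `base64.RawURLEncoding`, so a client that sends a padded value (`bXl0b2tlbg==`) is rejected rather than silently accepted, which matches the "without padding" rule in the PR description; and the token is removed from the header before the request moves on, so nothing further down the handler chain (including request logging) sees the credential.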

This directory is the staging area for packages that have been split to their own repository. The content here will be periodically published to respective top-level k8s.io repositories.

Most code in the staging/ directory is authoritative, i.e. it is the only copy of the code, and you can modify it directly. However, the packages in staging/src/k8s.io/client-go/pkg are copied from pkg/. If you modify the original code in pkg/, you need to run hack/godep-restore.sh from the k8s root directory, followed by hack/update-staging-client-go.sh. We are working towards making all code in staging/ authoritative.

The vendor/k8s.io directory contains symlinks pointing to this staging area, so to use a package in the staging area, you can import it as k8s.io/<package-name>, as if the package were vendored. Packages will be vendored from k8s.io/<package-name> for real after the test matrix is converted to vendor k8s components.