Merge pull request #47740 from liggitt/websocket-protocol
Automatic merge from submit-queue
Add token authentication method for websocket browser clients
Closes #47967
Browser clients do not have the ability to set an `Authorization` header programatically on websocket requests. All they have control over is the URL and the websocket subprotocols sent (see https://developer.mozilla.org/en-US/docs/Web/API/WebSocket)
This PR adds support for specifying a bearer token via a websocket subprotocol, with the format `base64url.bearer.authorization.k8s.io.<encoded-token>`
1. The client must specify at least one other subprotocol, since the server must echo a selected subprotocol back
2. `<encoded-token>` is `base64url-without-padding(token)`
This enables web consoles to use websocket-based APIs (like watch, exec, logs, etc) using bearer token authentication.
For example, to authenticate with the bearer token `mytoken`, the client could do:
```js
var ws = new WebSocket(
"wss://<server>/api/v1/namespaces/myns/pods/mypod/logs?follow=true",
[
"base64url.bearer.authorization.k8s.io.bXl0b2tlbg",
"base64.binary.k8s.io"
]
);
```
This results in the following headers:
```
Sec-WebSocket-Protocol: base64url.bearer.authorization.k8s.io.bXl0b2tlbg, base64.binary.k8s.io
```
Which this authenticator would recognize as the token `mytoken`, and if authentication succeeded, hand off to the rest of the API server with the headers
```
Sec-WebSocket-Protocol: base64.binary.k8s.io
```
Base64-encoding the token is required, since bearer tokens can contain characters a websocket protocol may not (`/` and `=`)
```release-note
Websocket requests may now authenticate to the API server by passing a bearer token in a websocket subprotocol of the form `base64url.bearer.authorization.k8s.io.<base64url-encoded-bearer-token>`
```
Showing
Please
register
or
sign in
to comment