Add Authentication Metadata Extension

[rwinch]

Fixes gh-272

[spencergibb]

Password Length?

[linux-china]

How about tagging for username and password? https://github.com/rsocket/rsocket/blob/master/Extensions/Routing.md . The first tag is user name, and the second is password?

[rwinch]

Password Length?

Isn't that just the remaining bytes?

[rwinch]

How about tagging for username and password? /Extensions/Routing.md@master . The first tag is user name, and the second is password?

I don't know that tags really make sense here.

First, the description you linked to seems like the tags are used for routing. Credentials (at least primary use) is not for routing. Perhaps routing is just one use of tags? If so, can you point me to where I can learn about general tags vs just in the context of routing?

Second, I don't know that tags really make sense for credentials. The username and password belong together and don't really make sense as separate entities.

Finally, I believe that something as widely used as credentials should likely have first class support.

[OlegDokuka]

@rwinch, I'm thinking will not be it simpler to having something similar to what there is in HTTP, e.g having a type of auth as a part of metadata, which limits the number of possible metadata types to a minimum and does not require further extending to the extension.

for example:

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Auth ID/Length |         Auth Type                            ...
    +---------------+-----------------------------------------------+
	|   					Encoded Credentials					   ...
    +---------------------------------------------------------------+

where Auth ID could be additionally listed (as for WellKnown MimeTypes) or it could be any Auth Type encoded as a string.

Then, it leads to a single additional MimeType for Auth, like message/x.rsocket.authentication.v0 which simplify the further extension of the spect

Then, for Basic, it could be Base64 encoded colons separated content/string where for Bearer it would be just a token.

Just my thoughts on the topic. Feel free to ignore it :D

[OlegDokuka]

Hey, @rwinch @spencergibb

Do you have any updates?

Regards,
Oleh

[rwinch]

@OlegDokuka and I spoke about the changes offline. The goal is to avoid having a metadata extension for each type of authentication. However, I believe we should avoid using constructs that work around limitations in HTTP (i.e. base64(username:password) in RSocket.

We have defined something similar to Composite Metadata Extension. However, it is specific to Authentication. This allows for custom encoding of the credentials without the need for a custom mime type.

I have pushed the changes for review.

[OlegDokuka]

Yeah! I like it!

[OlegDokuka]

@linux-china @spencergibb @rdegnan @robertroeser @nebhale @stevegury, @yschimke folks, do you have any comments/objections?

[yschimke]

No strong objections. Happy for those using it to prove it in v0 and burn a version if there are mistakes.

General concerns: doesn’t cover challenges from HTTP and not sure the optimisation is worth having to invent our own non standard encodings.

[stevegury]

Ditto, no strong objections.

[stevegury]

It's not clear which bit value does what.
Maybe we should be more explicit, i.e. 0 means Auth Length, 1 means Auth Id.

[rwinch]

@stevegury Thanks for the feedback. I tried to follow the conventions I found in the existing specs. The clarification is on the next line just as it is done in Composite Metadata:

If A flag is set, indicates a [Well-known Auth Type ID][wk]. If A flag is not set, indicates the Authentication Type Length in bytes.

I pushed a fix in de71eaa I kept the commit separate, so it was easier to see the changes. I can clean up the commits later if desired.

If we decide to stick with these changes, I'd suggest we also update Composite Metadata.

[rwinch]

@yschimke

doesn’t cover challenges from HTTP

I'm sorry. I don't understand. Can you please expand on what you mean by this?

not sure the optimisation is worth having to invent our own non standard encodings.

How would you encode it then?

The way a username/password is encoded when using HTTP are based on context. HTTP Basic is base64 encoded because it makes sense for HTTP headers. When a username/password is passed in the body of the request as form parameters (I'd argue this is the most common way username/password is submitted with HTTP), they are URL encoded because that is what makes sense for a form submission. If credentials are submitted as JSON, then they are encoded yet another way.

In short, the way a username/password is encoded when using HTTP is based upon the context. In the same manner, when using RSocket a username/password should be encoded in a way that makes sense for RSocket.

[linux-china]

Agree. Now we use custom metadata type for JWT, and it should be a standard for authentication metadata.

[yschimke]

I'm sorry. I don't understand. Can you please expand on what you mean by this?

This spec is obviously inspired by existing HTTP standards but doesn't consider the full flow of challenge response.

Instead its focus on prior knowledge usage.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

[yschimke]

In short, the way a username/password is encoded when using HTTP is based upon the context.

That's not true for basic auth. There is a spec for basic auth including an encoding.

https://en.m.wikipedia.org/wiki/Basic_access_authentication

Maybe just rename it to username and password instead of basic.

[yschimke]

Why is payload listed here? Payload doesn't start a stream (interaction?) or connection.

Do we talk about interactions elsewhere?

[OlegDokuka]

Looks like it is a common part of every extension definition -> for instance https://github.com/rsocket/rsocket/blob/master/Extensions/Routing.md#metadata-payload

[rwinch]

@yschimke You are right that we should not list PAYLOAD here because it is not a start of a stream or connection. I pushed fa1a80b to address this.

I kept the commit separate, so it was easier to see the changes. I can clean up the commits later if desired.

[rwinch]

This spec is obviously inspired by existing HTTP standards but doesn't consider the full flow of challenge response.

Are you pointing out that RSocket does not define how to request a user provide credentials? If so, I agree.

@OlegDokuka and I discussed this offline and I believe he was planning on adding a separate ticket to discuss how to handle errors for authentication required, invalid authentication, and not authorized.

I personally felt that including credentials and credential error handling would be separate specifications that eventually link to one another. This would allow for reusing the error handling when including the credentials in a different way. If we want to combine this into a single specification or flushing that out before we proceed here, I'd be open to discussing that. Just let me know.

That's not true at all for basic auth. There is a spec for basic auth including an encoding.

HTTP Basic Auth defines an encoding, but it also defines the context - an HTTP header field. Username/password included in a form post, JSON, etc do not use the same encoding as HTTP Basic Auth because they are not included in the header. Instead, they use the appropriate encoding for their contexts. Just as a form submission does not use HTTP basic encoding, RSocket should use an encoding that makes sense for the context of metadata.

Maybe just rename it to username and password instead of basic.

I agree the name basic is not a good choice due to the fact that many will confuse it with HTTP Basic. My hope is that this is differentiated by HTTP Basic Auth vs RSocket basic, but this is still not as clear as I'd prefer.

I'm personally not a fan of username and password as it seems pretty verbose. Perhaps I am alone with this though. Perhaps we could use simple? If anyone has thoughts on naming, I'd like to hear it.

[OlegDokuka]

@OlegDokuka and I discussed this offline and I believe he was planning on adding a separate ticket to discuss how to handle errors for authentication required, invalid authentication, and not authorized.

yes, I’m planning to rise another ticket for that

I'm personally not a fan of username and password as it seems pretty verbose. Perhaps I am alone with this though. Perhaps we could use simple? If anyone has thoughts on naming, I'd like to hear it.

Yeah, I like simple for that purpose

[rwinch]

Yeah, I like simple for that purpose

I pushed a change for this 732ad71 I kept the commit separate, so it was easier to see the changes. I can clean up the commits later if desired.

[yschimke]

To be clear. No intention from me to block forward progress. Just feedback to consider. Happy to ship this. Usage trumps drive by opinions :)