how do you currently use authentication with json-rpc, or how would you
like to use it?
in my opinion, authentication normally consists of 3 parts:
1. login / create an auth-token
2. "authenticated" communication
3. logout / invalidate the auth-token
(1) and (3) can be done by using a simple json-rpc-method (e.g. 2
functions called "login" and "logout"), maybe in addition to timeouts
etc.
so, the main question is: where to put the authentication-token in (2)?
I can think of several ways:
a) authentication on function-level:
add an auth-token as e.g. 1st parameter to every function, like
proxy.myfunc(auth, parameter1, parameter2, ...)
this works great, especially if the functions need to know who called
them for a more detailed rights-management.
b) authentication on json-rpc-level:
add an (optional) field directly to json-rpc (this would be a json-rpc
extension), like:
'{"jsonrpc": "2.0", "method": "foo", "params": ..., "id": 1, "auth": "..."}'
I think that something like this would be quite useful.
c) authentication on transport-level:
e.g. BasicAuth with HTTP, but this only works if the transport
supports some authentication-scheme, and so it of course does
not work e.g. with pure socket-communication.
what do you think?
should we define an (optional) "authentication-field" for json-rpc?
regards,
Roland
hi,
how do you currently use authentication with json-rpc, or how would you
like to use it?
> I would do it at the Transport-Level, using Basic Auth
but basic auth only works for http.
> or TLS for HTTP and TLS for TCP.
no, that doesn't work. you can't use TLS for (user-)authentication or
session-management. TLS-authentication is based on certificates, and you
can't replace logins/sessionids/etc. with certificates.
so, "doing it on the transport-level" doesn't work for "pure" TCP.
regards,
Roland
> If we truly feel that JSON-RPC simply must work on some transports
> (real, used transports, theorizing about possible ones isn't helpful)
> that can't provide authentication,
yes, JSON-RPC must work on transports which don't provide
authentication, e.g. unix domain sockets or TCP sockets.
and yes, they are really used.
regards,
Roland
> If the
> general consensus is that 'C' (or 'C'-like mechanisms) will always
> work for real transports, then 'B' really wouldn't be needed.
no, 'C' doesn't work on e.g. TCP.
> My feeling is still that 'A' is kind of ugly and muddies the concepts.
that depends.
sometimes, 'A' can be quite useful and clean, e.g. if the called
functions need to know who called them. the functions then anyway
need some kind of user/role/auth-parameter, and then it's probably
the cleanest way to use 'A', since that doesn't change the syntax
of these functions. I'm currently using this, and it works great.
(but in other cases, using 'A' may be cumbersome, and that was
reason why I asked for 'B'.)
regards,
Roland