Hi Tobias,

No problem. Thanks for getting to this. In the meantime, I have been
experimenting with how to add OTP functionality in a minimally
invasive way. Here are my ideas so far:

1. By agreement, both the server and the client use
pbkdf2(original_hash, otp) as the new password hash. This is a
horrible hack; however, it requires no changes to the current
infrastructure.

2. Piggyback the OTP inside the WAMP-CRA authentication using the
'extra' field. This is not very elegant, but would be the easiest to
implement router side. It would require the client to return something
like types.Signature(signature, otp) from onChallenge. This would be
serialized to message.Authenticate(signature, otp), sent across the
wire, and made available to the authenticator. This would be backwards
compatible with the current onChallenge API provided the return type
is checked.

3. Allow several authentication-challenge steps. I think this is the
ideal solution, but it is more difficult to implement. When the router
receives HELLO, it sends out several challenges. It would send out a
WAMP-CRA challenge, and an OTP challenge, for example. These can be
distinguished by having an 'authmethod' field set inside 'extra'. The
client would respond to both challenges preserving the 'authmethod'
part of 'extra'. The router would then collect the responses, decide
on an authrole and authid, and welcome or deny the client. You can
even allow elaborate chains (sort of like PAM) where one
authentication method may be sufficient (cookie or ticket), or another
may be required (IP filter).

Looking forward to hearing from you.

-Yury
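
An added sketch of idea 1 above, not code from the original message or from Autobahn: both sides derive the WAMP-CRA key as pbkdf2(original_hash, otp), so a signature only verifies while the OTP is current. Assumptions: the OTP is an RFC 6238 TOTP used as the PBKDF2 salt, the router tolerates one time step of clock skew, and the function names, iteration count and key length are hypothetical.

```python
import base64, hashlib, hmac, struct

ITERATIONS = 1000   # assumption: PBKDF2 parameters agreed by both sides
KEYLEN = 32

def totp(seed: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), used here as the OTP source."""
    counter = struct.pack(">Q", int(now // step))
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def otp_bound_key(original_hash: bytes, otp: str) -> bytes:
    """pbkdf2(original_hash, otp): stored hash as password, OTP as salt."""
    dk = hashlib.pbkdf2_hmac("sha256", original_hash, otp.encode(),
                             ITERATIONS, KEYLEN)
    return base64.b64encode(dk)  # base64 form, as WAMP-CRA salted keys use

def sign(key: bytes, challenge: bytes) -> bytes:
    """WAMP-CRA signature: base64(HMAC-SHA256(key, challenge))."""
    return base64.b64encode(hmac.new(key, challenge, hashlib.sha256).digest())

def router_verify(original_hash, seed, challenge, signature, now,
                  skew=1, step=30) -> bool:
    """Router side: try the key for every OTP inside the skew window."""
    for drift in range(-skew, skew + 1):
        otp = totp(seed, now + drift * step, step)
        expected = sign(otp_bound_key(original_hash, otp), challenge)
        if hmac.compare_digest(expected, signature):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    stored_hash = b"constructed-salted-password-hash"
    seed = b"constructed-otp-seed"
    challenge = b'{"nonce": "constructed", "authid": "yury"}'
    t = 1_000_000
    sig = sign(otp_bound_key(stored_hash, totp(seed, t)), challenge)
    print("current OTP accepted:", router_verify(stored_hash, seed, challenge, sig, t))
    print("stale OTP accepted:  ", router_verify(stored_hash, seed, challenge, sig, t + 300))
```

Because the OTP only changes the key, the router must hold both the original hash and the OTP seed, and a captured signature stays replayable against the same challenge for as long as the skew window allows.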