I want to use websocket to access Kubernetes API, and so it is more convenient to send token like wss://example.com" + url + "&access_token=blahblahblah. The official API doc sends token in header. Where can I find such a token and send it with url?
What I want to do is to exec pods via a web page through websocket:
Container-Terminal via Websocket
Support exec and pod logging over WebSockets
Bearer token authentication in the URL is not supported in Kubernetes currently, only as an Authorization header.
After searching over the Internet and reading many discussion on Kubernetes, I post my own answer about accessing kubernetes API with password in url, not header:
wss://username:myPassword#Address.To.Kubernetes/api/v1/namespaces/default/pods/YourPodName/exec?stdout=1&stdin=1&stderr=1&tty=1&command=%2Fbin%2Fsh
The username and password is in ~/.kube/config
Welcome answers for sending bearer token.
There is currently no way to send Authorization headers using native javascript WebSockets.
All third-party websocket libraries depend on the in-browser WebSocket class, which currently does not support custom headers. I tried a bunch of different libraries, but no luck :(
See Stack Overflow thread here: https://stackoverflow.com/a/4361358
The reason that this is not implemented is that Chromium/Chrome implementors are opposed to it. See the full discussion here: https://github.com/whatwg/websockets/issues/16#issuecomment-332065542
My workaround
Currently I'm working around this by using the #kubernetes/client-node in NodeJS to open a WebSocket connection.
The ws WebSocket library in NodeJS does support Authorization headers.
Then forwarding the NodeJS WebSocket messages to the front-end using Socket.io: https://stackoverflow.com/a/62547135.
Related
I`m wondering if it is possible to implement following:
I have some service in GO (used for Firebase Cloud Messaging) it uses go package from firebase (firebase.google.com/go/v4) to send messages. This packge sends https requests. And One of them is to https://oauth2.googleapis.com/token to get token.
I can't change code in Firebase go-package, but I need to use proxy, that is why before sending message I need to set HTTPS_PROXY environment variable to my proxy address. It works fine.
Now I need to do some automatic tests and I have an emulator that has /token endpoint and return a valid token as response. Is it possible to use some kind of proxy that can redirect https requests to my emulators endpoint so that all requests to https://oauth2.googleapis.com/token should be redirected to my emulators endpoint /token?
And another question is there are any possible problems because of HTTPS ?
Is it possible to get rid of https and use only http after the proxy?
Found following solution:
Firebase Cloud Messaging package uses clone default transport to create http.client under the hood.
So we can configure http.DefaultTransport before calling app.Messaging(ctx) and set up any parameters we need (proxy, insecureSkipVerify ...).
So no problems at all.
I am working on an Elixir Phoenix web project where I want to interact with Google's Indexing API.
Google uses OAuth2 to authenticate api requests and actually has a decent documentation on this.
But it only explains the process using one of the supported libraries in Python, Java, PHP or JS.
I would like to make the HTTP requests by myself to retrieve that access token. But the request format (including headers or parameters) is nowhere documented and I cannot even figure out from the libraries' source code.
I have tried requesting https://accounts.google.com/o/oauth2/token (also other eligible URLs) in Postman with the "OAuth 2.0" request type.
But it was all just guessing and trying. All the research did not help.
There are useful instructions including HTTP/Rest examples at Using OAuth 2.0 for Web Server Applications. Each step has the individual parameters fully documented. Here are some useful excerpts.
Send user to Google's OAuth 2.0 server. Example URL:
https://accounts.google.com/o/oauth2/v2/auth?
scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.metadata.readonly&
access_type=offline&
include_granted_scopes=true&
state=state_parameter_passthrough_value&
redirect_uri=http%3A%2F%2Foauth2.example.com%2Fcallback&
response_type=code&
client_id=client_id
Retreive authorization code (your domain). Example:
https://oauth2.example.com/auth?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7
Request access token. Example:
POST /oauth2/v4/token HTTP/1.1
Host: www.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=your_client_id&
client_secret=your_client_secret&
redirect_uri=https://oauth2.example.com/code&
grant_type=authorization_code
Use API. Example:
GET /drive/v2/files HTTP/1.1
Authorization: Bearer <access_token>
Host: www.googleapis.com/
I am trying to figure out what the best way is to pass an oauth bearer token to a websocket endpoint.
This SO answer suggests to send the token in the URL,
however this approach has all the drawbacks of authenticating via the URL. Security implications discussed here
Thus i was wondering what would be the drawbacks to use the subprotocols to pass the token to the server ? i.e. instead of treating the requested subprotocols as a list of constants. Send at least one subprotocol that follows a syntax like for example: authorization-bearer-<token>
The token would end up in a request header.
The server while processing the subprotocols would be able to find and treat the token easily with a bit of custom code.
Since passing subprotocols should be supported by a lot of websocket implementations, this should work for a lot of clients.
This worked for me, I used this WebSocket client library.
You need to send OAUTH token via the Websocket Header, Below is the code, hope this is helpful.
ws = factory.createSocket("wss://yourcompleteendpointURL/");
ws.addHeader("Authorization", "Bearer <yourOAUTHtoken>");
ws.addHeader("Upgrade", "websocket");
ws.addHeader("Connection", "Upgrade");
ws.addHeader("Host", "<YourhostURLasabovegiveupto.com>");
ws.addHeader("Sec-WebSocket-Key", "<Somerandomkey>");
ws.addHeader("Sec-WebSocket-Version", "13");
ws.connect();
I want to do place on server application which can be called by Go APP and Java app both.
for some reason ,there's a cookie authentication and oAuth mechanism ,so I want to set one Go app as Auth Micro-service for the authentication purpose.
As GRPC is built on the HTTP2 ,so The headers and cookies are on the protocol.but I did not find out how to carry on header and cookie when the rpc occurs,implemented by Go, on GitHub I only found the JAVA-Implementation for headers at :
https://github.com/grpc/grpc-java/tree/master/examples/src/main/java/io/grpc/examples/header
Can anybody give me some direction of Go implementation for this purpose?
Headers in gRPC are called "Metadata." Clients can only send "headers". Servers can send both "headers" and "trailers."
You want to:
Use the google.golang.org/grpc/metadata package and metadata.NewContext() to send metadata from the client-side.
Use grpc.SendHeader() and grpc.SetTrailer() to send metadata from the server-side.
Use the grpc.Header() and grpc.Trailer() CallOptions for receiving the Metadata on the client-side.
Use metadata.FromContext() for receiving metadata on the server-side.
Building an app using a calendar on a Google Apps domain that has SSL enforced domain-wide. I initially found the problem when building a Rails app using the GCal4Ruby library, which used the allcalendars feed URL with a non-SSL protocol (GCal4Ruby debug output snippet [sic]):
…
url = http://www.google.com/calendar/feeds/default/allcalendars/full
Starting post
Header: AuthorizationGoogleLogin auth=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxGData-Version2.1
Redirect recieved, resending get to https://www.google.com/calendar/feeds/default/allcalendars/full?gsessionid=xxxxxxxxxxxxxxxxxxxxxx
Redirect recieved, resending get to https://www.google.com/calendar/feeds/default/allcalendars/full?gsessionid=xxxxxxxxxxxxxxxxxxxxxx
Redirect recieved, resending get to https://www.google.com/calendar/feeds/default/allcalendars/full?gsessionid=xxxxxxxxxxxxxxxxxxxxxx
…
This was interesting because it seemed to continue forever. I think I've fixed this in GCal4Ruby locally by creating the ability to use the allcalendars feed with the HTTPS protocol (i.e: https://www.google.com/calendar/feeds/default/allcalendars/full).
The thing that worries me is that I see no mention of the allcalendars feed needing to specify the HTTPS protocol in the Google documentation. That, and the fact that when I access the same domain using the Zend GData library in PHP, it works fine accessing the non-SSL private feed (i.e. http://www.google.com/calendar/feeds/r-calendar.com_xxxxxxxxxxxxxxxxxxxxxxxxxxx%40group.calendar.google.com/private/full).
So, the question: What am I misunderstanding? Is it just the allcalendars feed that needs to be accessed with SSL and the rest of the private feeds can safely use the authentication token?
Anyone have any insight, or pointers to some good docs?
So, it looks like perhaps redirect to the normal URL is normal for authentication, but that the library is not handling the redirect correctly because of some differences between the way Google Apps and Accounts work on the backend. This is in contrast to the Zend library, which seems to handle this more robustly. That's my current guess, anyway.