[winswitch] HTML5 authentication

Antoine Martin antoine at nagafix.co.uk
Sat Dec 31 04:31:41 GMT 2016


On 31/12/16 02:17, Mukul Agrawal wrote:
> Thanks Antoine!
> I am just starting to look into this aspect and trying to understand
> what the risks are.
> I understand that risks are very use case dependent. So please excuse me
> for vague question.
> 
> Do you think that once I setup TLS transport for the HTML5 client, it
> will make client reasonably secured against most common security concerns?
TLS can be quite complicated and the handling within websockets varies
with each browser.
That said, the URL which contains the authentication tokens is
* safe from sniffing: not sent in the clear
* safe from referers: there aren't any external links
but the tokens may still show in your browser's history cache.

> If I plan to take up a project for myself, would it be super hard to try
> to integrate the HTML5 client with some sort of single-sign-on using
> Auth0 or something similar?
Looks reasonably easy to implement at first glance.
You will need to define a new authentication module for the server and
modify the HTML5 connect page.

> Do you have any recommendations or thoughts?
Make sure that the library you choose for implementing single-sign-on
does not hide the complexity behind generic interfaces.
SSO has a number of security issues associated with it.

Cheers
Antoine


> 
> Regards,
> Mukul
> 
> On Thursday, December 29, 2016 8:29 PM, Antoine Martin via shifter-users
> <shifter-users at lists.devloop.org.uk> wrote:
> 
> On 24/12/16 04:47, Mukul Agrawal via shifter-users wrote:
>> Do you have some documentation/link that provides some insight on the
>> authentication being used with the HTML5 client?
> The (optional) authentication credentials are sent in the http request.
> Those are processed by the HTML5 client javascript code.
> 
>> Is there any cookie, token or session ID included in communication
>> with the XPRA server?
> No.
> The HTML5 client only uses a single websocket connection to the server.
> 
>> Does the server check for state or session existence on every request?
> There are no HTTP requests after downloading the HTML5 client.
> 
>> Does an authenticated session expire?
> What "session"? (as per above, there is no HTTP session)
> The HTML5 websocket connection to the xpra server does not expire.
> 
> Cheers
> Antoine
> 
>>
>> Regards,
>> Mukul
>>
>> On Sunday, December 11, 2016 4:14 AM, Antoine Martin via
>> shifter-users <shifter-users at lists.devloop.org.uk> wrote:
>>
>> On 11/12/16 07:43, Philip Loewen via shifter-users wrote:
>>> Thanks for Xpra, excellent software. I use it on both Ubuntu and CentOS.
>>> Right now only CentOS is willing to upgrade to version 1.0.
>>>
>>> I see deb files named xpra_1.0... in
>>>  xpra.org/dists/yakkety/main/binary-amd64,
>>> but in the corresponding directory for xenial the latest is xpra_17.6.
>> Thanks for reminding me, I had forgotten to push those. Done now.
>>
>>> Is there some easy way to upgrade Xpra on my xenial systems?
>> apt-get update && apt-get upgrade
>> Should work this time.
>>
>> Cheers
>> Antoine
>>
>>>
>>> Thanks, Philip
>>>
>>>
>>> _______________________________________________
>>> shifter-users mailing list
>>> shifter-users at lists.devloop.org.uk
> <mailto:shifter-users at lists.devloop.org.uk>
>>> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
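Antoine's point above is that with TLS the token-bearing URL is protected in transit, but the token still lands in the browser's history. One client-side mitigation for that residual risk, given here as an added example that is not xpra's own code, is to pull the credentials out of the page URL once at load time and then rewrite the address bar with `history.replaceState`, so the current history entry no longer carries them. The parameter names `token` and `password`, the function names, and the sample URL in the test are constructed for this example; the real xpra HTML5 client's parameter names are not taken from the page.

```javascript
// Added example, not part of the xpra project: read authentication
// material out of the page URL at load time and then scrub it from the
// address bar, so it does not remain in the browser history after the
// websocket session has been opened. Parameter names and the sample
// URL used in the test are constructed for this example.
const SENSITIVE_PARAMS = ["token", "password"];

// Remove sensitive parameters from a URLSearchParams in place and return
// the values found, keyed by parameter name.
function pullSecrets(params) {
  const found = {};
  for (const name of SENSITIVE_PARAMS) {
    const value = params.get(name);
    if (value !== null) {
      found[name] = value;
      params.delete(name);
    }
  }
  return found;
}

// Pure function: given the page URL, return the secrets it carried and a
// copy of the URL with those parameters removed from both the query string
// (which the browser sends to the HTTP server) and the fragment (which
// never leaves the browser but is still recorded in history).
function extractAndScrub(urlString) {
  const url = new URL(urlString);
  const secrets = pullSecrets(url.searchParams);

  if (url.hash.length > 1) {
    const fragParams = new URLSearchParams(url.hash.slice(1));
    // a fragment value overrides a query value of the same name
    Object.assign(secrets, pullSecrets(fragParams));
    const rest = fragParams.toString();
    url.hash = rest ? "#" + rest : "";
  }
  return { secrets, cleanUrl: url.toString() };
}

// Browser entry point: call once on page load, before the websocket
// connection is opened. Returns the secrets for the connect code to use,
// or null when not running in a browser (no window/history available).
function scrubAddressBar() {
  if (typeof window === "undefined" || !window.history ||
      typeof window.history.replaceState !== "function") {
    return null;
  }
  const { secrets, cleanUrl } = extractAndScrub(window.location.href);
  // replaceState rewrites the current history entry instead of adding one,
  // so the token-bearing URL is not kept in the back/forward list.
  window.history.replaceState(window.history.state, "", cleanUrl);
  return secrets;
}
```

Call `scrubAddressBar()` before the connect code opens the websocket and keep the returned values in script memory only. Note what this does and does not cover: it stops the credentials from persisting in the history entry and from being copied along with the page URL, but anything in the query string has already been sent to the HTTP server when the page was fetched, so it may still appear in server-side access logs; values placed in the fragment (`#token=...`) are never transmitted by the browser at all.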