Managing authorization for a specific use-case

Creating a topic for this since it’s kind of specific and I don’t know how to search for it.

We have a backend server in Java (specifically Play Framework) which handles everything for our program, except a websocket server that is handled by Phoenix. I need to keep the WS service as dependency-free and decoupled as I can, so I don’t have access to the database nor plan to create one for that service. This means that I need to ask the Java backend for authorization when connecting to the socket connection. From what I’ve read, JWT could be used here since it’d be used once (to connect) and then it can be discarded.

How would I practically implement this? As in which server would generate the JWTs and which one would validate? I feel like I’m missing something here…

I would suggest something like open id connect or oauth instead of building a custom solution here.


Seems to me like a good use case for use of JWT. OpenID Connect is more suited for web-portal to web-portal SSO, but not much for websocket authentication.

The architecture would be quite simple:

  • User authentication happens on your Java service as of today, probably using an authentication cookie
  • On your Java service, you have one new REST web service that takes an authenticated session as the input (for instance using the cookie) and returns a signed JWT. If your cookie is HTTPOnly, you probably can’t use an AJAX WS and therefore probably need to find another trick to get the JWT
  • This JWT is sent upon initialization of the web socket
  • The JWT is verified by Phoenix (somewhere in lib/your_app_web/channels/user_socket.ex) and additional attributes (such as user id) are assigned to the socket at this point. By verifying, I mean:
    • verifying the JWT’s signature (using the JOSE library for instance)
    • verifying the audience of the JWT is the web socket service, and verifying the issuer is the java service
    • verifying the JWT is not expired
    • optionally, verifying the JWT was not reused using the jti attribute (which is a unique ID)
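To make the verification step above concrete, here is an added example of what the Phoenix side could look like (this is illustrative code written for this thread, not from any of the posters or from the JOSE/Phoenix projects). It assumes the Java service signs with HS256 using a shared secret stored under the config key `:ws_jwt_secret`, that the `iss`/`aud` values are `"java-backend"`/`"ws-service"`, that the token is passed as the `token` socket param, and that a public named ETS table `:seen_jti` is created at application start for replay detection; all of those names are assumptions.

```elixir
defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  channel "room:*", MyAppWeb.RoomChannel

  # Values the Java service and this socket must agree on (assumed names).
  @issuer "java-backend"
  @audience "ws-service"
  # Pin the accepted algorithms so an attacker-chosen "alg" header is rejected.
  @allowed_algs ["HS256"]

  # The browser connects with ws://host/socket?token=<jwt>; the JWT is used
  # once here and is never needed again for the lifetime of the socket.
  @impl true
  def connect(%{"token" => token}, socket, _connect_info) do
    with {:ok, claims} <- verify_token(token),
         :ok <- check_not_replayed(claims["jti"], claims["exp"]) do
      {:ok, assign(socket, :user_id, claims["sub"])}
    else
      _reason -> :error
    end
  end

  def connect(_params, _socket, _connect_info), do: :error

  @impl true
  def id(socket), do: "user_socket:#{socket.assigns.user_id}"

  # 1. Signature check with JOSE, restricted to the algorithms we expect.
  defp verify_token(token) do
    jwk = JOSE.JWK.from_oct(secret())

    case JOSE.JWT.verify_strict(jwk, @allowed_algs, token) do
      {true, %JOSE.JWT{fields: claims}, _jws} -> validate_claims(claims)
      _ -> {:error, :bad_signature}
    end
  end

  # 2. Issuer, audience, expiry and subject checks on the verified claims.
  defp validate_claims(claims) do
    now = System.system_time(:second)

    cond do
      claims["iss"] != @issuer -> {:error, :bad_issuer}
      not audience_ok?(claims["aud"]) -> {:error, :bad_audience}
      not is_integer(claims["exp"]) or claims["exp"] <= now -> {:error, :expired}
      not is_binary(claims["sub"]) -> {:error, :missing_subject}
      true -> {:ok, claims}
    end
  end

  # "aud" may be a single string or a list of strings per the JWT spec.
  defp audience_ok?(aud) when is_binary(aud), do: aud == @audience
  defp audience_ok?(aud) when is_list(aud), do: @audience in aud
  defp audience_ok?(_), do: false

  # 3. Replay protection: remember each jti until it would have expired anyway.
  # Assumes :ets.new(:seen_jti, [:named_table, :public, :set]) ran at startup
  # and that a periodic sweeper deletes rows whose exp is in the past.
  defp check_not_replayed(nil, _exp), do: {:error, :missing_jti}

  defp check_not_replayed(jti, exp) do
    if :ets.insert_new(:seen_jti, {jti, exp}), do: :ok, else: {:error, :replayed}
  end

  defp secret, do: Application.fetch_env!(:my_app, :ws_jwt_secret)
end
```

Keeping the token lifetime short (a minute or two is enough for a connect handshake) limits how long a leaked token is useful, and the `jti` table only has to hold entries for that window. If the Java side signs with RS256/ES256 instead, swap `JOSE.JWK.from_oct/1` for the public-key loader and update `@allowed_algs` accordingly.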

I’m not sure that really applies here since it’s server-to-server authorization, basically. I want to use an existing library, though. Not looking to do something custom.

This was what I was picturing but couldn’t really map it out. Thank you!