Issue by jrudolph
_Wednesday Feb 11, 2015 at 13:59 GMT_
_Originally opened as https://github.com/akka/akka/issues/16857_
See spray/spray#1007 and the previous unmerged PR spray/spray#372.
/cc @sirthias
Comment by briantopping
_Friday Jun 05, 2015 at 18:43 GMT_
I've been poking at this a little. It seems like https://github.com/akka/akka/blob/f71dfbaeccf08f08b8fcef3d1cfd46c6875c26a9/akka-http-core/src/main/java/akka/http/javadsl/model/headers/HttpCredentials.java#L26-28 might be a good idea in some regards and a bad idea in others. For instance, what about OAuth1? 1a? JWT? Where does the list end? What happens when someone wants Kerberos? Does Akka rev for that?
Apologies if this sounds too direct. I think it would be great if HTTP supported all this good stuff, just not sure if it's possible (there's always another protocol) and then how to best manage it when there is another one. I'm becoming a bigger fan of kerberized services by the day -- there's always a low-intensity password attack going on against my IMAP services, for instance -- but the model is quite a bit different than other authentication schemes.
Comment by jrudolph
_Saturday Jun 06, 2015 at 06:57 GMT_
My current take is to keep functionality as much out of akka-http as possible but provide reasonable infrastructure to make third-party addons simple. Concretely, I would rather accept parsers/renderers for well-known and well-spec'd headers (a cookie anyone?) than potentially security relevant code implementing semantics for an authentication scheme that needs to be maintained inside of akka.
Comment by briantopping
_Saturday Jun 06, 2015 at 08:33 GMT_
That's more or less what I was thinking, I just wonder if it might make more sense to have per-pool or per-connection transform hooks that security providers could loop in through. So for instance, once a security provider was specified for a connection, all requests over that connection would automatically use that provider.
For their part, providers might insert stream elements to indicate their actions and otherwise abstract the low level details. In doing so, Akka can stay out of the business of "well known headers" (where does the toolkit draw the line?) and leave them as CustomHeader. The app, knowing that the provider is inserting events, can pattern match against them when it needs to know.
Thoughts?
Comment by briantopping
_Saturday Jun 06, 2015 at 10:04 GMT_
Hmm, http://doc.akka.io/docs/akka-stream-and-http-experimental/1.0-RC3/scala/stream-customize.html seems to indicate that a Stage can't generate multiple messages and I'm guessing it applies here. I do think it's a nice pattern though, that a configured provider (security or otherwise) can report context changes occurring in a pipeline by inserting messages in the stream like that.
Comment by drewhk
_Sunday Jun 07, 2015 at 09:25 GMT_
> seems to indicate that a Stage can't generate multiple messages and I'm guessing it applies here
This is not true; the "Duplicator" example shows how to generate multiple messages. Most of the built-in Akka combinators use stages; see: https://github.com/akka/akka/blob/release-2.3-dev/akka-stream/src/main/scala/akka/stream/impl/fusing/Ops.scala
Or you meant something different?
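A worked example of the design discussed above: a per-connection provider stage that attaches credentials to every request and emits an event element beside each transformed request, i.e. two outputs per input, as the Duplicator does. This is added example code, not from the akka project or any commenter; it assumes the Akka 2.6 / Akka HTTP 10.2 GraphStage API rather than the 2015 PushPullStage API, and the ProviderOut, Outgoing, CredentialsAttached and BearerTokenProvider names are hypothetical.

```scala
import akka.actor.ActorSystem
import akka.http.scaladsl.model.HttpRequest
import akka.http.scaladsl.model.headers.{Authorization, OAuth2BearerToken}
import akka.stream.{Attributes, FlowShape, Inlet, Outlet}
import akka.stream.scaladsl.{Flow, Sink, Source}
import akka.stream.stage.{GraphStage, GraphStageLogic, InHandler, OutHandler}

// Elements the provider emits downstream (hypothetical names): the transformed
// request plus an event the application can pattern-match on.
sealed trait ProviderOut
final case class Outgoing(request: HttpRequest) extends ProviderOut
final case class CredentialsAttached(scheme: String, uri: String) extends ProviderOut

// Per-connection hook: every request through this stage gets the provider's
// credentials, and an event is emitted alongside it (two elements per input).
final class BearerTokenProvider(token: String) extends GraphStage[FlowShape[HttpRequest, ProviderOut]] {
  val in: Inlet[HttpRequest] = Inlet("BearerTokenProvider.in")
  val out: Outlet[ProviderOut] = Outlet("BearerTokenProvider.out")
  override val shape: FlowShape[HttpRequest, ProviderOut] = FlowShape(in, out)

  override def createLogic(attrs: Attributes): GraphStageLogic = new GraphStageLogic(shape) {
    setHandler(in, new InHandler {
      override def onPush(): Unit = {
        val req = grab(in)
        // Drop any caller-supplied Authorization so the provider is authoritative.
        val authed = req.removeHeader(Authorization.name).addHeader(Authorization(OAuth2BearerToken(token)))
        // emitMultiple respects backpressure: the second element waits for the next pull.
        emitMultiple(out, List(CredentialsAttached("Bearer", req.uri.toString), Outgoing(authed)))
      }
    })
    setHandler(out, new OutHandler {
      override def onPull(): Unit = pull(in)
    })
  }
}

object ProviderDemo extends App {
  implicit val system: ActorSystem = ActorSystem("provider-demo")
  import system.dispatcher
  val provider = Flow.fromGraph(new BearerTokenProvider("constructed-demo-token"))
  // Constructed sample requests; nothing is sent over the network here.
  Source(List(HttpRequest(uri = "https://example.invalid/a"), HttpRequest(uri = "https://example.invalid/b")))
    .via(provider)
    .runWith(Sink.seq)
    .map { elems =>
      elems.foreach {
        case CredentialsAttached(scheme, uri) => println(s"event: $scheme credentials attached for $uri")
        case Outgoing(req) => println(s"request: ${req.uri} authorized=${req.header[Authorization].isDefined}")
      }
      system.terminate()
    }
}
```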
Comment by briantopping
_Sunday Jun 07, 2015 at 11:27 GMT_
Thanks for the correction, I got distracted with the warning at the top of the page.
Comment by ktoso
_Monday Apr 04, 2016 at 12:42 GMT_
Linked as stretch goal of high level client, help here is certainly welcome as we won't work on it for now.
Comment by briantopping
_Monday Apr 04, 2016 at 13:09 GMT_
I built a PushPull that does it, works great. I had hoped to clean it up and submit it, just forgot since there's now a project out that contains some of this. Maybe could be closed on account of that project?
Comment by ktoso
_Monday Apr 04, 2016 at 13:11 GMT_
Which project specifically? OAuth is one of the few things that a bit more built-in support would be good to have in Akka HTTP I think, as it's so "everywhere".
Comment by briantopping
_Monday Apr 04, 2016 at 13:14 GMT_
Yes agreed. It's 7am here, just lying in bed typing from phone. I'll look for it later and update accordingly. Maybe it makes sense to contribute what I have after all.