Hi,
I am trying to set up Flask-SocketIO for use in creating WebSocket sessions with mobile applications. I have had a lot of trouble figuring out the authentication part of this, as this is essential for the app. I have followed the Flask megatutorial as a general outline for my application and implemented a structure for API authentication using Bearer tokens. The authentication process works on my iOS app with the API.
What I am trying to do is figure out a way for the iOS app to submit a request to connect to a websocket with a token so that it can properly authenticate. I have spent hours reading and have not been able to find a solution on the Flask platform. On NodeJS or ASP.NET I have noticed it is possible to pass the token in as part of the wss:// URL. Is there a way for me to do token-based authentication with websockets for this purpose? I can't do session-based authentication all the time, which seems to be the only supported way of doing things.
interesting
On Fri, 5 Apr 2019, 00:35 Paul, notifications@github.com wrote:
This is really more a question for the Socket.IO client that you are using, I think. Socket.IO clients offer a couple of ways to pass authentication credentials when setting up a connection. The simplest form is to add your token to the query string. So for example, if your Socket.IO server is at `wss://example.com`, you can connect to `wss://example.com?token=TOKEN-HERE`. In your Flask-SocketIO connect handler you can use `request.args['token']` to retrieve the token and validate it.
An alternative that I prefer is to send the token in the same way API calls do, as a header. Some Socket.IO clients do not offer this option, but I believe the iOS one does. For example, you can add an `Authorization: Bearer TOKEN-HERE` custom header in your connection call, and then from the server you can use `request.headers['Authorization']` to retrieve it (you will then need to split the value on the space character, verify that the left component is `Bearer` and the right component is a valid token).
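As an added example (not code from this thread or from Flask-SocketIO itself), the following shows both options above on the server side: the token is read from the `Authorization` header first and, failing that, from the `?token=` query string, then checked against a token store before the connection is accepted. The `VALID_TOKENS` dictionary and the token value in it are constructed for the example; a real application would look the token up in its database the way the megatutorial's `User.check_token` does. Returning `False` from the connect handler is how Flask-SocketIO rejects a connection.

```python
import hmac
from typing import Mapping, Optional

# Constructed token store for the example: token -> user id.
# A real app would look the token up (and check its expiry) in the database.
VALID_TOKENS = {
    "abc123-constructed-token": "paul",
}


def token_from_request(args: Mapping[str, str], headers: Mapping[str, str]) -> Optional[str]:
    """Return the bearer token carried by a Socket.IO connection request.

    The Authorization header is preferred. If it is present but malformed
    (wrong scheme, no token part) we do NOT fall back to the query string,
    so a broken header cannot be silently replaced by a weaker channel.
    """
    auth = headers.get("Authorization")
    if auth is not None:
        parts = auth.strip().split(" ", 1)  # split on the space character
        if len(parts) == 2 and parts[0] == "Bearer" and parts[1].strip():
            return parts[1].strip()
        return None
    # Query-string form: wss://example.com?token=TOKEN-HERE
    return args.get("token") or None


def user_for_token(token: Optional[str]) -> Optional[str]:
    """Map a presented token to a user id, or None if it is unknown.

    compare_digest keeps the comparison constant-time with respect to the
    presented value, so an attacker cannot learn a token byte by byte.
    """
    if not token:
        return None
    presented = token.encode("utf-8")
    for known, user in VALID_TOKENS.items():
        if hmac.compare_digest(known.encode("utf-8"), presented):
            return user
    return None


def create_app():
    """Wire the check into a Flask-SocketIO connect handler.

    Imports are local so the helpers above can be used (and tested)
    without Flask-SocketIO installed.
    """
    from flask import Flask, request
    from flask_socketio import SocketIO

    app = Flask(__name__)
    socketio = SocketIO(app)

    @socketio.on("connect")
    def on_connect():
        token = token_from_request(request.args, request.headers)
        user = user_for_token(token)
        if user is None:
            # Returning False from the connect handler rejects the connection.
            return False
        # Store the authenticated identity for later event handlers.
        from flask import session
        session["user_id"] = user
        return True

    return app, socketio


if __name__ == "__main__":
    flask_app, sio = create_app()
    sio.run(flask_app)
```

A token placed in the query string tends to end up in server, proxy and load-balancer access logs, so where the client supports custom headers (as the answer notes the iOS client does) the header form is the better default, and tokens should be short-lived either way.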