Auth Library

Victor Dudochkin edited this page Jul 9, 2018 · 3 revisions

Router-side Authenticators

The wampire router implementation provides an authentication package that allows implementors to supply authenticator implementations.
Included in this package are a challenge-response authenticator and a ticket authenticator, which only need a KeyStore implementation for looking up authentication keys.

The authenticators have access to the HTTP request and tracking/auth cookies when these are enabled in the router configuration. This allows a router implementation to use cookie-based authentication, client tracking (generally for remembering previously authenticated clients), and information from websocket requests for making authentication decisions.

To enable the use of websocket request data and client tracking cookies, see the documentation for Cookie and Request Auth/Authz.

Authenticator Interface

By supplying an implementation of the Authenticator interface, any authentication logic can be defined for a router.

Wampire provides two implementations: CRAuthenticator for challenge-response authentication and TicketAuthenticator for ticket authentication.

CRAuthenticator

To implement a wampcra authenticator, the biggest part is to define a KeyStore.
Here is a simple example that holds key information for one user:

Then configure the router:

The new authenticator takes care of all the rest: it creates the challenge string, composes the CHALLENGE message and sends it to the client, gets the key from the KeyStore, computes HMAC-SHA256 over the challenge string with the user's key, and compares the computed signature to the signature sent in the challenge response.
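
The sequence above, written out as an added example (not wampire's own code). The keyStore map, the function names and the challenge string format are assumptions made for illustration, and only the unsalted case is covered, where the stored key is used directly as the HMAC key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// keyStore is a hypothetical in-memory stand-in for a KeyStore: authid -> key.
type keyStore map[string][]byte

// newChallenge builds a challenge string (constructed format) with a random
// nonce, so a signature captured from one session is useless for the next.
func newChallenge(authid string) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return fmt.Sprintf("authid=%s;nonce=%s", authid, hex.EncodeToString(nonce)), nil
}

// sign returns base64(HMAC-SHA256(key, challenge)); client and router both use it.
func sign(challenge string, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(challenge))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// verify recomputes the signature over the challenge the router itself issued
// and compares it to the client's value in constant time.
func verify(ks keyStore, authid, challenge, clientSig string) error {
	key, ok := ks[authid]
	if !ok {
		return errors.New("unknown authid")
	}
	if !hmac.Equal([]byte(sign(challenge, key)), []byte(clientSig)) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	ks := keyStore{"jdoe": []byte("constructed-sample-key")} // constructed sample data
	ch, _ := newChallenge("jdoe")
	fmt.Println("accepted:", verify(ks, "jdoe", ch, sign(ch, ks["jdoe"])) == nil)
}
```

The router must verify against the challenge it stored for the session, never one echoed back by the client; otherwise the nonce gives no replay protection.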

A ticket authenticator is basically the same, and can use the same KeyStore instance.
KeyStore.AuthKey() can inspect the authid and authmethod to determine which key to return, so the same method can return CR keys or tickets depending on authmethod.

Client-side Challenge-Response Authenticator

The wampire client library contains logic for working with challenge-response authentication.
This includes any challenge-response authentication, and is not limited to the particular implementation that is included with the router auth package.

To implement a wampire client that uses WAMP CR authentication, define a function that is called when a CHALLENGE is received:

The function crsign.RespondChallenge is used by clients to sign the challenge string contained in the CHALLENGE message using the given password.
This handles computing a derived key from the password using PBKDF2.

After defining the auth handler function, configure a client to use it:
