Services developed with RemoteViz can be used to display sensitive datasets, and you might want to limit access to those datasets to a specific list of users. To be sure that users are who they claim to be, you need an authentication process. This process can be very different depending on your environment, but it will normally use a token to prove the user's identity. Different platforms, for example Okta (https://www.okta.com/) and Auth0 (https://auth0.com/), provide authentication as a service and can be used as Authentication Providers for your application. You can also create a custom authentication service based on a protocol such as OAuth.
In a token-based authentication process, the client application first sends a request containing the user credentials to the Authentication Provider. The Authentication Provider returns a corresponding token if the credentials are valid. The client then sends this token to the service with each request. The service can use the token to validate the authenticity of the request.
RemoteViz is compatible with the WebSocket Secure protocol (wss), allowing you to securely send an authentication token from the client to the service. This token can then be used by the service to authenticate the user.
Please note that when using the non-secured WebSocket protocol (ws), the token might be intercepted by a third party when establishing the connection. It is mandatory to use the WebSocket Secure protocol.
JavaScript client:
theRenderArea.connectTo("wss://yourdomain.com/PrivateData?token="+token);
C++ client:
SoRef<SoRemoteVizClient> client = new SoRemoteVizClient();
client->ipAddress = "yourdomain.com";
client->port = 443;
client->enableSecureConnection( "public.crt", "private.key" );
const SbString parameters[2] = { "token", "my_jwt_token" };
client->connectionParameters.setValue( parameters );
client->connect = TRUE;
The service can then decide to either accept the token or refuse it based on your token provider API.
/* Returns true if the token can be decoded and validated. */
bool AuthenticatedServiceListener::accept(RemoteViz::Rendering::ConnectionParameters *parameters)
{
  const std::string token = parameters->getValue("token");
  return tokenapi::decodeAndValidate(token);
}

/* Triggered when a connection is pending and the requested renderArea doesn't exist. */
bool AuthenticatedServiceListener::onPendingCreateRenderArea(const std::string& renderAreaId, unsigned int& width, unsigned int& height, RemoteViz::Rendering::RenderAreaHardware* renderAreaHardware, RemoteViz::Rendering::Client* client, RemoteViz::Rendering::ConnectionParameters *parameters)
{
  return accept(parameters);
}

/* Triggered when a connection is pending and the requested renderArea exists. */
bool AuthenticatedServiceListener::onPendingShareRenderArea(RemoteViz::Rendering::RenderArea* renderArea, RemoteViz::Rendering::Client* client, RemoteViz::Rendering::ConnectionParameters *parameters)
{
  return accept(parameters);
}
If refused, the RenderArea will not be created or shared and the connection will be closed with the message REFUSED.
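The checks that the tokenapi::decodeAndValidate placeholder above has to perform, shown as an added example that is not RemoteViz or token-provider code. It is written for Node.js only to stay self-contained, and the same steps apply inside the C++ listener. It assumes an HS256-signed JWT, a shared secret, and an audience claim named after the render area; signToken exists only to build constructed sample tokens.

```javascript
// Added example: HS256 JWT validation standing in for the page's
// tokenapi::decodeAndValidate placeholder. Secret, audience and claims are assumptions.
const crypto = require("node:crypto");

const b64url = (text) => Buffer.from(text).toString("base64url");

// Hypothetical helper, used only to mint constructed sample tokens.
function signToken(payload, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Returns the claims if the token is authentic and current, otherwise null (fail closed).
function decodeAndValidate(token, secret, expectedAudience, nowSeconds = Math.floor(Date.now() / 1000)) {
  // A missing, empty or oversized connection parameter is a refusal.
  if (typeof token !== "string" || token.length === 0 || token.length > 4096) return null;
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
    // Pin the algorithm on the service side; never let the token choose it.
    if (header.alg !== "HS256") return null;
    const expected = crypto.createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
    const given = Buffer.from(parts[2], "base64url");
    // Constant-time comparison; timingSafeEqual requires equal lengths.
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    // Only read claims after the signature has been verified.
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) return null;
    if (claims.aud !== expectedAudience) return null;
    return claims;
  } catch {
    return null; // malformed base64 or JSON is a refusal, not an error path
  }
}
```

Returning null on every failure path maps directly onto returning false from accept(), so a malformed token closes the connection with REFUSED instead of raising inside the listener.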