Back in 2012, I wrote about my concerns with the proliferation of WebSockets.  Since WebSockets is basically just a mechanism to establish a raw socket connection and a simple protocol to send packets, potentially every application has a different communication protocol.

We recently ran into the problem of how to secure WebSockets in a token-based architecture.  While we can write helper libs on the client and server side that exchange the token on WebSocket setup, there’s a problem with token expiration.  Each application (or WebSocket framework) would have to build in a way to notify the client that the token has expired, and provide a way for the client to retransmit a new refreshed token.  It is already a maintenance nightmare to support basic web security and client adapter support for the various servlet engines.  We would now have to multiply that by the number of WebSocket frameworks.
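The expiry handshake described above, sketched server-side as an added example (not Keycloak's or any WebSocket framework's code). The frame types `auth`, `refresh`, `auth_ok`, `token_expired` and `close`, the `WsSession` class, and the HS256 demo secret are all assumptions invented for illustration.

```python
import base64, hashlib, hmac, json

SECRET = b"demo-secret"  # constructed key; HS256 is an assumption made for this demo

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _sign(signing_input):
    return _b64(hmac.new(SECRET, signing_input, hashlib.sha256).digest())

def make_token(sub, exp):
    """Build a constructed HS256 JWT (stands in for the token issuer)."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "exp": exp}).encode())
    return b".".join([head, body, _sign(head + b"." + body)]).decode()

def verify(token, now):
    """Return claims if the HMAC (fixed algorithm, header "alg" ignored) verifies and exp > now."""
    try:
        head, body, sig = token.encode().split(b".")
        if not hmac.compare_digest(sig, _sign(head + b"." + body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
        return claims if claims["exp"] > now else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None

class WsSession:
    """Hypothetical per-connection state; on_message handles one received text frame."""
    def __init__(self):
        self.claims = None

    def on_message(self, frame, now):
        try:
            msg = json.loads(frame)
            kind = msg.get("type")
        except (ValueError, TypeError, AttributeError):
            return {"type": "close", "reason": "bad_frame"}
        if kind in ("auth", "refresh"):
            claims = verify(msg.get("token"), now)
            # A refresh must carry a valid token for the same subject as the original auth.
            if claims is None or (self.claims and claims.get("sub") != self.claims.get("sub")):
                return {"type": "close", "reason": "invalid_token"}
            self.claims = claims
            return {"type": "auth_ok", "exp": claims["exp"]}
        if self.claims is None:
            return {"type": "close", "reason": "unauthenticated"}
        if self.claims["exp"] <= now:
            return {"type": "token_expired"}  # do no work; client must send a refresh frame
        return {"type": "data", "sub": self.claims.get("sub"), "echo": msg.get("payload")}
```

Every application frame is checked against the stored `exp`, so a connection opened with a valid token stops being served once that token lapses, and a refresh cannot rebind the socket to a different subject.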

Basically, it is hard to impossible for projects like Keycloak to provide out-of-the-box support for securing WebSockets.  Anybody know if HTTP/2 could replace WebSockets?  I haven’t dived into the protocol yet and my understanding is that its biggest advantage is pipelining HTTP requests.