etcd-io/etcd

websocket token report etcdserver: invalid auth token

Open

#19752 opened on Apr 16, 2025

View on GitHub
 (14 comments) (0 reactions) (2 assignees)Go (51,701 stars) (10,352 forks)batch import
help wantedtype/bug

Description

Bug report criteria

What happened?

when i use etcd api for kotlin ktot non grpc. I find problem,I use websocket for watch key update.anything is hard.I was commit a discussion for help.but,i do not have time.i download etcd source from github,and use github Copilot help me read code source.wow, it help me for how use token by websocket in etcd api.but , it use one problem,the websocket proxy add 'bearer' scheme for token in Authorization header,but grpc not have,so it report rpc error: "cancel_reason":"rpc error: code = Unauthenticated desc = etcdserver: invalid auth token" and token take code is:

httpClient.ws(method = HttpMethod.Get, host = "localhost", port = 2379, path = "/v3/watch",request = {
        // 添加认证 header
        header(HttpHeaders.SecWebSocketProtocol,"Bearer, $token")
    })

What did you expect to happen?

I want the etcd authentication to work properly regardless of what HTTP Authorization header scheme I use.

How can we reproduce it (as minimally and precisely as possible)?

etcd enable auth, use websocket client call etcd watch endpoint for ws, first auth for get token , and take token for ws by etcd code source example Sec-Websocket-Protocol: Bearer, ${token}

Anything else we need to know?

No response

Etcd version (please run commands below)

$ etcd --version
# 3.5.17

$ etcdctl version
# paste output here

Etcd configuration (command line flags or environment variables)

paste your configuration here

Etcd debug information (please run commands below, feel free to obfuscate the IP address or FQDN in the output)

$ etcdctl member list -w table
# paste output here

$ etcdctl --endpoints=<member list> endpoint status -w table
# paste output here

Relevant log output

Contributor guide

Tech stack
go
Domain
authentication
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
half day
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
knowledge of etcd authenticationwebsocket protocol basics
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
40
Research direction
Investigate the websocket proxy in etcd that handles the Sec WebSocket Protocol header for token extraction. The issue is in the authentication middleware or handler when upgrading to websocket. Look at the code around the watch endpoint and how tokens are parsed from the header. Ensure that tokens with or without 'Bearer ' prefix are accepted consistently. Related files: server/etcdserver/api/v3rpc/watch.go and authentication utilities.