The problem with authenticating web sockets is that an HTTP request can be authenticated only once against a given authentication scheme. After that, the authentication result is cached and will always yield the same result.
A web socket connection starts over HTTP. An HTTP request with the Upgrade header is sent to the back end. This request is then "upgraded" into a web socket that runs over the web socket pipeline. The main issue with web sockets is that you cannot set additional headers on this initial HTTP request. Therefore the authentication will fail and the request will be unauthenticated. The HTTP context of the initial request lasts as long as the web socket connection is running.
The trick is to add a stub authentication scheme: