IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Mon, 13 September 2021 18:09 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95A0B3A11B6 for <wish@ietfa.amsl.com>; Mon, 13 Sep 2021 11:09:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADXwKYSMxGlQ for <wish@ietfa.amsl.com>; Mon, 13 Sep 2021 11:09:26 -0700 (PDT)
Received: from mail-pj1-x1034.google.com (mail-pj1-x1034.google.com [IPv6:2607:f8b0:4864:20::1034]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 836EE3A11A8 for <wish@ietf.org>; Mon, 13 Sep 2021 11:09:26 -0700 (PDT)
Received: by mail-pj1-x1034.google.com with SMTP id on12-20020a17090b1d0c00b001997c60aa29so430965pjb.1 for <wish@ietf.org>; Mon, 13 Sep 2021 11:09:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=S2uFcQFdR6QtpLBdV7jQorgLoGaLDsq8rWyu7fP2Sa0=; b=PUwdmNfyeho44J459ygMz8sEnUQldrA8uIbkjWTHp31ioAHzFDPx2NweJf1K+STxwL d61I+gQe3JZuS7AJtXYoQDk0iY5Ox9n1XAFsUp51/lvid9JqRaQfkU0Tvcju/ifRK4xY 3UX3C0XM4G8TNAuFg5Hfis9nu/bD+iRx3hbev7E3r/irqpWoJDgQg1lANeAAkYeGszG6 DupZBeCCjmIQn2sFeCpUtpD310JbEuvc/rSWKrpkCj9mI7Y3C0fshZGgprFb7xE/TqDI eIbyiEno1539OfQnewI/nLFHbeRtmGsJyWdTx8tf6b/LU6c0rzRvthwtqE0fOoPouaxp A9xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=S2uFcQFdR6QtpLBdV7jQorgLoGaLDsq8rWyu7fP2Sa0=; b=0g2HfvJCUr4PLUIlMwEOLbNRed3u0/vjaO20kmSNM7FSTBEMsNJGXvYoy5MahZI39a jzjoRuOBmCH5+XhDlsq15d/FDOo0XIO3o31bZHCyk8sStOjCEzSkqpk/bxVeKGC6TIIt XXNfL0g7bB0AcDB3jUbIaIhfsgeSXc0BoNE3VNJWxqjg0pCz9aDFRutbjaw3RZCH3T6M 0M9evDwe2fsIh2OXGL1Z76waXjFLy/XYEN4439loCVZNQTuFcsdRfUay4Bb3n9FzTZDU HAxFb3sNynKaXCur6SJ/pAYXhJck3p5F81u2pMToq1/FnL/EMDRsWhJi/+zKEdcoWQll ZfSA==
X-Gm-Message-State: AOAM531weavcy8Yh0UmU6XD0bSbDA+gCabE7UHBScSdzGy04vxHgTtH7 U3JDXh+nY9u2jEDZkVzoTIvmtvpeXQmP0NHnReI=
X-Google-Smtp-Source: ABdhPJxg5JhTyUf7UDYyH2wOXNOXvbHo2rKySOCTHc/jyNS9nZ1jP0n2RSnzJwiclsyG0kvFG12TvWZJWm7hJySuR0U=
X-Received: by 2002:a17:90b:1488:: with SMTP id js8mr811899pjb.41.1631556564271; Mon, 13 Sep 2021 11:09:24 -0700 (PDT)
MIME-Version: 1.0
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <87o893vuz4.wl-jch@irif.fr> <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com> <1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com> <CA+ag07YZdQooVBLtn=R=Lj0XpojCmVzd51P6=ExFUqwhvqYNdA@mail.gmail.com> <28d39165-3d08-257e-4736-1c8449e99034@nostrum.com> <CAABnt0NxfyTBQmGkh3gU69bf0zDok_pm5+Lun62EABha0gEATQ@mail.gmail.com> <66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com> <87ee9sfo63.wl-jch@irif.fr> <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com> <CAABnt0M2Vg-9=SwX=O1mFbyYTS4b7ewmevW2qzMf17fsagoc2Q@mail.gmail.com> <CA+ag07aJKFy2s_UD0L-PaGHNwA9XH6Khz+0tReOMMcweJ0Q0hQ@mail.gmail.com> <CAABnt0MSUuxYK1CvOQUmC-a4b_U9m7YQ+vhXfjaaDxFZE+_JOQ@mail.gmail.com>
In-Reply-To: <CAABnt0MSUuxYK1CvOQUmC-a4b_U9m7YQ+vhXfjaaDxFZE+_JOQ@mail.gmail.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Mon, 13 Sep 2021 20:09:12 +0200
Message-ID: <CA+ag07bb5WfoUJRkQt37nYtkmtEi=Kpp44ihVNGRd=OytakADg@mail.gmail.com>
To: Matt Ward <mattward@mux.com>
Cc: Juliusz Chroboczek <jch@irif.fr>, Adam Roach <adam@nostrum.com>, WISH List <wish@ietf.org>
Content-Type: multipart/related; boundary="00000000000071dc8205cbe45d9a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/A_WqDswMURLeh3mO5JC5FR3b7DY>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2021 18:09:32 -0000

FWIW, I did implement the initial whip draft in OBS and doing the UX for
configuring the oauth token is trivial. The problem with ffmpeg is not
going to be the bearer token authentication neither.. ;)


El lun, 13 sept 2021 a las 19:56, Matt Ward (<mattward@mux.com>) escribió:

> AFAIK today, there's no "Auth token" input for any of the other services?
> Have you found an ffmpeg output that supports bearer
> authentication? Usually, more UI/params/config => more state => more
> complex clients => longer time to integrate.
>
> I want every single box that supports RTMP today to add WHIP tomorrow with
> minimal friction!  :)
>
> On Mon, Sep 13, 2021 at 10:55 AM Sergio Garcia Murillo <
> sergio.garcia.murillo@gmail.com> wrote:
>
>> Not sure how an RTMP implementation may affect how OBS or ffmpeg
>> implements WHIP, should be as simple as this:
>>
>> [image: image.png]
>>
>> El lun, 13 sept 2021 a las 19:29, Matt Ward (<mattward@mux.com>)
>> escribió:
>>
>>> In the current abstract for WHIP, the spec comes out stating "Currently
>>> there is no standard protocol (like SIP or RTSP) designed for ingesting
>>> media in a streaming service, and content providers still rely heavily on
>>> protocols like RTMP for it."
>>>
>>> Why do content providers rely on RTMP and possibly more interestingly,
>>> why do publishers/broadcasters/end-users love RTMP?
>>>
>>> It is dead simple.
>>>
>>> If our goal is to replace RTMP, I think we need to allow clients to be
>>> as dead simple as RTMP is today. In order to do this, we must allow clients
>>> to ship with support for only path based authentication as in RTMP. This
>>> will require a minimal amount of UI/UX changes and speed time to support in
>>> many broadcasting software/appliances.
>>>
>>> As for MAY support beyond that, I'd look at how custom RTMP is
>>> configured in OBS. To that end, it only supports authentication via basic
>>> auth. I imagine adding support for bearer authentication that's only
>>> supported for WHIP in OBS adds complexity to that client. I imagine this
>>> additional burden would not be uncommon across the space of existing
>>> broadcasting software/appliances. As for one more example, I have seen
>>> approximately 0 ffmpeg example commands outputting with bearer
>>> authentication.
>>>
>>> [image: Screenshot from 2021-09-13 10-16-54.png]
>>>
>>>
>>> On Mon, Sep 13, 2021 at 9:30 AM Sergio Garcia Murillo <
>>> sergio.garcia.murillo@gmail.com> wrote:
>>>
>>>> I disagree with the approach.
>>>>
>>>> IMHO, using username/password authentication in http rest apis is
>>>> insecure as it forces the user to store it's password into several "low
>>>> security" applications and most service providers have deprecated it in
>>>> favor of a token based authentication.
>>>>
>>>> My proposal would be that it is a MUST for clients to support
>>>> authentication via the bearer token and it would be optional for the server
>>>> to implement it or not. In case the user does not provision the token on
>>>> the whip client, an unauthenticated request would be sent to the server.
>>>>
>>>> Best regards
>>>> Sergio
>>>>
>>>> El lun, 13 sept 2021 a las 18:14, Juliusz Chroboczek (<jch@irif.fr>)
>>>> escribió:
>>>>
>>>>> > I understand the motivation, but this doesn't get us to
>>>>> > interoperability. We need a baseline, mandatory-to-implement
>>>>> > authentication method for both client and server; otherwise, we'll
>>>>> end up
>>>>> > in a situation where your client implements mechanism A, my network
>>>>> > implements mechanism B, and your users can't use my network.
>>>>>
>>>>> Yes, and that is why I suggested HTTP Basic instead of bearer token.
>>>>>
>>>>> Most servers today implement authentication using a username/password
>>>>> pair.  While this is certainly not the most secure solution, it is well
>>>>> understood by users, and is therefore likely to remain the main mode of
>>>>> authentication for the foreseeable future.
>>>>>
>>>>> With HTTP Basic, it is perfectly clear how to map a username/password
>>>>> pair
>>>>> to the protocol.  With bearer token, the client and the server need to
>>>>> both agree on how to map the username/password pair to a token, and
>>>>> I expect different implementations to use different mappings, with all
>>>>> the
>>>>> fun that this entails.
>>>>>
>>>>> So I suggest that for clients:
>>>>>
>>>>>   - support for unauthenticated WISH over HTTPS is MUST;
>>>>>   - support for HTTP Basic over HTTPS is MUST;
>>>>>   - other authentication methods is MAY.
>>>>>
>>>>> If that is not what Sergio has in mind, then the draft needs to
>>>>> mandate an
>>>>> unambiguous and deterministic way of mapping a username/password pair
>>>>> to
>>>>> an authentication method.
>>>>>
>>>>> -- Juliusz
>>>>>
>>>>

v2.8.7 | Report a Bug | By Email