IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Matt Ward <mattward@mux.com> Mon, 13 September 2021 17:56 UTC

Return-Path: <mattward@mux.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C5243A10EB for <wish@ietfa.amsl.com>; Mon, 13 Sep 2021 10:56:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mux.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0frswz1tkWdl for <wish@ietfa.amsl.com>; Mon, 13 Sep 2021 10:56:30 -0700 (PDT)
Received: from mail-oi1-x229.google.com (mail-oi1-x229.google.com [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8089C3A10E6 for <wish@ietf.org>; Mon, 13 Sep 2021 10:56:30 -0700 (PDT)
Received: by mail-oi1-x229.google.com with SMTP id w144so15116195oie.13 for <wish@ietf.org>; Mon, 13 Sep 2021 10:56:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mux.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eZB30VrKwDq70VlsnzHrPJ6To90lKX7xjy4Kjh8fVgM=; b=ly7umpyjiuta0/rcqnrFGirO7k7drK7NBlHr4vRVoLnKZmBFaGcWwSMuvO+Z6IRO9+ Df0JFO2Q0VecK0oubOyqzHhKSQ5bWJ2Fhlv3pwZal6hsRoZi5phWUvcL5R22s0mc3rVP vlycJA+KiC1S4Z/9ftqbG9Up/5kqcUepxM3ks=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eZB30VrKwDq70VlsnzHrPJ6To90lKX7xjy4Kjh8fVgM=; b=fjMYFuZfD3OwwfWotycWVbbIb3flpz++iwHEJgGh0SNBW/tod6K12KUlC8sOif/4CH t/wApGQPbpWRkCDECImZYOlk1i2Q7cmPmYeGdTXxkFvg3lF5LJPwJaJwx5hdoeFucw8g D1mwo260SCEnsZciS0kTHvkPnydrtCRzONkpzUNwi9ZIT2DruuLY4FR5RwLAmtSg7odI pupQ40jM7TXeJK44QiDwIfYHHXF0Pr7r5TLlGx1659Di5whR4RzNvEk1t7+JMGzm6Ti3 Z9SnV6l9MOnPVAYSRbLeGTo+SCVaZG+ExxSWgJh7LpTQj5K6jDxf2dyTjiR898IZaYwK tGaw==
X-Gm-Message-State: AOAM533tJLh9aTNKzBGalDwPpfjVqKghQoZBlgiGjCOdnAa5LpCT5Hvj 0hfEmkxOiNXNc18HJMGvjCu8+QCsIrhumrErDSaaeJjluyI7wUGI
X-Google-Smtp-Source: ABdhPJzDxY8U1ei0EIS+LVuiysusoCr2z+CZvuLGFbjiHeGvmcm8Fd/5S96ndjN4WzmzWVqV65r9jXL90NVGdWQsQ70=
X-Received: by 2002:aca:f386:: with SMTP id r128mr8774831oih.168.1631555788443; Mon, 13 Sep 2021 10:56:28 -0700 (PDT)
MIME-Version: 1.0
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <87o893vuz4.wl-jch@irif.fr> <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com> <1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com> <CA+ag07YZdQooVBLtn=R=Lj0XpojCmVzd51P6=ExFUqwhvqYNdA@mail.gmail.com> <28d39165-3d08-257e-4736-1c8449e99034@nostrum.com> <CAABnt0NxfyTBQmGkh3gU69bf0zDok_pm5+Lun62EABha0gEATQ@mail.gmail.com> <66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com> <87ee9sfo63.wl-jch@irif.fr> <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com> <CAABnt0M2Vg-9=SwX=O1mFbyYTS4b7ewmevW2qzMf17fsagoc2Q@mail.gmail.com> <CA+ag07aJKFy2s_UD0L-PaGHNwA9XH6Khz+0tReOMMcweJ0Q0hQ@mail.gmail.com>
In-Reply-To: <CA+ag07aJKFy2s_UD0L-PaGHNwA9XH6Khz+0tReOMMcweJ0Q0hQ@mail.gmail.com>
From: Matt Ward <mattward@mux.com>
Date: Mon, 13 Sep 2021 10:56:17 -0700
Message-ID: <CAABnt0MSUuxYK1CvOQUmC-a4b_U9m7YQ+vhXfjaaDxFZE+_JOQ@mail.gmail.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Cc: Juliusz Chroboczek <jch@irif.fr>, Adam Roach <adam@nostrum.com>, WISH List <wish@ietf.org>
Content-Type: multipart/related; boundary="00000000000033df7305cbe42f08"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/Bd_t2bj3Tw-Uzcf223s9wHwnNvg>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2021 17:56:36 -0000

AFAIK today, there's no "Auth token" input for any of the other services?
Have you found an ffmpeg output that supports bearer
authentication? Usually, more UI/params/config => more state => more
complex clients => longer time to integrate.

I want every single box that supports RTMP today to add WHIP tomorrow with
minimal friction!  :)

On Mon, Sep 13, 2021 at 10:55 AM Sergio Garcia Murillo <
sergio.garcia.murillo@gmail.com> wrote:

> Not sure how an RTMP implementation may affect how OBS or ffmpeg
> implements WHIP, should be as simple as this:
>
> [image: image.png]
>
> El lun, 13 sept 2021 a las 19:29, Matt Ward (<mattward@mux.com>) escribió:
>
>> In the current abstract for WHIP, the spec comes out stating "Currently
>> there is no standard protocol (like SIP or RTSP) designed for ingesting
>> media in a streaming service, and content providers still rely heavily on
>> protocols like RTMP for it."
>>
>> Why do content providers rely on RTMP and possibly more interestingly,
>> why do publishers/broadcasters/end-users love RTMP?
>>
>> It is dead simple.
>>
>> If our goal is to replace RTMP, I think we need to allow clients to be as
>> dead simple as RTMP is today. In order to do this, we must allow clients to
>> ship with support for only path based authentication as in RTMP. This will
>> require a minimal amount of UI/UX changes and speed time to support in many
>> broadcasting software/appliances.
>>
>> As for MAY support beyond that, I'd look at how custom RTMP is configured
>> in OBS. To that end, it only supports authentication via basic auth. I
>> imagine adding support for bearer authentication that's only supported for
>> WHIP in OBS adds complexity to that client. I imagine this additional
>> burden would not be uncommon across the space of existing broadcasting
>> software/appliances. As for one more example, I have seen approximately 0
>> ffmpeg example commands outputting with bearer authentication.
>>
>> [image: Screenshot from 2021-09-13 10-16-54.png]
>>
>>
>> On Mon, Sep 13, 2021 at 9:30 AM Sergio Garcia Murillo <
>> sergio.garcia.murillo@gmail.com> wrote:
>>
>>> I disagree with the approach.
>>>
>>> IMHO, using username/password authentication in http rest apis is
>>> insecure as it forces the user to store it's password into several "low
>>> security" applications and most service providers have deprecated it in
>>> favor of a token based authentication.
>>>
>>> My proposal would be that it is a MUST for clients to support
>>> authentication via the bearer token and it would be optional for the server
>>> to implement it or not. In case the user does not provision the token on
>>> the whip client, an unauthenticated request would be sent to the server.
>>>
>>> Best regards
>>> Sergio
>>>
>>> El lun, 13 sept 2021 a las 18:14, Juliusz Chroboczek (<jch@irif.fr>)
>>> escribió:
>>>
>>>> > I understand the motivation, but this doesn't get us to
>>>> > interoperability. We need a baseline, mandatory-to-implement
>>>> > authentication method for both client and server; otherwise, we'll
>>>> end up
>>>> > in a situation where your client implements mechanism A, my network
>>>> > implements mechanism B, and your users can't use my network.
>>>>
>>>> Yes, and that is why I suggested HTTP Basic instead of bearer token.
>>>>
>>>> Most servers today implement authentication using a username/password
>>>> pair.  While this is certainly not the most secure solution, it is well
>>>> understood by users, and is therefore likely to remain the main mode of
>>>> authentication for the foreseeable future.
>>>>
>>>> With HTTP Basic, it is perfectly clear how to map a username/password
>>>> pair
>>>> to the protocol.  With bearer token, the client and the server need to
>>>> both agree on how to map the username/password pair to a token, and
>>>> I expect different implementations to use different mappings, with all
>>>> the
>>>> fun that this entails.
>>>>
>>>> So I suggest that for clients:
>>>>
>>>>   - support for unauthenticated WISH over HTTPS is MUST;
>>>>   - support for HTTP Basic over HTTPS is MUST;
>>>>   - other authentication methods is MAY.
>>>>
>>>> If that is not what Sergio has in mind, then the draft needs to mandate
>>>> an
>>>> unambiguous and deterministic way of mapping a username/password pair to
>>>> an authentication method.
>>>>
>>>> -- Juliusz
>>>>
>>>

v2.8.7 | Report a Bug | By Email