Re: [Wish] Authentication for resource url

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Tue, 14 September 2021 12:45 UTC

From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Tue, 14 Sep 2021 14:44:58 +0200
Message-ID: <CA+ag07Z6_Nd2VvWG4HyuXK=E3u2xn8a2a_xVCEWk3_yyfQSp3A@mail.gmail.com>
In-Reply-To: <8735q72yo4.wl-jch@irif.fr>
To: Juliusz Chroboczek <jch@irif.fr>
Cc: Cameron Elliott <cameron@cameronelliott.com>, Matt Ward <mattward@mux.com>, Adam Roach <adam@nostrum.com>, WISH List <wish@ietf.org>
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/DWE_NkboGDMilZPPdH729B-jblM>

I think this is the root cause of the confusion: the client does not generate
or retrieve the token in any way.

The server/service makes it available to the user somehow (out of the scope
of this document) and the end user configures it on the client (alongside
the WHIP URL):

[image: image.png]

Best regards
Sergio

On Tue, 14 Sept 2021 at 13:18, Juliusz Chroboczek (<jch@irif.fr>)
wrote:

> > Using a username and password for authentication is very limited and for sure
> > does not cover all the use cases for WHIP.
>
> I understand that, and I am all in favour of people implementing better
> authentication mechanisms.
>
> What I am requesting here is an MTI authentication mechanism that
> guarantees interoperability between independent implementations of WHIP.
> In other words, I am asking for guidance about what I need to implement so
> I can ensure that I interoperate with all WHIP clients, including those
> that haven't been written yet.
>
> > * Generate a unique random token, associate it to a stream/account on your
> >   service and persist it on db or similar
>
> What procedure do you suggest for securely communicating the token to each
> user?  The obvious solution would be to make it available over HTTPS
> protected by HTTP Basic, but then, we might as well cut out the middleman
> and use HTTP Basic for WHIP.
>
> > * Generate a signed jwt containing the stream/account information which does
> >   not require to be persisted on the db, then use a generic url
> >   /whip/endpoint for all the requests and extract the stream info from the jwt
> >   once the signature is validated
>
> I assume this implies that the client is generating the token in
> a compatible manner.  If we want to ensure interoperability, we need to
> normatively reference a document that describes the procedure.
>
> > * Generate a custom token (like base64(${username}:${password})), then use a
> >   generic url /whip/endpoint for all the requests and extract the stream info
> >   from the token. [insecure]
>
> I wouldn't be opposed to implementing that, but, again, this implies that
> the client is generating the token in a compatible manner.  So we need
> a normative reference so we can ensure interoperability.
>
> -- Juliusz
>
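The stateless signed-JWT option from the list quoted above, written out as an added example for this page; it is not code from the thread, from the WHIP draft, or from any WHIP implementation. It assumes an HS256 secret held only by the WHIP server, a `stream` claim naming the ingest, a single `/whip/endpoint` path, and a `Location` of the form `/whip/resource/<stream>`; all of these are illustrative choices. The `mint_token` issuer is included only so the example runs offline, since handing the token to the user is out of WHIP's scope in the thread. The contrast with the `base64(username:password)` option is that an altered or forged token fails signature verification, the algorithm is pinned rather than read from the token, and the server keeps no per-token state.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Assumption: a constructed demo secret. A real deployment loads this from a
# secrets store and rotates it; it must never be shared with clients.
SECRET = b"constructed-demo-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(stream_id: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Issuer side (out of WHIP's scope): an HS256 JWT bound to one stream."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"stream": stream_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class AuthError(Exception):
    """Raised for any token problem; the caller maps it to a single 401."""


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Validate signature, algorithm and expiry; return the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        raise AuthError("undecodable token")
    # Pin the algorithm server-side. Never let the token choose it
    # (alg=none and key-confusion attacks both rely on that).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(SECRET, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("bad signature")
    # Only after the signature checks out do we trust the claims.
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        raise AuthError("undecodable claims")
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        raise AuthError("expired")
    if not isinstance(claims.get("stream"), str) or not claims["stream"]:
        raise AuthError("missing stream claim")
    return claims


def handle_whip_post(headers: dict, body: str, now: Optional[int] = None) -> Tuple[int, dict, str]:
    """Minimal WHIP ingest: POST /whip/endpoint with 'Authorization: Bearer <jwt>'.

    Returns (status, response headers, response body). The SDP answer itself
    would come from the media server and is omitted here.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"WWW-Authenticate": 'Bearer realm="whip"'}, ""
    try:
        claims = verify_token(token, now)
    except AuthError:
        # One generic failure response: do not leak which check failed.
        return 401, {"WWW-Authenticate": 'Bearer realm="whip", error="invalid_token"'}, ""
    if headers.get("Content-Type") != "application/sdp" or not body.startswith("v=0"):
        return 415, {}, ""
    # The stream comes from the validated token, not from the URL or the body,
    # so one generic endpoint serves every ingest.
    return 201, {"Location": "/whip/resource/" + claims["stream"]}, ""
```

Both the `WWW-Authenticate` challenge on 401 and the `Location` header on 201 follow the conventions WHIP inherits from HTTP; the resource path format is an assumption of this example.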