IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Adam Roach <adam@nostrum.com> Tue, 14 September 2021 17:33 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77A8E3A26A3 for <wish@ietfa.amsl.com>; Tue, 14 Sep 2021 10:33:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.281
X-Spam-Level:
X-Spam-Status: No, score=-1.281 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0W8MxeQ4koal for <wish@ietfa.amsl.com>; Tue, 14 Sep 2021 10:32:58 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 905403A26A4 for <wish@ietf.org>; Tue, 14 Sep 2021 10:32:58 -0700 (PDT)
Received: from Zephyrus.local (76-218-40-253.lightspeed.dllstx.sbcglobal.net [76.218.40.253]) (authenticated bits=0) by nostrum.com (8.17.1/8.16.1) with ESMTPSA id 18EHWmv5022403 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Tue, 14 Sep 2021 12:32:49 -0500 (CDT) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1631640771; bh=rax8dRZ8gD7X/80Zfy25DMxyUbGkIRJklcJGk+Hu5jg=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=bs/i/99Q1BZXhaA0QltuFqSTC2JIDDm3qQ92QBOPSHwBYNpcFoLoRtX/zw1b2GA8c 6m3XFGBy5DjQ6ikX+SAEmobD+gyqYQ3KH9Qp66VvZ6pvM+KLyVdSsuLBATR1ZLWpv7 yQR7XJPUKKtxaTz6KXsYKKezBSdN8IZJ9anAFs+A=
X-Authentication-Warning: raven.nostrum.com: Host 76-218-40-253.lightspeed.dllstx.sbcglobal.net [76.218.40.253] claimed to be Zephyrus.local
To: Juliusz Chroboczek <jch@irif.fr>, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Cc: WISH List <wish@ietf.org>, Cameron Elliott <cameron@cameronelliott.com>, Matt Ward <mattward@mux.com>
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <28d39165-3d08-257e-4736-1c8449e99034@nostrum.com> <CAABnt0NxfyTBQmGkh3gU69bf0zDok_pm5+Lun62EABha0gEATQ@mail.gmail.com> <66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com> <87ee9sfo63.wl-jch@irif.fr> <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com> <CAABnt0M2Vg-9=SwX=O1mFbyYTS4b7ewmevW2qzMf17fsagoc2Q@mail.gmail.com> <CA+ag07aJKFy2s_UD0L-PaGHNwA9XH6Khz+0tReOMMcweJ0Q0hQ@mail.gmail.com> <CAABnt0MSUuxYK1CvOQUmC-a4b_U9m7YQ+vhXfjaaDxFZE+_JOQ@mail.gmail.com> <CA+ag07bb5WfoUJRkQt37nYtkmtEi=Kpp44ihVNGRd=OytakADg@mail.gmail.com> <CAABnt0PXKPejtywBDizx_Og0d0qPp6qa6cXXsCjBrbTQHN9pKg@mail.gmail.com> <CAMyc9bXUXR5nrxoQsQwDqE46sHWN_8vicG_c53ZruRbC0gfeMw@mail.gmail.com> <877dfk9fil.wl-jch@irif.fr> <CA+ag07ZxJF95xd7y_ToRRNJmbRboRR56t=mnW+nGYFqpAkH61g@mail.gmail.com> <8735q72yo4.wl-jch@irif.fr> <CA+ag07Z6_Nd2VvWG4HyuXK=E3u2xn8a2a_xVCEWk3_yyfQSp3A@mail.gmail.com> <87r1dr89mr.wl-jch@irif.fr>
From: Adam Roach <adam@nostrum.com>
Message-ID: <a12adb1d-da65-8290-7d91-d911aa0aa6cc@nostrum.com>
Date: Tue, 14 Sep 2021 12:32:43 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <87r1dr89mr.wl-jch@irif.fr>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/QwjYjVK5hBnenawB5Jja3-G3EJw>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2021 17:33:04 -0000

On 9/14/21 10:22, Juliusz Chroboczek wrote:
>> I think this is root cause of the confusion, the client does not generate or
>> retrieve the token anyhow.
> I am increasingly confused.
>
>> The server/service makes it available to the user somehow (out of the scope of
>> this document) and the end user configures it on the client
> So what you are saying is that WHIP does not depend on OAuth2, but it does
> depend on some unspecified token provisioning protocol?


Not really. At least, not in the engineering sense of the word "protocol."

What you need to do is get tokens to the users (users! not clients!) 
somehow so that they can set up their client. Exactly how you do that is 
entirely up to you. You also need to get a WHIP URL to users somehow so 
that they can set up their client. How you do that is also entirely up 
to you in exactly the same way.

Once users get those two bits of information from you (URL and Token), 
they put them into a WHIP client, and are ready to broadcast.

The client has to understand enough about the URL to use it in an HTTP 
stack. The client has to understand nothing about the token.

How you generate the token is 100% up to you, as long as your service 
can look at it and (1) tell which account it corresponds to, and (2) 
validate that it is authentic. There are many ways to accomplish this, 
and which one you choose is entirely up to you. Sergio described many 
viable approaches in his earlier message.

[Technically, it is possible for you to encode one or both of those 
things into the URL itself and then leave them out of the token. I would 
recommend against that for reasons that I can go into in a different 
message; but I don't want to make this email too wide ranging.]

To give an example of how this is done in production services: on 
Twitch, once you log in, you go into account management, click on the 
"Stream" tab, and copy a really long string of junk out of a field 
labeled "Primary Stream Key." You paste this into your broadcast client 
in a field usually named "Stream Key." And then everything just works. 
The client doesn't know whether this long string is some kind of crypto 
token, a random string stored in a database somewhere, or something 
else. As a human, I can't tell either. The only thing that knows how to 
unpack that string into an account identifier and validate that it is 
authentic is Twitch itself.

You can do that, if you like. Or you can hand tokens out on slips of 
paper, if your users are patient. You can send them to users via Signal. 
Really, how you get tokens to users is entirely up to you. And that's 
the important point.

If there are some entirely uncircumventable, non-negotiable constraints 
that entirely prevent you from doing something like what I describe 
above, then you can technically meet the two requirements I mention by 
telling users something like "In the field that asks for an 
authentication token, enter your username, a colon character, and then 
your password." The client doesn't know or care that this is the format 
you're using; only your servers need to know that. And it has the same 
security properties as HTTP Basic Auth, so you're not losing anything 
over what you want to do. (There are reasons I wouldn't use basic auth 
in 2021, but how you secure your system is entirely up to you.)

/a

v2.8.7 | Report a Bug | By Email