IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Tue, 14 September 2021 07:59 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08D963A0DA0 for <wish@ietfa.amsl.com>; Tue, 14 Sep 2021 00:59:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JiH0KcUx5Kv1 for <wish@ietfa.amsl.com>; Tue, 14 Sep 2021 00:59:13 -0700 (PDT)
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14D643A0D94 for <wish@ietf.org>; Tue, 14 Sep 2021 00:59:13 -0700 (PDT)
Received: by mail-pj1-x102f.google.com with SMTP id k23-20020a17090a591700b001976d2db364so2101436pji.2 for <wish@ietf.org>; Tue, 14 Sep 2021 00:59:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gWir2HX5DYqCYX0e4lSuY2n6VhMJ+TXuoV7nKmvPS+Q=; b=WCWA0mHKGGqc0h+9wmpSF8a1dun2gAdKi+Qpopre+cOkKWI3UYr5aKACKmb65DuuTT deY2sbOTk1iGOSKW4RD5VCcWLmhUocBaQDMLcX1dHpzceeodMAsD9V2m42BhLeU4yulr W1gF8Pt2AxJwGvvo+b6KV49ZIsxRZY1w2REbTULF7YBD9NAMJ6ZZXGyqcW5CFryzPddp fT5H3T/DOnXP4/BalERocIF7Uj4Oz/cC6nmCDNXfjt7W788PncB1hcPxRyvy2XVjS1A0 aRXsRTIUosFH/cIkeoD64D/54M+oUoPiz7fk5+u73QoCXMixSV2q7LZIgzdStiJ2aD8t fTbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gWir2HX5DYqCYX0e4lSuY2n6VhMJ+TXuoV7nKmvPS+Q=; b=fKTbQ0gZ/Hw5c1rQRh6JgmR4VI8eXww597QzzLrvwYBLXRsczZuozgSaOsxgRJTMBq 5dWkk9jj0wl61yYktGmrliINuG1sHmbMu3KrjvPEYfncu9nO4R2BokahjS6w6tyo/B7A J0bWwcSL6dfqMIHAfx2aBFELHKttxrLIqvSIAKcqbFpkwMnzySAyJxiSSeZMtgwnj3PL uocpLsBZUlgCxGkFqZ/OG4HVNkuPMaRE/Vr1Je72FfNs8jE9jiIxiiMJ/8l3IoqGz3Z8 5Qh6HKk4XALbUoNjXzVkjrFyIRRp98aGL9q6GtQ2v6yi/Klh2sAxz+E3JjXWJ7HRzifz eD2w==
X-Gm-Message-State: AOAM532ikzv8j7U4YXU560b2g8fxK/irFeneh5bgevU2FGUUcFswmqrj Gdc9oQIJm8vTUBvB5J3/Fx4RgJ22z1Nh1dcANek=
X-Google-Smtp-Source: ABdhPJy1EDFxRoxwktkCrEAuCT+gJqHjvgjoiyezHJKjZlBYsGStv9if2iFa0NPZqdUKD+K2Aq7d0xOPqhv9xGI9Cc8=
X-Received: by 2002:a17:90b:1488:: with SMTP id js8mr642501pjb.41.1631606350469; Tue, 14 Sep 2021 00:59:10 -0700 (PDT)
MIME-Version: 1.0
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <87o893vuz4.wl-jch@irif.fr> <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com> <1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com> <CA+ag07YZdQooVBLtn=R=Lj0XpojCmVzd51P6=ExFUqwhvqYNdA@mail.gmail.com> <28d39165-3d08-257e-4736-1c8449e99034@nostrum.com> <CAABnt0NxfyTBQmGkh3gU69bf0zDok_pm5+Lun62EABha0gEATQ@mail.gmail.com> <66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com> <87ee9sfo63.wl-jch@irif.fr> <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com> <CAABnt0M2Vg-9=SwX=O1mFbyYTS4b7ewmevW2qzMf17fsagoc2Q@mail.gmail.com> <CA+ag07aJKFy2s_UD0L-PaGHNwA9XH6Khz+0tReOMMcweJ0Q0hQ@mail.gmail.com> <CAABnt0MSUuxYK1CvOQUmC-a4b_U9m7YQ+vhXfjaaDxFZE+_JOQ@mail.gmail.com> <CA+ag07bb5WfoUJRkQt37nYtkmtEi=Kpp44ihVNGRd=OytakADg@mail.gmail.com> <CAABnt0PXKPejtywBDizx_Og0d0qPp6qa6cXXsCjBrbTQHN9pKg@mail.gmail.com>
In-Reply-To: <CAABnt0PXKPejtywBDizx_Og0d0qPp6qa6cXXsCjBrbTQHN9pKg@mail.gmail.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Tue, 14 Sep 2021 09:58:58 +0200
Message-ID: <CA+ag07aHmVYtkyN-65B-okV+Waz8Ote-sArHJE8+31nYYCW=Aw@mail.gmail.com>
To: Matt Ward <mattward@mux.com>
Cc: Juliusz Chroboczek <jch@irif.fr>, Adam Roach <adam@nostrum.com>, WISH List <wish@ietf.org>
Content-Type: multipart/related; boundary="000000000000f02d2e05cbeff401"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/_RM7_gsBW2ps7EVF65ZuYYpR60I>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2021 07:59:18 -0000

I think in terms of UI it is very similar to what people are used to, for
example this OBS UI to connect to facebook would be exactly the same than
the one required for whip:

[image: image.png]

Where server is the whip endpoint url and the stream key the bearer token
sent on the authentication header. Even the "get stream key" button would
work the same way.

Best regards
Sergio

El lun, 13 sept 2021 a las 20:22, Matt Ward (<mattward@mux.com>) escribió:

> It may be trivial for you to wrap your head around as the author of the
> spec and a strong engineer. However, I still feel quite strongly that
> converting a community of broadcasters (with a wide range of technical
> understanding) from RTMP => WHIP is easier if the protocol drops into
> existing UIs with near 0 changes required.
>
> Imagine working at Blackmagic or Teradek and seeing a requirement to add a
> bunch of UI in addition to a whole new underlying protocol. I suspect
> requiring even basic auth there will slow adoption.
>
> On Mon, Sep 13, 2021 at 11:09 AM Sergio Garcia Murillo <
> sergio.garcia.murillo@gmail.com> wrote:
>
>> FWIW, I did implement the initial whip draft in OBS and doing the UX for
>> configuring the oauth token is trivial. The problem with ffmpeg is not
>> going to be the bearer token authentication neither.. ;)
>>
>>
>> El lun, 13 sept 2021 a las 19:56, Matt Ward (<mattward@mux.com>)
>> escribió:
>>
>>> AFAIK today, there's no "Auth token" input for any of the other
>>> services? Have you found an ffmpeg output that supports bearer
>>> authentication? Usually, more UI/params/config => more state => more
>>> complex clients => longer time to integrate.
>>>
>>> I want every single box that supports RTMP today to add WHIP tomorrow
>>> with minimal friction!  :)
>>>
>>> On Mon, Sep 13, 2021 at 10:55 AM Sergio Garcia Murillo <
>>> sergio.garcia.murillo@gmail.com> wrote:
>>>
>>>> Not sure how an RTMP implementation may affect how OBS or ffmpeg
>>>> implements WHIP, should be as simple as this:
>>>>
>>>> [image: image.png]
>>>>
>>>> El lun, 13 sept 2021 a las 19:29, Matt Ward (<mattward@mux.com>)
>>>> escribió:
>>>>
>>>>> In the current abstract for WHIP, the spec comes out stating
>>>>> "Currently there is no standard protocol (like SIP or RTSP) designed for
>>>>> ingesting media in a streaming service, and content providers still rely
>>>>> heavily on protocols like RTMP for it."
>>>>>
>>>>> Why do content providers rely on RTMP and possibly more interestingly,
>>>>> why do publishers/broadcasters/end-users love RTMP?
>>>>>
>>>>> It is dead simple.
>>>>>
>>>>> If our goal is to replace RTMP, I think we need to allow clients to be
>>>>> as dead simple as RTMP is today. In order to do this, we must allow clients
>>>>> to ship with support for only path based authentication as in RTMP. This
>>>>> will require a minimal amount of UI/UX changes and speed time to support in
>>>>> many broadcasting software/appliances.
>>>>>
>>>>> As for MAY support beyond that, I'd look at how custom RTMP is
>>>>> configured in OBS. To that end, it only supports authentication via basic
>>>>> auth. I imagine adding support for bearer authentication that's only
>>>>> supported for WHIP in OBS adds complexity to that client. I imagine this
>>>>> additional burden would not be uncommon across the space of existing
>>>>> broadcasting software/appliances. As for one more example, I have seen
>>>>> approximately 0 ffmpeg example commands outputting with bearer
>>>>> authentication.
>>>>>
>>>>> [image: Screenshot from 2021-09-13 10-16-54.png]
>>>>>
>>>>>
>>>>> On Mon, Sep 13, 2021 at 9:30 AM Sergio Garcia Murillo <
>>>>> sergio.garcia.murillo@gmail.com> wrote:
>>>>>
>>>>>> I disagree with the approach.
>>>>>>
>>>>>> IMHO, using username/password authentication in http rest apis is
>>>>>> insecure as it forces the user to store it's password into several "low
>>>>>> security" applications and most service providers have deprecated it in
>>>>>> favor of a token based authentication.
>>>>>>
>>>>>> My proposal would be that it is a MUST for clients to support
>>>>>> authentication via the bearer token and it would be optional for the server
>>>>>> to implement it or not. In case the user does not provision the token on
>>>>>> the whip client, an unauthenticated request would be sent to the server.
>>>>>>
>>>>>> Best regards
>>>>>> Sergio
>>>>>>
>>>>>> El lun, 13 sept 2021 a las 18:14, Juliusz Chroboczek (<jch@irif.fr>)
>>>>>> escribió:
>>>>>>
>>>>>>> > I understand the motivation, but this doesn't get us to
>>>>>>> > interoperability. We need a baseline, mandatory-to-implement
>>>>>>> > authentication method for both client and server; otherwise, we'll
>>>>>>> end up
>>>>>>> > in a situation where your client implements mechanism A, my network
>>>>>>> > implements mechanism B, and your users can't use my network.
>>>>>>>
>>>>>>> Yes, and that is why I suggested HTTP Basic instead of bearer token.
>>>>>>>
>>>>>>> Most servers today implement authentication using a username/password
>>>>>>> pair.  While this is certainly not the most secure solution, it is
>>>>>>> well
>>>>>>> understood by users, and is therefore likely to remain the main mode
>>>>>>> of
>>>>>>> authentication for the foreseeable future.
>>>>>>>
>>>>>>> With HTTP Basic, it is perfectly clear how to map a
>>>>>>> username/password pair
>>>>>>> to the protocol.  With bearer token, the client and the server need
>>>>>>> to
>>>>>>> both agree on how to map the username/password pair to a token, and
>>>>>>> I expect different implementations to use different mappings, with
>>>>>>> all the
>>>>>>> fun that this entails.
>>>>>>>
>>>>>>> So I suggest that for clients:
>>>>>>>
>>>>>>>   - support for unauthenticated WISH over HTTPS is MUST;
>>>>>>>   - support for HTTP Basic over HTTPS is MUST;
>>>>>>>   - other authentication methods is MAY.
>>>>>>>
>>>>>>> If that is not what Sergio has in mind, then the draft needs to
>>>>>>> mandate an
>>>>>>> unambiguous and deterministic way of mapping a username/password
>>>>>>> pair to
>>>>>>> an authentication method.
>>>>>>>
>>>>>>> -- Juliusz
>>>>>>>
>>>>>>

v2.8.7 | Report a Bug | By Email