Re: [Wish] Authentication for resource url

Matt Ward <mattward@mux.com> Sun, 12 September 2021 19:14 UTC

From: Matt Ward <mattward@mux.com>
Date: Sun, 12 Sep 2021 12:14:28 -0700
Message-ID: <CAABnt0NxfyTBQmGkh3gU69bf0zDok_pm5+Lun62EABha0gEATQ@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, WISH List <wish@ietf.org>, Juliusz Chroboczek <jch@irif.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/fF1WwCnD_mNKFa9qEQta0yc--qc>

I put this in
https://github.com/wish-wg/webrtc-http-ingest-protocol/issues/16 but here's
a quick cross post of my thoughts.

Today, we do rtmp://live.mux.com/app/{STREAM_KEY} and are imagining support
for WHIP via something akin to https://whip.mux.com/{STREAM_KEY}. In such a
case, this simple URL by itself contains what we believe to be sufficiently
"secret" information to secure ingestion (as we have done this same thing
for years in the RTMP world).

I've proposed an edit in
https://github.com/wish-wg/webrtc-http-ingest-protocol/pull/17 clarifying
that "any HTTP compliant authentication and authorization MAY be
implemented" and that RFC6750 is an example.


On Sat, Sep 11, 2021 at 12:04 PM Adam Roach <adam@nostrum.com> wrote:

> On 9/11/2021 7:56 AM, Sergio Garcia Murillo wrote:
> > As said in a different email, we are not mandating the usage of oauth2.
> >
> > Anyway, in my implementation the token is a unique value that is
> > matched against database on the whip endpoint. Media servers don't have
> > access to that database.
> >
> > It doesn't harm my implementation to receive
> > the token on the media server, but not sure if we should mandate it if
> > there are no plans for using it.
>
>
> Our infrastructure uses a bearer token (it's a cryptographically-signed
> assertion, so no database required), and it would be kind of a pain to
> require a securely random URL in addition to that. So I'm happy with the
> original formulation from your previous message, wherein the client must
> send the auth token, but the media server can use that or another
> mechanism (such as a sufficiently random URL) to validate that the
> operation is authorized.
>
> /a
>
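As an added illustration of the two mechanisms this thread compares (example code written for this page, not Mux's implementation or anything from the WHIP draft), the handler below authorizes a WHIP POST either by an RFC 6750 bearer token or, when no token is presented, by a secret stream key carried in the URL path; the credential tables, stream names, realm and resource paths are constructed placeholders.

```python
"""Authorize a WHIP POST by an RFC 6750 bearer token or a secret URL segment."""
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample credentials for this example (not real keys or tokens).
# A real endpoint would look stream keys up in a database and verify bearer
# tokens as signed assertions; both are stubbed with in-memory tables here.
STREAM_KEYS: Dict[str, str] = {"3f9c1e7a2b8d4c6e9a0f1b2c3d4e5f60": "stream-a"}
BEARER_TOKENS: Dict[str, str] = {"eyJ-constructed-token": "stream-b"}


def _lookup(table: Dict[str, str], presented: str) -> Optional[str]:
    """Scan every entry with a constant-time comparison so response timing
    does not reveal which entry (if any) the presented secret matched."""
    found = None
    for secret, stream in table.items():
        if hmac.compare_digest(secret.encode(), presented.encode()):
            found = stream
    return found


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header (RFC 6750 2.1)."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Optional[str]]:
    """Return (status, response headers, stream id) for a WHIP POST.
    A presented bearer token is checked first; a token that fails is rejected
    outright and is not rescued by the path. Only when no token is sent does
    the endpoint fall back to a sufficiently random key in the last path segment."""
    token = parse_bearer(headers.get("Authorization"))
    if token is not None:
        stream = _lookup(BEARER_TOKENS, token)
        if stream is not None:
            return 201, {"Location": f"/whip/resource/{stream}"}, stream
        # RFC 6750 3.1: a rejected token gets 401 with error="invalid_token"
        return 401, {"WWW-Authenticate": 'Bearer realm="whip", error="invalid_token"'}, None
    segment = path.rstrip("/").rsplit("/", 1)[-1]
    stream = _lookup(STREAM_KEYS, segment)
    if stream is not None:
        return 201, {"Location": f"/whip/resource/{stream}"}, stream
    # No usable credential at all: challenge without an error code (RFC 6750 3.1)
    return 401, {"WWW-Authenticate": 'Bearer realm="whip"'}, None
```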