IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Cameron Elliott <cameron@cameronelliott.com> Mon, 13 September 2021 22:31 UTC

Return-Path: <garapa1@gmail.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C85393A1488 for <wish@ietfa.amsl.com>; Mon, 13 Sep 2021 15:31:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.395
X-Spam-Level:
X-Spam-Status: No, score=-1.395 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XIWou1V8JhZG for <wish@ietfa.amsl.com>; Mon, 13 Sep 2021 15:31:03 -0700 (PDT)
Received: from mail-ot1-f52.google.com (mail-ot1-f52.google.com [209.85.210.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0281A3A1489 for <wish@ietf.org>; Mon, 13 Sep 2021 15:31:02 -0700 (PDT)
Received: by mail-ot1-f52.google.com with SMTP id q11-20020a9d4b0b000000b0051acbdb2869so15557502otf.2 for <wish@ietf.org>; Mon, 13 Sep 2021 15:31:02 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I0C7kRvEAAc+8POS6C/lyzzyMXParWsgzVn/B/Q2A9k=; b=erijG2ADJhvb/5shlg0TOpaAfVMjyZJGeV46UtxoC88HN/NSIjH8o02sj1b/UknEPh xP5Bq8xX87ZNkIxwWgAqQT56ip7fJRiPyxdd4z6k691nNtZdFZyuZjx+5y1tRPah0C9P iLV/x68OL6DHAcw0D8dHK6iUC991lfrFBr9vTWXGJyG5ffOmaOmWt2O5TNqICqTWQGHY PqgAI9eI1rJg3j1FVnBVaBSLoKI43Uwmi8B4114bvYD2m0lImpdHOY2TURYkgApc9KxE bClz8BHOG3+iwQ/kJ9zgqkYznAguqeGRMXjLIamc5kwBrxfhfOzUJ70JB6pcTIRj8hZf 1A3w==
X-Gm-Message-State: AOAM531UzUr9rIgAOrxxGeqne0IjwSUKQseo5I43PRe7Kg1R7f3HuVDH CZsqQ6YdTmsWi9H0KQ6hC98XmnGBMptHJL9lcIg=
X-Google-Smtp-Source: ABdhPJweQp7ZmH2zp6lsE4dR+uTwalyfQ0HLgtcYyTO6qnVaW/+yuLq+0kd/wdpZOct6k2uG3+X7qfmf1cU1qI/dGNQ=
X-Received: by 2002:a9d:7d85:: with SMTP id j5mr12431630otn.164.1631572261979; Mon, 13 Sep 2021 15:31:01 -0700 (PDT)
MIME-Version: 1.0
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <87o893vuz4.wl-jch@irif.fr> <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com> <1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com> <CA+ag07YZdQooVBLtn=R=Lj0XpojCmVzd51P6=ExFUqwhvqYNdA@mail.gmail.com> <28d39165-3d08-257e-4736-1c8449e99034@nostrum.com> <CAABnt0NxfyTBQmGkh3gU69bf0zDok_pm5+Lun62EABha0gEATQ@mail.gmail.com> <66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com> <87ee9sfo63.wl-jch@irif.fr> <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com> <CAABnt0M2Vg-9=SwX=O1mFbyYTS4b7ewmevW2qzMf17fsagoc2Q@mail.gmail.com> <CA+ag07aJKFy2s_UD0L-PaGHNwA9XH6Khz+0tReOMMcweJ0Q0hQ@mail.gmail.com> <CAABnt0MSUuxYK1CvOQUmC-a4b_U9m7YQ+vhXfjaaDxFZE+_JOQ@mail.gmail.com> <CA+ag07bb5WfoUJRkQt37nYtkmtEi=Kpp44ihVNGRd=OytakADg@mail.gmail.com> <CAABnt0PXKPejtywBDizx_Og0d0qPp6qa6cXXsCjBrbTQHN9pKg@mail.gmail.com>
In-Reply-To: <CAABnt0PXKPejtywBDizx_Og0d0qPp6qa6cXXsCjBrbTQHN9pKg@mail.gmail.com>
From: Cameron Elliott <cameron@cameronelliott.com>
Date: Mon, 13 Sep 2021 15:30:50 -0700
Message-ID: <CAMyc9bXUXR5nrxoQsQwDqE46sHWN_8vicG_c53ZruRbC0gfeMw@mail.gmail.com>
To: Matt Ward <mattward@mux.com>
Cc: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>, Adam Roach <adam@nostrum.com>, WISH List <wish@ietf.org>, Juliusz Chroboczek <jch@irif.fr>
Content-Type: multipart/related; boundary="0000000000001a41f305cbe80599"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/hA4BuJR6AGNeyYdsoNm0BPu4eHY>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Sep 2021 22:31:09 -0000

I think I appreciate (I hope anyway) what Matt and Juliusz are getting at.

Well, from my perspective, it seems to be the idea that authentication
should be easily understandable and grasped by
developers who are NOT OAuth familiar, and NOT RFC 6750 familiar, and even
non-developer end-users also.
This sounds like a great goal.

>From my perspective the RFC 6750 makes things unnecessarily complicated.
Well maybe it's necessary
in the context of OAuth, but for non-OAuth usage, it seems complicated.

I totally understand, it might not be clear how to do super-simple end-user
auth without OAuth using the short description
in the draft.

But the nice thing about a bearer token approach, is it can support all the
different models that have been discussed.
- OBS stream-key
- username/password (well password-only)
- The different OAuth models

Again, I think the criticisms from Matt & Julius make sense, it's not clear
how to use RFC 6750 in even
the most basic way, unless you have a certain amount of experience around
using bearer tokens for auth.
(I will note, bearer tokens are the most common way to authenticate APIs
these days, not username/password)

Maybe what is needed are two simple examples in the spec that show how
bearer tokens would be used:
1. concrete example comparing how it can be used as an alternative to
username/password. (http basic auth alternative)
2. concrete example comparing how it can be used as an alternative to
passing stream-keys in the URL.


Might really go a long  way to making it clear how to do auth in non-oauth
scenarios where 'http basic auth' or
'url based stream keys' have been used previously.



Cameron




On Mon, Sep 13, 2021 at 11:22 AM Matt Ward <mattward@mux.com> wrote:

> It may be trivial for you to wrap your head around as the author of the
> spec and a strong engineer. However, I still feel quite strongly that
> converting a community of broadcasters (with a wide range of technical
> understanding) from RTMP => WHIP is easier if the protocol drops into
> existing UIs with near 0 changes required.
>
> Imagine working at Blackmagic or Teradek and seeing a requirement to add a
> bunch of UI in addition to a whole new underlying protocol. I suspect
> requiring even basic auth there will slow adoption.
>
> On Mon, Sep 13, 2021 at 11:09 AM Sergio Garcia Murillo <
> sergio.garcia.murillo@gmail.com> wrote:
>
>> FWIW, I did implement the initial whip draft in OBS and doing the UX for
>> configuring the oauth token is trivial. The problem with ffmpeg is not
>> going to be the bearer token authentication neither.. ;)
>>
>>
>> El lun, 13 sept 2021 a las 19:56, Matt Ward (<mattward@mux.com>)
>> escribió:
>>
>>> AFAIK today, there's no "Auth token" input for any of the other
>>> services? Have you found an ffmpeg output that supports bearer
>>> authentication? Usually, more UI/params/config => more state => more
>>> complex clients => longer time to integrate.
>>>
>>> I want every single box that supports RTMP today to add WHIP tomorrow
>>> with minimal friction!  :)
>>>
>>> On Mon, Sep 13, 2021 at 10:55 AM Sergio Garcia Murillo <
>>> sergio.garcia.murillo@gmail.com> wrote:
>>>
>>>> Not sure how an RTMP implementation may affect how OBS or ffmpeg
>>>> implements WHIP, should be as simple as this:
>>>>
>>>> [image: image.png]
>>>>
>>>> El lun, 13 sept 2021 a las 19:29, Matt Ward (<mattward@mux.com>)
>>>> escribió:
>>>>
>>>>> In the current abstract for WHIP, the spec comes out stating
>>>>> "Currently there is no standard protocol (like SIP or RTSP) designed for
>>>>> ingesting media in a streaming service, and content providers still rely
>>>>> heavily on protocols like RTMP for it."
>>>>>
>>>>> Why do content providers rely on RTMP and possibly more interestingly,
>>>>> why do publishers/broadcasters/end-users love RTMP?
>>>>>
>>>>> It is dead simple.
>>>>>
>>>>> If our goal is to replace RTMP, I think we need to allow clients to be
>>>>> as dead simple as RTMP is today. In order to do this, we must allow clients
>>>>> to ship with support for only path based authentication as in RTMP. This
>>>>> will require a minimal amount of UI/UX changes and speed time to support in
>>>>> many broadcasting software/appliances.
>>>>>
>>>>> As for MAY support beyond that, I'd look at how custom RTMP is
>>>>> configured in OBS. To that end, it only supports authentication via basic
>>>>> auth. I imagine adding support for bearer authentication that's only
>>>>> supported for WHIP in OBS adds complexity to that client. I imagine this
>>>>> additional burden would not be uncommon across the space of existing
>>>>> broadcasting software/appliances. As for one more example, I have seen
>>>>> approximately 0 ffmpeg example commands outputting with bearer
>>>>> authentication.
>>>>>
>>>>> [image: Screenshot from 2021-09-13 10-16-54.png]
>>>>>
>>>>>
>>>>> On Mon, Sep 13, 2021 at 9:30 AM Sergio Garcia Murillo <
>>>>> sergio.garcia.murillo@gmail.com> wrote:
>>>>>
>>>>>> I disagree with the approach.
>>>>>>
>>>>>> IMHO, using username/password authentication in http rest apis is
>>>>>> insecure as it forces the user to store it's password into several "low
>>>>>> security" applications and most service providers have deprecated it in
>>>>>> favor of a token based authentication.
>>>>>>
>>>>>> My proposal would be that it is a MUST for clients to support
>>>>>> authentication via the bearer token and it would be optional for the server
>>>>>> to implement it or not. In case the user does not provision the token on
>>>>>> the whip client, an unauthenticated request would be sent to the server.
>>>>>>
>>>>>> Best regards
>>>>>> Sergio
>>>>>>
>>>>>> El lun, 13 sept 2021 a las 18:14, Juliusz Chroboczek (<jch@irif.fr>)
>>>>>> escribió:
>>>>>>
>>>>>>> > I understand the motivation, but this doesn't get us to
>>>>>>> > interoperability. We need a baseline, mandatory-to-implement
>>>>>>> > authentication method for both client and server; otherwise, we'll
>>>>>>> end up
>>>>>>> > in a situation where your client implements mechanism A, my network
>>>>>>> > implements mechanism B, and your users can't use my network.
>>>>>>>
>>>>>>> Yes, and that is why I suggested HTTP Basic instead of bearer token.
>>>>>>>
>>>>>>> Most servers today implement authentication using a username/password
>>>>>>> pair.  While this is certainly not the most secure solution, it is
>>>>>>> well
>>>>>>> understood by users, and is therefore likely to remain the main mode
>>>>>>> of
>>>>>>> authentication for the foreseeable future.
>>>>>>>
>>>>>>> With HTTP Basic, it is perfectly clear how to map a
>>>>>>> username/password pair
>>>>>>> to the protocol.  With bearer token, the client and the server need
>>>>>>> to
>>>>>>> both agree on how to map the username/password pair to a token, and
>>>>>>> I expect different implementations to use different mappings, with
>>>>>>> all the
>>>>>>> fun that this entails.
>>>>>>>
>>>>>>> So I suggest that for clients:
>>>>>>>
>>>>>>>   - support for unauthenticated WISH over HTTPS is MUST;
>>>>>>>   - support for HTTP Basic over HTTPS is MUST;
>>>>>>>   - other authentication methods is MAY.
>>>>>>>
>>>>>>> If that is not what Sergio has in mind, then the draft needs to
>>>>>>> mandate an
>>>>>>> unambiguous and deterministic way of mapping a username/password
>>>>>>> pair to
>>>>>>> an authentication method.
>>>>>>>
>>>>>>> -- Juliusz
>>>>>>>
>>>>>> --
> Wish mailing list
> Wish@ietf.org
> https://www.ietf.org/mailman/listinfo/wish
>

v2.8.7 | Report a Bug | By Email