IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Lorenzo Miniero <lorenzo@meetecho.com> Wed, 15 September 2021 10:19 UTC

Return-Path: <lorenzo@meetecho.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD0F3A107F for <wish@ietfa.amsl.com>; Wed, 15 Sep 2021 03:19:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.499, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aruba.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pUBcJ5jI4ClT for <wish@ietfa.amsl.com>; Wed, 15 Sep 2021 03:19:11 -0700 (PDT)
Received: from smtpcmd15176.aruba.it (smtpcmd15176.aruba.it [62.149.156.176]) by ietfa.amsl.com (Postfix) with ESMTP id 9379D3A1091 for <wish@ietf.org>; Wed, 15 Sep 2021 03:19:00 -0700 (PDT)
Received: from lminiero ([93.34.36.176]) by Aruba Outgoing Smtp with ESMTPSA id QS0DmdzXAXNB5QS0FmaS7u; Wed, 15 Sep 2021 12:18:58 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aruba.it; s=a1; t=1631701138; bh=FnTYt2U67r3/uCeb8VN8QW9IJFyj4y2+26zfuP8a8xY=; h=Date:From:To:Subject:MIME-Version:Content-Type; b=URsuZ3OJYt8zuWGm1MCzQr9yE2+OP1W6dEwlSMoknlJWzRnc8YI9rLhDmYMMYUO2y STaXU+yQaXwwlhN1ruakU/Qd+4HcAq+4YzvoIlDouMHXW2Y0H/7iJ+tSg0KURJ55fB a3IqFbqMaeDdltprF+fsfS8zWV1473Wqd5q3/D0yLdquoolvg8MN3SG7QahzP113jm zwjpBCcrE1/HTxbBpoEPjQG/A9E5TJlGHPQ2frJIXPeLnSIlnkkF7A74hg+oKGsiRe O2wetxFHY79BrF3HLMrulWZg5jydNV8afnmwDPmQ/hqjI5gZIenJIERhEvTR+zkTmh oA46QWLD9kNpA==
Date: Wed, 15 Sep 2021 12:18:51 +0200
From: Lorenzo Miniero <lorenzo@meetecho.com>
To: Juliusz Chroboczek <jch@irif.fr>
Cc: WISH List <wish@ietf.org>
Message-ID: <20210915121851.67088a25@lminiero>
In-Reply-To: <87bl4uyxr4.wl-jch@irif.fr>
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com> <87ee9sfo63.wl-jch@irif.fr> <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com> <CAABnt0M2Vg-9=SwX=O1mFbyYTS4b7ewmevW2qzMf17fsagoc2Q@mail.gmail.com> <CA+ag07aJKFy2s_UD0L-PaGHNwA9XH6Khz+0tReOMMcweJ0Q0hQ@mail.gmail.com> <CAABnt0MSUuxYK1CvOQUmC-a4b_U9m7YQ+vhXfjaaDxFZE+_JOQ@mail.gmail.com> <CA+ag07bb5WfoUJRkQt37nYtkmtEi=Kpp44ihVNGRd=OytakADg@mail.gmail.com> <CAABnt0PXKPejtywBDizx_Og0d0qPp6qa6cXXsCjBrbTQHN9pKg@mail.gmail.com> <CAMyc9bXUXR5nrxoQsQwDqE46sHWN_8vicG_c53ZruRbC0gfeMw@mail.gmail.com> <877dfk9fil.wl-jch@irif.fr> <CA+ag07ZxJF95xd7y_ToRRNJmbRboRR56t=mnW+nGYFqpAkH61g@mail.gmail.com> <8735q72yo4.wl-jch@irif.fr> <CA+ag07Z6_Nd2VvWG4HyuXK=E3u2xn8a2a_xVCEWk3_yyfQSp3A@mail.gmail.com> <87r1dr89mr.wl-jch@irif.fr> <a12adb1d-da65-8290-7d91-d911aa0aa6cc@nostrum.com> <87ee9qyyum.wl-jch@irif.fr> <87bl4uyxr4.wl-jch@irif.fr>
Organization: Meetecho
X-Mailer: Claws Mail 3.18.0 (GTK+ 2.24.33; x86_64-redhat-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4xfDQHlosWGpcB4g/iQLong/tHTySZa1tUZbKwUx7bPPxY5RNU9CgGdxG+TE3gZWGMLb/kSqQO6dOIDfJjCko2fzMq0LklTryEKKwqB43OVExEnbYaZpd0 VL7T6WfgUc3cFWi1KvAO04LNdOfAmEu+IoTBw20DWcIasTq2AFQjXSWxiWQpEXBx34OkooSumFEV5w==
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/jnYwfZbKTqLbmbCKQNCdjczcTp4>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2021 10:19:17 -0000

On Wed, 15 Sep 2021 11:49:19 +0200
Juliusz Chroboczek <jch@irif.fr> wrote:

> >> To give an example of how this is done in production services: on
> >> Twitch, once you log in, you go into account management, click on
> >> the "Stream" tab, and copy a really long string of junk out of a
> >> field labeled "Primary Stream Key." You paste this into your
> >> broadcast client in a field usually named "Stream Key."  
> 
> Just to be clear: I think token auth is a good idea, and as a matter
> of fact Galene uses token auth for authentication to the TURN server.
> 
> What I'm arguing for is a simple, interoperable user/password
> mechanism for the simple case, for when the infrastructure required
> to securely communicate the token to the client is not deemed
> necessary.  My current opinion (likely to change as Sergio and Adam
> explain stuff to me further) can be summarised as:
> 
>   * HTTP basic: MUST implement in clients, MAY implement in servers;
>   * token: SHOULD implement in clients, SHOULD implement in servers.
>   
> This way, server authors are guaranteed to interoperate with all
> clients if they choose to implement HTTP Basic, and they can use the
> more secure token auth if they are willing to put it the work
> required to build the infrastructure required to communicate tokens
> to their chosen clients.
> 
> This way, WISH is useful both for Millicast, whose business model
> relies on helping users deploy their high-quality broadcasting
> solutions, and for free servers such as Galene, who want to minimise
> the amount of hand-holding that they need to provide to their
> non-specialist users, even if that implies not using the most secure
> authentication techniques available.
> 
> -- Juliusz
> 


I personally think that would actually needlessly complicate things.
Using Bearer tokens in WHIP right now is as easy as adding an HTTP
header in the client, and reading it in the server: that's what my
prototypes (who know nothing of oauth) do, so very trivial to implement
and seems to be working just fine in my interoperability tests with
Sergio.

Any other authentication mechanism implemented by services (including
Basic Auth) could be reused anyway, as they can be what's used in a
custom API to, e.g., generate the unique token you'll then use in the
WHIP client (and check in the server).

Lorenzo

-- 
I'm getting older but, unlike whisky, I'm not getting any better
https://twitter.com/elminiero

v2.8.7 | Report a Bug | By Email