IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Tue, 14 September 2021 07:55 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BE303A0B10 for <wish@ietfa.amsl.com>; Tue, 14 Sep 2021 00:55:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGYwwVURNSGM for <wish@ietfa.amsl.com>; Tue, 14 Sep 2021 00:55:07 -0700 (PDT)
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C646C3A0B0C for <wish@ietf.org>; Tue, 14 Sep 2021 00:55:07 -0700 (PDT)
Received: by mail-pf1-x433.google.com with SMTP id 18so11360850pfh.9 for <wish@ietf.org>; Tue, 14 Sep 2021 00:55:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xREu+f6KWsefNyCEQfUs8ktH8+Hp+FZ/1uSY9wakAKo=; b=PfJYSmobIKqsixvS0fQAVZb1Bze8mV0h4EmzcJ5kH5VrARzapPyI+lm2ueXXnA+6mk KzLmvykCWEmVXr28VAdtYP6QI6p8qkVMJWOTuN3A4MIXdkQ+T2QbtvOl0YSkip7IkFLU mUelUo7d1d4T4NDamtycWgGqhasZbICLceiP7AgaZusWPYpy4UR7HVOorTN5xIPZbKOG /u+JIqbYGEc5+GQBFOmw0XgEvsb7bE4cqICi385bbjBbO2E+GZJw4RlWai2fLXufIJW5 KyqBrVOZAEXOirfZidi8GMLFNa2emLyLIEdaA96hS4brWyz03aK/kCuJKh1FTXhy0PD2 3jiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xREu+f6KWsefNyCEQfUs8ktH8+Hp+FZ/1uSY9wakAKo=; b=B1SbkdjsRs9W/0BMceMG5h8bCRj4QPvqsF/wUVdgOo+vD9nE15LbUDraW9zCLHy+PV yimjkxEEVtwYEPz0FBzyP0/AqkheMKc8TD4O4U7MSd6w6NMvhc1IHYh2L+X7KkXk3kSV FI+8Knq9zNV1vTUdJw0fvt17N5vLXpw/gdqhaFc4Wm784UvV9fQF3DhNl9bC8l3WxhCK xxepOXGV9RYnEuskpGEwrmZstGlBM52kU2f+rWm3vwbvLwsdWE8By8w7/dO4CfmVGnu6 UI28yR9gHLXGBWyWr0h8d0J8k1D7dHsUMWzBLuX0Hq5+Tl6RDl4KVjwJqhlGhVf3wMR3 +VXg==
X-Gm-Message-State: AOAM532AtpsaS3Sjq1Ih5tdWElQbMhosTY137C/CKvVJVhZfdt8MjSuD eroRPQhOFXCo+0KytHPNCPnINsHLui8D4ImIuaY=
X-Google-Smtp-Source: ABdhPJyCs9OKDc19i8Lbrjf6ITxJjNtsHwO6ZXwWqmEeO145uVF8vP5Wn6Gv98+eg+5lcfHOXjnAnTUOMY14XQerCR0=
X-Received: by 2002:a62:76c8:0:b0:3f2:6a5:b8eb with SMTP id r191-20020a6276c8000000b003f206a5b8ebmr3500599pfc.58.1631606105572; Tue, 14 Sep 2021 00:55:05 -0700 (PDT)
MIME-Version: 1.0
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <87o893vuz4.wl-jch@irif.fr> <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com> <1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com> <CA+ag07YZdQooVBLtn=R=Lj0XpojCmVzd51P6=ExFUqwhvqYNdA@mail.gmail.com> <28d39165-3d08-257e-4736-1c8449e99034@nostrum.com> <CAABnt0NxfyTBQmGkh3gU69bf0zDok_pm5+Lun62EABha0gEATQ@mail.gmail.com> <66b34dab-7a67-656e-d619-c5109ca99bbb@nostrum.com> <87ee9sfo63.wl-jch@irif.fr> <CA+ag07Y5Lduu=923bLpp_PC_NLiwpLCiEdfbCN-H3tDD8LnT3A@mail.gmail.com> <CAABnt0M2Vg-9=SwX=O1mFbyYTS4b7ewmevW2qzMf17fsagoc2Q@mail.gmail.com> <CA+ag07aJKFy2s_UD0L-PaGHNwA9XH6Khz+0tReOMMcweJ0Q0hQ@mail.gmail.com> <CAABnt0MSUuxYK1CvOQUmC-a4b_U9m7YQ+vhXfjaaDxFZE+_JOQ@mail.gmail.com> <CA+ag07bb5WfoUJRkQt37nYtkmtEi=Kpp44ihVNGRd=OytakADg@mail.gmail.com> <CAABnt0PXKPejtywBDizx_Og0d0qPp6qa6cXXsCjBrbTQHN9pKg@mail.gmail.com> <CAMyc9bXUXR5nrxoQsQwDqE46sHWN_8vicG_c53ZruRbC0gfeMw@mail.gmail.com>
In-Reply-To: <CAMyc9bXUXR5nrxoQsQwDqE46sHWN_8vicG_c53ZruRbC0gfeMw@mail.gmail.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Tue, 14 Sep 2021 09:54:53 +0200
Message-ID: <CA+ag07ZfJeMhop_kSjb7VcDAcjE2DgNiAsWoT-jM3Jr0Y8y11w@mail.gmail.com>
To: Cameron Elliott <cameron@cameronelliott.com>
Cc: Matt Ward <mattward@mux.com>, Adam Roach <adam@nostrum.com>, WISH List <wish@ietf.org>, Juliusz Chroboczek <jch@irif.fr>
Content-Type: multipart/related; boundary="00000000000056d28a05cbefe608"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/w-F1x7k7u34HxK8H_Fm0AAQS63k>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2021 07:55:13 -0000

I agree that the wording in the current draft and the reference to the  RFC
6750 is not clear at all, I will try to improve on the next versions of the
draft.

I have tried to explain different usages of the auth token in a response to
a former email by Juliusz explaining how the service could make use of it
in different ways.

However, not sure how much of that info should be in the draft as the
examples are not normative but implementation specific.

Best regards
Sergio

El mar, 14 sept 2021 a las 0:31, Cameron Elliott (<
cameron@cameronelliott.com>) escribió:

>
> I think I appreciate (I hope anyway) what Matt and Juliusz are getting at.
>
> Well, from my perspective, it seems to be the idea that authentication
> should be easily understandable and grasped by
> developers who are NOT OAuth familiar, and NOT RFC 6750 familiar, and even
> non-developer end-users also.
> This sounds like a great goal.
>
> From my perspective the RFC 6750 makes things unnecessarily complicated.
> Well maybe it's necessary
> in the context of OAuth, but for non-OAuth usage, it seems complicated.
>
> I totally understand, it might not be clear how to do super-simple
> end-user auth without OAuth using the short description
> in the draft.
>
> But the nice thing about a bearer token approach, is it can support all
> the different models that have been discussed.
> - OBS stream-key
> - username/password (well password-only)
> - The different OAuth models
>
> Again, I think the criticisms from Matt & Julius make sense, it's not
> clear how to use RFC 6750 in even
> the most basic way, unless you have a certain amount of experience around
> using bearer tokens for auth.
> (I will note, bearer tokens are the most common way to authenticate APIs
> these days, not username/password)
>
> Maybe what is needed are two simple examples in the spec that show how
> bearer tokens would be used:
> 1. concrete example comparing how it can be used as an alternative to
> username/password. (http basic auth alternative)
> 2. concrete example comparing how it can be used as an alternative to
> passing stream-keys in the URL.
>
>
> Might really go a long  way to making it clear how to do auth in non-oauth
> scenarios where 'http basic auth' or
> 'url based stream keys' have been used previously.
>
>
>
> Cameron
>
>
>
>
> On Mon, Sep 13, 2021 at 11:22 AM Matt Ward <mattward@mux.com> wrote:
>
>> It may be trivial for you to wrap your head around as the author of the
>> spec and a strong engineer. However, I still feel quite strongly that
>> converting a community of broadcasters (with a wide range of technical
>> understanding) from RTMP => WHIP is easier if the protocol drops into
>> existing UIs with near 0 changes required.
>>
>> Imagine working at Blackmagic or Teradek and seeing a requirement to add
>> a bunch of UI in addition to a whole new underlying protocol. I suspect
>> requiring even basic auth there will slow adoption.
>>
>> On Mon, Sep 13, 2021 at 11:09 AM Sergio Garcia Murillo <
>> sergio.garcia.murillo@gmail.com> wrote:
>>
>>> FWIW, I did implement the initial whip draft in OBS and doing the UX for
>>> configuring the oauth token is trivial. The problem with ffmpeg is not
>>> going to be the bearer token authentication neither.. ;)
>>>
>>>
>>> El lun, 13 sept 2021 a las 19:56, Matt Ward (<mattward@mux.com>)
>>> escribió:
>>>
>>>> AFAIK today, there's no "Auth token" input for any of the other
>>>> services? Have you found an ffmpeg output that supports bearer
>>>> authentication? Usually, more UI/params/config => more state => more
>>>> complex clients => longer time to integrate.
>>>>
>>>> I want every single box that supports RTMP today to add WHIP tomorrow
>>>> with minimal friction!  :)
>>>>
>>>> On Mon, Sep 13, 2021 at 10:55 AM Sergio Garcia Murillo <
>>>> sergio.garcia.murillo@gmail.com> wrote:
>>>>
>>>>> Not sure how an RTMP implementation may affect how OBS or ffmpeg
>>>>> implements WHIP, should be as simple as this:
>>>>>
>>>>> [image: image.png]
>>>>>
>>>>> El lun, 13 sept 2021 a las 19:29, Matt Ward (<mattward@mux.com>)
>>>>> escribió:
>>>>>
>>>>>> In the current abstract for WHIP, the spec comes out stating
>>>>>> "Currently there is no standard protocol (like SIP or RTSP) designed for
>>>>>> ingesting media in a streaming service, and content providers still rely
>>>>>> heavily on protocols like RTMP for it."
>>>>>>
>>>>>> Why do content providers rely on RTMP and possibly more
>>>>>> interestingly, why do publishers/broadcasters/end-users love RTMP?
>>>>>>
>>>>>> It is dead simple.
>>>>>>
>>>>>> If our goal is to replace RTMP, I think we need to allow clients to
>>>>>> be as dead simple as RTMP is today. In order to do this, we must allow
>>>>>> clients to ship with support for only path based authentication as in RTMP.
>>>>>> This will require a minimal amount of UI/UX changes and speed time to
>>>>>> support in many broadcasting software/appliances.
>>>>>>
>>>>>> As for MAY support beyond that, I'd look at how custom RTMP is
>>>>>> configured in OBS. To that end, it only supports authentication via basic
>>>>>> auth. I imagine adding support for bearer authentication that's only
>>>>>> supported for WHIP in OBS adds complexity to that client. I imagine this
>>>>>> additional burden would not be uncommon across the space of existing
>>>>>> broadcasting software/appliances. As for one more example, I have seen
>>>>>> approximately 0 ffmpeg example commands outputting with bearer
>>>>>> authentication.
>>>>>>
>>>>>> [image: Screenshot from 2021-09-13 10-16-54.png]
>>>>>>
>>>>>>
>>>>>> On Mon, Sep 13, 2021 at 9:30 AM Sergio Garcia Murillo <
>>>>>> sergio.garcia.murillo@gmail.com> wrote:
>>>>>>
>>>>>>> I disagree with the approach.
>>>>>>>
>>>>>>> IMHO, using username/password authentication in http rest apis is
>>>>>>> insecure as it forces the user to store it's password into several "low
>>>>>>> security" applications and most service providers have deprecated it in
>>>>>>> favor of a token based authentication.
>>>>>>>
>>>>>>> My proposal would be that it is a MUST for clients to support
>>>>>>> authentication via the bearer token and it would be optional for the server
>>>>>>> to implement it or not. In case the user does not provision the token on
>>>>>>> the whip client, an unauthenticated request would be sent to the server.
>>>>>>>
>>>>>>> Best regards
>>>>>>> Sergio
>>>>>>>
>>>>>>> El lun, 13 sept 2021 a las 18:14, Juliusz Chroboczek (<jch@irif.fr>)
>>>>>>> escribió:
>>>>>>>
>>>>>>>> > I understand the motivation, but this doesn't get us to
>>>>>>>> > interoperability. We need a baseline, mandatory-to-implement
>>>>>>>> > authentication method for both client and server; otherwise,
>>>>>>>> we'll end up
>>>>>>>> > in a situation where your client implements mechanism A, my
>>>>>>>> network
>>>>>>>> > implements mechanism B, and your users can't use my network.
>>>>>>>>
>>>>>>>> Yes, and that is why I suggested HTTP Basic instead of bearer token.
>>>>>>>>
>>>>>>>> Most servers today implement authentication using a
>>>>>>>> username/password
>>>>>>>> pair.  While this is certainly not the most secure solution, it is
>>>>>>>> well
>>>>>>>> understood by users, and is therefore likely to remain the main
>>>>>>>> mode of
>>>>>>>> authentication for the foreseeable future.
>>>>>>>>
>>>>>>>> With HTTP Basic, it is perfectly clear how to map a
>>>>>>>> username/password pair
>>>>>>>> to the protocol.  With bearer token, the client and the server need
>>>>>>>> to
>>>>>>>> both agree on how to map the username/password pair to a token, and
>>>>>>>> I expect different implementations to use different mappings, with
>>>>>>>> all the
>>>>>>>> fun that this entails.
>>>>>>>>
>>>>>>>> So I suggest that for clients:
>>>>>>>>
>>>>>>>>   - support for unauthenticated WISH over HTTPS is MUST;
>>>>>>>>   - support for HTTP Basic over HTTPS is MUST;
>>>>>>>>   - other authentication methods is MAY.
>>>>>>>>
>>>>>>>> If that is not what Sergio has in mind, then the draft needs to
>>>>>>>> mandate an
>>>>>>>> unambiguous and deterministic way of mapping a username/password
>>>>>>>> pair to
>>>>>>>> an authentication method.
>>>>>>>>
>>>>>>>> -- Juliusz
>>>>>>>>
>>>>>>> --
>> Wish mailing list
>> Wish@ietf.org
>> https://www.ietf.org/mailman/listinfo/wish
>>
>

v2.8.7 | Report a Bug | By Email