-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature: External authentication/authorization check #423
base: master
Are you sure you want to change the base?
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #423 +/- ##
==========================================
- Coverage 40.72% 40.56% -0.17%
==========================================
Files 154 154
Lines 16644 16710 +66
==========================================
Hits 6778 6778
- Misses 9866 9932 +66 ☔ View full report in Codecov by Sentry. |
Nice Job 👍. One question regarding url, can't we use domain with path? Example: http://example.com/auth/webrtc-verify or similar? |
@luongngocminh I think there might be some confusion with hard-coded URL rules. Perhaps we should use a direct endpoint and include the information in the body. As we discussed with @jibon57, it's more flexible to embed the check endpoint inside the token. |
@jibon57 @giangndm my idea is to have a way to separate the checking logic for each concerns (in case we want to fine grain the permissions: create, patch, delete, etc. ) without branching in the target API logic. If I use a single webrtc verify API with body as the parameter, the handler logic of that API will need to be branch (using if or switch case) for each of the case. |
@luongngocminh setting up a fixed url is totally fine. I'm just concerned the url pattern. Do we have to use only domain name without any path? Or path is allowed with domain? Because in your example you used a domain name only. |
You can use any path as base, it's fine, the server will send a GET request to |
@luongngocminh thanks. Yes, that was my concern. |
@luongngocminh @jibon57 I think we shouldn't use different endpoints. Instead, we should post to the configured endpoint, allowing users to flexibly embed more information within the hook URI parameters. This also enables us to have the same mechanism when allowing custom hook URIs per token. |
Pull Request
Description
To keep the server functionalities as simple and compact as possible, currently only JWT verification is used to allow users access to a room. But due to the requirements of modern video conferencing applications, further authentication functionalities are needed (Room participant controls like kicking, banning, ...).
This PR is designed to keep the authen/author out of scope of the server core functions. Developer can now extends the authentication functions by providing a sort of "guard" API HTTP base endpoint.
These "guard" are placed in-front of the authenticated SDK APIs:
/whip/create
/whep/create
/webrtc/connect
/webrtc/ice-restart
The guard API endpoint should contain all of these APIs when
--ext-auth-uri
is provided for the server. The guard only check for success status from this API for the guard to be passed, if the API failed in any other way, the guard will return UNAUTHORIZED.Changes
--ext-auth-uri Option<String>
. For example:http://example.com
(without the backslash at the end of the string)Related Issue
#378
Checklist