Feature: External authentication/authorization check #423
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #423 +/- ##
==========================================
- Coverage 40.72% 40.56% -0.17%
==========================================
Files 154 154
Lines 16644 16710 +66
==========================================
Hits 6778 6778
- Misses 9866 9932 +66 ☔ View full report in Codecov by Sentry. |
|
Nice Job 👍. One question regarding url, can't we use domain with path? Example: http://example.com/auth/webrtc-verify or similar? |
|
@luongngocminh I think there might be some confusion with hard-coded URL rules. Perhaps we should use a direct endpoint and include the information in the body. As we discussed with @jibon57, it's more flexible to embed the check endpoint inside the token. |
|
@jibon57 @giangndm my idea is to have a way to separate the checking logic for each concerns (in case we want to fine grain the permissions: create, patch, delete, etc. ) without branching in the target API logic. If I use a single webrtc verify API with body as the parameter, the handler logic of that API will need to be branch (using if or switch case) for each of the case. |
|
@luongngocminh setting up a fixed url is totally fine. I'm just concerned the url pattern. Do we have to use only domain name without any path? Or path is allowed with domain? Because in your example you used a domain name only. |
You can use any path as base, it's fine, the server will send a GET request to |
|
@luongngocminh thanks. Yes, that was my concern. |
|
@luongngocminh @jibon57 I think we shouldn't use different endpoints. Instead, we should post to the configured endpoint, allowing users to flexibly embed more information within the hook URI parameters. This also enables us to have the same mechanism when allowing custom hook URIs per token. |
Pull Request
Description
To keep the server functionalities as simple and compact as possible, currently only JWT verification is used to allow users access to a room. But due to the requirements of modern video conferencing applications, further authentication functionalities are needed (Room participant controls like kicking, banning, ...).
This PR is designed to keep the authen/author out of scope of the server core functions. Developer can now extends the authentication functions by providing a sort of "guard" API HTTP base endpoint.
These "guard" are placed in-front of the authenticated SDK APIs:
/whip/create/whep/create/webrtc/connect/webrtc/ice-restartThe guard API endpoint should contain all of these APIs when
--ext-auth-uriis provided for the server. The guard only check for success status from this API for the guard to be passed, if the API failed in any other way, the guard will return UNAUTHORIZED.Changes
--ext-auth-uri Option<String>. For example:http://example.com(without the backslash at the end of the string)Related Issue
#378
Checklist