API, metrics, pprof: JWT Auth only works with jwt in Query not in Header #3630

Closed
izanbard opened this issue Aug 7, 2024 · 1 comment · Fixed by #3795
Labels
bug Something isn't working general

Comments

izanbard commented Aug 7, 2024

Which version are you using?

v1.8.5

Which operating system are you using?

  • Linux amd64 standard
  • Linux amd64 Docker
  • Linux arm64 standard
  • Linux arm64 Docker
  • Linux arm7 standard
  • Linux arm7 Docker
  • Linux arm6 standard
  • Linux arm6 Docker
  • Windows amd64 standard
  • Windows amd64 Docker (WSL backend)
  • macOS amd64 standard
  • macOS amd64 Docker
  • Other (please describe)

Describe the issue

When accessing the API while using JWT auth, the API only recognises the JWT if it is in the query string, whereas the more normal method of delivering the token, in the Authorization header, is ignored and a 401 is issued. Although I have not tested it, I suspect this is also true of METRICS, PLAYBACK and PPROF.

Describe how to replicate the issue

  1. Conf: set api to yes
  2. Conf: set authMethod to jwt
  3. Follow instructions in README.md to set up keycloak.
  4. Conf: set authJWTJWKS to url for keycloak server
  5. Start the MediaMTX server
  6. Get valid JWT from keycloak
  7. Using your favourite API access tool (have tested with Postman and curl) access the API with Authorization header set, e.g.
     curl -v -H "Authorization: Bearer <<YOUR_JWT>>" http://localhost:9997/v3/config/global/get
  8. Get 401
  9. Using your favourite API access tool (have tested with Postman and curl) access the API with jwt query param set, e.g.
     curl -v http://localhost:9997/v3/config/global/get?jwt=<<YOUR_JWT>>
  10. Get 200

Did you attach the server logs?

no

Did you attach a network dump?

no

Comments

I think this problem is already solved for HLS and WebRTC connection. The same strategy could be used here.

On line 162 of internal/servers/hls/http_server.go a function scrapes the Authorization header and adds it to the request query, ready for the JWT auth routine to process.

q := ctx.Request.URL.RawQuery
if h := ctx.Request.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
	q = addJWTFromAuthorization(q, h)
}

The function addJWTFromAuthorization is defined in the same file at line 40.

Similar code exists in internal/servers/webrtc/http_server.go at lines 126 and 206. And again the addJWTFromAuthorization function is defined in that file as a copy/paste.

I would suggest that the function addJWTFromAuthorization is centralised, then code similar to the above added to internal/api/api.go, probably in the function middlewareAuth around line 267.

I have not tested it, but suspect similar is required in internal/metric/metrics.go in the function onRequest near line 124; internal/pprof/pprof.go in the function onRequest near line 96; and in internal/playback/server.go in the function doAuth near line 125.
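
The header-to-query strategy described above, written out as an added example (not MediaMTX's own code): a centralised addJWTFromAuthorization that copies a Bearer token into the "jwt" query parameter, a request helper that reads the token header-first, and a wrapper that answers 401 when the token is missing or rejected. The validate callback stands in for the JWKS check and is an assumption of this example.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

const bearerPrefix = "Bearer "

// addJWTFromAuthorization copies a Bearer token from the Authorization header
// value into the raw query string as a "jwt" parameter, so that an auth routine
// that only inspects the query string can find it. A token already present in
// the query wins; a non-Bearer header leaves the query untouched.
func addJWTFromAuthorization(rawQuery, authHeader string) string {
	if !strings.HasPrefix(authHeader, bearerPrefix) {
		return rawQuery
	}
	token := strings.TrimSpace(strings.TrimPrefix(authHeader, bearerPrefix))
	if token == "" {
		return rawQuery
	}
	v, _ := url.ParseQuery(rawQuery) // on a malformed query, keep what parsed
	if v.Get("jwt") != "" {
		return rawQuery
	}
	v.Set("jwt", token)
	return v.Encode()
}

// jwtFromRequest merges the Authorization header into the query and then reads
// the "jwt" parameter, the only place the query-only auth path looked.
func jwtFromRequest(r *http.Request) string {
	q := addJWTFromAuthorization(r.URL.RawQuery, r.Header.Get("Authorization"))
	v, _ := url.ParseQuery(q)
	return v.Get("jwt")
}

// requireJWT wraps a handler and answers 401 unless validate (an assumed
// stand-in for JWKS verification) accepts the token found by jwtFromRequest.
func requireJWT(validate func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if tok := jwtFromRequest(r); tok == "" || !validate(tok) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```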

@aler9 aler9 added bug Something isn't working general labels Sep 22, 2024
@aler9 aler9 changed the title API: JWT Auth only works with jwt in Query not in Header API, metrics, pprof: JWT Auth only works with jwt in Query not in Header Sep 22, 2024

github-actions bot commented Oct 7, 2024

This issue is mentioned in release v1.9.2 🚀