Configure the JWT Claim Key for holding MediaMTX Permissions #3560
Conversation
This change adds functionality to be able to choose the JWT clim key that is used to store the mediamtx_permissions. This is useful if you do not have unlimited access to your IdP and there is a policy that your JWT extension claims should be of a specific format - I am looking at you, Azure B2C.
…diamtx into rekey-jwt-claim
fixing a linting issue
|
@aler9 The test above that has failed is nowhere near the code I have written; passes on my system and is similar to a fail you had yesterday that went away on retry. Please rerun the check. |
…diamtx into rekey-jwt-claim
|
@aler9 thank you |
There was a problem hiding this comment.
Hello, this feature is useful but you need to perform a couple of changes in order to get the patch merged:
- the permission parsing logic is vulnerable to multiple crashes. In my opinion you should rewrite it entirely by using something like
type customClaims map[string]json.RawMessage
var cc customClaims
_, err = jwt.ParseWithClaims(v["jwt"][0], &cc, keyfunc)
...
rawClaim, ok := cc[m.JWTClaimKey]
if !ok {
return fmt.Errorf(...)
}
var claim []conf.AuthInternalUserPermission
err := json.Unmarshal(rawClaim, &claim)
if err != nil {
return err
}
// finally you can use the claim- you need to add the new key to
apidocs/openapi.yamltoo
updating to catch panics
extending and correcting the openapi schema
…diamtx into rekey-jwt-claim # Conflicts: # apidocs/openapi.yaml
|
@aler9 I have made some changes to the code to protect against I have stuck with |
…diamtx into rekey-jwt-claim
|
i found a way to implement this feature that is slightly more efficient, since it avoids calling |
|
This issue is mentioned in release v1.9.0 🚀 |
Why is this change needed?
I offer this change as when using Azure B2C the policy for naming custom JWT claims is to prefix with
extension_<<app_id>>_. With MediaMTX having a fixed JWT ofmediamtx_permissionsit meant that I could not use Azure B2C as my IdP.This will be the case for many people who need to secure video streams using JWTs.
What has been done?
The main changes are in
manager.go:268-283andconf.go:568-573.manager.go: I have intercepted the automagic un-marshalling of the JWT in tocustomClaimsobject and done it manually instead. This means that the key used to search the claim for themediamtx_permissionscan be set at runtime rather than at compile time.conf.go: in addition to setting the default for the new config key (authJWTClaimKey) to bemediamtx_permissionsfor backward compatibility, I have also added some validation to ensure the claim key is not blank and that it only has valid JWT chars in it[a-zA-Z0-9-_].I have updated unit tests and made simple changes to the
README.mdand defaultmediamtx.ymlfiles.