RFC 7635 - Extension for Third-Party Authorization

[adrianosela]

Summary

Today, those who deploy pion/turn servers are limited to authenticating users with a long-lived username and password. RFC 7635 describes how OAuth 2.0 can be used to authenticate clients with short lived tokens.

This issue tracks implementing RFC 7635.

Note: This issue does not track support JWT tokens, OIDC, or anything not described by just RFC 7635 (but those things would be nice to build after this is in place).

Motivation

TL;DR; Short lived credentials - nuff said. Not having support for short-lived credentials will deter many folks from using pion/turn in favour of something that does.

[rg0now]

This comes up often, with the standard response that JWTs have been removed from ICE and there is no browser support. Is that still true?

Stupid idea: can we somehow squeeze the JWT into the USERNAME attribute? We have a full 512 bytes and a limited Unicode charset to exploit here. This would need no browser support.

[Raraku]

This would be really cool.

Currently though, there is support for ephemeral credentials; that align with the proposed RFC 8489.
The timestamp:username format along with the HMAC key as a password also works with sip servers like Kamailio.

The code is here:

turn/lt_cred.go

Line 28 in 8f349cf

func GenerateLongTermTURNRESTCredentials(sharedSecret string, user string, duration time.Duration) (

I personally switched out sha1 for sha256

[adrianosela]

This comes up often, with the standard response that JWTs have been removed from ICE and there is no browser support. Is that still true?

My opinion is that we should still implement it, even if not helpful for WebRTC use cases. There are plenty other use cases for pion/turn e.g. VPNs, any p2p communication scheme.

Stupid idea: can we somehow squeeze the JWT into the USERNAME attribute? We have a full 512 bytes and a limited Unicode charset to exploit here. This would need no browser support.

Its a great idea! but JWTs have arbitrary claims and thus arbitrary lengths. 512 might be enough for some but not all users.

[adrianosela]

This would be really cool.

Currently though, there is support for ephemeral credentials; that align with the proposed RFC 8489. The timestamp:username format along with the HMAC key as a password also works with sip servers like Kamailio.

The code is here:

turn/lt_cred.go

Line 28 in 8f349cf

func GenerateLongTermTURNRESTCredentials(sharedSecret string, user string, duration time.Duration) (

I personally switched out sha1 for sha256

Thanks for pointing this out. This is better than static username and password in that the secret is not being sent over the wire. But the secret is still a long-lived credential.