Configure the JWT Claim Key for holding MediaMTX Permissions #3560
This change adds functionality to be able to choose the JWT claim key that is used to store the mediamtx_permissions. This is useful if you do not have unlimited access to your IdP and there is a policy that your JWT extension claims should be of a specific format - I am looking at you, Azure B2C.
…diamtx into rekey-jwt-claim
fixing a linting issue
@aler9 The test above that has failed is nowhere near the code I have written; passes on my system and is similar to a fail you had yesterday that went away on retry. Please rerun the check.
…diamtx into rekey-jwt-claim
@aler9 thank you
Hello, this feature is useful but you need to perform a couple of changes in order to get the patch merged:
- the permission parsing logic is vulnerable to multiple crashes. In my opinion you should rewrite it entirely by using something like

```go
// customClaims keeps every claim as raw JSON, so the permission claim is decoded
// only after it has been looked up by its configured key (the type must also
// satisfy the jwt.Claims interface of the JWT library version in use).
type customClaims map[string]json.RawMessage

var cc customClaims
_, err = jwt.ParseWithClaims(v["jwt"][0], &cc, keyfunc)
...
// look up the claim by the configurable key; a missing claim is an error, not a panic
rawClaim, ok := cc[m.JWTClaimKey]
if !ok {
	return fmt.Errorf(...)
}
// decode only that claim into the permission slice; a wrongly typed claim is an error
var claim []conf.AuthInternalUserPermission
err = json.Unmarshal(rawClaim, &claim)
if err != nil {
	return err
}
// finally you can use the claim
```

- you need to add the new key to `apidocs/openapi.yaml` too
updating to catch panics
extending and correcting the openapi schema
…diamtx into rekey-jwt-claim # Conflicts: # apidocs/openapi.yaml
@aler9 I have made some changes to the code to protect against I have stuck with
…diamtx into rekey-jwt-claim
I found a way to implement this feature that is slightly more efficient, since it avoids calling
This issue is mentioned in release v1.9.0 🚀
Why is this change needed?
I offer this change as when using Azure B2C the policy for naming custom JWT claims is to prefix with `extension_<<app_id>>_`. With MediaMTX having a fixed JWT of `mediamtx_permissions` it meant that I could not use Azure B2C as my IdP. This will be the case for many people who need to secure video streams using JWTs.
What has been done?
The main changes are in `manager.go:268-283` and `conf.go:568-573`.

`manager.go`: I have intercepted the automagic un-marshalling of the JWT into the `customClaims` object and done it manually instead. This means that the key used to search the claim for the `mediamtx_permissions` can be set at runtime rather than at compile time.

`conf.go`: in addition to setting the default for the new config key (`authJWTClaimKey`) to be `mediamtx_permissions` for backward compatibility, I have also added some validation to ensure the claim key is not blank and that it only has valid JWT chars in it (`[a-zA-Z0-9-_]`).

I have updated unit tests and made simple changes to the `README.md` and default `mediamtx.yml` files.
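As an added Go example (not MediaMTX's own code), this combines the raw-claim lookup aler9 suggests in review with the runtime-configurable claim key and key validation described in the PR body. It assumes the token's signature has already been verified by the JWT library and shows only the claim extraction; `permissionsFromJWT`, the `permission` field names and the sample token built in `main` are assumptions constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// permission mirrors a MediaMTX permission entry (field names assumed for this example).
type permission struct {
	Action string `json:"action"`
	Path   string `json:"path"`
}
// claimKeyRe enforces the PR's claim-key rule: non-blank, [a-zA-Z0-9-_] only.
var claimKeyRe = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)

// permissionsFromJWT decodes an already signature-verified token's payload into
// map[string]json.RawMessage and unmarshals only claimKey: missing or wrongly typed claims are errors, not panics.
func permissionsFromJWT(token, claimKey string) ([]permission, error) {
	if !claimKeyRe.MatchString(claimKey) {
		return nil, fmt.Errorf("invalid JWT claim key %q", claimKey)
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decoding JWT payload: %w", err)
	}
	var cc map[string]json.RawMessage
	if err := json.Unmarshal(payload, &cc); err != nil {
		return nil, fmt.Errorf("decoding JWT claims: %w", err)
	}
	rawClaim, ok := cc[claimKey]
	if !ok {
		return nil, fmt.Errorf("JWT claim %q not found", claimKey)
	}
	var perms []permission
	if err := json.Unmarshal(rawClaim, &perms); err != nil {
		return nil, fmt.Errorf("JWT claim %q is not a permission list: %w", claimKey, err)
	}
	return perms, nil
}

func main() {
	payload := base64.RawURLEncoding.EncodeToString([]byte(`{"extension_APPID_mediamtx_permissions":[{"action":"read","path":"cam1"}]}`)) // constructed sample; APPID is a placeholder
	fmt.Println(permissionsFromJWT("hdr."+payload+".sig", "extension_APPID_mediamtx_permissions"))
}
```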