Add config option to bypass authserver for reading streams and only do requests for publishing. #2205
Comments
|
Hello, this idea will be surely taken into consideration, but i think that the best solution to the external authentication problem is to add support for JWT authentication, that requires a single interaction between each user and an authentication server, without further contacts. This is being tracked here: #1992 |
|
A cookie that will allow authentication to stay valid is surely a good idea, but as for my request it isn't really changing anything. I do not want to even hit the auth server once and be able to play the stream even if the auth server is unavailable. |
|
I have a variant of this issue: I use a "secret token" passed as query parameter for simple authentication, plus an external authentication server. It works well for WebRTC (it does a couple requests and passes the query string in both) but not for HLS (it passes the query string to open the page, but not to request .m3u8 and segments). If some sort of ID was passed to the authentication server to correlate the first and next requests it would suffice to make it secure. (Here, I added a workaround where all HLS requests are accepted inside a time window, once a request with token has been authenticated. Not very secure, but it is just a home camera, and we don't use HLS unless WebRTC fails, which is rare.) |
This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication).
|
This issue is mentioned in release v1.6.0 🚀 |
|
This issue is being locked automatically because it has been closed for more than 6 months. |
Describe the feature
I'd love to see a config option that that allows skipping the auth server for read requests.
I've recently switched to using a auth server for publishing requests, and would love if i can have a SkipAuthForRead=true setting to bypass auth requests for viewing and only auth for publishing requests.
This will also mean that even if the auth server is unreachable, times out, or has a super high latency, as long as the stream is already publishing, the viewing end will not be affected. (This especially benefits HLS)
I noticed that with HLS every single hls segment means a new auth request, causing a load of unnessesary requests for each individual viewer on the auth server.
(Hunreds of requests per minute per viewer, which just spams my simple auth server with tons of unnesseary requests.)
And if the auth server has a high latency or even timeouts, this can also unnessearily affect viewing stabillity / freeze the stream despite the publishing continuing uninterrupted.
I hope a bypass for read can be implemented.
Regards FPaul
(Note: This request is not focussing on the specifc HLS behaviour, i want to skip any auth for reading reagardless of HLS/RTMP/RTSP/SRT/WebRTC to remove any external dependency for just viewing.)
The text was updated successfully, but these errors were encountered: