Custom RTMP authentication on a per stream basis

I read the documentation on RTMP authentication. It seems like you can only get this to work by supplying a password for a specific username.

What I want to do:

  • Let users supply a username and password in FMLE for streaming

  • Only allow streaming to a specific stream name

  • Validate the supplied credentials against an external source (REST API)

Is it possible to have access to the supplied username and password later on in the application? So that I can validate that a user is allowed to stream a specific stream name? Because then I could use a two-step authentication scheme:

Step 1) Validate if credentials are valid

Step 2) When the user tries to stream, validate if the supplied credentials are valid for the specified stream name.

Is this possible or should I stick with my current URL Query parameters approach?

You can use WMSProperties in the onConnect handler to attach credentials to the IClient object that you can look at later in a publish (or play) override or in IMediaStreamActionNotify3.onPublish() or .onPlay().

// store a value on the client, e.g. in onConnect
client.getProperties().setProperty("username", "richard");

// read it back later, e.g. in publish or onPublish
String username = client.getProperties().getPropertyStr("username");

This article shows how to extend ModuleRTMPAuthenticate so you can validate against an external database or other authentication services.

Richard

But how do I get access to the username and password if it’s supplied via RTMP authentication?

The article I linked to above is what we have to do that.

It doesn’t actually return the password, just the username. You then look up that user in your database and return the password.

Richard

I’m not sure what you mean at this point. At top you had credentials in a querystring, which you can grab in onConnect and add to the client instance with WMSProperties, and look at anytime later.

With AuthenticateUsernamePasswordProviderBase you can get the username supplied by the encoder and look up the password. In that case the username and password are sent to Wowza with digest authentication, not in the RTMP connection.

Richard

This is how to do it:

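public String getPassword(String username)
	{
		// return password for given username
		String pwd = null;
		// lookup pwd in external authentication system

		// keep the values on the client so later handlers (e.g. publish) can read them
		IClient client = this.getClient();

		client.getProperties().setProperty("username", username);
		client.getProperties().setProperty("pwd", pwd);

		// the method is declared to return String, so return the looked-up password
		return pwd;
	}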

Richard
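
The per-stream check asked about in this thread, as an added example that is not part of the original posts and is not Wowza's own code: a publish override that reads the "username" property stored by the getPassword snippet above and rejects the publish when that user is not mapped to the requested stream name. It assumes the Wowza SDK is on the classpath; the class name ModulePerStreamPublishAuth, the ALLOWED map (constructed sample data standing in for the REST lookup) and the isAllowed helper are hypothetical.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import com.wowza.wms.amf.AMFDataList;
import com.wowza.wms.client.IClient;
import com.wowza.wms.module.ModuleBase;
import com.wowza.wms.request.RequestFunction;

// Hypothetical module name; it must be added to the application's module list.
public class ModulePerStreamPublishAuth extends ModuleBase
{
	// Constructed sample data standing in for the external REST lookup.
	private static final Map<String, List<String>> ALLOWED = new HashMap<String, List<String>>();
	static
	{
		ALLOWED.put("richard", Arrays.asList("richard-live"));
		ALLOWED.put("alice", Arrays.asList("alice-live", "alice-backup"));
	}

	// Hypothetical helper: fails closed when a value is missing or unknown.
	static boolean isAllowed(String username, String streamName)
	{
		if (username == null || streamName == null)
			return false;
		// Assumption: ignore any query string the encoder appends to the name.
		int q = streamName.indexOf('?');
		String name = (q >= 0) ? streamName.substring(0, q) : streamName;
		List<String> streams = ALLOWED.get(username);
		return streams != null && streams.contains(name);
	}

	// Override of the RTMP publish command, called when the encoder starts publishing.
	public void publish(IClient client, RequestFunction function, AMFDataList params)
	{
		String streamName = getParamString(params, PARAM1);
		// Stored on the client earlier, during authentication (see getPassword above).
		String username = client.getProperties().getPropertyStr("username");

		if (!isAllowed(username, streamName))
		{
			sendClientOnStatusError(client, "NetStream.Publish.Denied", "Not authorized for this stream");
			client.setShutdownClient(true);
			return;
		}
		invokePrevious(client, function, params); // authorized: continue default handling
	}
}
```

A client that connects without authenticating has no "username" property, so isAllowed receives null and the publish is denied.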

Not sure what you mean exactly, but RTMP Authentication uses digest, which is not clear text.

Richard

I read that article and know how to store variables on a client object. But I don’t think that will solve my problem.

But how do I get access to the username and password if it’s supplied via RTMP authentication?

Because as far as I can see you don’t have access to the client object in the ModuleRTMPAuthenticate (at least not in the right methods)? And I don’t know how to access this information in the onConnect method.

I have this working already with URL parameters. I just want to know if I can access the supplied username and password somewhere else in the application when they are supplied via RTMP authentication and not via URL parameters.

But how do I store the username in the client object if I don’t have access to the client object in the getPassword method?

And I still think it’s a strange implementation. For this you need the passwords as plain text; it’s very bad practice to store passwords as plain text.

So there is basically no way to do a more sophisticated integration with RTMP authentication because you can’t access the supplied credentials later on? So you can’t do a per publish stream authentication with RTMP, only with query params?

Thank you, that I can use.

Is there no way to use RTMP authentication with encrypted passwords? In a lot of use cases the plain text password is not available.

I mean that most external authentication mechanisms do not have clear text passwords available to return. They can only validate if a password is valid or not.

Would be useful to implement this in a way that you can verify both the username and password and just return true or false.

Meinaart,

  • The point of digest authentication is to not send a clear password through unsecured networks. So, there is no way to retrieve the password with the digest method. At all )) It is not a Wowza issue.

  • FMLE natively supports digest auth only, afaik.

The only alternative is, yes, to specify auth credentials in a query string. Of course, it would be safer to use an encrypted connection like RTMPS, RTMPE.