I have been considering this for some time.
I think there should be a new auth_jwt module, probably based on auth_ephemeral (which is similar in concept). For SIP over WebSockets this can then be used to authenticate the client during the WebSocket handshake.
There should be a “Private Claim Name” defined to contain the identity of the calling/registering party. This can be cached during the WebSocket handshake and then used to validate the To-URI (REGISTER/PUBLISH) and From-URI (other requests without To-tags). The “Expiration Time Claim” should be cached too.
auth_jwt should contain helper functions for checking URIs and whether the token is still valid - similar to those in auth_ephemeral.
Regards,
Peter
— Peter Dunkley http://www.dunkley.me.uk/ http://www.linkedin.com/in/pdunkley
On 13 Jan 2015, at 20:59, kamailio-sync notifications@github.com wrote:
On 12 Jan 2015, at 21:34, mading087 notifications@github.com wrote:
It seems a good idea to support JWT as a new SIP authorization method. Wonder if anyone is interested? Think auth_db would be the best spot to add support for JWT.
Please check the work that is ongoing with OAuth - there is an IETF draft on that.
/O
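The flow proposed in the first message of this thread (verify the token once at the WebSocket handshake, cache the identity claim and the expiration time, then check the To-URI or From-URI of each request), sketched as an added example that is not code from the thread or from Kamailio. The claim name `sip_id`, the `user@host` claim format, the HS256 shared key and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

CLAIM = "sip_id"  # hypothetical private claim name holding "user@host"

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _sign(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(key, claims, alg="HS256"):
    """Build a constructed token for the demo (always HMAC-SHA256 signed)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_sign(key, head, body))}"

def handshake(key, token, now):
    """Verify the token once at the WebSocket handshake; return the cache or None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        if not hmac.compare_digest(_sign(key, head, body), _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        ident, exp = claims[CLAIM], claims["exp"]
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if not isinstance(ident, str) or type(exp) not in (int, float) or now >= exp:
        return None
    return {"identity": ident, "exp": exp}  # cached per connection

def _aor(uri):
    """Reduce 'sip:user@Host;params' to 'user@host'; None if not a SIP URI."""
    scheme, _, rest = uri.strip("<> ").partition(":")
    if scheme.lower() not in ("sip", "sips"):
        return None
    user, _, host = rest.split(";")[0].split("?")[0].partition("@")
    return f"{user}@{host.lower()}"

def check_request(cache, method, from_uri, to_uri, to_tag, now):
    """Apply the cached identity and expiry to one SIP request."""
    if cache is None or now >= cache["exp"]:
        return False
    if method in ("REGISTER", "PUBLISH"):
        return _aor(to_uri) == cache["identity"]
    if to_tag is None:
        return _aor(from_uri) == cache["identity"]
    return True  # assumption: requests with a To-tag only need an unexpired token
```

Re-checking the cached expiry on every request matters because a WebSocket connection can outlive the token that authenticated it.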