Thanks for the comments. Think a new module auth_jwt is a better way. Will take a closer look at auth_ephemeral. The two IETF draft I was looking at are http://www.ietf.org/id/draft-ietf-oauth-json-web-token-32.txt <http://www.ietf.org/id/draft-ietf-oauth-json-web-token-32.txt> and http://www.ietf.org/id/draft-ietf-jose-json-web-signature-40.txt <http://www.ietf.org/id/draft-ietf-jose-json-web-signature-40.txt>. OAuth 2.0 is a nice framework to handle auth and issue web tokens. But maybe the first step is to use configured public keys to verify the token and then use info from the token to validate SIP messages. Another thing is that it seems we need a new SIP header to send the JWT token. Cannot find an existing header that is suitable for JWT.
—
Reply to this email directly or view it on GitHub.