Hi all!
I need to integrate a REST Service with Kamailio. Integration is easy, not a problem, but my concern is that the REST Service has a JWT token authentication required for each request, common to many (if not all) REST Services. So, it is required to POST for authentication (username and password) and once I get authentication done, and receive a JWT token, I will need to use this token in all other requests to the REST Service. The token is valid for 24h. My question is:
- how to save the token for use during 24h, on all calls/sessions, without the need to authenticate on every call?
- how to detect the token has expired and re-authenticate?
I looked for some modules, but could not find any that suited me. I am thinking of executing a Python script for this, but concerned about latency and PDD.... Any thoughts? Any suggestions? Any known best-practice?
Atenciosamente / Kind Regards / Cordialement / Un saludo,
*Sérgio Charrua*
The `htable` module can potentially assist with both tasks. You can use it to save the token, and also set an expiration time of 24 hours. It's kind of like Redis, but inside Kamailio.
Of course, expiring the token after 24 hours is not the same thing as detecting that it has expired.
-- Alex
Have you considered an in-between service (such as a go/python/node api listener) to handle the authentication / token issuance part?
In theory I assume you could use the JWT and other modules to help do what you are looking for, but you’re really hacking kamailio to be an http api server at that point and although it may be able to do it quite well, it’s really not the first candidate I’d choose for the job.
Regards,
Fred Posner https://fredoso.com
On Aug 27, 2024, at 7:54 AM, Fred Posner via sr-users sr-users@lists.kamailio.org wrote:
> In theory I assume you could use the JWT and other modules to help do what you are looking for, but you’re really hacking kamailio to be an http api server at that point and although it may be able to do it quite well, it’s really not the first candidate I’d choose for the job.
I assumed from the OP that this wasn't on the table ipso facto. If it is, I definitely agree that this is a better way to go.
Thanks Fred!
> ... but you’re really hacking kamailio to be an http api server...
Actually it will be a HTTP Client...kamailio will send requests to an HTTPS REST Service that requires authentication, returning a JWT token if authentication is OK. Then, with the Token, Kamailio will make another HTTPS Request to another endpoint of the REST Service to do some voodoo.... My issue is on how to handle, on Kamailio, the authentication JWT token returned from the REST Service.
I did consider having a Python script handling HTTP requests...might be the best solution, as it is (or seems to be....) more flexible in the long term....
Atenciosamente / Kind Regards / Cordialement / Un saludo,
*Sérgio Charrua*
On Tue, Aug 27, 2024 at 1:08 PM Fred Posner via sr-users < sr-users@lists.kamailio.org> wrote:
Hello,
I haven’t looked into the details, but the Kamailio jwt module has a verify function (https://www.kamailio.org/docs/modules/stable/modules/jwt.html).
Regarding storage, you can easily store them in a DB table with sqlops, or in htable in memory with automatic 24h expiry, just two options. The DB could be used from multiple Kamailio servers, htable would be individual per server.
Cheers,
Henning
-- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com/
From: Sergio Charrua via sr-users sr-users@lists.kamailio.org
Sent: Tuesday, 27 August 2024 12:58
To: Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org
Cc: Sergio Charrua sergio.charrua@voip.pt
Subject: [SR-Users] Kamailio integration with REST services
Thanks Henning,
I did take a look at the JWT module, prior to posting to the ML, but it seems to me that it requires a private key (.pem) which I won't have access to, hence the only way to authenticate is to send a HTTPS request to a URL with the login and password in it.... Or am I missing something?
The DB Table might be a good option, though the high amount of CPS might overload the database, so I will try the HTable option instead.
Atenciosamente / Kind Regards / Cordialement / Un saludo,
*Sérgio Charrua*
On Tue, Aug 27, 2024 at 12:57 PM Henning Westerholt hw@gilawa.com wrote:
On Aug 27, 2024, at 7:57 AM, Henning Westerholt via sr-users sr-users@lists.kamailio.org wrote:
> htable would be individual per server.
It's worth pointing out that htable can be replicated via DMQ.
This might seem like needless pedantry, but I've used this to successful effect in a number of places to remove dependency on external storage mechanisms.
-- Alex
Hi Alex,
you are right of course, DMQ can be used to synchronize htable content. Not sure I would use it personally for security tokens in this special case, due to the lack of synchronisation, integrity protections and encryption (the two latter parts can of course be mitigated by using TLS).
Cheers,
Henning
Hi,
You can use a $shv() variable to store the key. To track it you can use rtimer or just don't track it at all, but just renew at 403. There are other ways though, these are what I use.
Tue, 27 Aug 2024 at 14:25, Sergio Charrua via sr-users <sr-users@lists.kamailio.org>:
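
An added example, not code from any poster in this thread: the token handling discussed above (cache the JWT, detect expiry, renew on rejection), in Python as for the helper script or in-between service that was suggested. It reads the `exp` claim without the signing key to schedule renewal, falls back to the 24h lifetime when the claim is absent, and logs in again once on 401/403; `jwt_exp`, `TokenCache`, `make_demo_jwt` and the `authenticate`/`request` callables are hypothetical names, and the sample token is constructed.

```python
import base64, json, threading, time

def jwt_exp(token):
    """Return the JWT's 'exp' claim (epoch seconds), or None if unreadable.
    No signature check: a client without the issuer's key may still read the
    claim to schedule renewal; the REST service stays the authority."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)          # restore base64url padding
        exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
        return exp if isinstance(exp, (int, float)) else None
    except (IndexError, ValueError, AttributeError):
        return None

class TokenCache:
    def __init__(self, authenticate, default_ttl=86400, skew=60, clock=time.time):
        self._auth, self._ttl, self._skew = authenticate, default_ttl, skew
        self._clock, self._lock = clock, threading.Lock()
        self._token, self._expires = None, 0.0

    def get(self, rejected=None):
        """Return a usable token; log in again if none is cached, it is about
        to expire, or it is the one the service just rejected."""
        with self._lock:                    # one login, however many callers
            if (self._token is None or self._token == rejected
                    or self._clock() >= self._expires - self._skew):
                self._token = self._auth()  # hypothetical: POSTs the credentials
                exp = jwt_exp(self._token)
                self._expires = exp if exp is not None else self._clock() + self._ttl
            return self._token

    def call(self, request):
        """request(token) -> (status, body); retry once after a 401/403."""
        token = self.get()
        status, body = request(token)
        if status in (401, 403):
            status, body = request(self.get(rejected=token))
        return status, body

def make_demo_jwt(exp):
    """Constructed, unsigned sample token for the demo below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": "kamailio", "exp": exp}), "sig"])

if __name__ == "__main__":
    cache = TokenCache(lambda: make_demo_jwt(int(time.time()) + 86400))
    status, _ = cache.call(lambda tok: (200, "ok"))
    print(status, jwt_exp(cache.get()))
```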