I want to use coturn with oAuth. If I understood it correctly I need to do two things:

  • Storing the oAuth tokens in the database coturn is using
  • Sending the ACCESS-TOKEN and USERNAME STUN attributes

First point is clear but how do I need to change my WebRTC client to achieve the second point?

Without oAuth I would initialize my RTCPeerConnection like this:

```javascript
var configuration = {
  'iceServers': [{
    'url': 'turn:turn.example.org',
    'username': 'user',
    'credential': 'password'
  }]
};
var pc = new RTCPeerConnection(configuration)
```

The WebRTC 1.0 draft defines an RTCIceCredentialType enum so I would think I need to change my configuration like this:

```javascript
var configuration = {
  'iceServers': [{
    'url': 'turn:turn.example.org',
    'username': 'kid',
    'credential': 'oAuthToken',
    'credentialType': 'token'
  }]
};
```

Using Wireshark I can't see the ACCESS-TOKEN attribute. Any ideas or does anyone know a working example?

lefloh
  • what is the command you are using to start the TURN server? – mido Aug 04 '15 at 07:04
  • `turnserver -n -f -v -l stdout -a --oauth -r "myRealm" -J "myMongoConnection"` – lefloh Aug 04 '15 at 07:18
  • I am guessing you are getting `401` error in the TURN server logs – mido Aug 04 '15 at 07:25
  • Sorry for the late reply. You're right, the error is: `26: session 005000000000000001: realm user : incoming packet message processed, error 401: Unknown error 26: check_stun_auth: user turn credentials are incorrect`. I thought that coturn is using long term credentials here because the `ACCESS-TOKEN` attribute is not sent. – lefloh Aug 05 '15 at 08:21
  • I was trying it out for the last two days, was getting similar error, but I did not have an oauth setup, used a redis server, and manually added rows in it – mido Aug 05 '15 at 08:29
  • for my project, I use TURN auth secret, so need dependency on database, but hook is the system time of your server and that of WebRTC must be nearly similar – mido Aug 05 '15 at 08:30
  • my guess is, you must pass the `mac_key` as credential, also for some reason, suspect that it is checking the table `turnusers_lt` instead of `oauth_key` then again, I am only guessing. – mido Aug 05 '15 at 08:40
  • Are you using the coturn REST API or oauth? The auth secret is only used for the REST API as far as I know. I'm also manually adding oauth keys to my DB and sending the `ikm_key` value as credential. My guess is that it's checking `turnusers_lt` because my client doesn't tell that he wants to use oauth because the credential is not passed as `ACCESS-TOKEN`. My guess is that the client is doing it wrong not the server. – lefloh Aug 05 '15 at 08:46
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/85180/discussion-between-mido22-and-lefloh). – mido Aug 05 '15 at 09:06

1 Answer

It seems like things changed a bit since the original question was asked. The webrtc-pc#1033 pull-request alters the spec and introduces the following iceServers configuration syntax:

```javascript
var configuration = {
    'iceServers': [{
        "urls": "turns:turn.example.net",
        "username": "username",
        "credential": {
            "macKey": "...",
            "accessToken": "..."
        },
        "credentialType": "oauth"
    }],
    // ...
}
```

See RTCIceServer documentation page for more configuration examples.

firegurafiku
  • Sadly, `"credentialType": "oauth"` was [removed from the spec](https://github.com/w3c/webrtc-pc/pull/2362) and [turned into an extension](https://github.com/w3c/webrtc-extensions/issues/18) because it was "at risk". :( – Richard Hansen Aug 17 '21 at 20:24
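
The Wireshark check from the question, as an added example that is not part of the original posts: a small parser that lists the STUN attributes in a captured TURN request and reports whether USERNAME and ACCESS-TOKEN are both present. The attribute numbers come from RFC 5389 and RFC 7635; the function names and both sample messages (including the opaque token text) are constructed for illustration.

```javascript
// Added example: list the STUN attributes carried by a captured TURN request.
// USERNAME is 0x0006 (RFC 5389); ACCESS-TOKEN is 0x001B (RFC 7635).
const STUN_MAGIC_COOKIE = 0x2112a442;
const ATTR_NAMES = { 0x0006: 'USERNAME', 0x0008: 'MESSAGE-INTEGRITY', 0x0014: 'REALM',
  0x0015: 'NONCE', 0x0019: 'REQUESTED-TRANSPORT', 0x001b: 'ACCESS-TOKEN' };

function parseStunAttributes(bytes) {
  if (bytes.length < 20) throw new Error('shorter than a STUN header');
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  if (view.getUint32(4) !== STUN_MAGIC_COOKIE) throw new Error('bad magic cookie');
  const end = 20 + view.getUint16(2); // length field excludes the 20-byte header
  if (end % 4 !== 0 || end > bytes.length) throw new Error('bad message length');
  const attrs = [];
  for (let offset = 20; offset + 4 <= end;) {
    const type = view.getUint16(offset);
    const length = view.getUint16(offset + 2);
    if (offset + 4 + length > end) throw new Error('attribute overruns message');
    attrs.push({ type, name: ATTR_NAMES[type] || 'UNKNOWN', length });
    offset += 4 + length + ((4 - (length % 4)) % 4); // values are padded to 4 bytes
  }
  return attrs;
}

// True only when the request carries both attributes the question expects for oAuth.
function usesOAuth(bytes) {
  const names = parseStunAttributes(bytes).map((a) => a.name);
  return names.includes('USERNAME') && names.includes('ACCESS-TOKEN');
}

// Builds a constructed Allocate request (type 0x0003, all-zero transaction ID).
function buildRequest(attrs) {
  const parts = attrs.map(([type, text]) => {
    const value = new TextEncoder().encode(text);
    const out = new Uint8Array(4 + Math.ceil(value.length / 4) * 4);
    const view = new DataView(out.buffer);
    view.setUint16(0, type);
    view.setUint16(2, value.length);
    out.set(value, 4);
    return out;
  });
  const msg = new Uint8Array(20 + parts.reduce((n, p) => n + p.length, 0));
  const view = new DataView(msg.buffer);
  view.setUint16(0, 0x0003);
  view.setUint16(2, msg.length - 20);
  view.setUint32(4, STUN_MAGIC_COOKIE);
  let offset = 20;
  for (const p of parts) { msg.set(p, offset); offset += p.length; }
  return msg;
}
// Constructed samples: a long-term-credential request and an oAuth-style request.
const longTermRequest = buildRequest([[0x0006, 'user'], [0x0014, 'myRealm'], [0x0015, 'nonce']]);
const oauthRequest = buildRequest([[0x0006, 'kid'], [0x001b, 'constructed-token']]);
```

To use it on real traffic, pass the UDP or TCP payload bytes of the Allocate request exported from the capture as a `Uint8Array`.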