bluenviron / mediamtx

Ready-to-use SRT / WebRTC / RTSP / RTMP / LL-HLS media server and media proxy that allows to read, publish, proxy, record and playback video and audio streams.
MIT License
11.64k stars, 1.47k forks

CORS preflight and externalAuthenticationURL #1941

Closed DavidAFox closed 1 year ago

DavidAFox commented 1 year ago

Describe the feature

Description

When using WebRTC/WHEP there is currently nothing sent in the POST to externalAuthenticationURL to identify OPTIONS preflight requests. Since they are required to have no authorization headers and are sent by the browser, they get rejected for not having a username/password. Ideally the server would just respond appropriately to the request, but if it does go through the external authentication we would need a way to identify them.

saket424 commented 1 year ago

@DavidAFox I am trying to use externalAuthenticationURL to play a WHEP stream with mixed results, and I think I am running into the same issues as you are, since all these preflight requests are ending up at the external authentication server with no way to disambiguate them.

Only the first request has the token; the remaining 2 or 3 requests to the externalAuthenticationURL all have empty username, password and query parameters and are probably due to the OPTIONS preflight requests:

https://server.example.com:8889/wsg/?token=xyz {"ip":"a.b.c.d","user":"","password":"","path":"wsg","protocol":"webrtc","id":null,"action":"read","query":"token=xyz"}

{"ip":"a.b.c.d","user":"","password":"","path":"","protocol":"webrtc","id":null,"action":"read","query":""}

Did you find a workaround or patch yet to prevent these preflight requests from being forwarded to the external authentication server?

DavidAFox commented 1 year ago

@saket424 For now we have forked it and modified the webrtc server to skip the authentication when the method is OPTIONS. I'm not sure if this is secure and there might be a way to be more specific but it seems to work. https://github.com/bluenviron/mediamtx/commit/7ca65354a5056949aafcd7e6eb641d797e2c723c

saket424 commented 1 year ago

As expected, the RTSP and RTMP URLs don't seem to suffer from this preflight OPTIONS issue.

But it is weird that the RTSP and RTMP URLs don't expect the trailing slash whereas the WHEP URL does:

https://server.example.com:8889/wsg/?token=xyz
rtsp://server.example.com:8554/wsg?token=xyz
rtmp://server.example.com:1935/wsg?token=xyz

aler9 commented 1 year ago

Thanks for reporting the issue, this is fixed by #1964.

The patch developed by @DavidAFox has the security issue that TURN servers and their credentials, contained in OPTIONS responses, are shown to any user without authentication.

The final patch allows OPTIONS requests but hides TURN servers from responses unless authentication is successful.

aler9 commented 1 year ago

added in v0.23.6

saket424 commented 1 year ago

@aler9 I am running the bluenviron/mediamtx:0.23.6-ffmpeg Docker Hub image with the latest code changes. Unfortunately I am still seeing 3 external auth POST messages where username="", password="", token="" and protocol="webrtc". How do I know that these are associated with OPTIONS, so that I do not 200 OK them by default?

aler9 commented 1 year ago

@saket424 you can return code 401, it won't be passed to the user.

saket424 commented 1 year ago

Returning 401 broke the flow. Could you pass the method (OPTIONS) as part of the external auth POST message so I can 200 OK them?

aler9 commented 1 year ago

You shouldn't white-flag OPTIONS requests, since they can contain TURN credentials. Just return 401 in case the user doesn't provide credentials, and 200 if the user provides them. If you return 401, TURN credentials won't be included in the OPTIONS response; if you return 200 they will be included.

saket424 commented 1 year ago

When I 401 all 3 subsequent OPTIONS requests, even good JWT tokens that were previously 200 OK'd fail.

aler9 commented 1 year ago

@saket424 you aren't providing enough information to identify any issue at all, since you're talking about your personal login flow which is not clear.

I repeat what I already wrote: OPTIONS requests must return 200 to allow preflight CORS requests, but they also have to be checked for authentication since they contain TURN credentials too, as the specification prescribes. Therefore, all OPTIONS requests must be passed to external authentication, and external authentication has to check their credentials, regardless of whether they are preflight CORS requests or not. The server was improved in order to return 200 to all OPTIONS requests, but it hides TURN credentials in case authentication fails.

If you still have problems, please open another issue and provide relevant details that allow the problem to be replicated.

aler9 commented 1 year ago

I read the specification again, which is a little bit clearer on the matter:

The generation of the TURN server credentials may require performing a request to an external provider, which can both add latency to the OPTIONS request processing and increase the processing required to handle that request. In order to prevent this, the WHIP Endpoint SHOULD NOT return the STUN/TURN server configuration if the OPTIONS request is a preflight request for CORS, that is, if the OPTIONS request does not contain an Access-Control-Request-Method with "POST" value and the Access-Control-Request-Headers HTTP header does not contain the "Link" value.

Therefore, preflight requests can be identified by the fact that Access-Control-Request-Method is not POST and Access-Control-Request-Headers doesn't contain "Link", and should not be passed to the external authentication server.

Given the fact that the specification provides a criterion to distinguish between preflight and non-preflight OPTIONS requests, the server will be changed in order not to pass the former to the external authentication server.
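As an added illustration (not mediamtx's own code), the following Go handler applies the preflight criterion exactly as quoted from the specification above, combined with the policy stated earlier in the thread: every OPTIONS request gets a 200 so browser preflights succeed, preflights are never forwarded to the external authenticator, and ICE server `Link` headers are attached only when the request is not a preflight and authentication succeeded. The `AuthFunc` hook, the `demoToken` value and the two ICE server entries are constructed stand-ins for the externalAuthenticationURL call and for real TURN credentials.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed token accepted by the stand-in authenticator (not a real secret).
const demoToken = "EXAMPLE-TOKEN"

// Constructed ICE server entries, standing in for the STUN/TURN configuration
// a real deployment would generate; the TURN entry is the sensitive one.
var iceServers = []string{
	`<stun:stun.example.invalid:3478>; rel="ice-server"`,
	`<turn:turn.example.invalid:3478?transport=udp>; rel="ice-server"; username="EXAMPLE-USER"; credential="EXAMPLE-CREDENTIAL"; credential-type="password"`,
}

// AuthFunc stands in for the call to externalAuthenticationURL: it reports
// whether the credentials carried by the request are accepted.
type AuthFunc func(r *http.Request) bool

// IsCORSPreflight applies the criterion quoted from the WHIP specification:
// an OPTIONS request is a CORS preflight when Access-Control-Request-Method is
// not POST and Access-Control-Request-Headers does not list Link. A request
// carrying neither header also satisfies the criterion and is classified as a
// preflight, so it receives 200 but no ICE servers.
func IsCORSPreflight(r *http.Request) bool {
	if r.Method != http.MethodOptions {
		return false
	}
	if strings.EqualFold(r.Header.Get("Access-Control-Request-Method"), http.MethodPost) {
		return false
	}
	for _, h := range strings.Split(r.Header.Get("Access-Control-Request-Headers"), ",") {
		if strings.EqualFold(strings.TrimSpace(h), "Link") {
			return false
		}
	}
	return true
}

// OptionsHandler answers OPTIONS on a WHEP/WHIP endpoint. Every OPTIONS gets
// 200; Link ice-server headers are added only for non-preflight requests that
// pass authentication, and preflights never reach the authenticator at all.
func OptionsHandler(auth AuthFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodOptions {
			w.WriteHeader(http.StatusMethodNotAllowed)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", "*")
		h.Set("Access-Control-Allow-Methods", "OPTIONS, GET, POST, PATCH")
		h.Set("Access-Control-Allow-Headers", "Content-Type, If-Match")

		if !IsCORSPreflight(r) && auth(r) {
			for _, s := range iceServers {
				h.Add("Link", s)
			}
		}
		w.WriteHeader(http.StatusOK)
	})
}

// Probe sends one OPTIONS request with the given headers through the handler
// and reports the status code, the number of Link headers in the response and
// whether the stand-in authenticator was consulted. Authentication succeeds
// when the query string carries token=demoToken.
func Probe(target string, hdr map[string]string) (status int, links int, authCalled bool) {
	auth := func(r *http.Request) bool {
		authCalled = true
		return r.URL.Query().Get("token") == demoToken
	}
	req := httptest.NewRequest(http.MethodOptions, target, nil)
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	OptionsHandler(auth).ServeHTTP(rec, req)
	return rec.Code, len(rec.Result().Header.Values("Link")), authCalled
}

func main() {
	// Browser preflight ahead of a cross-origin PATCH: no credentials, still 200, no auth call.
	fmt.Println(Probe("/wsg/whep", map[string]string{
		"Origin":                         "https://player.example.invalid",
		"Access-Control-Request-Method":  "PATCH",
		"Access-Control-Request-Headers": "content-type, if-match",
	}))
	// Non-preflight OPTIONS without a valid token: 200, authenticator consulted, no ICE servers.
	fmt.Println(Probe("/wsg/whep", map[string]string{"Access-Control-Request-Method": "POST"}))
	// Same request with the accepted token: ICE servers are now returned.
	fmt.Println(Probe("/wsg/whep?token="+demoToken, map[string]string{"Access-Control-Request-Method": "POST"}))
}
```

The point to take from the three probes is that the status code never reveals the authentication outcome (all three are 200), only the presence of the `Link` headers does, which is what keeps the TURN credentials out of unauthenticated responses while still letting browsers complete the CORS handshake.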

saket424 commented 1 year ago

I am not talking about my personal login flow. Here are the 4 HTTP POSTs I am receiving, and 3 of them I can't disambiguate. I will await your next drop. Thanks again.

object
_msgid: "24ee024f407ffa0f"
payload: object
ip: "172.58.165.104"
user: ""
password: ""
path: "wsg"
protocol: "webrtc"
id: null
action: "read"
query: "token=a.b.cSgAvyXXP0fC_Px2XM1A9tQQ"

msg : Object
{ statusCode: 200, payload: "{"header":{"typ":"JWT","alg":"…", _msgid: "24ee024f407ffa0f", res: object }

msg : Object
object
_msgid: "5e6260a31d203a02"
payload: object
ip: "172.58.165.104"
user: ""
password: ""
path: "wsg"
protocol: "webrtc"
id: null
action: "read"
query: ""

msg : Object
object
_msgid: "c7196a36027b14bd"
payload: object
ip: "172.58.165.104"
user: ""
password: ""
path: "wsg"
protocol: "webrtc"
id: null
action: "read"
query: ""

msg : Object
object
_msgid: "642618b29b613c2d"
payload: object
ip: "172.58.165.104"
user: ""
password: ""
path: "wsg"
protocol: "webrtc"
id: null
action: "read"
query: ""

aler9 commented 1 year ago

@saket424 I released a fix in #1972, please test this nightly release and let me know if it works:

mediamtx_v0.23.6-1-g5bdb923_darwin_amd64.tar.gz
mediamtx_v0.23.6-1-g5bdb923_darwin_arm64.tar.gz
mediamtx_v0.23.6-1-g5bdb923_linux_amd64.tar.gz
mediamtx_v0.23.6-1-g5bdb923_linux_arm64v8.tar.gz
mediamtx_v0.23.6-1-g5bdb923_linux_armv6.tar.gz
mediamtx_v0.23.6-1-g5bdb923_linux_armv7.tar.gz
mediamtx_v0.23.6-1-g5bdb923_windows_amd64.zip

saket424 commented 1 year ago

@aler9 I tested your 1972.patch and there is no change in behavior. I still get 3 POST messages to the external auth Node-RED server that don't have a username/password/token and that I don't know how to disambiguate, even after the first POST message with the JWT token was 200 OK'd.

saket424 commented 1 year ago

I think I applied the 1972.patch correctly and built this Docker image for linux/amd64:

docker pull asetlur13/mediamtx:0.23.6-2-g4823409-ffmpeg

anand@pop-os-111:~/mediamtx$ git log -v | head -20
commit dc18a54b9091e9526e045ca72b043cdf3191434d
Author: aler9 <46489434+aler9@users.noreply.github.com>
Date:   Thu Jun 22 00:08:59 2023 +0200

    webrtc: do not pass preflight requests to external auth (#1941)

commit ba6c0fa822930d6138d12c5189277a3fcd11df3a
Author: Alessandro Ros <aler9.dev@gmail.com>
Date:   Thu Jun 22 00:16:19 2023 +0200

    set Access-Control-Allow-Headers to a static string (#1973)

commit 5033d1e145739377a34d31f1183bcc542500cb20
Author: Alessandro Ros <aler9.dev@gmail.com>
Date:   Wed Jun 21 16:20:21 2023 +0200

    update dependencies (#1968)

saket424 commented 1 year ago

@DavidAFox Does the recent set of patches work better for you than it does for me?

aler9 commented 1 year ago

@saket424 please post a server log with 'logLevel: debug'

saket424 commented 1 year ago

@aler9 I am afraid 'logLevel: debug' is not logging the external auth POST messages, but here is the server log. There appears to be a PATCH method invoked after the OPTIONS and POST, as seen in this grep whep output:

anand@pop-os-111:~/mediamtx$ grep whep t.out
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] OPTIONS /wsg/whep
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] [c->s] OPTIONS /wsg/whep HTTP/2.0
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] POST /wsg/whep
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] [c->s] POST /wsg/whep HTTP/2.0
mediamtx    | Location: /wsg/whep
mediamtx    | 2023/06/22 09:34:28 DEB [WebRTC] [conn 9.122.85.11:51314] PATCH /wsg/whep
mediamtx    | 2023/06/22 09:34:28 DEB [WebRTC] [conn 9.122.85.11:51314] [c->s] PATCH /wsg/whep HTTP/2.0
anand@pop-os-111:~/mediamtx$ docker-compose up
Creating mediamtx ... done
Attaching to mediamtx
mediamtx    | 2023/06/22 09:32:28 INF MediaMTX v0.23.6-2-g4823409
mediamtx    | 2023/06/22 09:32:28 DEB [path WMD] created
mediamtx    | 2023/06/22 09:32:28 DEB [path csky] created
mediamtx    | 2023/06/22 09:32:28 DEB [path wsg] created
mediamtx    | 2023/06/22 09:32:28 DEB path manager created
mediamtx    | 2023/06/22 09:32:28 INF [RTSP] listener opened on :8554 (TCP), :8000 (UDP/RTP), :8001 (UDP/RTCP)
mediamtx    | 2023/06/22 09:32:28 INF [RTSPS] listener opened on :8322 (TCP)
mediamtx    | 2023/06/22 09:32:28 INF [RTMP] listener opened on :1935
mediamtx    | 2023/06/22 09:32:28 INF [RTMPS] listener opened on :1936
mediamtx    | 2023/06/22 09:32:28 INF [HLS] listener opened on :8888
mediamtx    | 2023/06/22 09:32:28 INF [WebRTC] listener opened on :8889 (HTTP)
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] GET /wsg/
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] [c->s] GET /wsg/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJmdW4td2l0aC1qd3RzIiwic3ViIjoibWxpbmsiLCJqdGkiOiIxNzI0MzNjZC0wMzExLTQyMTgtODI2Yy04ODNmMjRiNDIzYjIiLCJpYXQiOjE2ODc0MjYzNzIsImV4cCI6MTY4NzQyOTk3Mn0.MGE2cSWEiZalVy-Q2RvcavnyLuBUYFn7it2xe8C5Dk8 HTTP/2.0
mediamtx    | Host: server2.example.com:8889
mediamtx    | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
mediamtx    | Accept-Encoding: gzip, deflate, br
mediamtx    | Accept-Language: en-US,en;q=0.9
mediamtx    | Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
mediamtx    | Sec-Ch-Ua-Mobile: ?0
mediamtx    | Sec-Ch-Ua-Platform: "Linux"
mediamtx    | Sec-Fetch-Dest: document
mediamtx    | Sec-Fetch-Mode: navigate
mediamtx    | Sec-Fetch-Site: none
mediamtx    | Sec-Fetch-User: ?1
mediamtx    | Upgrade-Insecure-Requests: 1
mediamtx    | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] [s->c] HTTP/1.1 200 OK
mediamtx    | Access-Control-Allow-Credentials: true
mediamtx    | Access-Control-Allow-Origin: *
mediamtx    | Content-Type: text/html
mediamtx    | Server: mediamtx
mediamtx    | 
mediamtx    | (body of 6680 bytes)
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] OPTIONS /wsg/whep
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] [c->s] OPTIONS /wsg/whep HTTP/2.0
mediamtx    | Host: server2.example.com:8889
mediamtx    | Accept: */*
mediamtx    | Accept-Encoding: gzip, deflate, br
mediamtx    | Accept-Language: en-US,en;q=0.9
mediamtx    | Origin: https://server2.example.com:8889
mediamtx    | Referer: https://server2.example.com:8889/wsg/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJmdW4td2l0aC1qd3RzIiwic3ViIjoibWxpbmsiLCJqdGkiOiIxNzI0MzNjZC0wMzExLTQyMTgtODI2Yy04ODNmMjRiNDIzYjIiLCJpYXQiOjE2ODc0MjYzNzIsImV4cCI6MTY4NzQyOTk3Mn0.MGE2cSWEiZalVy-Q2RvcavnyLuBUYFn7it2xe8C5Dk8
mediamtx    | Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
mediamtx    | Sec-Ch-Ua-Mobile: ?0
mediamtx    | Sec-Ch-Ua-Platform: "Linux"
mediamtx    | Sec-Fetch-Dest: empty
mediamtx    | Sec-Fetch-Mode: cors
mediamtx    | Sec-Fetch-Site: same-origin
mediamtx    | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] [s->c] HTTP/1.1 200 OK
mediamtx    | Access-Control-Allow-Credentials: true
mediamtx    | Access-Control-Allow-Headers: Content-Type, If-Match
mediamtx    | Access-Control-Allow-Methods: OPTIONS, GET, POST, PATCH
mediamtx    | Access-Control-Allow-Origin: *
mediamtx    | Link: <stun:stun.l.google.com:19302>; rel="ice-server"
mediamtx    | Server: mediamtx
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] POST /wsg/whep
mediamtx    | 2023/06/22 09:34:26 DEB [WebRTC] [conn 9.122.85.11:51314] [c->s] POST /wsg/whep HTTP/2.0
mediamtx    | Host: server2.example.com:8889
mediamtx    | Accept: */*
mediamtx    | Accept-Encoding: gzip, deflate, br
mediamtx    | Accept-Language: en-US,en;q=0.9
mediamtx    | Content-Length: 5079
mediamtx    | Content-Type: application/sdp
mediamtx    | Origin: https://server2.example.com:8889
mediamtx    | Referer: https://server2.example.com:8889/wsg/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJmdW4td2l0aC1qd3RzIiwic3ViIjoibWxpbmsiLCJqdGkiOiIxNzI0MzNjZC0wMzExLTQyMTgtODI2Yy04ODNmMjRiNDIzYjIiLCJpYXQiOjE2ODc0MjYzNzIsImV4cCI6MTY4NzQyOTk3Mn0.MGE2cSWEiZalVy-Q2RvcavnyLuBUYFn7it2xe8C5Dk8
mediamtx    | Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
mediamtx    | Sec-Ch-Ua-Mobile: ?0
mediamtx    | Sec-Ch-Ua-Platform: "Linux"
mediamtx    | Sec-Fetch-Dest: empty
mediamtx    | Sec-Fetch-Mode: cors
mediamtx    | Sec-Fetch-Site: same-origin
mediamtx    | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
mediamtx    | 
mediamtx    | v=0
mediamtx    | o=- 1499228976780701937 2 IN IP4 127.0.0.1
mediamtx    | s=-
mediamtx    | t=0 0
mediamtx    | a=group:BUNDLE 0 1
mediamtx    | a=extmap-allow-mixed
mediamtx    | a=msid-semantic: WMS
mediamtx    | m=video 9 UDP/TLS/RTP/SAVPF 96 97 102 103 104 105 106 107 108 109 127 125 39 40 45 46 98 99 100 101 112 113 114
mediamtx    | c=IN IP4 0.0.0.0
mediamtx    | a=rtcp:9 IN IP4 0.0.0.0
mediamtx    | a=ice-ufrag:iIui
mediamtx    | a=ice-pwd:L+UtTFZGjq9h2CM4KR7lWk/2
mediamtx    | a=ice-options:trickle
mediamtx    | a=fingerprint:sha-256 8B:34:B2:C8:7D:A6:71:14:27:EE:23:AB:79:64:47:38:E6:F9:89:C0:9C:EB:71:8D:C9:6E:C6:63:9A:13:0E:E1
mediamtx    | a=setup:actpass
mediamtx    | a=mid:0
mediamtx    | a=extmap:1 urn:ietf:params:rtp-hdrext:toffset
mediamtx    | a=extmap:2 http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
mediamtx    | a=extmap:3 urn:3gpp:video-orientation
mediamtx    | a=extmap:4 http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
mediamtx    | a=extmap:5 http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
mediamtx    | a=extmap:6 http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
mediamtx    | a=extmap:7 http://www.webrtc.org/experiments/rtp-hdrext/video-timing
mediamtx    | a=extmap:8 http://www.webrtc.org/experiments/rtp-hdrext/color-space
mediamtx    | a=extmap:9 urn:ietf:params:rtp-hdrext:sdes:mid
mediamtx    | a=extmap:10 urn:ietf:params:rtp-hdrext:sdes:rtp-stream-id
mediamtx    | a=extmap:11 urn:ietf:params:rtp-hdrext:sdes:repaired-rtp-stream-id
mediamtx    | a=sendrecv
mediamtx    | a=msid:- 41998fbb-0cff-400a-b4d6-918648049247
mediamtx    | a=rtcp-mux
mediamtx    | a=rtcp-rsize
mediamtx    | a=rtpmap:96 VP8/90000
mediamtx    | a=rtcp-fb:96 goog-remb
mediamtx    | a=rtcp-fb:96 transport-cc
mediamtx    | a=rtcp-fb:96 ccm fir
mediamtx    | a=rtcp-fb:96 nack
mediamtx    | a=rtcp-fb:96 nack pli
mediamtx    | a=rtpmap:97 rtx/90000
mediamtx    | a=fmtp:97 apt=96
mediamtx    | a=rtpmap:102 H264/90000
mediamtx    | a=rtcp-fb:102 goog-remb
mediamtx    | a=rtcp-fb:102 transport-cc
mediamtx    | a=rtcp-fb:102 ccm fir
mediamtx    | a=rtcp-fb:102 nack
mediamtx    | a=rtcp-fb:102 nack pli
mediamtx    | a=fmtp:102 level-asymmetry-allowed=1;packetization-mode=1;profile-level-id=42001f
mediamtx    | a=rtpmap:103 rtx/90000
mediamtx    | a=fmtp:103 apt=102
mediamtx    | a=rtpmap:104 H264/90000
mediamtx    | a=rtcp-fb:104 goog-remb
mediamtx    | a=rtcp-fb:104 transport-cc
mediamtx    | a=rtcp-fb:104 ccm fir
mediamtx    | a=rtcp-fb:104 nack
mediamtx    | a=rtcp-fb:104 nack pli
mediamtx    | a=fmtp:104 level-asymmetry-allowed=1;packetization-mode=0;profile-level-id=42001f
mediamtx    | a=rtpmap:105 rtx/90000
mediamtx    | a=fmtp:105 apt=104
mediamtx    | a=rtpmap:106 H264/90000
mediamtx    | a=rtcp-fb:106 goog-remb
mediamtx    | a=rtcp-fb:106 transport-cc
mediamtx    | a=rtcp-fb:106 ccm fir
mediamtx    | a=rtcp-fb:106 nack
mediamtx    | a=rtcp-fb:106 nack pli
mediamtx    | a=fmtp:106 level-asymmetry-allowed=1;packetization-mode=1;profile-level-id=42e01f
mediamtx    | a=rtpmap:107 rtx/90000
mediamtx    | a=fmtp:107 apt=106
mediamtx    | a=rtpmap:108 H264/90000
mediamtx    | a=rtcp-fb:108 goog-remb
mediamtx    | a=rtcp-fb:108 transport-cc
mediamtx    | a=rtcp-fb:108 ccm fir
mediamtx    | a=rtcp-fb:108 nack
mediamtx    | a=rtcp-fb:108 nack pli
mediamtx    | a=fmtp:108 level-asymmetry-allowed=1;packetization-mode=0;profile-level-id=42e01f
mediamtx    | a=rtpmap:109 rtx/90000
mediamtx    | a=fmtp:109 apt=108
mediamtx    | a=rtpmap:127 H264/90000
mediamtx    | a=rtcp-fb:127 goog-remb
mediamtx    | a=rtcp-fb:127 transport-cc
mediamtx    | a=rtcp-fb:127 ccm fir
mediamtx    | a=rtcp-fb:127 nack
mediamtx    | a=rtcp-fb:127 nack pli
mediamtx    | a=fmtp:127 level-asymmetry-allowed=1;packetization-mode=1;profile-level-id=4d001f
mediamtx    | a=rtpmap:125 rtx/90000
mediamtx    | a=fmtp:125 apt=127
mediamtx    | a=rtpmap:39 H264/90000
mediamtx    | a=rtcp-fb:39 goog-remb
mediamtx    | a=rtcp-fb:39 transport-cc
mediamtx    | a=rtcp-fb:39 ccm fir
mediamtx    | a=rtcp-fb:39 nack
mediamtx    | a=rtcp-fb:39 nack pli
mediamtx    | a=fmtp:39 level-asymmetry-allowed=1;packetization-mode=0;profile-level-id=4d001f
mediamtx    | a=rtpmap:40 rtx/90000
mediamtx    | a=fmtp:40 apt=39
mediamtx    | a=rtpmap:45 AV1/90000
mediamtx    | a=rtcp-fb:45 goog-remb
mediamtx    | a=rtcp-fb:45 transport-cc
mediamtx    | a=rtcp-fb:45 ccm fir
mediamtx    | a=rtcp-fb:45 nack
mediamtx    | a=rtcp-fb:45 nack pli
mediamtx    | a=rtpmap:46 rtx/90000
mediamtx    | a=fmtp:46 apt=45
mediamtx    | a=rtpmap:98 VP9/90000
mediamtx    | a=rtcp-fb:98 goog-remb
mediamtx    | a=rtcp-fb:98 transport-cc
mediamtx    | a=rtcp-fb:98 ccm fir
mediamtx    | a=rtcp-fb:98 nack
mediamtx    | a=rtcp-fb:98 nack pli
mediamtx    | a=fmtp:98 profile-id=0
mediamtx    | a=rtpmap:99 rtx/90000
mediamtx    | a=fmtp:99 apt=98
mediamtx    | a=rtpmap:100 VP9/90000
mediamtx    | a=rtcp-fb:100 goog-remb
mediamtx    | a=rtcp-fb:100 transport-cc
mediamtx    | a=rtcp-fb:100 ccm fir
mediamtx    | a=rtcp-fb:100 nack
mediamtx    | a=rtcp-fb:100 nack pli
mediamtx    | a=fmtp:100 profile-id=2
mediamtx    | a=rtpmap:101 rtx/90000
mediamtx    | a=fmtp:101 apt=100
mediamtx    | a=rtpmap:112 red/90000
mediamtx    | a=rtpmap:113 rtx/90000
mediamtx    | a=fmtp:113 apt=112
mediamtx    | a=rtpmap:114 ulpfec/90000
mediamtx    | a=ssrc-group:FID 57053924 3663002422
mediamtx    | a=ssrc:57053924 cname:dymfDefwlPKygjZT
mediamtx    | a=ssrc:57053924 msid:- 41998fbb-0cff-400a-b4d6-918648049247
mediamtx    | a=ssrc:3663002422 cname:dymfDefwlPKygjZT
mediamtx    | a=ssrc:3663002422 msid:- 41998fbb-0cff-400a-b4d6-918648049247
mediamtx    | m=audio 9 UDP/TLS/RTP/SAVPF 111 63 9 0 8 13 110 126
mediamtx    | c=IN IP4 0.0.0.0
mediamtx    | a=rtcp:9 IN IP4 0.0.0.0
mediamtx    | a=ice-ufrag:iIui
mediamtx    | a=ice-pwd:L+UtTFZGjq9h2CM4KR7lWk/2
mediamtx    | a=ice-options:trickle
mediamtx    | a=fingerprint:sha-256 8B:34:B2:C8:7D:A6:71:14:27:EE:23:AB:79:64:47:38:E6:F9:89:C0:9C:EB:71:8D:C9:6E:C6:63:9A:13:0E:E1
mediamtx    | a=setup:actpass
mediamtx    | a=mid:1
mediamtx    | a=extmap:14 urn:ietf:params:rtp-hdrext:ssrc-audio-level
mediamtx    | a=extmap:2 http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
mediamtx    | a=extmap:4 http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
mediamtx    | a=extmap:9 urn:ietf:params:rtp-hdrext:sdes:mid
mediamtx    | a=sendrecv
mediamtx    | a=msid:- badc9209-6e10-47e2-a86d-220239c61709
mediamtx    | a=rtcp-mux
mediamtx    | a=rtpmap:111 opus/48000/2
mediamtx    | a=rtcp-fb:111 transport-cc
mediamtx    | a=fmtp:111 minptime=10;useinbandfec=1
mediamtx    | a=rtpmap:63 red/48000/2
mediamtx    | a=fmtp:63 111/111
mediamtx    | a=rtpmap:9 G722/8000
mediamtx    | a=rtpmap:0 PCMU/8000
mediamtx    | a=rtpmap:8 PCMA/8000
mediamtx    | a=rtpmap:13 CN/8000
mediamtx    | a=rtpmap:110 telephone-event/48000
mediamtx    | a=rtpmap:126 telephone-event/8000
mediamtx    | a=ssrc:2379740826 cname:dymfDefwlPKygjZT
mediamtx    | a=ssrc:2379740826 msid:- badc9209-6e10-47e2-a86d-220239c61709
mediamtx    | 
mediamtx    | 2023/06/22 09:34:26 INF [WebRTC] [session 57a3f668] created by 9.122.85.11
mediamtx    | 2023/06/22 09:34:26 INF [path wsg] [rtsp source] started
mediamtx    | 2023/06/22 09:34:26 DEB [path wsg] [rtsp source] connecting
mediamtx    | 2023/06/22 09:34:26 DEB [path wsg] [rtsp source] c->s OPTIONS rtsp://100.6.1.20:8554/wsg_5 RTSP/1.0
mediamtx    | CSeq: 1
mediamtx    | User-Agent: gortsplib
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:27 DEB [path wsg] [rtsp source] s->c RTSP/1.0 200 OK
mediamtx    | CSeq: 1
mediamtx    | Public: DESCRIBE, ANNOUNCE, SETUP, PLAY, RECORD, PAUSE, GET_PARAMETER, TEARDOWN
mediamtx    | Server: gortsplib
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:27 DEB [path wsg] [rtsp source] c->s DESCRIBE rtsp://100.6.1.20:8554/wsg_5 RTSP/1.0
mediamtx    | Accept: application/sdp
mediamtx    | CSeq: 2
mediamtx    | User-Agent: gortsplib
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:27 DEB [path wsg] [rtsp source] s->c RTSP/1.0 200 OK
mediamtx    | CSeq: 2
mediamtx    | Content-Base: rtsp://100.6.1.20:8554/wsg_5/
mediamtx    | Content-Length: 254
mediamtx    | Content-Type: application/sdp
mediamtx    | Server: gortsplib
mediamtx    | 
mediamtx    | v=0
mediamtx    | o=- 0 0 IN IP4 127.0.0.1
mediamtx    | s=Stream
mediamtx    | c=IN IP4 0.0.0.0
mediamtx    | t=0 0
mediamtx    | m=video 0 RTP/AVP 96
mediamtx    | a=rtpmap:96 H264/90000
mediamtx    | a=fmtp:96 packetization-mode=1; sprop-parameter-sets=Z0IAH5Y1QKALdNQEBAUAAAMD6AAA6mCE,aM48gA==; profile-level-id=42001F
mediamtx    | a=control:trackID=0
mediamtx    | 
mediamtx    | 2023/06/22 09:34:27 DEB [path wsg] [rtsp source] c->s SETUP rtsp://100.6.1.20:8554/wsg_5/trackID=0 RTSP/1.0
mediamtx    | CSeq: 3
mediamtx    | Transport: RTP/AVP;unicast;client_port=38472-38473;mode=play
mediamtx    | User-Agent: gortsplib
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:28 DEB [path wsg] [rtsp source] s->c RTSP/1.0 200 OK
mediamtx    | CSeq: 3
mediamtx    | Server: gortsplib
mediamtx    | Session: 3993230943;timeout=60
mediamtx    | Transport: RTP/AVP;unicast;client_port=38472-38473;server_port=8000-8001;ssrc=867403CA
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:28 INF [path wsg] [rtsp source] ready: 1 track (H264)
mediamtx    | 2023/06/22 09:34:28 DEB [path wsg] [rtsp source] c->s PLAY rtsp://100.6.1.20:8554/wsg_5/ RTSP/1.0
mediamtx    | CSeq: 4
mediamtx    | Range: npt=0-
mediamtx    | Session: 3993230943
mediamtx    | User-Agent: gortsplib
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:28 DEB [WebRTC] [session 57a3f668] peer connection state: connecting
mediamtx    | 2023/06/22 09:34:28 DEB [WebRTC] [conn 9.122.85.11:51314] [s->c] HTTP/1.1 201 Created
mediamtx    | Accept-Patch: application/trickle-ice-sdpfrag
mediamtx    | Access-Control-Allow-Credentials: true
mediamtx    | Access-Control-Allow-Origin: *
mediamtx    | Access-Control-Expose-Headers: E-Tag, Accept-Patch, Link
mediamtx    | Content-Type: application/sdp
mediamtx    | E-Tag: e82c84d6-fd1c-443c-bfab-e5e15ee22bd5
mediamtx    | Id: 57a3f668-c3a8-41db-9aad-60f556bbf206
mediamtx    | Link: <stun:stun.l.google.com:19302>; rel="ice-server"
mediamtx    | Location: /wsg/whep
mediamtx    | Server: mediamtx
mediamtx    | 
mediamtx    | (body of 5134 bytes)
mediamtx    | 2023/06/22 09:34:28 DEB [WebRTC] [conn 9.122.85.11:51314] PATCH /wsg/whep
mediamtx    | 2023/06/22 09:34:28 DEB [WebRTC] [conn 9.122.85.11:51314] [c->s] PATCH /wsg/whep HTTP/2.0
mediamtx    | Host: server2.example.com:8889
mediamtx    | Accept: */*
mediamtx    | Accept-Encoding: gzip, deflate, br
mediamtx    | Accept-Language: en-US,en;q=0.9
mediamtx    | Cache-Control: max-age=0
mediamtx    | Content-Length: 788
mediamtx    | Content-Type: application/trickle-ice-sdpfrag
mediamtx    | If-Match: e82c84d6-fd1c-443c-bfab-e5e15ee22bd5
mediamtx    | Origin: https://server2.example.com:8889
mediamtx    | Referer: https://server2.example.com:8889/wsg/?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJmdW4td2l0aC1qd3RzIiwic3ViIjoibWxpbmsiLCJqdGkiOiIxNzI0MzNjZC0wMzExLTQyMTgtODI2Yy04ODNmMjRiNDIzYjIiLCJpYXQiOjE2ODc0MjYzNzIsImV4cCI6MTY4NzQyOTk3Mn0.MGE2cSWEiZalVy-Q2RvcavnyLuBUYFn7it2xe8C5Dk8
mediamtx    | Sec-Ch-Ua: "Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
mediamtx    | Sec-Ch-Ua-Mobile: ?0
mediamtx    | Sec-Ch-Ua-Platform: "Linux"
mediamtx    | Sec-Fetch-Dest: empty
mediamtx    | Sec-Fetch-Mode: cors
mediamtx    | Sec-Fetch-Site: same-origin
mediamtx    | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
mediamtx    | 
mediamtx    | a=ice-ufrag:iIui
mediamtx    | a=ice-pwd:L+UtTFZGjq9h2CM4KR7lWk/2
mediamtx    | m=video 9 UDP/TLS/RTP/SAVPF 96 97 102 103 104 105 106 107 108 109 127 125 39 40 45 46 98 99 100 101 112 113 114
mediamtx    | a=mid:0
mediamtx    | a=candidate:1884965007 1 udp 2113937151 ae52e700-758c-47c5-b064-4e12e6a343ec.local 57135 typ host generation 0 ufrag iIui network-cost 999
mediamtx    | a=candidate:2829537845 1 udp 1677729535 9.122.85.11 57135 typ srflx raddr 0.0.0.0 rport 0 generation 0 ufrag iIui network-cost 999
mediamtx    | m=audio 9 UDP/TLS/RTP/SAVPF 111 63 9 0 8 13 110 126
mediamtx    | a=mid:1
mediamtx    | a=candidate:1884965007 1 udp 2113937151 ae52e700-758c-47c5-b064-4e12e6a343ec.local 33022 typ host generation 0 ufrag iIui network-cost 999
mediamtx    | a=candidate:2829537845 1 udp 1677729535 9.122.85.11 33022 typ srflx raddr 0.0.0.0 rport 0 generation 0 ufrag iIui network-cost 999
mediamtx    | 
mediamtx    | 2023/06/22 09:34:28 DEB [WebRTC] [conn 9.122.85.11:51314] [s->c] HTTP/1.1 204 No Content
mediamtx    | Access-Control-Allow-Credentials: true
mediamtx    | Access-Control-Allow-Origin: *
mediamtx    | Server: mediamtx
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:34:28 DEB [WebRTC] [session 57a3f668] peer connection state: connected
mediamtx    | 2023/06/22 09:34:28 INF [WebRTC] [session 57a3f668] peer connection established, local candidate: host/udp/70.34.13.18/41621, remote candidate: prflx/udp/9.122.85.11/57135
mediamtx    | 2023/06/22 09:34:28 INF [WebRTC] [session 57a3f668] is reading from path 'wsg', 1 track (H264)
mediamtx    | 2023/06/22 09:34:28 DEB [path wsg] [rtsp source] s->c RTSP/1.0 200 OK
mediamtx    | CSeq: 4
mediamtx    | RTP-Info: url=rtsp://100.6.1.20:8554/wsg_5/trackID=0;seq=52507;rtptime=531329196
mediamtx    | Server: gortsplib
mediamtx    | Session: 3993230943;timeout=60
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:35:16 DEB [path wsg] [rtsp source] c->s GET_PARAMETER rtsp://100.6.1.20:8554/wsg_5/ RTSP/1.0
mediamtx    | CSeq: 5
mediamtx    | Session: 3993230943
mediamtx    | User-Agent: gortsplib
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:35:16 DEB [path wsg] [rtsp source] s->c RTSP/1.0 200 OK
mediamtx    | CSeq: 5
mediamtx    | Content-Type: text/parameters
mediamtx    | Server: gortsplib
mediamtx    | Session: 3993230943;timeout=60
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:36:04 DEB [path wsg] [rtsp source] c->s GET_PARAMETER rtsp://100.6.1.20:8554/wsg_5/ RTSP/1.0
mediamtx    | CSeq: 6
mediamtx    | Session: 3993230943
mediamtx    | User-Agent: gortsplib
mediamtx    | 
mediamtx    | 
mediamtx    | 2023/06/22 09:36:04 DEB [path wsg] [rtsp source] s->c RTSP/1.0 200 OK
mediamtx    | CSeq: 6
mediamtx    | Content-Type: text/parameters
mediamtx    | Server: gortsplib
mediamtx    | Session: 3993230943;timeout=60
mediamtx    | 
mediamtx    | 
^CGracefully stopping... (press Ctrl+C again to force)
Stopping mediamtx ... done

aler9 commented 1 year ago

@saket424 there are no preflight CORS OPTIONS requests involved in your log. The OPTIONS, POST and PATCH requests in your log are part of a standard WHEP handshake without CORS. The issue is a completely different one than the one that was the subject of this thread, and is that you want to pass the JWT to the external authentication server by using it as a query parameter of the sample WebRTC read page, and that page currently doesn't pass query parameters to inner requests performed with fetch().

You can accomplish this by editing the sample WebRTC read page and passing window.location.search to fetch():

fetch(new URL('whep', window.location.href) + window.location.search, {

saket424 commented 1 year ago

@aler9 Thanks for the fetch() tip. As you can tell, I am a novice at this. Can we bypass the external auth server for the inner requests, since the JWT has already been vetted by the outermost request?

saket424 commented 1 year ago

@aler9 Thanks for fixing the inner requests to add the query parameters to them https://github.com/bluenviron/mediamtx/commit/2faca7374942aef79ff94bbfb3e578bf6bbb2817

I can confirm that with this commit each inner request in the WebRTC read page now has the JWT passed to it.

aler9 commented 1 year ago

added in v0.23.7

github-actions[bot] commented 8 months ago

This issue is being locked automatically because it has been closed for more than 6 months. Please open a new issue in case you encounter a similar problem.