Developing custom authentication for BBB

Eugene Voytitsky

Sep 23, 2011, 5:31:56 AM
to bigblueb...@googlegroups.com
Hi all,

I need to integrate BBB 0.71a with an external (from BBB's point of view)
custom authentication service that is located within the same intranet as BBB.

1. Please point me to some BBB doc article or source where I can start to
dig into how BBB authentication/authorization works and how I can plug/hack
my custom auth into BBB.

2. BBB itself integrates several components/services - Red5/FreeSwitch/etc.
What happens after the user has successfully authenticated on the BBB
Demo page - to what other components is the authentication propagated?
How is the BBB auth context transmitted/propagated to those components?

3. Is there any difference between BBB 0.71 and the upcoming 0.8 regarding
auth? (Because I plan to migrate my solution from 0.71a to 0.8 as soon as
0.8 gets a stable release.)


Thanks in advance for your help and time.
--
Best regards,
Eugene Voytitsky

Fred Dixon

Sep 23, 2011, 7:31:56 AM
to bigblueb...@googlegroups.com
Hi Eugene,

There are two points of reference for understanding how authentication
works in BigBlueButton.

The first is our API documentation:

http://code.google.com/p/bigbluebutton/wiki/API

The second are the API examples included with BigBlueButton to
demonstrate how to use the API

https://github.com/bigbluebutton/bigbluebutton/tree/master/bbb-api-demo/src/main/webapp


The key point is that BigBlueButton uses security tokens for
authentication. In the API they are called moderator and viewer
password, but most 3rd party applications will authenticate the user
using their own business logic, then create a meeting with a random 16
character moderator and viewer password, then return the user a Join
URL with one of the two passwords.

The other key point is there isn't any business logic in BigBlueButton
with regards to the process for authentication. Take this API
demo3.jsp for example

https://github.com/bigbluebutton/bigbluebutton/blob/master/bbb-api-demo/src/main/webapp/demo3.jsp#L245

You can use this as a starting point and replace line 245 with your
own authentication.


Beyond the 3rd party application having a shared secret to make proper
API calls, there is no further authentication. No authentication is
transmitted to the various components. BigBlueButton makes *no*
warranty that any of the data streams are secure or anything about the
server is secure beyond restricting API calls to using a shared
secret.

> 3. Is there any difference between BBB 0.71 and upcoming 0.8 regarding auth?

In 0.8 API you are able to pass the createTime parameter for the
'join' API call. This links the Join URL you send back to a client to
a specific meeting. Once that meeting is finished, a subsequent
meeting would have a different create time and the older URL would not
work.

Regards,... Fred
--
http://code.google.com/p/bigbluebutton/wiki/FAQ#BigBlueButton_Committer


Eugene Voytitsky

Sep 23, 2011, 7:43:58 AM
to bigblueb...@googlegroups.com
Fred,
great thanks for such a detailed answer.

PS. I sincerely appreciate your titanic efforts to answer all questions
on the mailing lists!


--
Best regards,
Eugene Voytitsky

Alec Taylor

Sep 23, 2011, 8:40:48 AM
to bigblueb...@googlegroups.com
BBB probably has in-built CAS authentication somewhere on their roadmap.

Fred Dixon

Sep 23, 2011, 11:12:29 AM
to bigblueb...@googlegroups.com
Hi Alec,

To be clear, BigBlueButton doesn't have any concept of external user
authentication, external user directory, external user roles -- none
of it.

It only knows about the API commands for creating a meeting, which is to
define a meetingID along with a security token for moderator and
viewer, along with some other properties for the meeting.

It's up to the 3rd party application to verify the user and, when
verified, make the calls to 'create' and 'join' to instruct
BigBlueButton to create a meeting and join a user.

if (user verified) {
    // call BigBlueButton 'create' to create the meeting
    // construct a Join URL and return to user's browser
}

It's the responsibility of the 3rd party application to keep track of
meetings, who can join, and so on. The design of the API is to enable
you to restart the BigBlueButton server and, other than terminating
the active meetings, not break any dependency on the 3rd party
application.


What we'd like to do is include in our API examples an example of using
CAS authentication to log in to BigBlueButton, but when you look under the
hood, what the example will show is how to use a generic CAS library to
authenticate a user, and the BigBlueButton API.

Right now it's a very clean separation, and it keeps all the
authentication in the 3rd party client (that has the shared secret and
can make API calls).


Alec and Eugene, is the above sufficient for integrating BigBlueButton
into a CAS environment, or do we need to bring the CAS login inside
BigBlueButton?
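
The flow described in Fred's two replies above (verify the user in the 3rd party application, create a meeting with random 16-character moderator and viewer passwords, return a Join URL), as an added example that is not part of the thread or the BigBlueButton code. The host, shared secret, user table and helper names are hypothetical, and the checksum rule SHA-1(call name + query string + shared secret) is taken from the public API documentation rather than from this thread.

```python
import hashlib, hmac, secrets, string
from urllib.parse import urlencode

# Assumptions (not from the thread): host, secret, user table, and the
# checksum rule SHA-1(callName + queryString + sharedSecret) from the API docs.
BBB_API = "http://bbb.intranet.example/bigbluebutton/api"  # hypothetical host
SHARED_SECRET = "constructed-shared-secret"                # constructed value
USERS = {"alice": ("pw-alice", "moderator"),               # constructed users
         "bob": ("pw-bob", "viewer")}
MEETINGS = {}  # meetingID -> tokens; tracked by the 3rd party app, not by BBB

def random_token(length=16):
    """Random 16-character meeting password drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def signed_url(call, params):
    """Build an API URL; the checksum proves knowledge of the shared secret."""
    query = urlencode(params)
    digest = hashlib.sha1((call + query + SHARED_SECRET).encode()).hexdigest()
    return f"{BBB_API}/{call}?{query}&checksum={digest}"

def verify_user(username, password):
    """Stand-in for the external auth service: returns a role or None."""
    stored, role = USERS.get(username, ("", None))
    ok = hmac.compare_digest(stored.encode(), password.encode())
    return role if ok and role else None

def create_meeting_url(meeting_id, name):
    """Server-to-server 'create' call; this URL is never sent to a browser."""
    tokens = MEETINGS.setdefault(
        meeting_id, {"moderator": random_token(), "viewer": random_token()})
    return signed_url("create", {"name": name, "meetingID": meeting_id,
                                 "attendeePW": tokens["viewer"],
                                 "moderatorPW": tokens["moderator"]})

def join_url(username, password, meeting_id, create_time=None):
    """Return a Join URL only for a verified user of a known meeting."""
    role = verify_user(username, password)
    if role is None or meeting_id not in MEETINGS:
        return None  # all authentication decisions are made here, not in BBB
    params = {"fullName": username, "meetingID": meeting_id,
              "password": MEETINGS[meeting_id][role]}
    if create_time is not None:  # 0.8 only: ties the URL to one meeting instance
        params["createTime"] = create_time
    return signed_url("join", params)
```

The Join URL carries only the per-meeting token for the user's role; the shared secret stays on the server and appears in the URL only through the checksum.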

Alec Taylor

Sep 23, 2011, 11:40:45 AM
to bigblueb...@googlegroups.com

Hard to say. I'm thinking user information would need to have some
accountability from a CAS.

Eugene Voytitsky

Sep 23, 2011, 12:51:29 PM
to bigblueb...@googlegroups.com

Fred, seems yes,
but to be sure, next week I'll start the integration and will answer as
soon as I get more information and details.
Thanks.
