Usage of realm with turnserver


Frank

Feb 9, 2017, 12:37:11 PM
to discuss-webrtc
Hi,
we have a WebRTC client and try to use the coturn turnserver.
Everything works nice as long as I use a user of the default realm.
But the coturn server supports different realms and now I try to use a different realm with my webrtc client.
But I cannot get it working.
The turnserver gets contacted and reports back the default realm. Then WebRTC wants to authenticate as a user of this (default) realm. But the user is member of a different realm.
Here my setup to make it more understandable:
My default realm is “north.gov”.
A user of “north.gov” is “test3”. When I use the turnserver with the user “test3” everything works.
But I also have a user “test2” with the realm "test.com".
But the turnserver always tries to find the “user2” with the realm "north.gov", which he can't find of course.
Is there a way in WebRTC to set the realm of a user? I even tried to enter the credentials in the form of 0xbc807ee29df3c9ffa736523fb2c4e8ee.
I generated the key with the realm "test.com".
Does WebRTC support different realms?
If so, what is to do?
Best regards,
Frank


Taylor Brandstetter

Feb 9, 2017, 1:52:44 PM
to discuss-webrtc
I don't think this is possible without doing something creative. The first allocation request is sent with no realm, expecting an error with "REALM" and "NONCE" attributes, and then the next request includes this realm. Since this initial request doesn't include any credential information, I can't think of a way for the server to decide which realm to send in the response.

Though... You could have a server that responds to all allocate requests with a "Try Alternate" error, pointing to the "real" TURN server, including a specific realm in its response. That way, the non-default realm is in essence encoded in the ICE server address. I'm not sure how practical this would be to implement/deploy, though.

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrtc+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/793eaa4f-f4fe-4bc8-a2bf-5294ceca059c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

shakeeb nazmus

Feb 10, 2017, 3:40:52 AM
to discuss-webrtc
>>Is there a way in WebRTC to set the realm of a user.

WebRTC has not exposed any API to set realm. You can modify WebRTC code to expose it. 

When TURN server sends default realm to WebRTC client, client can ignore the server's realm and send its own realm for authentication.

But it is not a good idea because most of the time you don't have the option to modify the client.  

>>Does WebRTC support different realms?
>>If so, what is to do?

You can use the combination of username and domain name as a username for WebRTC client. Such as your first username name will be  te...@north.gov. Second username name will be te...@test.com.

And in the TURN server, you can make some simple change in the source code to send the desired realm based on username.
 
I like the second approach.

Simon Perreault

Feb 10, 2017, 8:21:45 AM
to discuss...@googlegroups.com
On 2017-02-10 at 03:40, shakeeb nazmus wrote:
> When TURN server sends default realm to WebRTC client, client can ignore
> the server's realm and send its own realm for authentication.

This is false. See <https://tools.ietf.org/html/rfc5389#section-10.2.3>:

"The request MUST contain the REALM, copied from the error response."

--
Simon Perreault
Director of Engineering, Platform | Jive Communications, Inc.
https://jive.com | +1 418 478 0989 ext. 1241 | sperr...@jive.com

Frank

Feb 10, 2017, 8:31:56 AM
to discuss-webrtc
Thanks to all for your answers.
For now, I will live with the single default domain. Although I really like the idea of
> You can use the combination of username and domain name as a username for WebRTC client. Such as your first username name will be  te...@north.gov. Second username name will be te...@test.com.
Maybe if I have time sometime I try this.
Thanks for your help!

Alvaro Gil

Feb 10, 2017, 8:38:18 AM
to discuss-webrtc
Frank,

Did you just copy the password from realm 1 to realm 2?
Notice that... "The key value depends on user name, realm, and password".

--
Alvaro
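
Added example, not part of any poster's message and not coturn or WebRTC code: a simplified model of the long-term credential exchange discussed in this thread, showing why a key generated for "test.com" cannot authenticate once the client copies the default realm from the 401 response. The passwords, the nonce, the account table and the simplified message body used for the HMAC are constructed for illustration; SASLprep is skipped because the inputs are plain ASCII.

```python
import hashlib
import hmac

def long_term_key(username: str, realm: str, password: str) -> bytes:
    """RFC 5389 section 15.4: key = MD5(username ":" realm ":" password).
    SASLprep of the password is skipped; inputs here are plain ASCII."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

# Constructed account table, one key per (username, realm) pair.
# Passwords are placeholders invented for this example.
DEFAULT_REALM = "north.gov"
ACCOUNTS = {
    ("test3", "north.gov"): long_term_key("test3", "north.gov", "pw-test3"),
    ("test2", "test.com"): long_term_key("test2", "test.com", "pw-test2"),
}

def challenge() -> dict:
    """Reply to the first, credential-less Allocate: 401 with REALM and NONCE.
    Nothing in that request identifies the user, so only the default realm fits."""
    return {"code": 401, "realm": DEFAULT_REALM, "nonce": "constructed-nonce"}

def client_retry(username: str, password: str, chal: dict) -> dict:
    """Second request: REALM and NONCE are copied from the error response."""
    body = f"ALLOCATE|{username}|{chal['realm']}|{chal['nonce']}".encode()
    key = long_term_key(username, chal["realm"], password)
    # Stand-in for MESSAGE-INTEGRITY: HMAC-SHA1 over a simplified message body.
    return {"username": username, "realm": chal["realm"], "body": body,
            "integrity": hmac.new(key, body, hashlib.sha1).digest()}

def verify(req: dict) -> str:
    """Server side: look up the stored key for (username, realm), then check the HMAC."""
    key = ACCOUNTS.get((req["username"], req["realm"]))
    if key is None:
        return "401 no such user in realm " + req["realm"]
    expected = hmac.new(key, req["body"], hashlib.sha1).digest()
    return "success" if hmac.compare_digest(expected, req["integrity"]) else "401 integrity mismatch"

def run(username: str, password: str) -> str:
    return verify(client_retry(username, password, challenge()))

if __name__ == "__main__":
    print("test3:", run("test3", "pw-test3"))
    print("test2:", run("test2", "pw-test2"))
    print("same credentials, other realm, same key?",
          long_term_key("test2", "test.com", "pw-test2")
          == long_term_key("test2", "north.gov", "pw-test2"))
```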

Frank

Feb 10, 2017, 9:35:03 AM
to discuss-webrtc
Alvaro,
I created the key with the corresponding realm. So I think I did it correctly.
Do you think it should work?
--Frank

Alvaro Gil

Feb 10, 2017, 9:39:07 AM
to discuss-webrtc
I think so based on what documentation says, but never tried myself.
The .conf file is pretty full of information about realms and accounts; perhaps you should look there (in case you didn't already). They mention the turnadmin tool to generate keys.

--
Alvaro

Frank

Feb 10, 2017, 10:05:38 AM
to discuss-webrtc
That is what I did.
The problem is not the Coturn server, but the WebRTC Client. (or their work together)

Argha Sen

May 28, 2020, 4:13:23 PM
to discuss-webrtc

I was trying to host a turn server for my webRTC project. I have my entire server running on a virtual machine static public IP Address. I found this article Turn Server Installation Guide. For configuring the turn server we need to have a domain name that is not available in my case. Is it possible to have a turn server running on my public IP without configuring any domain/realm name?