OT: Sharing SIP/Asterisk authentication with external web app


Nolan Darilek

Oct 22, 2014, 10:36:21 AM
to SIP.js
I know this isn't strictly SIP.js-related but perhaps someone here can
put me on the right track. I'm also not sure how much of this is related
to Asterisk or how much is allowed by the protocol itself.

I'm using SIP to coordinate audio/video communication between users of
my web app. Basically, every app user should also have an Asterisk SIP
endpoint, with access allowed on ports 5060/5061 so users can also use
external softphones when their browsers don't support getUserMedia. The
client-side JS doesn't have access to the user's password, and the
passwords are in MongoDB encrypted via BCrypt.

There appears to be a curl module for getting Asterisk config from a
third-party service, but SIP.js doesn't have the user's password anyway
and can't connect. I'm wondering if SIP has any provisions for, say,
generating a one-time password once the user logs in, then
authenticating using that? Asking here because it seems like someone on
this list has to have integrated SIP authentication/session pass-off
with an existing web app.

Thanks.

Will Mitchell

Oct 22, 2014, 11:15:09 AM
to sip...@googlegroups.com
Hey Nolan,

It sounds like you have an interesting setup.  Others may comment as well with their own ideas or implementations, but I would probably go about this with an out-of-band authentication mechanism.  If Asterisk can communicate with the web server serving the page, then it can validate that the SIP.js connection matches an active session authorized by the web server.  I haven't tried this myself, but I have heard of some applications using this (specifically, tryit.jssip.net comes to mind). Other options include customizing the authentication that Asterisk does to use something more complex, like OAuth or OpenID, to delegate the identity and password to a third party.

I suspect any way forward is going to become somewhat custom to your system.  Let me know how it goes, though... I'm really curious what you'll end up with!

Cheers,

-Will

Nolan Darilek

Oct 22, 2014, 1:03:34 PM
to SIP.js
Sorry, just realized this list is reply-to-sender. Resending...
On 10/22/2014 10:15 AM, Will Mitchell wrote:
> haven't tried this myself, but I have heard of some applications using this
> (specifically, tryit.jssip.net comes to mind). Other options include
>

Interesting, where did you hear/read about tryit using an out-of-band
authentication method? A quick glance makes it appear like a normal SIP
client, just authenticating with your normal credentials against a
server you control.

Anyhow, thanks for the pointers. I was thinking about generating
one-time passwords on the server, updating the Asterisk configs with
that password, then swapping out the OTP for the original password once
it was used. It seems hellishly complicated though, and I'm no security
expert, so working on this level makes me jumpy.

Alternatively, if anyone knows of another solution for web apps that
require video chat functionality and which need to work on all major
platforms, please do let me know. I'd just go with plain WebRTC if iOS's
lack of getUserMedia wasn't a factor. Jingle/XMPP would also be nice,
but I'd also like to provide an echo server so users can test their VoIP
connectivity before paying me, and there are no working Jingle echobots
that I could find. As of now SIP seems like my only solution, but it
feels like a bit of a 10000-pound gorilla in that I'm stripping out lots
of unneeded functionality, then contending with the bloat that
functionality introduces.

Will Mitchell

Oct 22, 2014, 1:35:45 PM
to sip...@googlegroups.com
I believe I was thinking of this discussion (beware, you may be entering deep discussion there...): https://groups.google.com/forum/#!searchin/jssip/web$20server/jssip/EaWrPq8YTvA/l-2o26F8H88J

Nolan Darilek

Oct 22, 2014, 9:41:09 PM
to SIP.js
Sweet, thanks for pointing me at this thread!

In particular, it looks like Kamailio and its MongoDB module, plus a bit
of hackery around new/change password flows, would let SIP and web
clients share the same credentials. The ephemeral auth module also looks
like it hands out short-lived one-time passwords for standard JS clients
to consume.

Thanks for that pointer, I'm feeling better about this problem than I
did this morning when I thought I'd need to hack my own password-sharing
system and likely get it wrong. :)
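
The short-lived credential idea discussed in this thread, as an added example that is not part of any post above and not code from any project named in it: the web server derives a time-limited SIP username and password from a secret it shares with the SIP server, so the browser never needs the user's real password. The `<expiry>:<user>` username and base64 HMAC-SHA1 password layout is an assumption about how such a module works, and the function names and secret are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample secret. In practice this is a long random value known
// only to the web server and the SIP server; it is never sent to the browser.
const SHARED_SECRET = 'constructed-demo-secret';

// Password = base64(HMAC-SHA1(secret, username)).
function sign(username, secret) {
  return crypto.createHmac('sha1', secret).update(username).digest('base64');
}

// Web server side: called only after the user's normal web login succeeded.
// The expiry is embedded in the username, so no per-user state is stored.
function issueCredential(sipUser, secret, ttlSeconds, nowSeconds) {
  const username = `${nowSeconds + ttlSeconds}:${sipUser}`;
  return { username, password: sign(username, secret) };
}

// SIP server side, reduced to its essentials. A real server recomputes the
// password from the username and uses it in SIP digest auth rather than
// receiving it in the clear; the expiry and HMAC checks are the same.
function verifyCredential(username, password, secret, nowSeconds) {
  const sep = username.indexOf(':');
  if (sep < 1) return false;                        // no expiry prefix
  const expiryText = username.slice(0, sep);
  if (!/^\d+$/.test(expiryText)) return false;      // expiry must be numeric
  if (Number(expiryText) < nowSeconds) return false; // credential expired
  const expected = Buffer.from(sign(username, secret));
  const supplied = Buffer.from(String(password));
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return expected.length === supplied.length &&
    crypto.timingSafeEqual(expected, supplied);
}

// Constructed usage: a 5-minute credential issued at t=1000 for user "alice".
const demo = issueCredential('alice', SHARED_SECRET, 300, 1000);
console.log(demo.username,
  verifyCredential(demo.username, demo.password, SHARED_SECRET, 1100));
```

Such a credential is valid for its whole lifetime rather than for a single use, so the TTL should be kept short and the credential delivered only over the authenticated HTTPS session.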