Introduction
Local authentication means that this server itself uses the parameters passed by the client to decide whether a streaming or playback request is legitimate. For example, when streaming with the following URL:
`rtmp://test.publish.com/app/test?sign=120705DE7E61C5B&expire=1746451971`
The `sign` is generated by concatenating the domain, stream name, expiration time, and secret key, then calculating the MD5 hash. The server recalculates the MD5 value using the same method and compares it with the provided `sign`. If they match, authentication is successful; otherwise, it fails.
Configuration
To make configuration easy, mms provides a very simple, highly extensible, and intuitive authentication configuration method (applicable to streaming, playback, and origin URL generation).
Simplest Authentication Configuration
For example, in the streaming domain configuration file `test.publish.com.yaml`, you can configure the simplest streaming authentication as follows (more complex rules are explained later):
```yaml
type: publish
name: test.publish.com
apps:
  - name: app                  # Access point name
    publish_auth_check:        # Streaming authentication
      enabled: true            # Enabled
      checks:                  # Verification items
        - "${url_params[publishKey]} == 123"   # Static authentication
```
This rule means that the value of the `publishKey` parameter in the URL must be `123` for authentication to pass.
Placeholder for Authentication
The simplest authentication rule was introduced above to give a clear picture. The `url_params[publishKey]` in it is a special notation that we call a placeholder, similar to `%s` in `printf`.
Placeholders are wrapped in `${}`, and the actual value is determined by the content within `{}`. Below is a list of placeholders currently supported by `mms-server`:
Placeholder | Description | Example |
---|---|---|
`${domain}` | Replaced by the domain name. | |
`${app}` | Replaced by the access point. | |
`${stream_name}` | Replaced by the stream name. | |
`${stream_type}` | Replaced by the stream type (e.g., rtmp, webrtc, flv). | |
`${url_params[key]}` | Replaced by the URL parameter named `key`. | For example, if the request is `rtmp://test.com/app/stream?key=abc`, this placeholder will be replaced with `abc`. |
`${header_params[key]}` | Replaced by the request header named `key`. | For example, if the request `http://test.com/app/stream` has the header `key: 123`, this placeholder will be replaced with `123`. |
`${params[key]}` | Replaced by the user-defined parameter value named `key`. | Will be explained later. |
Parameter Generation Methods
After obtaining the domain, access point, stream name, and parameters through the placeholders above, we may need to perform calculations on them, such as generating an MD5 hash of `${domain}/${app}/${stream_name}?key=abc&expire=123`. These calculations are specified in the `params` configuration section, in the format `method_name(parameters...)`.
Below is a list of calculation methods currently available in `mms-server`:
Method | Number of Parameters | Description |
---|---|---|
`string(p1)` | 1 | For example, `string(1234)` generates the string "1234". |
`get_time()` | 0 | For example, `get_time()` gets the current system Unix timestamp. |
`md5_upper(p1)` | 1 | For example, `md5_upper(${app}/${stream_name}/${url_params[key]})` calculates the uppercase MD5 value. |
`md5_lower(p1)` | 1 | Similar to the above, but produces the lowercase MD5 value. |
`hmac_sha1(p1,p2)` | 2 | Uses HMAC-SHA1 with two parameters. |
`base64(p1)` | 1 | Base64 encodes the provided value. |
`add(p1,p2)` | 2 | Adds two values, for example, `add(${params[time]},10)`. |
`sub(p1,p2)` | 2 | Subtracts the second value from the first. |
`bin_to_hex(p1)` | 1 | Converts the binary value `p1` to a hex string. |
Configuration Example 1
```yaml
type: publish
name: test.publish.com
apps:
  - name: app                  # Access point name
    publish_auth_check:        # Expiry authentication
      enabled: true
      params:
        key: string(sys@test.publish.com)   # Static key mixed into the token
        time: get_time()                    # Current Unix timestamp
        token: md5_upper(${params[key]}/${stream_name}/${url_params[expire]})
      checks:                  # Verification items
        - "${url_params[token]} == ${params[token]}"
        - "${url_params[expire]} < ${params[time]}"
```
Explanation
- `key`: The value of `${params[key]}` is set to "sys@test.publish.com".
- `time`: The value of `${params[time]}` is the current system timestamp.
- `token`: The value of `${params[token]}` is the uppercase MD5 hash of `${params[key]}/${stream_name}/${url_params[expire]}`.

The `checks` section specifies the conditions for authentication:
- The URL parameter `token` must match the generated `${params[token]}` value.
- The URL parameter `expire` must be less than the generated `${params[time]}` value.

Note that the playback example at the end of this page compares in the opposite direction (`${url_params[expire]} > ${params[time]}`), which is the form that rejects a URL once its `expire` time has passed.
Configuration Example 2
```yaml
type: publish
name: test.publish.com
apps:
  - name: app                  # Access point name
    publish_auth_check:        # Expiry authentication with secret key
      enabled: true
      params:
        # String to sign; placeholders use the ${} form listed in the placeholder table
        SignStr: string(/${app}/${stream_name}/?e=${url_params[e]})
        SecretKey: string(312ae9gd2BrCfpTdF4U8aIg9Puh62K4eEGY72Ea_)
        AccessKey: string(7O7hf7Ld1RrC_fpZdFvU8aCgOPuhw2K4eapYOdII)
        HMAC: hmac_sha1(${params[SecretKey]},${params[SignStr]})   # Binary HMAC-SHA1 output
        HMACStr: bin_to_hex(${params[HMAC]})                       # Hex string of the HMAC
        Base64: base64(${params[HMACStr]})
        Token: string(${params[AccessKey]}:${params[Base64]})
        time: get_time()
      checks:
        - "${url_params[token]} == ${params[Token]}"
        - "${url_params[e]} < ${params[time]}"
```
Explanation
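- A signature string is generated from the access point, stream name, and expiration time `e`, and signed using HMAC-SHA1 with `SecretKey`.
- The HMAC output is converted to a hex string, encoded in Base64, and combined with the access key to form the final token.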
- The token and expiration time are then validated against the client-provided values.
Stream Authentication and Playback Authentication
The examples above use `publish_auth_check` for stream authentication. Playback authentication is similar but uses `play_auth_check`:
```yaml
type: play
name: test.play.com
publish_domain: test.publish.com
apps:
  - name: app
    play_auth_check:
      params:
        key: string(sys@test.publish.com)
        time: get_time()
        token: md5_upper(${params[key]}/${stream_name}/${url_params[expire]})
      checks:
        - "${url_params[token]} == ${params[token]}"
        - "${url_params[expire]} > ${params[time]}"
```
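
How a client would compute the tokens expected by Configuration Example 1 (and the playback configuration above) and by Configuration Example 2, with a server-side mirror of the two checks. This is an added example, not mms-server code. Assumptions: `hmac_sha1` takes the key as its first argument, `bin_to_hex` yields lowercase hex, `base64` is standard padded Base64, `SignStr` is read as `/<app>/<stream_name>/?e=<e>`, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import time


def md5_token(key, stream_name, expire):
    """md5_upper(${params[key]}/${stream_name}/${url_params[expire]})."""
    raw = f"{key}/{stream_name}/{expire}".encode()
    return hashlib.md5(raw).hexdigest().upper()


def hmac_token(access_key, secret_key, app, stream_name, e):
    """Token chain of Configuration Example 2."""
    sign_str = f"/{app}/{stream_name}/?e={e}"
    # Assumption: hmac_sha1(p1, p2) takes the key first, the message second.
    mac = hmac.new(secret_key.encode(), sign_str.encode(), hashlib.sha1).digest()
    # Assumption: bin_to_hex emits lowercase hex; base64 is standard and padded.
    b64 = base64.b64encode(mac.hex().encode()).decode()
    return f"{access_key}:{b64}"


def check(presented, expected, expire, now=None):
    """Mirror of the two checks, playback direction (expire > time)."""
    now = int(time.time()) if now is None else now
    # Constant-time comparison, so timing does not reveal how much matched.
    same = hmac.compare_digest(presented.encode(), expected.encode())
    return same and int(expire) > now


def signed_query(key, stream_name, ttl, now=None):
    """Query string a player appends to the playback URL."""
    now = int(time.time()) if now is None else now
    expire = now + ttl
    return f"token={md5_token(key, stream_name, expire)}&expire={expire}"


if __name__ == "__main__":
    KEY = "sys@test.publish.com"      # key value from the page's examples
    NOW = 1746451671                  # constructed timestamp
    print(signed_query(KEY, "test", 300, NOW))
    good = md5_token(KEY, "test", NOW + 300)
    print(check(good, good, NOW + 300, NOW))            # valid, not expired
    print(check(good, good, NOW + 300, NOW + 301))      # expired
    forged = md5_token(KEY, "other", NOW + 300)
    print(check(forged, good, NOW + 300, NOW))          # token for another stream
```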