diff --git a/internal/auth/manager.go b/internal/auth/manager.go index 7a29bb638bd..55b50b061f0 100644 --- a/internal/auth/manager.go +++ b/internal/auth/manager.go @@ -109,6 +109,7 @@ type Manager struct { HTTPAddress string HTTPExclude []conf.AuthInternalUserPermission JWTJWKS string + JWTExclude []conf.AuthInternalUserPermission ReadTimeout time.Duration RTSPAuthMethods []auth.ValidateMethod @@ -255,6 +256,10 @@ func (m *Manager) authenticateHTTP(req *Request) error { } func (m *Manager) authenticateJWT(req *Request) error { + if matchesPermission(m.JWTExclude, req) { + return nil + } + keyfunc, err := m.pullJWTJWKS() if err != nil { return err diff --git a/internal/conf/conf.go b/internal/conf/conf.go index 8516d2711d6..37abd5f1345 100644 --- a/internal/conf/conf.go +++ b/internal/conf/conf.go @@ -177,6 +177,7 @@ type Conf struct { ExternalAuthenticationURL *string `json:"externalAuthenticationURL,omitempty"` // deprecated AuthHTTPExclude AuthInternalUserPermissions `json:"authHTTPExclude"` AuthJWTJWKS string `json:"authJWTJWKS"` + AuthJWTExclude AuthInternalUserPermissions `json:"authJWTExclude"` // Control API API bool `json:"api"` @@ -323,6 +324,17 @@ func (conf *Conf) setDefaults() { Action: AuthActionPprof, }, } + conf.AuthJWTExclude = []AuthInternalUserPermission{ + { + Action: AuthActionAPI, + }, + { + Action: AuthActionMetrics, + }, + { + Action: AuthActionPprof, + }, + } // Control API conf.APIAddress = ":9997" diff --git a/internal/core/core.go b/internal/core/core.go index 2eeadcdb510..ae8afc19b1a 100644 --- a/internal/core/core.go +++ b/internal/core/core.go @@ -287,6 +287,7 @@ func (p *Core) createResources(initial bool) error { HTTPAddress: p.conf.AuthHTTPAddress, HTTPExclude: p.conf.AuthHTTPExclude, JWTJWKS: p.conf.AuthJWTJWKS, + JWTExclude: p.conf.AuthJWTExclude, ReadTimeout: time.Duration(p.conf.ReadTimeout), RTSPAuthMethods: p.conf.RTSPAuthMethods, } @@ -674,6 +675,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) { newConf.AuthHTTPAddress != p.conf.AuthHTTPAddress || !reflect.DeepEqual(newConf.AuthHTTPExclude, p.conf.AuthHTTPExclude) || newConf.AuthJWTJWKS != p.conf.AuthJWTJWKS || + !reflect.DeepEqual(newConf.AuthJWTExclude, p.conf.AuthJWTExclude) || newConf.ReadTimeout != p.conf.ReadTimeout || !reflect.DeepEqual(newConf.RTSPAuthMethods, p.conf.RTSPAuthMethods) if !closeAuthManager && !reflect.DeepEqual(newConf.AuthInternalUsers, p.conf.AuthInternalUsers) { diff --git a/mediamtx.yml b/mediamtx.yml index dbc451eb9f7..98d3141a84c 100644 --- a/mediamtx.yml +++ b/mediamtx.yml @@ -44,7 +44,7 @@ runOnDisconnect: # * internal: users are stored in the configuration file # * http: an external HTTP URL is contacted to perform authentication # * jwt: an external identity server provides authentication through JWTs -authMethod: internal +authMethod: jwt # Internal authentication. # list of users. @@ -120,7 +120,11 @@ authHTTPExclude: # Users are expected to pass the JWT in the Authorization header or as a query parameter. # This is the JWKS URL that will be used to pull (once) the public key that allows # to validate JWTs. -authJWTJWKS: +authJWTJWKS: https://localhost:7211/.well-known/openid-configuration/jwks +# Actions to exclude from JWT-based authentication. +# Format is the same as the one of user permissions. +authJWTExclude: +- action: publish ############################################### # Global settings -> Control API