Proposal: Enhance Custom Authorization Abilities #415
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #415 +/- ##
==========================================
- Coverage 68.15% 67.78% -0.38%
==========================================
Files 43 45 +2
Lines 2352 2387 +35
==========================================
+ Hits 1603 1618 +15
- Misses 582 601 +19
- Partials 167 168 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
This seems like a really useful addition, I suggest we merge it with minor modifications.
I think it's OK to break the API with a new major version, it's still better than the confusion two auth handler APIs would create. Plus, the new API seems extensible without another API break.
I'm OK with providing this is a prefab functionality, mTLS seems useful and general enough to warrant a built-in implementation. Do you think your implementation is reusable for other users? But |
Just updating the |
Description
This PR is a proof-of-concept for extending the ability to write custom authorizers beyond using a custom function to check the value of a string (
usernamein the existingAuthFuncfunction definition), and specifically facilitating mTLS authentication.I would like my TURN communication to happen over TLS (which is already possible today), but I would like my TURN clients to present a signed TLS certificate for authn/authz instead of a static username and password.
This PR demonstrates how this could be possible.
This breaks the existing API - but it doesn't need to. Both
AuthHandlerandAuthorizercould co-exist until the next major release (assuming there's interest in this change).Note that
internal/server/authz/tls.gois only included for illustrative purposes -- that shound't go in here... though perhaps maybe an/examplewould be worthwhile.