Stream ID & Authentication

Mark P. 2020-06-02 19:32:18 UTC in Nimble Streamer


If you have a solution that I can use via some API to determine if the stream should be accepted or not, can you please point me to the docs for it?

The addition of new approved stream IDs / keys (from registered users) to a database or file will be automated and I need a way to have Nimble Streamer check if the given ID/key is valid.

If the user is using my app to publish the SRT stream then I'd like to tell them that their ID/key is missing or invalid.

Please point me to the docs for authenticating streams or advise as to how I can only accept streams from registered users without having to configure via WMSPanel for each new user.

Is there some XML or JSON configuration file from which Nimble Streamer can update its list of accepted IDs/keys without restarting?

Please clarify your authentication model.

Thank you.

Mark P. 2020-06-02 21:34:51 UTC 


I realize StreamID means something else. What I'm talking about is the StreamKey used for authentication. For example, Twitch uses a StreamKey that is tied to the user's Twitch account. That's what I'm asking in regards to.

Alex Pokotilo 2020-06-03 04:37:37 UTC 

we are working right now on stream_id with userid -> password mapping.
It will be available in the next week. Please check Nimble release notes/subscribe blog/telegram/youtube to be informed once this feature available

Mark P. 2020-06-03 07:45:07 UTC 


The way I imagine it is the stream publishing client gets a token after it successfully signs-in. The token has an expiration date/time and is digitally signed with the server's pubic key (or some such scheme) The token can then be sent by the publisher to the server as stream_id or auth or whatever field the SRT protocol allows for this. The server can then validate the token is authentic and still valid (has not expired) and based on that it agrees to ingest the stream. Otherwise, it returns an authentication error (assuming SRT protocol allows for that) The token would be renewed by the server before it expires (client can be required to re-authenticate with the same username and password (that it has in memory after the user enters them the first time) and reinsert the new token into the SRT stream.

I look forward to finding out whether or not you'll support signed tokens with expiry. It reduces the risk of the token being stolen and re-used by someone which could incur a lot of cost to the user. But I would be happy with any practical and secure way to authenticate that won't be coupled tightly to WMSPanel.

Mark P. 2020-06-03 08:56:39 UTC 
Mark P. 2020-06-03 15:55:17 UTC 

" in SRT-to-SRT connection, each user can have an individual passphrase known to the server. So that the server can tell this passphrase to SRT (via listener callback). SRT will check authentification, and accept or reject the user's connection attempt."

This is what I need and the passphrase in my case is a signed token generated after the user authenticates via web/https by entering their username and password. The signed token has an expiration time and can be sent to publisher and stored on the server in a database so that when publisher sends the token in the SRT stream it can be validated and user is identified (from the token->user_id mapping or verifying the token is valid was assigned to the associated user_id)

The idea of the SRT callback for verifying user is authenticated via token/passphrase is perfect.

What I don't understand is how the SLDP side will work. Does SLDP support authentication? or is it a free-for-all stream?

None of this has to be tied to WMSPanel but as an option it could be configured from there (and should be possible too from some config file so it can be automated and decoupled from WMSPanel)

Mark P. 2020-06-03 16:39:48 UTC 

After reading the doc here:

I have more clarity on the scheme

Here are my updated thoughts based on the doc above:

This is what I need and the passphrase in my thinking would be a signed token generated after the user authenticates via web/https path by entering their username and password into a web app that returns the signed token (that will be the passphrase that I would set on the socket once stream_id gives me the username.) The signed token/passphrase has an expiration time in my case and can be re-generated by before expiration (on server side upon client request) and sent to the publisher, set on the socket once again, sent by publisher with the SRT data, and checked by this SRT library to allow/deny the connection.

The idea of the SRT callback for verifying user is authenticated via token/passphrase is perfect. My only thought about it is that it probably should have an expiration time and it should be digitally signed. If it does have an expiration time then we need to be able to renew it while the stream is live and in progress. If it's not renewed and it expires the stream should be interrupted but it can have any expiration period like 2 hours or more. Alternatively, the expiration of the passphrase/token should not terminate any live stream in progress but should disallow it from being used for a new connection.

I don't have much knowledge of PSK encryption, or how you'd prove that the expiration date in the passphrase hasn't been modified. If the password doesn't expire then it's akin to a hashed password, and that's totally fine if MITM attack scenario (to steal the token) is not possible or not in scope for this feature.

Alex Pokotilo 2020-06-04 06:16:25 UTC 

please find our plans about SRT passphrase+our view to authorization in my reply to your post here starting with " Speaking of access control for SRT"
Please also find what I personally think about SRT traffic encryption future here
Please also note that we should ask you to wait for this feature and it's description in near future once my view to this subject become a product.
I respect all feedback from our clients but we have 4 parallel threads about this feature so you need wait to get what I want to bring to the product in SRT/streamid field.
I have my own view on this subject and it would be cool if you find something useful to your cases. But I'm not feedback driven in this case so don't wast you time and just wait for new release please.

Mark P. 2020-06-04 14:37:35 UTC 

"I think passphrase now used for both publish authorization and traffic encryption but if we implement DTLS we get traffic encryption out of the box and each vendor can implement authorization based on streamid. This is more secure too as passphrase is used multiple times while DTLS session key is changed on each session and probably during long sessions as well."

This would be exactly what I would do anyway and it's the most credible solution.

If stream_id is a signed token like how JWT is used commonly then the SRT data would have to also include user_id so you can look up in the database by user_id and see if the token is valid.

Such a scheme would not only meet my requirements but is exactly how most modern token based authentication works.

Thank you for starting that issue in the SRT repo.

Yury 2020-06-23 03:22:32 UTC 

We've released SRT Publisher Assistance Security Set premium feature set. It includes the support for streamid parameter for Listen mode or receiver among other features.

Please read this article giving overview of this huge feature set:
We're also working on related technical articles describing the setup, they are coming soon.

Yury 2020-06-23 03:23:26 UTC 

We also support streamid for outgoing connections, that is part of freeware functionality of Nimble Streamer.

We'll update Nimble website accordingly soon.

Post a reply

Post a new question



nimbleNimble StreamerFAQHLSDVRRTMPnimble streamerhlsABRcachewmsauthNimbleAPISRTtranscoderffmpegdvrapiVODfailoverrtmpstreamingDASHwmspanelvodudprtsppaywallsubtitlessrtsldpDispersaRTSPyoutubelivelivestreamingmp4WMSAuthMPEG-DASHpay-per-viewgeodashWMSPaneledgestreamervideoabrWindowsencryptionhttpsUDPuser agentwhite labelconfigsmilFFMPEGmulticastsslMPEG-TSaudioCORSre-streamingmpeg-dashchunksraspberry piandroidbandwidthadvertizercorsvlcS3DRMrules.confplaylistadvertisingipv6MPEGTSFastSpringRAMthumbnailFMLEVATcrossdomainupdateRecordingmpegtsSMILaespushakamaiwowzaserverserrorm3u8TranscodeSSLbalancechromecastplaylist_dvrWowzaconfigurationIDreportingbugperformancedomainnimblestreamerLarixIPrepublishingmpeg-tspublish controlcodecmobileloopHttpsVidillionawsAWSdownloadoriginSLDPcloudfrontCDNraspianrouteswms panelchunknimble webcam html5UIbitrateRegistration Issuedirect link32-bit Windowstwitchcache_controlitworkmelive abr support mpeg-dashwmspanelapiresumertmp abrbeirutWWDCdubaideep statsCentOS v6.4hls to multicast udplogcloudIIS Smooth StreamingmediaHot-linking protectionHTTPSAbrHDSvaddioalertsjwplayer websitebaselinewhmcsnginx rtmp nimbleAV BridgeAuthentication in HLSVaddioPI3 Ubuntupriceview timelimitOld logsscreencastinterfacesattaching domainsDVRRecordingloadbalancingmod_rewritemetadataprofileID3 tagsgbpsAxismessageWMSCONFIG_HOMEwmsauthsignhighhds hotlinkhls restreaminggentoo install server nimbleVLCPublic Iptranscoding using NvidiaPaywall AuthniblerofflinedocumentationNimble streamer upgradedecodertransocding republishingVideo PlayerTrancoderconcurrent-connectionsfileAliaslost trafficServer-sidetasks-controllebanonlocationmanifeststoppedNimble Streamer versionipMP4 not playedspacemainicecast urlruleseekingconnectivitydvr streamunique visitorhot linkingchangeamfpay per viewplayoutPlayReadyamazon web servicelimuxdvr stream twicedvr_archivesmpeg dashhot-linkAXVVGobsTCOopensslSteam stopped workingonblocknvencHLS vod7Expression EncoderanalyticspaywalapplicationbrandingtrialMP4microsoft streamerrorsrocksoftlog traffic statsHLS PlayerDASH Playerdebianprogressive downloadABR DASHFFmpegmultiple originsnimblesessionidlive video on demandbandwithscreen freezecan't registerserverheaderprivate networkLarge DVR fileslog nimble analysertmp playbackvideojsno WMSPanellive videosourceinterleavingadaptiveAV1 codecmac osx installSnapshotsNGINX-RTMPJWPLAYERwotermarkPullvimeohelp errorvideo stopload balance4Kcrossdomain more then 1 domainattachmentvsomcdnlive streamvod no soundconcurrent connectionAWS 3buttmpeg2tsDelayServer-Side-Task-ControlWidevinedisk migrationFairplayfallbackamazonControl APILive streamingTranscoderscreen capturestereo to monoRemote StorageWowza Agentsecuritynot foundCPU Loaddrmpullresourceaes encryptionAS3subscriptionABR HLS Bitrateslive pull settingsWMSPanel settingstwitch larix broadcaster androidDVRSettingsinstall players setup ready to goDelete recordsAppleicecastrtmp for YouTubeudp streamingoutratevideo loopstarttime duration seekpointrebootdvr streamsnimble streamer vod hls transmuxingloggingmonitorautomationnimble streamer web server php script pageNimble Streamer APIlivestreamlearnernimble.confrtmp republishing transcodeIIS Media Servicsapi accessDeep statsNimble CapacityABR DVR probleminsert logoweb playerLive SwitcherAVCaptureMovieFileOutputblock downloadcontent-dispositionnot to stealLive BroadcastPost processingadd_chunk failedfake extensionMPEG DASHUbuntu artful 17.10Transcoder MPEG DASHNimble Serverstatus:errorFFMPEG;RTMP;I/O errortranscodingRTMP republishHotlinking ProtectionStreaming routePIDbroadcasterOSXlarix broadcasterMPEG-Dashpaymentstatspremium featureThumbnailsserver incorrect timereloadLiveLIVEHow to do live stream with multiple audio trackdemandProgressivenimble aliasesrmtpno internetprogressiveHLS Streamingthumbnail dvr-thumbnailLoad-Balancingnimble streamer mpeg-ts multiple inputswmsAuthSignsoundHLS Meta Tag editing.streamsSecureraspberryavoid refreshreportsdelaympeg4transcoder nimbleAndroiduser_agentdvr on wmspanelVideo cant be playedS3 AWSBroadcastcredentialslivestream bitratevbv-maxratetranscodeRepublishingubuntu 18Teradek DecoderVR-360Failoverpublish streamStream Delaytraffichd25Larix BroadcasterAArch64PacketizingABR bitratesbuildcontentRTMP Republishdomain lockoutputUsers limitcloudflareVOD HLS streaming on public IPincoming streamno soundInvalid frame headerHTML5 playerGopDVR Setting limitssaibufferNimbleStreamerav1 codecrtsp push androidartifactscache expiryvideo streamingQuickTime.movalias routestoragedistributionspeedup my videoiOSqataritworkscdnvideo.jsfastspringmp2 audiodata slicesaliasplayer sldptransocderlivestreaminRAM Loaddiskstorage space available3.6.1-1webhookdvr to livedissapointmentpay-per-minuteSO_RCVBUFbuffering videoadvp9latencynimble dvrdurationBandwidthgpuadjustsoftware versionPaywallvideo and audio not matchmanage_dvrhow-toError when installingrulesDVRStreamsaws amazonFallbackhelprestartIOSUDP MulticastMax connectionMPEG2 Videologo in streamcompatibility protocolsa recordwirecasthttp serverSSL requestserver ip21analisyssctenimble on cloudprerollsha265VP9dynamic linksTLSV 1.2 CertificateCSSactionscript 3server ssl errorViewer StatsNDICross DomainSRT protocolabr fallbackNimble connectionsmd5pricingissuecpugoogle cloud storagePORTDVR SettinganalyseStreamID

This website or its third-party tools use cookies, which are necessary to its functioning and required to achieve the purposes illustrated in the Privacy Policy. If you want to know more or withdraw your consent to all or some of the cookies, please refer to the Privacy Policy.
By closing this banner, scrolling this page, clicking a link or continuing to browse otherwise, you agree to the use of cookies.