using RTSP with bearer authentication
AnsweredHi,
We are currently in the process of upgrading our integration to support Nx Witness 6.1.0.42176. As part of this transition, we are moving away from Digest Authentication toward Bearer Tokens for our RTSP streams, currently using VLC based application.
As mentioned in my comment on [Link to Old Post], we have attempted to implement the "token-as-password" method recently introduced for third-party players, but we are consistently unable to establish a connection.
Our Setup:
- Site Version: 6.1.0.42176
-
Method: Session token used as password with a hyphen (
-) as the username. - Security Settings: "Force Secure Connections" is currently disabled for testing.
- User Permissions: The account has "Extract Video" permissions enabled.
Example URL Tested:
rtsp://-:vms-b1e9ed282c51d2aee9c8e04e8e8ecd1b-PnPZ6bVX61Ab02TTlZAr8T9Oy4UYUL@<SERVER-IP>:7001/b769050d-ab92-3762-cf8e-614414ab37f7?stream=0
The Issues:
-
VLC: Returns a 401 Unauthorized error immediately. We have verified the token is fresh and valid via the
/rest/v4/login/sessionsendpoint. - Encoding: We have tried both raw and URL-encoded versions of the token to ensure the special characters aren't breaking the RTSP string parsing.
- We've also enabled digest auth temporarily for our user to isolate the authentication problem - which worked just fine.
Questions:
- Is the "hyphen username" feature fully supported in this specific build, or is a newer patch required?
- Are there specific global security levels that override the hyphen-token method?
We would appreciate any guidance or logs we should look into to debug why the server is rejecting these credentials.
Best regards, Eylon.
-
Hello Eylon Cohen ,
Is the "hyphen username" feature fully supported in this specific build, or is a newer patch required?
Due to certain complications it is not going to be delivered under 6.1.0 support and will only be available with 6.2 version.
Partially because of that the complete depreciation of digest auth was postponed to 6.2 too.
Are there specific global security levels that override the hyphen-token method?
No, there are not. It is just not supported yet.
As soon as it is delivered, this option will be covered in one of the public documentation sections.
0 -
I did a bit of digging with this. In my installed version (6.1.2.42921), I found that NX advertises
WWW-Authenticate: Digest realm="VMS"in its 401 response. The-:token Basicauth scheme works, but only if you:- Let NX issue the Digest 401 challenge first. Sending Basic auth causes NX to close the connection silently
- Never send
OPTIONSto NX on the same TCP connection beforeDESCRIBE, as it prevents theBasicauth from being accepted afterward.
Most clients (VLC, ffplay, etc.) follow the Digest challenge, get the 401, and won't attempt Basic.
I made a quick Python script which allows you to specify your original credentials, and get them exchanged for a token, and which then allows clients to connect. It's fundamentally less secure than even digest, but it might help someone somewhere: https://github.com/bevans-vc/nx-witness-rtsp-proxy
0
Please sign in to leave a comment.
Comments
3 comments