Add pluggable AuthHook trait and C4M token authentication #171
Open
suhasHere wants to merge 13 commits into
Conversation
…blic_key_pem, expires_in)
thibmeu reviewed Jun 3, 2026
/// (REGISTER, USE_ALIAS, DELETE) are not yet supported.
///
/// Wire format per token entry:
/// Alias Type (vi64) = 0x2 (USE_VALUE)
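Review bot: the wire-format comment says `Alias Type (vi64) = 0x2 (USE_VALUE)`, while the line two above lists USE_ALIAS among the alias types that are not yet supported; in draft-ietf-moq-transport-16 section 13.1 the alias types are DELETE 0x0, REGISTER 0x1, USE_ALIAS 0x2 and USE_VALUE 0x3, so 0x2 is exactly the unsupported USE_ALIAS form. If the encoder writes 0x2 and then Token Type and Token Value, a peer following the draft reads the next varint as a Token Alias and never reaches the value. Suggest `/// Alias Type (vi64) = 0x3 (USE_VALUE)` here and naming the four values as constants so the doc comment and the encoder cannot drift apart.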
Very brief comment as I'm building off this PR: this is USE_ALIAS, not USE_VALUE, which is 0x3, both in -16 and -18: https://datatracker.ietf.org/doc/html/draft-ietf-moq-transport-16#section-13.1
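The alias-type values are easier to reason about on the wire. The following is an added example in Rust, not code from this PR or from the moq crates: it encodes and decodes one Authorization Token entry using the field layout of draft-ietf-moq-transport-16 section 13.1 linked above (the layout is taken from the draft, not from this PR's code, and is an assumption of the example), names the four alias types as constants, and shows what a draft-conformant decoder makes of an entry that uses 0x2 for a value-carrying token. The `encode_value_with_alias_type_0x2` helper and all sample values are constructed for the example.

```rust
// Added example, not code from the PR or the moq project: encode and decode one
// Authorization Token entry using the field layout of draft-ietf-moq-transport-16
// section 13.1, to show what goes wrong when 0x2 is used for USE_VALUE.
// Layout assumed from the draft (Token Value runs to the end of the parameter):
//   Alias Type (vi64), [Token Alias (vi64)], [Token Type (vi64)], [Token Value (..)]
//   Token Alias is present for DELETE, REGISTER and USE_ALIAS;
//   Token Type and Token Value are present for REGISTER and USE_VALUE.

pub const ALIAS_DELETE: u64 = 0x0;
pub const ALIAS_REGISTER: u64 = 0x1;
pub const ALIAS_USE_ALIAS: u64 = 0x2;
pub const ALIAS_USE_VALUE: u64 = 0x3;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AuthToken {
    Delete { alias: u64 },
    Register { alias: u64, token_type: u64, value: Vec<u8> },
    UseAlias { alias: u64 },
    UseValue { token_type: u64, value: Vec<u8> },
}

/// QUIC variable-length integer encoding (RFC 9000 section 16), the draft's vi64.
pub fn put_varint(out: &mut Vec<u8>, v: u64) {
    if v < 1 << 6 {
        out.push(v as u8);
    } else if v < 1 << 14 {
        out.extend_from_slice(&((v as u16) | 0x4000).to_be_bytes());
    } else if v < 1 << 30 {
        out.extend_from_slice(&((v as u32) | 0x8000_0000).to_be_bytes());
    } else {
        out.extend_from_slice(&(v | 0xC000_0000_0000_0000).to_be_bytes());
    }
}

/// Reads one varint at `*pos` and advances it; None if the buffer is truncated.
pub fn get_varint(buf: &[u8], pos: &mut usize) -> Option<u64> {
    let first = *buf.get(*pos)?;
    let len = 1usize << (first >> 6);
    let bytes = buf.get(*pos..*pos + len)?;
    let v = bytes.iter().skip(1).fold((first & 0x3f) as u64, |acc, b| (acc << 8) | *b as u64);
    *pos += len;
    Some(v)
}

pub fn encode_token(t: &AuthToken) -> Vec<u8> {
    let mut out = Vec::new();
    match t {
        AuthToken::Delete { alias } => {
            put_varint(&mut out, ALIAS_DELETE);
            put_varint(&mut out, *alias);
        }
        AuthToken::Register { alias, token_type, value } => {
            put_varint(&mut out, ALIAS_REGISTER);
            put_varint(&mut out, *alias);
            put_varint(&mut out, *token_type);
            out.extend_from_slice(value);
        }
        AuthToken::UseAlias { alias } => {
            put_varint(&mut out, ALIAS_USE_ALIAS);
            put_varint(&mut out, *alias);
        }
        AuthToken::UseValue { token_type, value } => {
            put_varint(&mut out, ALIAS_USE_VALUE);
            put_varint(&mut out, *token_type);
            out.extend_from_slice(value);
        }
    }
    out
}

fn need(buf: &[u8], pos: &mut usize, what: &str) -> Result<u64, String> {
    get_varint(buf, pos).ok_or_else(|| format!("truncated {what}"))
}

/// The decoder a draft-conformant peer runs over the parameter payload.
pub fn decode_token(buf: &[u8]) -> Result<AuthToken, String> {
    let mut pos = 0;
    let token = match need(buf, &mut pos, "alias type")? {
        ALIAS_DELETE => AuthToken::Delete { alias: need(buf, &mut pos, "alias")? },
        ALIAS_USE_ALIAS => AuthToken::UseAlias { alias: need(buf, &mut pos, "alias")? },
        ALIAS_REGISTER => {
            let alias = need(buf, &mut pos, "alias")?;
            let token_type = need(buf, &mut pos, "token type")?;
            AuthToken::Register { alias, token_type, value: buf[pos..].to_vec() }
        }
        ALIAS_USE_VALUE => {
            let token_type = need(buf, &mut pos, "token type")?;
            AuthToken::UseValue { token_type, value: buf[pos..].to_vec() }
        }
        other => return Err(format!("unknown alias type {other:#x}")),
    };
    // Alias-only forms must consume the whole payload; leftover bytes mean the
    // sender framed the entry differently than this decoder does.
    let alias_only = matches!(token, AuthToken::Delete { .. } | AuthToken::UseAlias { .. });
    if alias_only && pos != buf.len() {
        return Err(format!("{} trailing bytes after alias-only entry", buf.len() - pos));
    }
    Ok(token)
}

/// What a sender emits if it believes 0x2 means USE_VALUE, as the PR's doc comment says.
pub fn encode_value_with_alias_type_0x2(token_type: u64, value: &[u8]) -> Vec<u8> {
    let mut out = Vec::new();
    put_varint(&mut out, ALIAS_USE_ALIAS); // 0x2, intended as USE_VALUE
    put_varint(&mut out, token_type);
    out.extend_from_slice(value);
    out
}

fn main() {
    let good = encode_token(&AuthToken::UseValue { token_type: 0, value: b"test-secret".to_vec() });
    println!("0x3 + value: {:?}", decode_token(&good));
    let bad = encode_value_with_alias_type_0x2(0, b"test-secret");
    println!("0x2 + value: {:?}", decode_token(&bad));
    // With an empty value the misframed entry is silently accepted as USE_ALIAS of alias == token type.
    println!("0x2 + empty value: {:?}", decode_token(&encode_value_with_alias_type_0x2(7, b"")));
}
```

The last case in `main` is the one to watch: a misframed entry is not always rejected, and a token type of 0 followed by an empty value decodes as a perfectly valid USE_ALIAS of alias 0, which is why the constant and the doc comment should come from one place.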
This PR is an implementation of #169. Adds intra-scope authorization to the relay via a pluggable AuthHook trait, with a C4M (CAT for MoQ) implementation using the cat-token crate.
New crates:
Relay integration
Test plan
Shared-secret (no extra features needed)
Start relay
cargo run --bin moq-relay-ietf -- --bind "[::]:4443" --tls-cert dev/localhost.crt --tls-key dev/localhost.key --auth-shared-secret "test-secret"
Publish (should succeed)
cargo run --bin moq-clock-ietf -- --publish --namespace "clock" --auth-token-type 0 --auth-token "test-secret" --tls-disable-verify https://localhost:4443
Publish with wrong secret (should be rejected)
cargo run --bin moq-clock-ietf -- --publish --namespace "clock" --auth-token-type 0 --auth-token "wrong" --tls-disable-verify https://localhost:4443
C4M token auth
Generate keys
openssl ecparam -genkey -name prime256v1 -noout | openssl pkcs8 -topk8 -nocrypt -out key.pem
openssl ec -in key.pem -pubout -out pub.pem
Install cat-token CLI
cargo install cat-token
Start relay with C4M
cargo run --bin moq-relay-ietf --features auth-cat -- --bind "[::]:4443" --tls-cert dev/localhost.crt --tls-key dev/localhost.key --auth-cat-public-key pub.pem --auth-cat-issuer my-issuer --auth-cat-audience my-relay
Generate publisher token
PUB_TOKEN=$(cat-cli moqt-token key.pem publisher "clock" --issuer my-issuer --audience my-relay --expires 3600)
Publish with token
cargo run --bin moq-clock-ietf -- --publish --namespace "clock" --auth-token "$PUB_TOKEN" --tls-disable-verify https://localhost:4443
Subscribe (generate subscriber token first)
SUB_TOKEN=$(cat-cli moqt-token key.pem subscriber "clock" --issuer my-issuer --audience my-relay --expires 3600)
Subscribe with token
cargo run --bin moq-clock-ietf -- --namespace "clock" --auth-token "$SUB_TOKEN" --tls-disable-verify https://localhost:4443
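The test plan exercises two hooks: a shared secret that grants everything, and a C4M token scoped to a role and a namespace, pinned to an issuer and audience and carrying an expiry. The following is an added example in Rust, not the PR's code: a hypothetical `AuthHook` trait (its name is from the PR description, its signature is an assumption) with a shared-secret implementation and a claims-based implementation whose checks mirror the `--auth-cat-issuer`, `--auth-cat-audience` and `--expires` flags above. Signature verification of a real C4M token is left to the token library and is represented by a pre-verified lookup table; the claim names, the `/`-separated namespace scoping and all sample tokens are constructed for the example.

```rust
// Added example, not the PR's code: a hypothetical AuthHook trait with the two
// modes the test plan exercises. Names, signatures and the claim set are
// assumptions; signature verification of a C4M token is left to the token
// library and is represented here by a pre-verified lookup table.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action { Publish, Subscribe }

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AuthError { NoToken, BadToken, Expired, WrongIssuer, WrongAudience, OutOfScope }

pub trait AuthHook: Send + Sync {
    /// Decide whether `token` may perform `action` on `namespace` (hypothetical signature).
    fn authorize(&self, token: Option<&[u8]>, action: Action, namespace: &str) -> Result<(), AuthError>;
}

/// Shared-secret mode: one secret grants publish and subscribe on every namespace.
pub struct SharedSecretHook { pub secret: Vec<u8> }

/// Constant-time comparison for equal-length inputs; a length mismatch is rejected
/// up front, which leaks only the secret's length.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl AuthHook for SharedSecretHook {
    fn authorize(&self, token: Option<&[u8]>, _: Action, _: &str) -> Result<(), AuthError> {
        let t = token.ok_or(AuthError::NoToken)?;
        if ct_eq(t, &self.secret) { Ok(()) } else { Err(AuthError::BadToken) }
    }
}

/// Claims assumed for a verified token: issuer, audience, expiry (unix seconds),
/// the role it grants and the namespace it is scoped to.
#[derive(Debug, Clone)]
pub struct Claims { pub iss: String, pub aud: String, pub exp: u64, pub role: Action, pub scope: String }

/// Token mode: the relay pins issuer and audience (as --auth-cat-issuer and
/// --auth-cat-audience do) and enforces role and namespace scope per request.
pub struct ClaimsHook {
    pub issuer: String,
    pub audience: String,
    pub now: u64,
    /// Stand-in for signature verification + decoding: raw token -> its claims.
    pub verified: HashMap<Vec<u8>, Claims>,
}

impl AuthHook for ClaimsHook {
    fn authorize(&self, token: Option<&[u8]>, action: Action, namespace: &str) -> Result<(), AuthError> {
        let c = self.verified.get(token.ok_or(AuthError::NoToken)?).ok_or(AuthError::BadToken)?;
        if c.exp <= self.now { return Err(AuthError::Expired); }
        if c.iss != self.issuer { return Err(AuthError::WrongIssuer); }
        if c.aud != self.audience { return Err(AuthError::WrongAudience); }
        // Scope "clock" covers "clock" and "clock/..." but not "clockwork"
        // (assumed '/'-separated namespace tuples).
        let in_scope = namespace == c.scope
            || namespace.strip_prefix(c.scope.as_str()).map_or(false, |rest| rest.starts_with('/'));
        if c.role != action || !in_scope { return Err(AuthError::OutOfScope); }
        Ok(())
    }
}

/// Constructed sample: the claims a publisher and a subscriber token for "clock"
/// would carry, plus an expired one and one minted for a different relay.
pub fn sample_hook() -> ClaimsHook {
    let claim = |aud: &str, exp: u64, role: Action| Claims {
        iss: "my-issuer".into(), aud: aud.into(), exp, role, scope: "clock".into(),
    };
    let mut verified = HashMap::new();
    verified.insert(b"pub-token".to_vec(), claim("my-relay", 1_000_000, Action::Publish));
    verified.insert(b"sub-token".to_vec(), claim("my-relay", 1_000_000, Action::Subscribe));
    verified.insert(b"expired".to_vec(), claim("my-relay", 10, Action::Publish));
    verified.insert(b"other-relay".to_vec(), claim("other-relay", 1_000_000, Action::Publish));
    ClaimsHook { issuer: "my-issuer".into(), audience: "my-relay".into(), now: 500_000, verified }
}

fn main() {
    let shared = SharedSecretHook { secret: b"test-secret".to_vec() };
    println!("{:?}", shared.authorize(Some(b"wrong".as_slice()), Action::Publish, "clock"));
    let hook = sample_hook();
    println!("{:?}", hook.authorize(Some(b"pub-token".as_slice()), Action::Subscribe, "clock"));
}
```

The order of checks is deliberate: expiry, issuer and audience are rejected before role and scope, so a token minted for another relay fails the same way whatever namespace it names, and the relay never has to reason about scopes it was not issued for.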