Table of Contents
db_url (string)profiles_table (string)secrets_table (string)tag_column (string)username_column (string)secret_tag_column (string)secret_column (string)start_ts_column (string)end_ts_column (string)tag_claim (string)load_credentials (string)List of Tables
List of Examples
db_url parameter usageprofiles_table parameter usagesecrets_table parameter usagetag_column parameterusername_column parametersecret_tag_column parametersecret_column parameterstart_ts parameterend_ts parametertag_claim parameterload_credentials parameter usagewww_authorize usageThe module implements authentication over JSON Web Tokens. In some cases ( ie. WebRTC ) the user authenticates on another layer ( other than SIP ), so it makes no sense to double-authenticate it on the SIP layer. Thus, the SIP client will simply present the JWT auth token it received from the server, and pass it on to OpenSIPS which will use that for authentication purposes. It relies on two DB tables, one containing JWT profiles ( a profile name and it's SIP username associated to it ) and one containing JWT secrets. Each secret has a corresponding profile, the KEY used for signing the JWT and two timestamps describing a validation interval. Multiple JWT secrets can point to the same JWT profile.
The module depends on the following modules (in the other words the listed modules must be loaded before this module):
database -- Any database module (currently mysql, postgres, dbtext)
This is URL of the database to be used. Value of the parameter depends on the database module used. For example for mysql and postgres modules this is something like mysql://username:password@host:port/database. For dbtext module (which stores data in plaintext files) it is directory in which the database resides.
Default value is “mysql://opensipsro:opensipsro@localhost/opensips”.
Example 1.1. db_url parameter usage
modparam("auth_jwt", "db_url", "dbdriver://username:password@dbhost/dbname")
Name of the DB table containing the jwt profiles
Default value of this parameter is jwt_profiles.
Name of the DB table containing the jwt secrets
Default value of this parameter is jwt_secrets.
Column holding the JWT profile tag.
Default value is “tag”.
Column holding the JWT profile associated SIP username.
Default value is “sip_username”.
Example 1.5. Set username_column parameter
...
modparam("auth_jwt", "username_column", "my_username_column")
...
Column holding the JWT secret associated tag.
Default value is “corresponding_tag”.
Example 1.6. Set secret_tag_column parameter
...
modparam("auth_jwt", "secret_tag_column", "my_secret_tag_column")
...
Column holding the actual jwt signing secret.
default value is “secret”.
Example 1.7. set secret_column parameter
...
modparam("auth_jwt", "secret_column", "my_secret_column")
...
Column holding the JWT secret start UNIX timestamp.
default value is “start_ts”.
column holding the jwt secret end unix timestamp.
default value is “end_ts”.
The JWT claim which will be used to identify the JWT profile
default value is “tag”.
This parameter specifies credentials to be fetched from the JWT profiles table when the authentication is performed. The loaded credentials will be stored in AVPs. If the AVP name is not specificaly given, it will be used a NAME AVP with the same name as the column name.
Parameter syntax:
load_credentials = credential (';' credential)*
credential = (avp_specification '=' column_name) | (column_name)
avp_specification = '$avp(' + NAME + ')'
Default value of this parameter is “none ( empty )”.
Example 1.11. load_credentials parameter usage
# load my_extra_column into $avp(extra_jwt_info)
modparam("auth_jwt", "load_credentials", "$avp(extra_jwt_info)=my_extra_column")
The function will read the first param ( jwt_token ), extract the tag claim and then try to authenticate it against the DB secrets for the respective profile tag. In case of success, it populates the out_decoded_token pvar with the decoded JWT ( in plaintext format header_json.payload_json ) and the out_sip_username with the SIP username corresponding to that JWT profile.
Negative codes may be interpreted as follows:
-1 ( error) - JWT authentication failed
Meaning of the parameters is as follows:
jwt_token (string) - The JWT token to perform auth on
The string may contain pseudo variables.
out_decoded_token (pvar) - PVAR used to store the decoded JWT upon succesful auth
out_sip_username (pvar) - PVAR used to store the SIP username corresponding to the JWT profile, upon succesful auth
This function can be used from REQUEST_ROUTE.
Example 1.12. www_authorize usage
...
if (!jwt_authorize("$avp(my_jwt_token)", $avp(decoded_token), $avp(sip_username) )) {
send_reply("401","Unauthorized");
exit;
} else {
xlog("Succesful JWT auth - $avp(decoded_token) \n");
if ($fU != $avp(sip_username)) {
send_reply("403","Forbidden AUTH ID");
exit;
}
}
...
Table 2.1. Top contributors by DevScore(1), authored commits(2) and lines added/removed(3)
| Name | DevScore | Commits | Lines ++ | Lines -- | |
|---|---|---|---|---|---|
| 1. | Vlad Paiu (@vladpaiu) | 12 | 2 | 1136 | 0 |
| 2. | Bogdan-Andrei Iancu (@bogdan-iancu) | 4 | 2 | 6 | 7 |
(1) DevScore = author_commits + author_lines_added / (project_lines_added / project_commits) + author_lines_deleted / (project_lines_deleted / project_commits)
(2) including any documentation-related commits, excluding merge commits. Regarding imported patches/code, we do our best to count the work on behalf of the proper owner, as per the "fix_authors" and "mod_renames" arrays in opensips/doc/build-contrib.sh. If you identify any patches/commits which do not get properly attributed to you, please submit a pull request which extends "fix_authors" and/or "mod_renames".
(3) ignoring whitespace edits, renamed files and auto-generated files
Table 2.2. Most recently active contributors(1) to this module
| Name | Commit Activity | |
|---|---|---|
| 1. | Bogdan-Andrei Iancu (@bogdan-iancu) | Mar 2020 - Dec 2021 |
| 2. | Vlad Paiu (@vladpaiu) | Mar 2020 - Mar 2020 |
(1) including any documentation-related commits, excluding merge commits
Last edited by: Vlad Paiu (@vladpaiu).