Document hello version 2.0 authentication.

2024-04-26 19:30:26 +02:00 · 2022-05-12 17:13:23 +02:00 · 2022-05-12 17:13:23 +02:00 · 0338e9db42
parent 9c159dc4f8
commit 0338e9db42
1 changed files with 79 additions and 9 deletions
--- a/docs/standalone-signaling-api-v1.md
+++ b/docs/standalone-signaling-api-v1.md
@ -140,7 +140,7 @@ Message format (Client -> Server):
      "id": "unique-request-id",
      "type": "hello",
      "hello": {
-        "version": "the-protocol-version-must-be-1.0",
+        "version": "the-protocol-version",
        "auth": {
          "url": "the-url-to-the-auth-backend",
          "params": {
@ -159,7 +159,7 @@ Message format (Server -> Client):
        "sessionid": "the-unique-session-id",
        "resumeid": "the-unique-resume-id",
        "userid": "the-user-id-for-known-users",
-        "version": "the-protocol-version-must-be-1.0",
+        "version": "the-protocol-version",
        "server": {
          "features": ["optional", "list, "of", "feature", "ids"],
          ...additional information about the server...
@ -172,12 +172,82 @@ future version. Clients should use the data from the
 [`welcome` message](#welcome-message) instead.


+### Protocol version "1.0"
+
+For protocol version `1.0` in the `hello` request, the `params` from the `auth`
+field are sent to the Nextcloud backend for [validation](#backend-validation).
+
+
+### Protocol version "2.0"
+
+For protocol version `2.0` in the `hello` request, the `params` from the `auth`
+field must contain a `token` entry containing a [JWT](https://jwt.io/).
+
+The JWT must contain the following fields:
+- `iss`: URL of the Nextcloud server that issued the token.
+- `iat`: Timestamp when the token has been issued.
+- `exp`: Timestamp of the token expiration.
+- `sub`: User Id (if known).
+- `userdata`: Optional JSON containing more user data.
+
+It must be signed with an RSA, ECDSA or Ed25519 key.
+
+Example token:
+```
+eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiJ9.eyJpc3MiOiJodHRwczovL25leHRjbG91ZC1tYXN0ZXIubG9jYWwvIiwiaWF0IjoxNjU0ODQyMDgwLCJleHAiOjE2NTQ4NDIzODAsInN1YiI6ImFkbWluIiwidXNlcmRhdGEiOnsiZGlzcGxheW5hbWUiOiJBZG1pbmlzdHJhdG9yIn19.5rV0jh89_0fG2L-BUPtciu1q49PoYkLboj33EOdD0qQeYcvE7_di2r5WXM1WmKUCOGeX3hzn6qldDMrJBNuxvQ
+```
+
+Example public key:
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIoCsNSCXyxK25zvSKRio0uiBzwub
+ONq3tiGTPZo3p2Ogn6wAhhsuSxbFuUQDWMX7Tsu9fDzVdwpRHPT4y3V9cA==
+-----END PUBLIC KEY-----
+```
+
+Example payload:
+```
+{
+  "iss": "https://nextcloud-master.local/",
+  "iat": 1654842080,
+  "exp": 1654842380,
+  "sub": "admin",
+  "userdata": {
+    "displayname": "Administrator"
+  }
+}
+```
+
+The public key is retrieved from the capabilities of the Nextcloud instance
+in `config` key `hello-v2-token-key` inside `signaling`.
+
+```
+        "spreed": {
+          "features": [
+            "audio",
+            "video",
+            "chat-v2",
+            "conversation-v4",
+            ...
+          ],
+          "config": {
+            …
+            "signaling": {
+              "hello-v2-token-key": "-----BEGIN RSA PUBLIC KEY----- ..."
+            }
+          }
+        },
+```
+
+
 ### Backend validation

-The server validates the connection request against the passed auth backend
-(needs to make sure the passed url / hostname is in a whitelist). It performs
-a POST request and passes the provided `params` as JSON payload in the body
-of the request.
+For `hello` protocol version `1.0`, the server validates the connection request
+against the passed auth backend (needs to make sure the passed url / hostname
+is in a whitelist).
+
+It performs a POST request and passes the provided `params` as JSON payload in
+the body of the request.

 Message format (Server -> Auth backend):

@ -236,7 +306,7 @@ Message format (Client -> Server):
      "id": "unique-request-id",
      "type": "hello",
      "hello": {
-        "version": "the-protocol-version-must-be-1.0",
+        "version": "the-protocol-version",
        "auth": {
          "type": "the-client-type",
          ...other attributes depending on the client type...
@ -294,7 +364,7 @@ Message format (Client -> Server):
      "id": "unique-request-id",
      "type": "hello",
      "hello": {
-        "version": "the-protocol-version-must-be-1.0",
+        "version": "the-protocol-version",
        "resumeid": "the-resume-id-from-the-original-hello-response"
      }
    }
@ -306,7 +376,7 @@ Message format (Server -> Client):
      "type": "hello",
      "hello": {
        "sessionid": "the-unique-session-id",
-        "version": "the-protocol-version-must-be-1.0"
+        "version": "the-protocol-version"
      }
    }