Missing documentation on WebRtcEndpoint #461
Comments
Thanks for bringing this up. There are 2 available methods to configure a STUN/TURN server in Kurento Media Server; with this latest rewrite of all STUN/TURN contents in the documentation, both methods are now properly explained in the section named How to configure STUN/TURN?. |
Reading the documentation I can't find a mention of the shared secret configuration. To clarify, I think about The documentation admits that this is not ideal but doesn't mention an alternative.
I therefore kindly ask you to reopen this issue. |
Note that I said "There are 2 available methods to configure a STUN/TURN server in Kurento". These methods are:
Kurento is not related with any TURN server, and does not provide user docs for them. You can use Coturn, or you can use any other commercial TURN servers that are available, and you should find user docs in their respective homepages. |
I think I understand now. So this issue is about telling Kurento to use a STUN/TURN Server (necessary when it's installed behind a NAT).
What confused me was that the coturn install example only mentions long-term credentials. So afaiu Kurento does offer an API which can be used to set the STUN/TURN-config but it can't itself request ephemeral credentials. Thanks a lot for your reply and your work. |
I've pushed an update to the FAQ section, in an attempt to clarify that the example shown is just that, an example, and that more advanced credential mechanisms may be used if they are handled by the application code, as long as the new credentials are correctly set to each WebRtcEndpoint via the Client API.
You're welcome! |
Oh I've been reviewing the credentials mechanisms in Coturn and have now a better perspective on the issue. In Coturn, there are long-term credential mechanism (lt-cred-mech) and REST-based authentication secret (use-auth-secret). Then, the long-term credential mechanism can use either static or dynamic credentials, of which static ones are shown in the example Coturn configuration. However, Kurento can be indirectly made compatible with other dynamic flavors of the long-term credential mechanism, if the actual credentials are retrieved by the application itself from whatever sources such as PostgreSQL (psql-userdb), MySQL (mysql-userdb), MongoDB (mongo-userdb), or Redis (redis-userdb), and then provided to the Kurento WebRtcEndpoint instances through the Kurento API. However, I'm not sure about the REST-based authentication secret mechanism. We haven't tried that one, and I'm not sure if it could be used in the same way, or if the WebRtcEndpoint lacks specific code to handle this mechanism. If you test it, please let me know so we can extend the docs in this regard. |
Prerequisites
I have read the SUPPORT document
I have checked the Troubleshooting Guide
I have tested with the latest version of Kurento
Issue description
The current documentation lacks information on how to configure a TURN server that uses shared secret authentication (avoiding the inherently insecure username/password auth described in the sample configuration).
The text was updated successfully, but these errors were encountered: