[Feature] RFC 8898 support

[gkapkowski]

Description

Hi, is there anyone working on adding support for RFC 8898 and do you know of any clients that already implement it or are working towards supporting it?

How could I go about starting such effort?

RFC 8898

Third-Party Token-Based Authentication and Authorization for Session
Initiation Protocol (SIP)

Abstract

This document defines the "Bearer" authentication scheme for the
Session Initiation Protocol (SIP) and a mechanism by which user
authentication and SIP registration authorization is delegated to a
third party, using the OAuth 2.0 framework and OpenID Connect Core
1.0. This document updates RFC 3261 to provide guidance on how a SIP
User Agent Client (UAC) responds to a SIP 401/407 response that
contains multiple WWW-Authenticate/Proxy-Authenticate header fields.

...

[miconda]

Personally I do not work on such extensions, others devs can comment if they plan to work on it.

If you want to develop it, the recommended way is to try to make a new module if is going to have dependencies on external libraries. If no external dependencies, and not significant changes to the existing code, then can eventually plugged in the auth module.

[grumvalski]

Hi,
actually you can implement RFC 8898 in kamailio routing script, all the pieces are already there.
For the challenge you can easily reply 401/407 adding a "forged" WWW-Authenticate header with Bearer schema and authz_server.
For the token validation:

• if it's a structured token you can validate the JWT and extract the claims using the jwt module and jansson module
• if it's a reference token you can call the /inspect endpoint using http_client or http_async_client modules and parse the response with jansson module

Basically all the RFC is here, being the claims and how they apply to the routing logic strictly domain/business logic dependent.
A dedicated module would just wrap the token validation and challenge logics into some functions exposed to kemi/script.
I've though about this for some time but at the end I didn't start for lack of time and because the implemenation I've done using routing script is fullfilling our needs and running in production since several years.
But it would be probably nice to have :)
About the client, I'm not aware of any client actively working on implementing it, in my case I'm using a modified Linphone client for android/iOS.

[miconda]

@grumvalski: thanks for these useful details and good to know it was already possible to implement it. I got a similar feeling that should be doable by blending several modules/functions in native config/kemi when I quickly looked over the specs. Not spending time to look at details, I let it open for further discussions, and as you said it too, if someone wants to add it, it would be nice to have and welcome to do it.

[miconda]

Closing, being possible with script operations based on the comments above. If someone wants to make a C implementation, then just make a PR.