[Icecast-dev] HTTP Basic Auth alternative

"Thomas B. Rücker" thomas at ruecker.fi
Tue Jan 13 08:16:18 PST 2015 

Hi,

On 01/13/2015 03:47 PM, dtouch3d completely wrote:
> Is HTTP basic authentication the only way for icecast to perform
> authentication ? With a link like
>
> http://username:password@example.com:8000/mystream
>

No, you are misunderstanding HTTP auth. Parameters in the URL is not the
only way and has been largely out of fashion since the end of the last
millennium.
Most software nowadays expects the credentials outside the URL. Even
XMLHTTPRequest has own parameters for that if you look at web browsers.


> (HTTP basic authentication) it has a number of problems regarding
> browsers. Chrome for security reasons does not follow the link and
> shows a popup asking to enter the credentials but this destroys user
> experience for a site with a webplayer. It works fine afterwards.
> Internet Explorer does the same.

That particular use case won't work well with standard HTTP
authentication, by design.
Saying that it "destroys user experience" is a bit harsh and will
completely depend on circumstances. If you authenticate the user
otherwise, it is certainly redundant, but see below.


> It would be ideal if icecast would get the credentials from the GET
> parameters, something similar to
>
> http://example.com:8000/mystream?user=username&pass=password
>

You can do that if you use the URL auth backend:
http://icecast.org/docs/icecast-2.4.1/auth.html#url


> this would eliminate the browser problems with the basic auth.

Just use URL auth, pass a session ID, or other token, you can also pass
a cookie, etc.
As this is an advanced feature we don't offer it for the plain htpasswd
auth.


> I am willing to implement something like this as it seems relatively
> simple.

In addition I should mention, that we have completely rewritten (most
work was by ph3) the authentication backend after 2.4.1. This is going
to be in the 2.5.0 release planned for later this year. This feature is
still limited to URL auth though, IIRC.

If you'd like to map parameters to user/password also for type
'htpasswd' and 'static', we could be interested in a patch. I'd
recommend to discuss this with PH3 on IRC though, to avoid problems with
how we structure the config XML.


Cheers

Thomas


PS: In addition you're using HTML email, please don't, thank you.

More information about the Icecast-dev mailing list