4 Configuring WebRTC Session Controller Authentication

This chapter describes WebRTC Session Controller authentication schemes and the steps to configure them.

About WebRTC Session Controller Security Schemes

Before WebRTC Session Controller can process any signaling traffic, you must configure an authentication scheme.

WebRTC Session Controller provides out of the box support for these authentication schemes:

  • Guest authentication

    This scheme allows anonymous guest access to WebRTC Session Controller.

  • HTTP authentication

    This provider sends an HTTP GET request to a remote HTTP endpoint (for instance, a Representational State Transfer (REST) endpoint) using HTTP BASIC authentication headers or token-based authentication. A return code of 200 indicates that authentication was successful.

  • OAuth 2.0 authentication

    This scheme lets you leverage OAuth 2.0 authentication support provided by companies such as Facebook or Google, and lets WebRTC Session Controller retrieve user information such as an email address or phone number, with the consent of that user.

The following sections describe the configuration steps for each of these authentication schemes.

About Provisioning WebRTC Session Controller Guest Access

To provision guest access for WebRTC Session Controller, you must configure settings in the WebLogic Administration Console and then define a new WebRTC Session Controller application in the WebRTC Session Controller console.

Configuring the WebLogic Server Guest Access Provider

To configure the WebLogic Server guest access provider:

  1. Start your Signaling Engine administration server if it is not already running. See WebRTC Session Controller Installation Guide for more information.

  2. Navigate to the WebLogic Server Administration Console and log in with your administrator user name and password:

    http://hostname:port/console
    

    where hostname is the name of your WebRTC Session Controller server and port is the Administration Console access port.

    Note:

    The default Administration Console port is 7001.

  3. In the Domain Structure pane, select Security Realms.

  4. Select myrealm in the Realms table.

  5. Select the Providers tab and then click New.

  6. Enter a name in the Name text box, select WscServletAuthenticator in the Type drop-down list, and click OK.

  7. Select the newly created authentication provider in the list of Authentication Providers, and select the Provider Specific tab.

  8. Make a note of the Guest Uri Match Pattern. The default is /ws/webrtc/guest.

  9. Navigate back to the myrealm Providers tab, and in the list of Authentication Providers, select DefaultAuthenticator.

  10. Select the Common tab and choose a value for the Control Flag.

    For information on Control Flag settings, see "Setting the JAAS Control Flag Option" in Administering Security for Oracle WebLogic Server.

  11. Click Save.

  12. Log out of the WebLogic administration interface and restart WebRTC Session Controller.

Continue to "Configuring the WebRTC Session Controller Guest Access Application".

Configuring the WebRTC Session Controller Guest Access Application

In WebRTC Session Controller Administration Console, configure and manage the tenant application profile for each tenant through the Application Profiles tab.

See "Managing WebRTC Session Controller Application Profiles".

About Provisioning WebRTC Session Controller HTTP Access

To provision HTTP access for WebRTC Session Controller, you must configure settings in the WebLogic Administration Console and then define a new WebRTC Session Controller application in the WebRTC Session Controller console.

In addition, you must have your own HTTP endpoints defined to handle authentication and identity assertion requests.

Configuring the WebLogic Server HTTP Authentication Provider

To configure the WebLogic Server HTTP access provider:

Create an entry for the Security provider 

  1. Start your Signaling Engine servers if they are not already running. See WebRTC Session Controller Installation Guide for more information.

  2. Navigate to the WebLogic Server Administration Console and log in with your administrator user name and password:

    http://hostname:port/console
    

    where hostname is the name of your WebRTC Session Controller server and port is the Administration Console access port.

    Note:

    The default Administration Console port is 7001.

  3. In the Domain Structure pane, select Security Realms.

  4. Select myrealm in the Realms table.

  5. Select the Providers tab and then click New.

  6. Enter a name in the Name text box and select WscRestAuthenticator in the Type drop-down list.

  7. Click OK.

Choose a value for the Control Flag 

  1. From the list of Authentication Providers, select the newly created authentication provider.

  2. Select the Common tab.

  3. Choose a value for the Control Flag.

    For information on Control Flag settings, see "Setting the JAAS Control Flag Option" in Administering Security for Oracle WebLogic Server.

Enter the provider-specific configuration values 

  1. Select the Provider Specific tab.

  2. Enter a Group Name to associate a group with authentication requests rather than individual user names. Make a note of this group name.

  3. Enter a Token Name. The token name must match the name of the authentication token that is sent in the HTTP request parameter.

  4. Enter an Authentication End Point Url: a REST endpoint URL that handles authentication.

  5. To enable authentication over HTTP, check Allow Http.

  6. In the Forward Header Prefix field, enter the prefix to prepend on header names when forwarded to the REST service.

  7. In the Forward Parameter Names field, enter the HTTP parameters to extract from HTTP requests and send as query parameters with authenticate and identity assertion REST requests.

    For multitenancy scenarios, enter the tenant key for this tenant. The default configuration entry is tenant_profile_key. It is included by default in HTTP requests.

  8. In the Identity Asserter End Point Url field, enter a REST endpoint URL that handles matching the authentication token to a user.

    If a user is found, a JSON string is returned by the REST endpoint with the user's credentials. Otherwise an HTTP 401 Forbidden error is returned.

  9. In the Forward Header Names field, enter the HTTP headers to extract from HTTP requests and send as headers with authenticate and identity assertion REST requests.

    The extracted header name is prefixed with the value from the Forward Header Prefix.

Save your configuration and restart WebRTC Session Controller 

  1. Click Save.

  2. Log out of the WebLogic administration interface.

  3. Restart WebRTC Session Controller.

    Note:

    If authentication is successful, and if the response body returned by the remote HTTP endpoint is valid JSON formatted data, WebRTC Session Controller normalizes the JSON data as a Java Map and embeds this normalized data as credential information in the authenticated subject. That credential information is accessible in the Groovy layer, enabling you to use it to build a credential map for the SIP Register request.

Continue to "Configuring the WebRTC Session Controller HTTP Access Application".

Configuring the WebRTC Session Controller HTTP Access Application

In WebRTC Session Controller Administration Console, configure and manage the tenant application profile for each tenant through the Application Profiles tab.

See "Managing WebRTC Session Controller Application Profiles".

About Provisioning WebRTC Session Controller OAuth Access

To provision OAuth access for WebRTC Session Controller, you must configure settings in the WebLogic Administration Console and then define a new WebRTC Session Controller application in the WebRTC Session Controller console.

In addition, you must procure a developer's account from the provider from whom you want to leverage OAuth authentication services and obtain the following information:

  • The OAuth service provider's OAuth user information URL

  • An OAuth client ID supplied to you by the OAuth service provider

  • The service provider's OAuth server URL

  • Your OAuth client secret, defined when you create your account with your OAuth service provider

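Following the general OAuth configuration steps, two specific OAuth configuration examples are provided:

  • Example: Configuring Facebook OAuth Authentication

  • Example: Configuring Google OAuth Authentication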

Configuring the WebLogic Server OAuth Access Provider

To configure the WebLogic Server OAuth access provider:

Create an entry for the OAuth Security provider 

  1. Start your Signaling Engine servers if they are not already running. See WebRTC Session Controller Installation Guide for more information.

  2. Navigate to the WebLogic Server Administration Console and log in with your administrator user name and password:

    http://hostname:port/console
    

    where hostname is the name of your WebRTC Session Controller server and port is the Administration Console access port.

    Note:

    The default Administration Console port is 7001.

  3. In the Domain Structure pane, select Security Realms.

  4. Select myrealm in the Realms table.

  5. Select the Providers tab and then click New.

  6. Enter a name in the Name text box, select WscServletAuthenticator in the Type drop-down list, and click OK.

    The console creates the new provider and returns to the Authentication Providers table.

    Note:

    The WscServletAuthenticator must be deployed to enable OAuth security authentication, but it requires no further configuration.

  7. Click New.

  8. Enter a name in the Name text box, select WscOAuthIdentityAsserter in the Type drop-down list, and click OK.

  9. Click OK.

Enter the Access Token for the Provider 

  1. From the list of Authentication Providers, select the newly created authentication provider.

  2. From the set of Available tokens under Active Types, select an authentication token to assign as access token to the provider in Active Types and click Save.

    1. From the set of Available tokens under Active Types, select the authentication token.

    2. To move the selected token to the Chosen field, click the double arrow pointing to that field.

    WARNING:

    The user interface will let you select multiple OAuth tokens for a single provider. Only select a single token for each OAuth provider you provision.

  3. Click Save.

(If you are provisioning multiple OAuth authentication sources, for example, Facebook, Google, and Microsoft, you should select a different OAuth token for each authentication source from the Active Types list.)

Enter the provider-specific configuration values 

  1. Select the Provider Specific tab.

  2. Enter the information specific to this provider, as described in Table 4-1.

    Table 4-1 OAuth Provider Specific Attributes

    Attribute Name Attribute Description

    Group Name

    Required. A group name used to associate a group with authentication requests. Specifying a group name allows both the user name and group name to be available in the authenticated subject. Make a note of this group name.

    Fields As User Name

    Required. Determines which OAuth provider resources are used as principal names. Multiple entries are separated by commas. If the first entry returns nothing, then the second entry is used, continuing down the list.

    OAuth Redirect Url

    Optional. The URI to which the browser is redirected after successful authentication by the OAuth provider.

    Proxy Server

    Optional. The proxy URI used to connect to the OAuth server.

    OAuth Client Secret

    Required. The OAuth client secret provided to you by your OAuth provider.

    OAuth Client ID

    Required. The OAuth client ID provided to you by your OAuth service provider.

    Proxy Port

    Optional. The proxy port used to connect to the OAuth server.

    OAuth Server Url

    Required. The URI of your OAuth service provider's OAuth server which issues access tokens.

    OAuth User Info Url

    Required. The OAuth provider's URI that provides user information.


Save your configuration and restart WebRTC Session Controller 

  1. Click Save.

  2. Log out of the WebLogic administration interface.

  3. Restart WebRTC Session Controller.

Continue to "Configuring the WebRTC Session Controller OAuth Access Application".

Configuring the WebRTC Session Controller OAuth Access Application

In WebRTC Session Controller Administration Console, configure and manage the tenant application profile for each tenant through the Application Profiles tab.

See "Managing WebRTC Session Controller Application Profiles".

How Authentication Schemes Work in Multitenancy Scenarios

Before you proceed, please review the description about multitenancy in WebRTC Session Controller in the section, "About Multitenancy".

In general, your SaaS applications authenticate the users of a tenant according to their proprietary mechanisms. After a user is successfully authenticated, the SaaS application generates a token for the authenticated user. The user presents the token (using the client SDKs) to access WebRTC Session Controller resources. To validate the token, WebRTC Session Controller accesses a REST service.

WebRTC Session Controller does the following:

  • Basic Authentication HTTP request

    When a Basic Authentication HTTP request arrives, WebRTC Session Controller extracts the user name, password, any optional query parameters and headers enabled for forwarding in Forward Header Names and Forward Parameter Names fields. (The tenant key is the value entered in the Forward Parameter Names field).

    WscRestAuthenticator makes a REST request to the URL specified in the Authentication End Point Url field by using:

    • The enabled forward parameters as query parameters

    • The enabled forward headers as HTTP headers with the header name prefixed with the value from forward header prefix field

    • The user name and password as basic authentication credentials

  • HTTP request with a query parameter

    When an HTTP request arrives with a query parameter whose name matches the value of the Token Name field, a servlet filter in the provider inserts this parameter as an HTTP header named RestAccessAuthToken so that identity assertion is invoked.

  • When an HTTP request arrives with an HTTP header named RestAccessAuthToken, WebRTC Session Controller extracts the user name, password, any optional query parameters and headers enabled for forwarding in Forward Header Names and Forward Parameter Names fields. (The tenant key is the value entered in the Forward Parameter Names field).

    WscRestAuthenticator makes a REST request to the URL specified in the Identity Asserter End Point Url field by using:

    • The enabled forward headers as HTTP headers with the header name prefixed with the value from the Forward Header Prefix field.

    • The enabled forward parameters as query parameters together with a "token" parameter with the value from the RestAccessAuthToken header

  • When either the authentication request or the identity assertion REST request completes successfully, principals with the value from the Group Name field are added to the subject together with a public credential map object containing the credentials returned by the REST server as a JSON formatted response. For authentication requests, the user name is also added as a subject principal.

About the Default REST Request Format

Example 4-1 shows a Basic authenticated HTTP request for user "wsc1", both with and without the tenant profile key parameter included:

Example 4-1 Basic Authenticated HTTP Request

For a user "wsc1" and no tenant profile key parameter included:

GET /authenticate/basic HTTP/1.1\r\n
Content-Type: application/json\r\n
Accept: application/json\r\n
Authorization: Basic wsc1:d2VsY29tZTE=\r\n
Host: localhost:8190\r\n
...

For a user "wsc1token" with "tenant1" as the tenant profile key parameter:

GET /authenticate/basic?tenant_profile_key=tenant1 HTTP/1.1\r\n
Content-Type: application/json\r\n
Accept: application/json\r\n
Authorization: Basic wsc1:d2VsY29tZTE=\r\n
Host: localhost:8190\r\n
...

Example 4-2 shows an Identity asserted HTTP request for user "wsc1" and no tenant profile key parameter included:

Example 4-2 Identity Asserted HTTP Request

For user "wsc1" and no tenant profile key parameter included:

GET /authenticate/basic?token=wsc1token HTTP/1.1\r\n
Content-Type: application/json\r\n
Accept: application/json\r\n
Host: localhost:8190\r\n
...

For user "wsc1token" with "tenant1" as the tenant profile key parameter:

GET /authenticate/token?token=wsc1token&tenant_profile_key=tenant1 HTTP/1.1\r\n
Content-Type: application/json\r\n
Accept: application/json\r\n
Host: localhost:8190\r\n
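
The following is an added example, not part of the original documentation or of the product's code. It sketches a REST endpoint of the kind you must supply to answer the authentication and identity assertion requests shown above, keeping each tenant's users and tokens separate. Assumptions: the paths /authenticate/basic and /authenticate/token, an Authorization header encoded as in RFC 7617 (Base64 of user:password), the JSON keys user and tenant, and the constructed sample users, passwords and tokens.

```python
import base64
import hashlib
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

_SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice


def _pw_hash(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample stores, keyed by tenant first so that a credential or
# token issued for one tenant is never accepted for another.
USERS = {
    "default": {"wsc1": _pw_hash("welcome1")},
    "tenant1": {"wsc1": _pw_hash("tenant1-secret")},
}
TOKENS = {
    "default": {"wsc1token": "wsc1"},
    "tenant1": {"tenant1-token": "wsc1"},
}


def _basic_credentials(headers):
    """Return (user, password) from an RFC 7617 Authorization header, or None."""
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers invalid Base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def handle(method, target, headers):
    """Return (status, body) for one forwarded request; body is JSON text or ''."""
    headers = {k.lower(): v for k, v in headers.items()}
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    # tenant_profile_key is the default Forward Parameter Names entry. A
    # repeated key is rejected rather than guessing which value was meant.
    tenants = query.get("tenant_profile_key", ["default"])
    if method != "GET" or len(tenants) != 1:
        return 401, ""
    tenant, user = tenants[0], None
    if url.path == "/authenticate/basic":
        creds = _basic_credentials(headers)
        if creds:
            stored = USERS.get(tenant, {}).get(creds[0])
            # Hash before the lookup result is checked, so response time
            # does not reveal which user names exist.
            candidate = _pw_hash(creds[1])
            if stored is not None and hmac.compare_digest(candidate, stored):
                user = creds[0]
    elif url.path == "/authenticate/token":
        tokens = query.get("token", [])
        if len(tokens) == 1:
            user = TOKENS.get(tenant, {}).get(tokens[0])
    if user is None:
        return 401, ""
    # 200 plus a JSON body: the body becomes the credential map of the subject.
    return 200, json.dumps({"user": user, "tenant": tenant})


class Endpoint(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle("GET", self.path, dict(self.headers.items()))
        payload = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Port 8190 matches the Host header in the request examples above.
    HTTPServer(("127.0.0.1", 8190), Endpoint).serve_forever()
```

A request that carries a valid credential for one tenant together with another tenant's key receives 401, which is the isolation property a multitenant deployment depends on.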

Working with Custom and WebLogic LDAP Security Providers

If you employ a custom security provider, ensure that you provide the tenant key and the necessary logic to process the requests. You can also make use of ServletAuthenticationFilter to perform pre- and post-processing for authentication functions, including identity assertion.

For more information on ServletAuthenticationFilter, see the description about "Servlet Authentication Filters" in Fusion Middleware Developing Security Providers for Oracle WebLogic Server.

If you employ the WebLogic LDAP security provider, ensure that your implementation isolates the stores for each tenant. To do so, use the following workarounds:

  • Configure multiple authentication providers. Additionally, configure the control flag as sufficient in the WebLogic Admin Server.

  • Create a separate domain for each tenant.

Example: Configuring Facebook OAuth Authentication

This example outlines the steps to follow to configure OAuth authentication using Facebook as an OAuth authentication provider.

Note:

You must have a Facebook account and be registered as a Facebook application developer before you can configure OAuth authentication as described in this example.

Configure a Facebook Authentication App

To configure a Facebook authentication app:

  1. Log in to http://developers.facebook.com.

  2. Click the Apps menu and then click Add a New App.

  3. Choose a platform.

  4. Enter a name for your app.

  5. Click Create New Facebook App ID.

  6. Choose a category from the Category drop down list and click Create App ID.

  7. Click Skip Quick Start.

  8. Click Settings in the left panel and copy the App ID and the App Secret to a scratch file for future reference.

    Note:

    You must authenticate your Facebook account to display the App Secret.

  9. Add a Contact Email and click Save Changes.

  10. Click Add Platform then click Website, enter the URL and port for your site, and click Save Changes.

    Note:

    Facebook does not accept IP addresses. You must use a domain name.

  11. Click Status & Review in the left panel, and in the Status tab set the switch adjacent to the label Do you want to make this app and all its live features available to the general public? to YES. Click the Confirm button when prompted.

Configure the Facebook WebRTC Session Controller OAuth Authentication Provider

To configure a Facebook WebRTC Session Controller OAuth authentication provider:

  1. Start your Signaling Engine servers if they are not already running. See WebRTC Session Controller Installation Guide for more information.

  2. Navigate to the WebLogic Server Administration Console and log in with your administrator user name and password:

    http://hostname:port/console
    

    where hostname is the name of your WebRTC Session Controller server and port is the Administration Console access port.

    Note:

    The default Administration Console port is 7001.

  3. In the Domain Structure pane, select Security Realms.

  4. Select myrealm in the Realms table.

  5. Select the Providers tab and then click New.

  6. Enter a name in the Name text box, select WscServletAuthenticator in the Type drop-down list, and click OK.

    The console creates the new provider and returns to the Authentication Providers table.

    Note:

    The WscServletAuthenticator must be deployed to enable OAuth security authentication, but it requires no further configuration.

  7. Click New.

  8. Enter a name for the provider in the Name text box, select WscOAuthIdentityAsserter in the Type drop-down list, and click OK.

  9. Select the newly created authentication provider in the list of Authentication Providers.

  10. Assign an access token to the provider in Active Types and click Save.

    WARNING:

    The user interface will let you select multiple OAuth tokens for a single provider. Only select a single token for the Facebook OAuth provider. Note that each OAuth provider you provision must have a separate and distinct OAuth token.

  11. Select the Provider Specific tab and enter the following information as described in Table 4-2.

    Table 4-2 OAuth Provider Specific Attributes

    Attribute Name Attribute Description

    Group Name

    This should be set to the value you entered in step 8.

    OAuth User Info Url

    Leave this set to the default, https://graph.facebook.com/me?.

    Proxy Port

    Set the Proxy Port to 80.

    OAuth Client ID

    Enter the App ID from your Facebook App configuration.

    OAuth Server Url

    Leave this set to the default, https://graph.facebook.com/oauth/access_token.

    OAuth Redirect Url

    Set this to the redirect URL you provided when creating your Facebook App.

    Fields As User Name

    Leave this set to the default.

    OAuth Client Secret

    Enter the App Secret from your Facebook App configuration.

    Proxy Server

    Enter the URI of your proxy server.


  12. Click Save.

  13. Log out of the WebLogic administration interface and restart WebRTC Session Controller.

Continue to "Configuring the WebRTC Session Controller OAuth Access Application".

Example: Configuring Google OAuth Authentication

This example outlines the steps to follow to configure OAuth authentication using Google as an OAuth authentication provider.

Note:

You must have a Google Gmail account and be registered as a Google application developer before you can configure OAuth authentication as described in this example.

Configure a Google Authentication Project

To configure a Google authentication project:

  1. Log in to https://console.developers.google.com/project.

  2. Click Create Project.

  3. Enter a Project Name and a Project ID, and click Create.

  4. Click APIs & auth in the left panel and then click Credentials.

  5. In the right panel, click Create new Client ID and then click Configure consent screen.

  6. Choose an email address and enter a Product Name. Fill in any other information you require and click Save.

  7. In the Create Client ID dialog, choose Web application for the Application Type.

  8. In Authorized JavaScript Origins, enter the URI and port for your WebRTC Session Controller application, and in Authorized Redirect URI enter the URI to use for authentication redirects.

    Note:

    Google does not accept IP addresses. You must use a domain name.

  9. Click Create Client ID.

  10. Once the Client ID is created, copy the Client ID and the Client Secret to a scratch file for future reference.

Configure the Google WebRTC Session Controller OAuth Authentication Provider

To configure a Google WebRTC Session Controller OAuth authentication provider:

  1. Start your Signaling Engine servers if they are not already running. See WebRTC Session Controller Installation Guide for more information.

  2. Navigate to the WebLogic Server Administration Console and log in with your administrator user name and password:

    http://hostname:port/console
    

    where hostname is the name of your WebRTC Session Controller server and port is the Administration Console access port.

    Note:

    The default Administration Console port is 7001.

  3. In the Domain Structure pane, select Security Realms.

  4. Select myrealm in the Realms table.

  5. Select the Providers tab and then click New.

  6. Enter a name in the Name text box, select WscServletAuthenticator in the Type drop-down list, and click OK.

    The console creates the new provider and returns to the Authentication Providers table.

    Note:

    The WscServletAuthenticator must be deployed to enable OAuth security authentication, but it requires no further configuration.

  7. Click New.

  8. Enter a name for the provider in the Name text box, select WscOAuthIdentityAsserter in the Type drop-down list, and click OK.

  9. Select the newly created authentication provider in the list of Authentication Providers.

  10. Assign an access token to the provider in Active Types and click Save.

    WARNING:

    The user interface will let you select multiple OAuth tokens for a single provider. Only select a single token for the Google OAuth provider. Note that each OAuth provider you provision must have a separate and distinct OAuth token.

  11. Select the Provider Specific tab and enter the following information as described in Table 4-3.

    Table 4-3 OAuth Provider Specific Attributes

    Attribute Name Attribute Description

    Group Name

    This should be set to the value you entered in step 8.

    OAuth User Info Url

    Set this to https://www.googleapis.com/oauth2/v1/userinfo.

    Proxy Port

    Set this to 80.

    OAuth Client ID

    Enter the Client ID from your Google project configuration.

    OAuth Server Url

    Set this to https://accounts.google.com/o/oauth2/token.

    OAuth Redirect Url

    Set this to the redirect URL you provided when creating your Google project.

    Fields As User Name

    Leave this set to the default.

    OAuth Client Secret

    Enter the Client Secret from your Google project configuration.

    Proxy Server

    Enter the URI of your proxy server.


  12. Click Save.

  13. Log out of the WebLogic administration interface and restart WebRTC Session Controller.

Continue to "Configuring the WebRTC Session Controller OAuth Access Application".

About Post-Authentication Redirection

In certain cases, you may want to implement a two stage authentication workflow for your WebRTC Session Controller application. In a two stage authentication workflow, once a user has been authenticated by a standard authentication method (HTTP, OAuth or WebLogic in the case of WebRTC Session Controller), an additional separate authentication method is invoked. That separate authentication method usually takes the form of a one-time password which is delivered to the user either by email or short message (SMS). Once the one-time password is dispatched to the user, the user is redirected to a separate authentication web page where the one-time password is validated. After validation, the second stage authentication is usually skipped on subsequent logins.

Note:

WebRTC Session Controller does not provide facilities for one-time password generation and authentication. Such a system must be implemented by you according to your requirements.

In order to support two stage authentication, WebRTC Session Controller provides a Groovy script library function, validateAuthenticatedUser.

About the validateAuthenticatedUser Function

The validateAuthenticatedUser function lets you evaluate a user's HTTP request details such as request parameters and cookies, and provide redirection to a web page if required based upon those details.

See "Editing validateAuthenticatedUser" for details on accessing and updating the validateAuthenticatedUser function.

Note:

While the validateAuthenticatedUser function is defined in the WebRTC Session Controller Script Library it must be implemented as per your system requirements. The default function logic is only for purposes of illustration.

Syntax

The validateAuthenticatedUser function has the following syntax:

void validateAuthenticatedUser(final HttpFilterContext httpFilterContext)

The HttpFilterContext class includes methods that return: parts of the request URL, the client's IP address, the authenticated subject, a Map of HTTP request parameters, and a Map of request cookies. It also has methods that redirect the client to a specified URL, log out of the current session, and so on. For a complete description of the HttpFilterContext class, see the Oracle Communications WebRTC Session Controller Configuration API Reference.

Example

Example 4-3 illustrates a simple validateAuthenticatedUser implementation as well as the use of some HttpFilterContext methods.

Example 4-3 validateAuthenticatedUser

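void validateAuthenticatedUser(final HttpFilterContext httpFilterContext) {

  // Value of the login cookie sent by the browser (null on the first visit).
  def loginCookie = httpFilterContext.cookies.WSC_LOGIN_COOKIE
  // Marker value that identifies a session that has already been redirected.
  def tempCookieValue = "temp_session_cookie";
  if (tempCookieValue != loginCookie) {
    httpFilterContext.redirect('/test/sample');
    httpFilterContext.logOut('/test/newpage');
    // Store the marker under the login cookie's name so the next request matches.
    httpFilterContext.addCookie('WSC_LOGIN_COOKIE', tempCookieValue);
  }
}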

The function executes in the following manner:

  1. The login cookie is retrieved from the httpFilterContext.cookies.WSC_LOGIN_COOKIE and stored in loginCookie.

  2. An additional cookie is defined for the current session.

  3. The cookie created for the current session is compared to the login cookie.

  4. If the cookies match, no redirection occurs.

  5. If the cookies do not match, the function sets the redirect and logout URLs and copies the session's cookie value to the login cookie.

  6. Upon the user's second access attempt, the session cookie and the login cookie will match, and no redirection will occur.

That example uses custom cookies to track if this is the first login for a specific user. The cookie is reset when the browser restarts, which means that the user's next login will trigger a new redirect. To prevent continual redirects, you will need to flag a user as successfully authenticated in a persistent manner. For example, you can base the decision to redirect on an additional metadata comparison against the AUTHENTICATED_SUBJECT.

Note:

Such support requires additional custom integration with the security provider.

Editing validateAuthenticatedUser

To edit the validateAuthenticatedUser function:

  1. Navigate to the WebRTC Session Controller console and log in with your administrator user name and password:

    http://hostname:port/wsc-console
    

    where hostname is the name of your WebRTC Session Controller server and port is the Administration Console access port.

    Note:

    The default Signaling Engine console port is 7001.

  2. Select the Script Library tab.

  3. Click Edit.

  4. Edit the function validateAuthenticatedUser as required for your needs.

  5. Click Validate Library to make sure you have not introduced any errors.

  6. Click Save to save your changes to the Script Library.