Tags: node.js, html, webrtc, turn

Is 'long-term credentials' authentication mechanism *required* for WebRTC to work with TURN servers?


I'm intending to run my own TURN service for a WebRTC app with coturn - https://code.google.com/p/coturn/. The manual says this about authentication and credentials:

   ...

   -a, --lt-cred-mech
          Use long-term credentials mechanism (this one you need for WebRTC usage).  This option can be used with
          either flat file user database or PostgreSQL DB or MySQL DB or MongoDB or Redis for user keys storage.

   ...

This client code example also suggests that credentials are required for TURN:

// use google's ice servers
var iceServers = [
  { url: 'stun:stun.l.google.com:19302' }
  // { url: 'turn:192.158.29.39:3478?transport=udp',
  //   credential: 'JZEOEt2V3Qb0y27GRntt2u2PAYA=',
  //  username: '28224511:1379330808'
  // },
  // { url: 'turn:192.158.29.39:3478?transport=tcp',
  //   credential: 'JZEOEt2V3Qb0y27GRntt2u2PAYA=',
  //   username: '28224511:1379330808'
  // }
];

Solution

  • After testing, it seems that passing credentials is required for client-side code to work (you get an error in the console otherwise).

    Leaving the "no-auth" option enabled in Coturn (or leaving both lt-cred-mech and st-cred-mech commented) but still passing credentials in the application JS also doesn't work, as the TURN messages are somehow signed using the password credential. Maybe Coturn isn't expecting the clients to send authentication details if it's running in no-auth mode, so it doesn't know how to interpret the messages.

    Solution

    Turning on lt-cred-mech and hard-coding the username and password into both the Coturn config file and the JS for the application seems to work. There are commented-out "static user" entries in the Coturn configuration file - use the plain password format as opposed to key format.

    Coturn config (this is the entire config file I got it working with):

    fingerprint
    lt-cred-mech
    #single static user details for long-term authentication:
    user=username1:password1
    #your domain here:
    realm=mydomain.com
    

    ICE server list from web app JS:

    var iceServers = [
        {
             url: 'turn:123.234.123.23:3478', //your TURN server address here
             credential: 'password1', //actual hardcoded value
             username: 'username1' //actual hardcoded value
        }
    ];
    

    Obviously this offers no actual security for the TURN server, as the credentials are visible to anyone (so anyone can use up bandwidth and processor time using it as a relay).

    In summary: