Hi, Our company is going to use Janus, so I am given this task to setup janus-sip-gateway plugin which will act as a gateway between web browser agents and clients on sip platform.
I need to do two things- Allow clients to directly join an ongoing conference call in freeswitch without registering.
Authenticate with JWT token.
Can you please guide me how the code flow works in janus, and in which files do I need to make the changes to achieve this?
By going through the documentation and code, what this is what I understood so far.
I am using janus-sip-gateway plugin.
So my entrypoint was sip.js.
Here Janus session is created where we specify the URI of the janus server, the plugin to attach and other important things.
Then register event is triggered when from the web client user clicks register button.
After that actuallyDoCall() methods calls the janus api with the SDP and the call URI.
After this things are blurred.
I believe it now goes to janus.c which is main entrypoint of janus core server.
it communicates to janus-sip.c(plugin server) via janus transports package codes.
in janus_sip.c
/* Thread to handle incoming messages */
static void *janus_sip_handler(void *data) {
…} this method must handle the making of registration and call.
And to call without registration I think I need to pass all the necessary information in the headers and INVITE message, which currently might be pulled from some state which janus server maintains while registering.
If you don’t want to register, you’ll need the guest mode in the SIP plugin. The documentation explains how you do that. I don’t know what you mean by JWT authentication in this context, but if this involves SIP messaging, it means you’ll need to manually insert SIP headers in your requests (again the docs explain how).
Thanks for replying, I am trying to connect to freeswitch from janus, in freeswitch i have registered few users with username and password.
From PSTN I am able to make calls to Freeswitch directly, digest authentication is happening.
First PSTN(sip trunk via Bandwidth) is sending SDP, freeswitch is challenging with 407 Proxy authentication required, then PSTN is sending updated INVITE with auth details in SPD, then it is getting accepted.
But from Janus if we do guest login, when freeswitch challenges with 407, the janus sip gateway does not pass the userId and pass, since it does not have it, as we did not register.
So I want this capability to be able to provide auth details in the INVITE call to freeswitch from janus. Hope I am able to explain my use case.
I am thinking to write a java client service which will talk to janus, do a register, and only expose the api to make calls to the web client. So it will look like the clients are directly calling. This is the last resort.
The JWT is a separate task, all requests to janus needs to be authenticated.
As of now I am trying to bypass registration and pass the username and password in SIP INVITE message so that authentication will take place as a part of request response between janus web client and freeswitch via janus server. I wanted to understand, for this what changes do I need to make?
We don’t support that yet. Authentication is automatically provided only if you’re registered first, so your idea of the service that registers in the background would probably be the way to do it.
Okay, see now if I do a guest registration, and pass username and pass in the Sip call INVITE, I am able to place a call to freeswitch via janus. This is working now.
Now I want all the calls made to janus to be authenticated with JWT token.
As per Janus doc- “Janus does not do any form of authorization/authentication itself: it’s up to you to provide it with valid tokens users can use, e.g., as part of your server-side application handling users.”
So, can you please tell me what is the concept of authentication in janus, if an external service should take care of validating the token.
Does it mean, I need to implement a service which will intercept the calls to janus extract the token and validate it and then allow the calls to janus?
does janus provide any api, or can we write any plugin in jnaus to do the auth in jnaus itself?
It means tokens are opaque to Janus. If you enable tokens, Janus will not let you use the API unless you provide a string that was marked as a valid token before via the Admin API. Whether that string is a JWT token or something else, Janus doesn’t care: it’s just used to check if you know a “secret” to get in or not.
Got it, thank you for the reply.
So I need to write an auth service, which will sit in between janus web client and janus server. And this service will intercept the calls from janus client and validate the token? And then again this service needs to forward the request to janus. Is this the standard way to implement authentication of janus apis?
Or is there any simpler way, using the admin api(can we configure it to call an external service which will do the token validation and attach it back).
Please let me know, this will really help me a lot.
Yeah without guest registraion, it says wrong state, register first. While janus server sends the call invite it expects some user details which it takes from its internal state which is created when registration was done
I went through all the docs, what I understood is, we have to do two things-
enable auth token in janus.jcfg
pass token by making use of the admin API( I am still not clear how to do it, but will figure out)
So, there is no way we can validate a token from within janus, as the doc says the token value can be anything, janus just will expect a token, validation should be handled by us. Thus, in this case there is only one option, we have to write a proxy service in between which will intercept all the requests from UI to janus server, extract, validate and send the token(any string) to janus.
I am concerned about the additional websocket connections that my proxy service have to handle, and also the latency it might introduce.
Are there any better way to achieve this? Any inputs from you will be highly appreciated!