<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hello,<br>
</p>
<br>
<div class="moz-cite-prefix">On 17/01/2017 14:38, Steve Davies
wrote:<br>
</div>
<blockquote
cite="mid:CABFTEGWs-dkXaFLFXfkU1_sQ0T6Hc9uxc_B6khLkaF2u_vsHKw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Daniel,<br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 17 January 2017 at 14:15,
Daniel-Constantin Mierla <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:miconda@gmail.com"
target="_blank">miconda@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>I guess you can use other modules such as http_client
to interact with the web service. The jansson module
can be used to parse the result.<br>
</p>
<p>Also, it should be possible to do it without
interacting with the web service, because you can
compute the password using the shared secret key. So,
in this case, Kamailio doesn't need to interact with
the web service.<br>
</p>
<p><br>
</p>
</div>
</blockquote>
<div>Thanks for that, and to Carsten who also sent
explanation.</div>
<div><br>
</div>
<div>It seems like all that documentation about the web
service is indeed a red-herring since the module is
neither a client nor a provider of such a service. There
is no obligation to implement such a service as documented
- since in any event auth_ephemeral neither implements nor
consumes this web service.</div>
<div><br>
</div>
<div>All auth_ephemeral does it to authenticate clients
using a secret (password) that is encrypted using a shared
key. auth_ephemeral I guess decrypts the secret which is
structured so that auth_ephemeral can tell that it is
legit and unexpired.</div>
<div><br>
</div>
<div>Do I have this right?</div>
<div><br>
</div>
<div>Gotta say that the docs really don't make this clear.</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote>
The password used for SIP authentication is not decrypted. It is
about how the password is generated, so that the same value results
when done by web service and the sip server. The javascript relies
on the webservice to provides an short-term valid password.
auth_ephemeral does the same kind of processing as the webservice
and should get the same password. Using this password it computes
the Digest response and if there is match, then authentication is
ok.<br>
<br>
I guess you can still fetch the password through a web service in
kamailio.cfg (using http_client) and then use it with:<br>
<br>
<a class="moz-txt-link-freetext" href="https://www.kamailio.org/docs/modules/stable/modules/auth_ephemeral.html#auth_eph.f.autheph_authenticate">https://www.kamailio.org/docs/modules/stable/modules/auth_ephemeral.html#auth_eph.f.autheph_authenticate</a><br>
<br>
If you can make the documentation more clear, contributions are
welcome -- the easiest would be pull request on github.<br>
<br>
Cheers,<br>
Daniel<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio World Conference - May 8-10, 2017 - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
</body>
</html>