Metrics with authMethod: jwt ?

[MatthewABrantley]

Question

Server Version: 1.8.3
Instructions summary: Enable JWT auth, add mediamtx scope to JWT following auth0 docs, pass in JWT while trying to scrape metrics.
Server Logs: Below

Using Auth0, I wrote in the mediamtx_permissions.

exports.onExecutePostLogin = async (event, api) => {
  const permissions = [
    {
      "action": "read",
      "path": ""
    },
    {
      "action": "playback",
      "path": ""
    },
    {
      "action": "metrics",
      "path": ""
    }
  ];
  
  if (event.authorization) {
    api.idToken.setCustomClaim(`mediamtx_permissions`, permissions);
    api.accessToken.addScope("mediamtx_permissions");
  }

If I fetch my token and decode it, it seems to have the correct scope, and works for the read/playback.

{
"https://api.website.com/email": "[email protected]",
"mediamtx_permissions": [
  {
    "action": "read",
    "path": ""
  },
  {
    "action": "playback",
    "path": ""
  },
  {
    "action": "metrics",
    "path": ""
  }
],

Server logs (Debug enabled) show the token coming across, and then the system says 401.

2024/06/26 21:17:12 DEB [metrics] [conn 10.68.1.71:43932] [c->s] GET /metrics HTTP/1.1                                                                                                                                                                                                                                   │
│ Host: mtxmetricsdev.website.com                                                                                                                                                                                                                                                                                              │
│ Accept: application/openmetrics-text;version=1.0.0;q=0.5,application/openmetrics-text;version=0.0.1;q=0.4,text/plain;version=0.0.4;q=0.3,*/*;q=0.2                                                                                                                                                                       │
│ Accept-Encoding: gzip                                                                                                                                                                                                                                                                                                    │
│ Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ik5CY2JaVGI1TER2b25IcXJPeWpxNyJ9.eyJodHRwczovL2FwaS5haXB4LmNvL2VtYWlsIjoibWJyY<redacted>eyJhY3Rpb24iOiJyZWFkIiwicGF0aCI6IiJ9LHsiYWN0aW9uIjoicGxheWJhY2siLCJwYXRoIjoiIn0seyJhY3Rpb24iOiJtZ │
│ Referer: http://mtxmetricsdev.website.com:80/metrics                                                                                                                                                                                                                                                                         │
│ User-Agent: Prometheus/2.51.2                                                                                                                                                                                                                                                                                            │
│ X-Forwarded-For: 10.68.1.1                                                                                                                                                                                                                                                                                               │
│ X-Forwarded-Host: mtxmetricsdev.website.com                                                                                                                                                                                                                                                                      │
│ X-Forwarded-Port: 443                                                                                                                                                                                                                                                                                                    │
│ X-Forwarded-Proto: https                                                                                                                                                                                                                                                                                                 │
│ X-Forwarded-Server: traefik-7d9448df6b-7dpht                                                                                                                                                                                                                                                                             │
│ X-Prometheus-Scrape-Timeout-Seconds: 10                                                                                                                                                                                                                                                                                  │
│ X-Real-Ip: 10.68.1.1                                                                                                                                                                                                                                                                                                     │
│                                                                                                                                                                                                                                                                                                                          │
│                                                                                                                                                                                                                                                                                                                          │
│ 2024/06/26 21:17:12 DEB [metrics] [conn 10.68.1.71:43932] [s->c] HTTP/1.1 401 Unauthorized                                                                                                                                                                                                                               │
│ Access-Control-Allow-Credentials: true                                                                                                                                                                                                                                                                                   │
│ Access-Control-Allow-Origin: *                                                                                                                                                                                                                                                                                           │
│ Server: mediamtx                                                                                                                                                                                                                                                                                                         │
│ Www-Authenticate: Basic realm="mediamtx"           

Here's my sections from mediamtx.yml

###############################################
# Global settings -> Authentication

# Authentication method. Available values are:
# * internal: users are stored in the configuration file
# * http: an external HTTP URL is contacted to perform authentication
# * jwt: an external identity server provides authentication through JWTs
authMethod: jwt

# JWT-based authentication.
# Users have to login through an external identity server and obtain a JWT.
# This JWT must contain the claim "mediamtx_permissions" with permissions,
# for instance:
# {
#  ...
#  "mediamtx_permissions": [
#     {
#       "action": "publish",
#       "path": "somepath"
#     }
#   ]
# }
# Users are expected to pass the JWT in the Authorization header or as a query parameter.
# This is the JWKS URL that will be used to pull (once) the public key that allows
# to validate JWTs.

authJWTJWKS: https://<redacted>.us.auth0.com/.well-known/jwks.json


# Enable Prometheus-compatible metrics.
metrics: yes
# Address of the metrics listener.
metricsAddress: 0.0.0.0:9998

Prometheus job, to show that I am passing a bearer in my requests,

  - job_name: 'mtx-dev-metrics'
    scheme: http
    bearer_token: eyJhbGciOiJSUzI1<redacted>OiJtZXRyaWNz>
    static_configs:
      - targets: ['mtxmetricsdev.website.com']

Did I do anything wrong? Turning Auth back to internal and I can curl it on my PC, or feed it into prometheus/grafana no problem as shown here, when I have lines, JWT auth is disabled. When I don't have lines, JWT auth is enabled.

[aler9]

Hello, the problem is that the server currently supports passing the JWT through query parameters only, not through the Authentication header. This is the way to use the JWT to pull metrics:

http://mtxmetricsdev.website.com/metrics?jwt=MY_JWT

The ability to use the Authorization Header is being tracked here: #3630