Exclude actions when using JWT authentication

internal/auth/manager.go

@@ -109,6 +109,7 @@ type Manager struct {
 	HTTPAddress     string
 	HTTPExclude     []conf.AuthInternalUserPermission
 	JWTJWKS         string
+	JWTExclude      []conf.AuthInternalUserPermission
 	ReadTimeout     time.Duration
 	RTSPAuthMethods []auth.ValidateMethod
 
@@ -255,6 +256,10 @@ func (m *Manager) authenticateHTTP(req *Request) error {
 }
 
 func (m *Manager) authenticateJWT(req *Request) error {
+	if matchesPermission(m.JWTExclude, req) {
+		return nil
+	}
+
 	keyfunc, err := m.pullJWTJWKS()
 	if err != nil {
 		return err

internal/conf/conf.go

@@ -177,6 +177,7 @@ type Conf struct {
 	ExternalAuthenticationURL *string                     `json:"externalAuthenticationURL,omitempty"` // deprecated
 	AuthHTTPExclude           AuthInternalUserPermissions `json:"authHTTPExclude"`
 	AuthJWTJWKS               string                      `json:"authJWTJWKS"`
+	AuthJWTExclude            AuthInternalUserPermissions `json:"authJWTExclude"`
 
 	// Control API
 	API               bool       `json:"api"`
@@ -323,6 +324,17 @@ func (conf *Conf) setDefaults() {
 			Action: AuthActionPprof,
 		},
 	}
+	conf.AuthJWTExclude = []AuthInternalUserPermission{
+		{
+			Action: AuthActionAPI,
+		},
+		{
+			Action: AuthActionMetrics,
+		},
+		{
+			Action: AuthActionPprof,
+		},
+	}
 
 	// Control API
 	conf.APIAddress = ":9997"

internal/core/core.go

@@ -287,6 +287,7 @@ func (p *Core) createResources(initial bool) error {
 			HTTPAddress:     p.conf.AuthHTTPAddress,
 			HTTPExclude:     p.conf.AuthHTTPExclude,
 			JWTJWKS:         p.conf.AuthJWTJWKS,
+			JWTExclude:      p.conf.AuthJWTExclude,
 			ReadTimeout:     time.Duration(p.conf.ReadTimeout),
 			RTSPAuthMethods: p.conf.RTSPAuthMethods,
 		}
@@ -674,6 +675,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 		newConf.AuthHTTPAddress != p.conf.AuthHTTPAddress ||
 		!reflect.DeepEqual(newConf.AuthHTTPExclude, p.conf.AuthHTTPExclude) ||
 		newConf.AuthJWTJWKS != p.conf.AuthJWTJWKS ||
+		!reflect.DeepEqual(newConf.AuthJWTExclude, p.conf.AuthJWTExclude) ||
 		newConf.ReadTimeout != p.conf.ReadTimeout ||
 		!reflect.DeepEqual(newConf.RTSPAuthMethods, p.conf.RTSPAuthMethods)
 	if !closeAuthManager && !reflect.DeepEqual(newConf.AuthInternalUsers, p.conf.AuthInternalUsers) {

mediamtx.yml

@@ -44,7 +44,7 @@ runOnDisconnect:
 # * internal: users are stored in the configuration file
 # * http: an external HTTP URL is contacted to perform authentication
 # * jwt: an external identity server provides authentication through JWTs
-authMethod: internal
+authMethod: jwt
 
 # Internal authentication.
 # list of users.
@@ -120,7 +120,11 @@ authHTTPExclude:
 # Users are expected to pass the JWT in the Authorization header or as a query parameter.
 # This is the JWKS URL that will be used to pull (once) the public key that allows
 # to validate JWTs.
-authJWTJWKS:
+authJWTJWKS: https://localhost:7211/.well-known/openid-configuration/jwks
+# Actions to exclude from JWT-based authentication.
+# Format is the same as the one of user permissions.
+authJWTExclude:
+- action: publish
 
 ###############################################
 # Global settings -> Control API