MOQ Authentication
MOQ authentication uses two independent layers. Both must pass for a client to publish or subscribe.
Architecture
Client Relay Red5 Pro Plugin
| | |
|-- SUBSCRIBE/PUBLISH --------> | |
| (AUTHORIZATION_TOKEN) | |
| [Layer 1: Token Validation] |
| CAT or Simple Token check |
| | |
| |-- PublisherCreated Event ---> |
| | (includes authSubject) |
| | [Layer 2: JWT Validation]
| | claims: sig, expiry, roles
|<-- SUBSCRIBE_OK/PUBLISH_OK -- | |
Layer 1: Relay-Level Tokens
Validated during the MoQ control message exchange. The token is carried in the AUTHORIZATION_TOKEN parameter (0x03) of SUBSCRIBE, PUBLISH, and FETCH messages.
Token Wire Format
Per the MoQ Transport specification, the token structure supports aliasing:
| Alias Type | Value | Fields Present |
|---|---|---|
| DELETE | 0x0 | Alias only |
| REGISTER | 0x1 | Alias, Type, Value |
| USE_ALIAS | 0x2 | Alias only |
| USE_VALUE | 0x3 | Type, Value (most common) |
For typical use, send USE_VALUE (0x3) with Token Type and Token Value.
CAT Token (Common Access Token)
HMAC-SHA256 signed CBOR Web Token with MoQ-specific claims.
# conf/moq-plugin.properties
# Enable CAT authentication
auth.cat.enabled=true
# Base64-encoded shared secret for HMAC-SHA256 signature verification
auth.cat.shared.secret=YOUR_BASE64_SECRET
# Allow clients that send no token (useful during testing)
auth.cat.allow.anonymous=false
# Clock skew tolerance in seconds
auth.cat.expiration.tolerance=60
Simple Token
Shared secret passed as a plain string — negotiated out of band.
auth.simple.token.enabled=false
auth.simple.token.secret=YOUR_SHARED_SECRET
Layer 2: Plugin-Level JWT
After relay-level validation, the plugin validates a JWT using Red5 Pro’s simple-auth-plugin integration. Validated claims include: signature, expiry, roles, transport, and room.
JWT validation is configured through the simple-auth-plugin, not in moq-plugin.properties. Refer to the Authentication documentation for setup instructions.