Version: v2.8

Login and Auth

The topic of authentication and authorization comes up in the context of Tobira in several situations, each described in its own section in this document:


Tobira authenticating against Opencast

To synchronize data (about events and series), Tobira has to talk to Opencast. Of course, those requests need to be authenticated. The user login data used for those requests has to be configured in the [sync] section. That user currently has to have ROLE_ADMIN.

Authenticating Opencast against Tobira

If you happen to use Tobira's integration in the Opencast Admin-UI to directly mount newly created series, Opencast has to authenticate against Tobira as well. To do that, Tobira and Opencast share a secret, which Opencast sends to Tobira under the x-tobira-trusted-external-key-header. Note that this means that your reverse proxy must not remove this header. Don't worry, though! Tobira is going to verify the secret. However, you should make sure that it is never sent over an untrusted channel.

Note that this "backdoor" is "only" valid for the requests that the current Opencast integration uses. To tell Tobira about this secret, put it under the key auth.trusted_key in your Tobira configuration. To tell Opencast, put it in etc/org.opencastproject.adminui.endpoint.SeriesEndpoint.cfg under the key tobira.mh_default_org.trustedKey (where you might have to replace mh_default_org by your organization ID in case you run a multitenant system).
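To make the checks in this section concrete, here is an added illustration (not Tobira's own code) of how a receiver should validate such a shared-secret header: case-insensitive header lookup, a constant-time comparison against the configured key, acceptance only for the integration's own endpoints, and a refusal when the proxy reports the request did not arrive over TLS. The header name is taken from this page (assuming the trailing "-header" in the text is the word "header", not part of the name); the path prefix and the X-Forwarded-Proto check are assumptions.

```python
import hmac
from typing import Mapping, Optional

# Header name as documented on this page (assumption: the "-header" suffix in
# the text is prose, not part of the name).
TRUSTED_KEY_HEADER = "x-tobira-trusted-external-key"

# Placeholder (assumption): only the endpoints the Opencast integration calls
# honour the key; everything else needs a regular user session.
TRUSTED_PATH_PREFIXES = ("/api/opencast-integration/",)


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_trusted_external_request(headers: Mapping[str, str], path: str,
                                configured_key: str) -> bool:
    """True only if the request presents the configured secret, targets an
    integration endpoint and (per the proxy's X-Forwarded-Proto) used TLS."""
    if not configured_key:
        return False  # feature not configured: never trust the header
    if not path.startswith(TRUSTED_PATH_PREFIXES):
        return False  # the key is not a general-purpose login
    if header(headers, "x-forwarded-proto") != "https":
        return False  # secret must never travel over an untrusted channel
    presented = header(headers, TRUSTED_KEY_HEADER)
    if presented is None:
        return False  # stripped by the proxy, or never sent by Opencast
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(presented.encode("utf-8"),
                               configured_key.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample request as Opencast would send it through the proxy.
    sample = {"X-Tobira-Trusted-External-Key": "s3cret",
              "X-Forwarded-Proto": "https"}
    print(is_trusted_external_request(sample, "/api/opencast-integration/mount", "s3cret"))
```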

Authenticating Tobira users against Opencast services

Users logged into Tobira don't automatically have a login session in Opencast. This is a problem when they (or rather their browser) need to talk to Opencast directly (e.g. for the uploader, Studio or the editor): these requests might be unauthenticated. As a solution, Tobira can cross-authenticate those users against Opencast. This basically means that Tobira tells Opencast to "trust that this user is legit" so that the human user does not have to log in again.

This is done via JSON Web Tokens (JWTs). Setting that up is explained in this document.

This cross-authentication is required for the uploader. For Studio and Editor, it's only required if you don't have a single sign-on (SSO) solution. If you don't (and thus want to use cross-auth for those two services), you have to set auth.pre_auth_external_links to true in the configuration.