Can't make JWT auth work via url password
Which version are you using?
1.15.5
Which operating system are you using?
Linux amd64 standard
Describe the issue
Trying to stream local file to media server using ffmpeg via RTSPS. Works fine with internal auth mode and JWT mode w/ ?jwt=. However, it fails with username:password@host.
For JWT provider, I am using Better Auth. Key set at url seems correct.
JWT is valid, 3 segments, able to validate with public key (with jwt.io online tool), payload:
{
  "sub": "xxx",
  "exp": 1780923259,
  "mediamtx_permissions": [
    {
      "action": "publish",
      "path": "demo"
    }
  ],
  "iss": "https://***",
  "aud": "https://***"
}
Describe how to replicate the issue
ffmpeg -re -stream_loop -1 -i "C:\Users\...\test.mp4" -an -c:v libx264 -preset veryfast -tune zerolatency -profile:v baseline -level 3.1 -f rtsp -rtsp_transport tcp "rtsps://publish:<jwt>@ms.company.com:8322/demo"
Returns 401 unauthorized
MediaMTX configuration
# Authentication method. Available values are:
# * internal: credentials are stored in the configuration file
# * http: an external HTTP URL is contacted to perform authentication
# * jwt: an external identity server provides authentication through JWTs
authMethod: jwt
# JWT-based authentication.
# Users have to login through an external identity server and obtain a JWT.
# This JWT must contain the claim "mediamtx_permissions" with permissions,
# for instance:
# {
#   "mediamtx_permissions": [
#     {
#       "action": "publish",
#       "path": "somepath"
#     }
#   ]
# }
# Users are expected to pass the JWT in the Authorization header or as password.
# This is the JWKS URL that will be used to pull (once) the public key that allows
# to validate JWTs.
authJWTJWKS: 'https://auth.company.com/api/auth/jwks'
# If the JWKS URL has a self-signed or invalid certificate,
# you can provide the fingerprint of the certificate in order to
# validate it anyway. It can be obtained by running:
# openssl s_client -connect jwt_jwks_domain:443 </dev/null 2>/dev/null | sed -n '/BEGIN/,/END/p' > server.crt
# openssl x509 -in server.crt -noout -fingerprint -sha256 | cut -d "=" -f2 | tr -d ':'
authJWTJWKSFingerprint:
# name of the claim that contains permissions.
authJWTClaimKey: mediamtx_permissions
# Actions to exclude from JWT-based authentication.
# Format is the same as the one of user permissions.
authJWTExclude: []
# allow passing the JWT through query parameters of HTTP requests (i.e. ?jwt=JWT).
# This is a security risk and will be disabled by default in the future.
authJWTInHTTPQuery: false
MediaMTX logs
Dec 10 13:33:24 do-vm-ms mediamtx[8405]: 2025/12/10 13:33:24 INF [RTSPS] [conn ***:47214] opened
Dec 10 13:33:24 do-vm-ms mediamtx[8405]: 2025/12/10 13:33:24 INF [RTSPS] [session a3b47ff5] created by ***:47214
Dec 10 13:33:26 do-vm-ms mediamtx[8405]: 2025/12/10 13:33:26 INF [RTSPS] [conn ***:47214] closed: authentication failed: token is malformed: token contains an invalid number of segments
Dec 10 13:33:26 do-vm-ms mediamtx[8405]: 2025/12/10 13:33:26 INF [RTSPS] [session a3b47ff5] destroyed: not in use
Network dump
No response
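A local check related to the "invalid number of segments" error in the log above, as an added example that is not part of the original report and is not MediaMTX code: it extracts the password from an RTSP(S) URL the way a URL parser sees it, counts the JWT segments and decodes the claims without verifying the signature. The host ms.example.com, the function names and the sample token are constructed for illustration.

```python
import base64
import json
import time
from urllib.parse import urlsplit, unquote

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_rtsp_jwt(url, claim_key="mediamtx_permissions", now=None):
    """Report what the password part of an RTSP(S) URL contains (no signature check)."""
    parts = urlsplit(url)
    password = unquote(parts.password or "")
    segments = password.split(".")
    report = {"user": parts.username, "segments": len(segments),
              "permissions": None, "issues": []}
    if len(segments) != 3:
        report["issues"].append("password is not a 3-segment JWT")
        return report
    try:
        header, claims = (json.loads(b64url_decode(s)) for s in segments[:2])
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header/payload is not a JSON object")
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        report["issues"].append(f"undecodable segment: {exc}")
        return report
    report["permissions"] = claims.get(claim_key)
    if not isinstance(report["permissions"], list):
        report["issues"].append(f'claim "{claim_key}" missing or not a list')
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp < (now or time.time()):
        report["issues"].append("token expired")
    return report

# Constructed sample: token with the payload shape from the report, dummy signature.
SAMPLE_CLAIMS = {"sub": "xxx", "exp": 1780923259,
                 "mediamtx_permissions": [{"action": "publish", "path": "demo"}]}
SAMPLE_JWT = ".".join(b64url_encode(p) for p in (
    json.dumps({"alg": "EdDSA", "typ": "JWT"}).encode(),
    json.dumps(SAMPLE_CLAIMS).encode(),
    b"constructed-signature-not-valid"))
GOOD_URL = f"rtsps://publish:{SAMPLE_JWT}@ms.example.com:8322/demo"
BAD_URL = "rtsps://publish:not-a-jwt@ms.example.com:8322/demo"

if __name__ == "__main__":
    for url in (GOOD_URL, BAD_URL):
        print(inspect_rtsp_jwt(url))
```

A clean report here only shows that the URL carries a well-formed token; it says nothing about what the client actually sends on the wire after RTSP authentication negotiation.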