Update the token-based authentication mechanism
If you integrate the Chat SDK and Agora Video SDK at the same time, Agora recommends you update the token-based authentication mechanism from AccessToken to AccessToken2.
This document uses the JAVA server and the Web client as examples to guide you how to build and update the token-based authentication mechanism step-by-step.
Prerequisites
-
You have built a token server based on Spring Framework and a Web client using Chat according to Authenticate Your Users with Tokens.
-
You have added the Video SDK Token service based on AccessToken to the token server of Chat. To do this, in
AgoraChatTokenController.java
file, import theRtcTokenBuilder
withimport com.agora.chat.token.io.agora.media.RtcTokenBuilder;
and add the following method: -
You have added the authentication logic to the client using the using the Video SDK. To do this, create a
agoraRtcTokenClient
folder with the following two files:-
index.html
: -
client.js
. Replace<Your app ID>
with your App ID.
-
-
To test the AccessToken server, open index.html with a supported browser to perform the following actions:
- Successfully joining a channel.
- Renewing a token every 10 seconds.
Implementation
To upgrade your authentication mechanism to AccessToken 2, use the following procedure.
Upgrade the token server to AccessToken2
This section shows you how to upgrade the token server to AccessToken2.
-
Import
RtcTokenBuilder2
with the following code: -
Replace the code for
getRtcToken
method with the following logic:
No extra action is required for the client to get compatible with AccessToken2.
Test the AccessToken2 server
Open index.html
with a supported browser to perform the following actions:
- Successfully joining a channel.
- Renewing a token every 10 seconds.
Reference
This section introduces token generator libraries, version requirements, and related documents about AccessToken2.
SDK compatibility for AccessToken2
AccessToken2 supports the following versions of the Agora Video SDK:
SDK | First SDK version to support AccessToken2 |
---|---|
Video SDK Native SDK | 3.5.2 |
Video SDK ELectron SDK | 3.5.2 |
Video SDK Unity SDK | 3.5.2 |
Video SDK React Native SDK | 3.5.2 |
Video SDK Flutter SDK | 4.2.0 |
Video SDK Web SDK | 4.8.0 |
Video SDK WeChat Mini Program SDK | Not supported |
Video SDK SDKs that use AccessToken2 can interoperate with Video SDK SDKs that use AccessToken. Also, the Video SDK that supports AccessToken2 also supports AccessToken.
Token generator libraries
Agora provides an open-source AgoraDynamicKey repository on GitHub, which enables you to generate AccessToken2 on your server with programming languages such as C++, Java, and Go.
Language | Algorithm | Core Method | Sample Code |
---|---|---|---|
C++ | HMAC-SHA256 | buildTokenWithUid | RtcTokenBuilder2Sample.cpp |
Go | HMAC-SHA256 | buildTokenWithUid | sample.go |
Java | HMAC-SHA256 | buildTokenWithUid | RtcTokenBuilder2Sample.java |
Node.js | HMAC-SHA256 | buildTokenWithUid | RtcTokenBuilder2Sample.js |
PHP | HMAC-SHA256 | buildTokenWithUid | RtcTokenBuilder2Sample.php |
Python | HMAC-SHA256 | buildTokenWithUid | RtcTokenBuilder2Sample.py |
Python3 | HMAC-SHA256 | buildTokenWithUid | RtcTokenBuilder2Sample.py |
API reference
Taking Java as an example, this section introduces the parameters and descriptions for the method to generate an AccessToken2.
Parameter | Description |
---|---|
appId | The App ID of your Agora project. |
appCertificate | The App Certificate of your Agora project. |
channelName | The channel name. The string length must be less than 64 bytes. Supported character scopes are:
|
uid | The user ID of the user to be authenticated. A 32-bit unsigned integer with a value range from 1 to (2³² - 1). It must be unique. Set uid as 0, if you do not want to authenticate the user ID, that is, any uid from the app client can join the channel. |
role | The privilege of the user, either as a publisher or a subscriber. This parameter determines whether a user can publish streams in the channel.
|
expire | The Unix timestamp (in seconds) when an AccessToken expires. Set this parameter as the current timestamp plus the valid period of AccessToken2. For example, if you set expire as the current timestamp plus 600, the AccessToken2 expires in 10 minutes. An AccessToken2 is valid for 24 hours at most. If you set it to a period longer than 24 hours, the AccessToken2 is still valid for 24 hours. |
API for privilege-level expiration configuration
To facilitate privilege-level configuration in a channel, Agora provides an overloaded method to support configuring the expiration of the AccessToken2 and related privileges:
- Join a channel
- Publish audio
- Publish video
- Publish data stream
Take Java as an example:
This method generates an Video SDK AccessToken2 and supports configuring the following privileges:
- The expiration time of AccessToken2
- Joining an Video SDK channel
- Publishing audio in an Video SDK channel
- Publishing video in an Video SDK channel
- Publishing data stream in an Video SDK channel
The privileges of publishing audio in an Video SDK channel, publishing video in an Video SDK channel, and publishing data stream in an Video SDK channel only take effect after enabling co-host authentication.
You can assign multiple privileges to a user. The maximum valid period of each privilege is 24 hours. When a privilege is about to expire or has expired, the Video SDK triggers the onTokenPriviegeWillExpire
callback or the onRequestToken
callback. You need to take the following actions in your own app logic:
- Tag the type of privilege which is about to expire or has expired in your app logic.
- The app fetches a new AccessToken2 from the token server.
- The SDK calls
renewToken
to renew the AccessToken2, orjoinChannel
to rejoin the channel.
You need to set an appropriate expiration timestamp. For example, if the expiration time of joining a channel is earlier than that of publishing audio in the channel, when the privilege of joining a channel expires, the user is kicked out of the Video SDK channel. Even if the privilege of publishing audio is still valid, the privilege does not mean anything for the user.
Parameter | Description |
---|---|
tokenExpire | Number of seconds passed from the generation of AccessToken2 to the expiration of AccessToken2. Set this parameter as the current timestamp plus the valid period of AccessToken2. For example, if you set tokenExpire as the current timestamp plus 600, the AccessToken2 expires in 10 minutes. An AccessToken2 is valid for 24 hours at most. If you set it to 0 or a period longer than 24 hours, the AccessToken2 is still valid for 24 hours. |
joinChannelPrivilegeExpire | Number of seconds passed from the generation of AccessToken2 to the expiration of the privilege of joining a channel. Set this parameter as the current timestamp plus the valid period of the privilege of joining a channel. For example, if you set joinChannelPrivilegeExpire as the current timestamp plus 600, the privilege expires 10 minutes after generation. |
pubAudioPrivilegeExpire | Number of seconds passed from the generation of AccessToken2 to the expiration of the privilege of publishing audio in a channel. Set this parameter as the current timestamp plus the valid period of publishing audio in a channel. For example, if you set pubAudioPrivilegeExpire as the current timestamp plus 600, the privilege expires 10 minutes after generation. If you do not want to enable this privilege, set this parameter to the current timestamp. |
pubVideoPrivilegeExpire | Number of seconds passed from the generation of AccessToken2 to the expiration of the privilege of publishing video in a channel. Set this parameter as the current timestamp plus the valid period of publishing video in a channel. For example, if you set pubVideoPrivilegeExpire as the current timestamp plus 600, the privilege expires 10 minutes after generation. If you do not want to enable this privilege, set this parameter to the current timestamp. |
pubDataStreamPrivilegeExpire | Number of seconds passed from the generation of AccessToken2 to the expiration of the privilege of publishing data stream in a channel. Set this parameter as the current timestamp plus the valid period of publishing video in a channel. For example, if you set pubDataStreamPrivilegeExpire as the current timestamp plus 600, the privilege expires 10 minutes after generation. If you do not want to enable this privilege, set this parameter to the current timestamp. |
Enable co-host authentication
Refer to the following steps to enable this function in Agora Console:
- Log on to Agora Console. Under Projects, choose a project for which you want to enable co-host authentication, click the Edit icon, and enter the Edit Project page.
- In the Features area, click Enable authentication.
- Follow the on-screen instructions to know more about this function, check the box, and click Enable.
Co-host authentication takes effect in 5 minutes.
Once you have enabled co-host authentication, a user using your app must meet both of the following requirements to publish streams in a channel:
- The
role
insetClientRole
is set as"BROADCASTER"
. - The
role
in the code for generating tokens is set asROLE_PUBLISHER
.