To avoid unauthorized service access or operations, ZEGOCLOUD uses digital Tokens to verify user identity and to control and validate user privileges. You will need to pass a Token when you log in to a room.
Currently, ZEGOCLOUD supports validating the following:
To improve business security, we recommend you enable the room login and stream publishing privilege validation for all scenarios. In particular:
Before you start to implement user privilege authentication in your app, make sure you complete the following steps:
If you need the Room ID and Published stream ID authentication feature, contact ZEGOCLOUD Technical Support to enable it.
Integrate the ZEGO Express SDK (version 2.17.0 or later) into your project and implement the basic audio and video features. For details, see Getting started - Integration and Getting started - Implementation.
Your app clients request Tokens from your app server and provide the Token for privilege validation when logging in to a room.
The following diagram shows the process of room login privilege validation:
Go to ZEGOCLOUD Admin Console to get the App ID and ServerSecret of your project.
After getting your AppID and ServerSecret, you can define the validation rules on your app server or client based on your business requirements.
Upon request from your app clients, your app server generates Tokens and sends the Tokens to the corresponding app clients.
ZEGOCLOUD provides an open-source Token generator plug-in on GitHub, which you can use to generate Tokens on your app server using different programming languages such as Go, C++, Java, Python, PHP, .NET, and Node.js.
Currently, the Token generator we provided supports generating the following two Tokens:
payload field.
payload field needs to be generated based on the following validation rules:
token04 of the Token generator to generate a Token.

Language | Supported version | Core function |
---|---|---|
Go | Go 1.14.15 or later | GenerateToken04 |
C++ | C++ 11 or later | GenerateToken04 |
Java | Java 1.8 or later | generateToken04 |
Python | Python 3.6.8 or later | generate_token04 |
PHP | PHP 5.6 or later | generateToken04 |
.NET | .NET Framework 3.5 or later | GenerateToken04 |
Node.js | Node.js 8 or later | generateToken04 |
Taking Go as an example, follow these steps to generate a Token:
GenerateToken04 method to generate a Token.
The following code shows how to generate a user identity Token:
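```go
package main

import (
	"fmt"

	"github.com/ZEGOCLOUD/zego_server_assistant/token/go/src/token04"
)

/*
Sample code for generating a user identity Token:
*/
func main() {
	// App ID of your project, from ZEGOCLOUD Admin Console.
	var appId uint32 = 1
	// Must be the same userID the client uses for room login.
	userId := "demo"
	// Sample value only; the real ServerSecret stays on your app server.
	serverSecret := "fa94dd0f974cf2e293728a526b028271"
	// Token validity period, in seconds.
	var effectiveTimeInSeconds int64 = 3600
	// Empty payload: the Token carries user identity only.
	var payload string = ""
	token, err := token04.GenerateToken04(appId, userId, serverSecret, effectiveTimeInSeconds, payload)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(token)
}
```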
The following code shows how to generate a user privilege Token:
```go
package main

import (
	"encoding/json"
	"fmt"

	"github.com/ZEGOCLOUD/zego_server_assistant/token/go/src/token04"
)

/*
Sample code for generating a user privilege Token:
*/

// Token-based business logic: RTC room-related authentication property
type RtcRoomPayLoad struct {
	RoomId       string      `json:"room_id"`        // Room ID: used to validate the room.
	Privilege    map[int]int `json:"privilege"`      // User privilege authentication control list: used to validate user privileges
	StreamIdList []string    `json:"stream_id_list"` // Stream list: used to validate the stream. This value can be null, and no stream will be validated if it is null.
}

func main() {
	var appId uint32 = 1
	roomId := "demo"
	userId := "demo"
	// Sample value only; the real ServerSecret stays on your app server.
	serverSecret := "fa94dd0f974cf2e293728a526b028271"
	var effectiveTimeInSeconds int64 = 3600

	// Grant both room login and stream publishing.
	privilege := make(map[int]int)
	privilege[token04.PrivilegeKeyLogin] = token04.PrivilegeEnable
	privilege[token04.PrivilegeKeyPublish] = token04.PrivilegeEnable

	payloadData := &RtcRoomPayLoad{
		RoomId:       roomId,
		Privilege:    privilege,
		StreamIdList: nil,
	}
	payload, err := json.Marshal(payloadData)
	if err != nil {
		fmt.Println(err)
		return
	}

	// The JSON payload binds the Token to the room and the privileges above.
	token, err := token04.GenerateToken04(appId, userId, serverSecret, effectiveTimeInSeconds, string(payload))
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(token)
}
```
To make it easier for you to try and test the user authentication feature, ZEGOCLOUD Admin Console provides a tool for generating temporary Tokens, which you can use directly in a testing environment. In production, you must generate Tokens on your app server.
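The page leaves the validation rules to your app server. As an added example (not ZEGOCLOUD's code), here is one way to decide privileges server-side before calling the generator. The role table, stream ID scheme, lifetime cap and numeric privilege values are assumptions; `Generator` mirrors the `GenerateToken04` signature shown above so the real function can be passed in.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed values of token04.PrivilegeKeyLogin/PrivilegeKeyPublish and PrivilegeEnable/PrivilegeDisable.
const keyLogin, keyPublish, enable, disable = 1, 2, 1, 0
const maxTTL = int64(3600) // assumed cap on Token lifetime, in seconds

// Generator has the signature of token04.GenerateToken04 so it can be injected.
type Generator func(appID uint32, userID, secret string, ttl int64, payload string) (string, error)

type roomPayload struct { // same JSON layout as RtcRoomPayLoad on this page
	RoomID       string      `json:"room_id"`
	Privilege    map[int]int `json:"privilege"`
	StreamIDList []string    `json:"stream_id_list"`
}

// Constructed authorization data: room -> user -> role; only "host" may publish.
var roles = map[string]map[string]string{"room1": {"alice": "host", "bob": "viewer"}}
var ErrForbidden = errors.New("user is not a member of the room")

// IssueToken takes the user from the authenticated session, derives privileges from server-side roles, and caps the lifetime.
func IssueToken(gen Generator, appID uint32, secret, sessionUser, roomID string, ttl int64) (string, error) {
	role, ok := roles[roomID][sessionUser]
	if !ok {
		return "", ErrForbidden
	}
	if ttl <= 0 || ttl > maxTTL {
		ttl = maxTTL
	}
	p := roomPayload{RoomID: roomID, Privilege: map[int]int{keyLogin: enable, keyPublish: disable}}
	if role == "host" {
		p.Privilege[keyPublish] = enable
		p.StreamIDList = []string{roomID + "_" + sessionUser} // hypothetical stream ID scheme
	}
	b, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return gen(appID, sessionUser, secret, ttl, string(b))
}

func main() { // demo with a stub generator; in production pass token04.GenerateToken04
	stub := func(_ uint32, _, _ string, ttl int64, p string) (string, error) { return p, nil }
	fmt.Println(IssueToken(stub, 1, "constructed-secret", "bob", "room1", 86400))
}
```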
If you can't generate the Token on your app server, you can try to generate it on your client.
When your app is ready to go live, remember not to generate the Token on your client; otherwise, there is a risk of the ServerSecret being exposed.
ZEGOCLOUD provides an open-source Token generator plug-in on GitHub, which you can use to generate Tokens on your app server using different programming languages such as C++ and Java.
Language | Supported version | Core function |
---|---|---|
C++ | C++ 11 or later | GenerateToken04 |
Java | Java 1.8 or later | generateToken04 |
When logging in to a room, you need to pass the Token, user, and roomID to the LoginRoom method. Otherwise, the login will fail.
The userID you use for room login (LoginRoom) must be the same as the one you used for generating Tokens.
```csharp
string roomID = "xxx"; // roomID to login
ZegoUser user = new ZegoUser();
user.userID = "xxxx";
user.userName = "xxxx";
ZegoRoomConfig config = new ZegoRoomConfig();
config.token = "xxxxxxxxxx"; // Token from your app server
engine.LoginRoom(roomID, user, config);
```
If you need to modify the stream publishing privilege of a user after the user has logged in to a room, call the RenewToken method to renew the Token. The updated privileges will take effect for the next stream publishing, but will not affect the current streams being published (if any).
```csharp
string token = "xxxxxxxxxx"; // Get a new token
engine.RenewToken(roomID, token); // roomID: the room the user is logged in to
```
30 seconds before a Token expires, the SDK sends out a notification through the OnRoomTokenWillExpire callback.
Upon receiving this callback, you need to get a new Token from your app server first, and then pass the new Token to the RenewToken method.
If the Token is not renewed, different SDK versions handle the Token expiration differently:
If you integrated ZEGO Express SDK version 2.8.0 - 2.12.0 and your Token has expired:
If you integrated ZEGO Express SDK version 2.13.0 or later and your Token has expired:
If you enabled the room login privilege authentication (by validating the roomID), you must pass a new Token when logging in to a room.
```csharp
void OnRoomTokenWillExpire(string roomID, int remainTimeInSecond){
    string token = "xxxxxxxxxx"; // Get a new token
    engine.RenewToken(roomID, token);
}
```