After testing, it seems that credential transfer is required for client code to work (otherwise, you will receive an error message in the console).
Leaving the "no-auth" parameter enabled in Coturn (or leaving comments of both lt-cred-mech and st-cred-mech), but still sending credentials in the JS application also does not work, as TURN messages somehow signed using password credentials. Perhaps Coturn does not expect clients to send authentication data if it works in non-authorization mode, so it does not know how to interpret the messages.
Decision
Including lt-cred-mech and hard-coded username and password in the Coturn and JS configuration file for the application seems to work. The static user entries are commented out in the Coturn configuration file - use the plain password format, not the key format.
Coturn config (this is the whole configuration file I worked with):
fingerprint lt-cred-mech
List of ICE servers from the JS web application:
var iceServers = [ { url: 'turn:123.234.123.23:3478', //your TURN server address here credential: 'password1', //actual hardcoded value username: 'username1' //actual hardcoded value } ];
Obviously, this does not provide any real protection for the TURN server, since the credentials are visible to anyone (so everyone can use the processor bandwidth and time, using this as a relay).
In short:
- yes, long-term authentication is required to use TURN WebRTC.
- yes, it seems that you can just hardcode one set of credentials for everyone to use - coturn didn’t worry that two clients receive distributions simultaneously with the same credentials.
- One possible security solution with minimal problems would be the TURN REST API , which supports Coturn.