§13.3.

Authorization

MOQT supports authorization via mutual TLS for node-level identification and token-based schemes for fine-grained access control.

Mutual TLS is expected to be widely used for node level identification between relays, especially within one organization. However, in some deployments mutual TLS can also be used for end subscribers or original publishers. However, as only node level authentication is provided, what a particular identified node is allowed to do is not provided at TLS level.

MOQT has functionality to carry Authorization tokens as message parameters. These tokens can vary based on the application requirements. Two variants of authorization tokens have already been defined for MOQT, and more are expected in the future. The current tokens are Privacy Pass Authentication for Media over QUIC [PPA] and Authentication scheme for MOQT using Common Access Tokens [CAT].

Tokens are expected to contain information about which actions and which resources the endpoint providing the token is authorized to perform and access. Relays will verify the token to ensure that the request is authorized.

13.3.1. Replay Attacks

Replay protection for authorization tokens is the responsibility of the specific token scheme used. Token schemes such as [CAT] and [PPA] include requirements for relays when processing tokens and requests.

This is one section of the MoQT specification, rendered per-section for quick reference and citation. The authoritative text is draft-ietf-moq-transport-18 at the IETF.