Being a happy user of SOGo, I activated TURN configuration with long-term credentials early on. The problem: the secret password of my TURN user was visible and downloadable from the JS script. Not optimal. I learnt that ephemeral credentials were the way to solve that issue.
JSXC's GitHub community helped me understand how to set it up and test it.
A PHP script is already included with jsxc (it might not be up to date in sjsxc) that creates ephemeral credentials dynamically (the timestamp is part of the equation, so they have to be generated on demand).
SOGo being Objective-C, the server I got it running on has no PHP installed on it.
This was the perfect opportunity to write a little Python script and install uwsgi to be able to call that script through nginx.
Some extra info:
Documentation for the integration of jsxc in SOGo (sjsxc) can be found on jsxc's GitHub Wiki under Install sjsxc (SOGo).
A coturn server configuration example can also be found on jsxc's GitHub Wiki under WebRTC How To.
How it works
The cgi-bin directory contains all Python-related files: the actual Python files as well as the config files for uwsgi and TURN authentication. Once everything is set up, any request reaching /cgi-bin/* will invariably result in a call to the Python script wsgi.py, which itself is a callable for getturncredentials.py.
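As an added illustration (not the author's getturncredentials.py nor jsxc's PHP script), here is how a WSGI callable can derive time-limited TURN credentials so that only the derived password, never the shared secret, reaches the browser. It assumes coturn runs in use-auth-secret mode with a static-auth-secret; the secret, TURN URL, user label and JSON response shape are placeholders and assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed placeholders; the secret must match static-auth-secret in coturn.
TURN_SECRET = b"replace-with-static-auth-secret"
TURN_URLS = ["turn:turn.example.org:3478"]
TTL = 3600  # seconds a credential stays valid


def _sign(secret, username):
    """base64(HMAC-SHA1(secret, username)), the password coturn recomputes."""
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_credentials(secret, user="sogo", ttl=TTL, now=None):
    """Return (username, password); username is '<expiry-unix-time>:<user>'."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user}"
    return username, _sign(secret, username)


def is_valid(secret, username, password, now=None):
    """The TURN server's view: signature must match and expiry not be passed."""
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    current = int(time.time() if now is None else now)
    return hmac.compare_digest(_sign(secret, username), password) and current <= expiry


def application(environ, start_response):
    """WSGI entry point: issue a fresh credential on every request."""
    username, password = make_credentials(TURN_SECRET)
    body = json.dumps({  # response shape is an assumption
        "ttl": TTL,
        "iceServers": [{"urls": TURN_URLS, "username": username,
                        "credential": password}],
    }).encode()
    start_response("200 OK", [
        ("Content-Type", "application/json"),
        ("Cache-Control", "no-store"),  # never cache short-lived credentials
        ("Content-Length", str(len(body))),
    ])
    return [body]
```

A leaked credential from this endpoint stops working once its embedded expiry passes, which is the property the long-term password lacked.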
In the meantime, it might be good to protect your config files from outsiders by adding to SOGo's nginx configuration file: