Allow site-wide moderators

Hi there,

Is there a way of configuring Jitsi so that anyone can create rooms (as in the default setup), but moderator rights are still tied to user accounts (ones you create with prosodyctl register…, as in the secured domain config)?

I.e., anyone can open a room, but if I jump into it later on, I can still enter a username and password and become moderator?

Thanks and best wishes,

Florian

PS: Use case: a school’s own, dedicated server, where rooms can be created, but when a teacher enters, they can always become moderator…

This is possible with JWT authentication (the jitsi-meet-tokens package).

  • guests can connect without a token (allow_empty_token = true)

  • teachers connect using a token and always become moderators (the mod_token_affiliation module)

Dear emrah,

many thanks for getting back on this so quickly.

However, I’m a tiny bit lost. Could you give me a few more clues, as to how to implement this?

Or is there an alternative way, without JWT (which looks like quite a big extra thing for a novice like me)?

Thanks!

There is an official document about the token authentication. If this is complicated for you, I can help you to install it.

After activating the JWT auth:

  • Students will use a link like this: https://myschool.edu/myclass
    They can’t gain moderator rights under any conditions

  • Teachers will use a link like this: https://myschool.edu/myclass?jwt=very-long-jwt-string
    They become moderators in all circumstances

Hi there,

Thanks again for your help. I’ve dabbled a bit further. So JWT seems to work, somewhat, as I can set my username and avatar via appropriately generated tokens. However, if I use an incorrect secret in the token, Jitsi doesn’t seem to bother…? So something is still amiss.

Anyway, I’ve also downloaded and enabled mod_token_affiliation; it seems to work, as I see output in the debug log.

However,

Here’s (parts of) my prosody conf, I hope this is sufficient:

VirtualHost "meet.asdf.org"
    authentication = "token"        -- JWT auth from jitsi-meet-tokens
    allow_empty_token = true        -- clients without a token may still connect
    app_id="meet.asdf.org"          -- must match the "aud"/"iss" claims in the token
    app_secret="<redacted>"         -- HS256 key used to sign the tokens
    ssl = {
        key = "/etc/prosody/certs/meet.asdf.org.key";
        certificate = "/etc/prosody/certs/meet.asdf.org.crt";
    }

    https_certificate = "/etc/prosody/certs/meet.asdf.org.crt";
    https_key = "/etc/prosody/certs/meet.asdf.org.key";

    speakerstats_component = "speakerstats.meet.asdf.org"
    conference_duration_component = "conferenceduration.meet.asdf.org"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "log_auth";
        "presence_identity";
    }
    c2s_require_encryption = false

Component "conference.meet.asdf.org" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";       -- checks the token against app_secret / room
        "token_affiliation";        -- grants the affiliation carried in the token
    }
...
VirtualHost "guest.meet.asdf.org"
    authentication = "token"
    allow_empty_token = true
    --authentication = "anonymous"
    c2s_require_encryption = false
    modules_enabled = {
        "muc_lobby_rooms";
    }
    lobby_muc = "lobby.meet.asdf.org"
    main_muc = "conference.meet.asdf.org"

This is the /etc/jitsi/jicofo/sip-communicator.properties file:

org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.meet.asdf.org
#org.jitsi.jicofo.auth.URL=XMPP:meet.asdf.org
org.jitsi.jicofo.DISABLE_AUTO_OWNER=true

Here’s the token I used:

{
  "aud": "meet.asdf.org",
  "iss": "meet.asdf.org",
  "sub": "meet.asdf.org",
  "exp": 1925739151,
  "room": "*",
  "context": {
    "user": {
      "name": "bSmurf",
      "email": "asmurf@asdf.org",
      "affiliation": "owner",
      "avatar": "https://www.bla-asdf.com/wp-content/uploads/2009/05/huzza_290x290@2x.jpg"
    }
  }
}

And in the log I get then:

conference.meet.asdf.org:muc	debug	no occupant found for blablubroom@conference.meet.asdf.org/a23db05d; creating new occupant object for a23db05d-c8c0-4fb7-bdb4-c8ebd59dc62f@meet.asdf.org/vvWhU3T5
conference.meet.asdf.org:token_verification	debug	pre join: MUC room (blablubroom@conference.meet.asdf.org) <presence to='blablubroom@conference.meet.asdf.org/a23db05d' xml:lang='en' from='a23db05d-c8c0-4fb7-bdb4-c8ebd59dc62f@meet.asdf.org/vvWhU3T5'><x xmlns='http://jabber.org/protocol/muc'/><stats-id>Beulah-Isz</stats-id><videomuted xmlns='http://jitsi.org/jitmeet/video'>false</videomuted><c hash='sha-1' ver='cvjWXufsg4xT62Ec2mlATkFZ9lk=' xmlns='http://jabber.org/protocol/caps' node='http://jitsi.org/jitsimeet'/><avatar-id>daa457b6ef2c1c114a3597031c89f12b</avatar-id><avatar-url>https://www.bla-asdf.com/wp-content/uploads/2009/05/huzza_290x290@2x.jpg</avatar-url><email>asmurf@asdf.org</email><nick xmlns='http://jabber.org/protocol/nick'>bSmurf</nick><audiomuted xmlns='http://jitsi.org/jitmeet/audio'>false</audiomuted><x xmlns='vcard-temp:x:update'><photo/></x><occupant-id xmlns='urn:xmpp:occupant-id:0' id='neNR48bEf1jmHYMyQwLZmWsxb7pB5Vv3XVhlwY8hWh4='/></presence>
conference.meet.asdf.org:token_verification	debug	Session token: nil, session room: nil
conference.meet.asdf.org:token_verification	debug	Will verify token for user: a23db05d-c8c0-4fb7-bdb4-c8ebd59dc62f@meet.asdf.org/vvWhU3T5, room: blablubroom@conference.meet.asdf.org/a23db05d
conference.meet.asdf.org:token_verification	debug	Skipped room token verification - empty tokens are allowed
conference.meet.asdf.org:token_verification	debug	allowed: a23db05d-c8c0-4fb7-bdb4-c8ebd59dc62f@meet.asdf.org/vvWhU3T5 to enter/create room: blablubroom@conference.meet.asdf.org/a23db05d
...
conference.meet.asdf.org:token_affiliation	debug	skip affiliation, no token

I wonder if the “Skipped room token verification - empty tokens are allowed” has anything to do with it?

But if I set allow_empty_token on the main virtualhost to false, it’s no longer “open” (and the jwt also doesn’t work…).

Thanks for any pointers! Feels like I’m close, but still no cigar :frowning:

Remove this virtualhost block. AFAIK the JWT authentication uses “allow_empty_token” to manage the guests.

What is the Prosody version? It should be newer than 11.2.

Hi emrah,

Prosody version is:

Jan 09 15:56:49 startup info    Hello and welcome to Prosody version trunk nightly build 1377 (2021-01-05, 919e7b962f0b)

Completely commenting out the guest vhost makes no difference either :frowning:

Any other pointers as to why it is stating “Skipped room token verification”? Feels like it never actually looks at the token contents (although, as I said, the token is still honoured for things like username and avatar…)?

When there is no token, skipping the token verification is normal (since allow_empty_token=true). But if it’s skipping while there is an invalid token, that is not normal.

Are you sure it’s skipping the verification while there is an invalid token (I don’t mean an empty token)?

How would I know that? Is there a way to debug the token handling some more? As I said, I’m trying to send as “correct” tokens as I can (see the post further up for the structure). And it is getting parsed to some degree, as username and avatar information is indeed drawn from it…

I can’t guess why. If it’s OK for you, I can connect through SSH and check the server.

Thanks for sharing a useful post here.