Authenticated users with JWT, first participant as moderator and other as participants

Hi all,

I want to share and check the solution for making the one who first enters the conference be Moderator (have Moderator rights) and all connected after the first one be Participants (not having Moderator rights), by using JWT authentication.

What we have done is that we are using JWT auth for all participants so all of them are authenticated. I can confirm they are acting as moderators if org.jitsi.jicofo.auth.URL=SOME_DOMAIN is configured in jicofo configuration.

What we have done is to just comment (remove) the line
jicofo org.jitsi.jicofo.auth.URL=<domain> and now we do have that only first participant is moderator and all others are participants.

I was trying to check if there are any negative implications and couldn’t see any.

Difference in console log is that when that line is present we do have:

[modules/xmpp/moderator.js] <Ls.parseConfigOptions>: Authentication enabled: true

and when the line is not present we have

[modules/xmpp/moderator.js] <Ls.parseConfigOptions>: Authentication enabled: false

Can anyone confirm that this is how it is supposed to be configured in case we do want to have only the first participant as moderator?

I am aware that we can use prosody plugins for this but this looks like it is working properly.

Regards,
Srdjan I.

What you want is to have moderators with guests, right?

Note that the config you are using is deprecated. I’d recommend you use the new syntax in jicofo.conf. You need this:

jicofo {
    authentication {
        enabled = true
        type = JWT
        login-url = SOME_DOMAIN
    }
}

Then in your config.js

hosts: {
    domain: 'SOME_DOMAIN',
    anonymousdomain: 'guest.SOME_DOMAIN',
    authdomain: 'auth.SOME_DOMAIN',
}

I suspect the behavior you get currently is sort of an accident.

I want to have the first user being moderator but without allowing anyone to connect anonymously (being a guest). So basically I want the first authenticated user to be moderator and all other authenticated users to be only participants without moderator rights.

I know that we were using deprecated config, we can use the new one as well and it's the same.
When

authentication {
}

is removed from jicofo config we have the behavior that we want, only the first user that connects is moderator.

That is what I wanted to check: are we hitting a bug or is this expected behavior?

Regards,
Srdjan I.

That matches our observations too. Things don’t work (can’t remember what the side-effects are) if we set jicofo.authentication block to JWT. Which makes sense, since JWT auth is handled in prosody not Jicofo.

This is briefly discussed in the following thread, but no definitive conclusion.

Re your use case where you want all guests to have valid JWT and only first becomes moderator, sounds like you already have it working? For the record, the approach would be to:

  1. Set up JWT auth as documented
  2. In prosody config under the main virtualhost, set allow_empty_token = false so all guests will require JWT token
  3. In jicofo config, set enable-auto-owners = true so jicofo will automatically promote first joiner as moderator, and the next in line if the moderator leaves.
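As an added illustration of steps 1 and 2 above (this is example configuration written for this page, not a snippet from the thread or from the Jitsi project), here is what the prosody side of that setup looks like. The hostname, app_id and app_secret are placeholders; the only setting that matters for the thread's question is allow_empty_token = false, which closes the no-token (guest) path so that every participant must present a valid JWT.

```lua
-- Added example, not from the thread or the Jitsi project.
-- Hostname, app_id and app_secret are placeholders.
VirtualHost "meet.example.com"
    -- Use the jitsi-meet token authenticator instead of anonymous auth.
    authentication = "token"
    -- Identifier the tokens are issued for and the shared HS256 secret
    -- used to verify them; keep the secret out of version control.
    app_id = "PLACEHOLDER_APP_ID"
    app_secret = "PLACEHOLDER_APP_SECRET"
    -- Step 2 from the thread: with allow_empty_token = true a client that
    -- presents no token is still admitted as a guest; false refuses it, so
    -- only JWT-authenticated users can reach the conference at all.
    allow_empty_token = false
    modules_enabled = {
        "bosh";
        "ping";
    }

-- The conference MUC verifies the token's room claim against the room the
-- client actually tries to join, so a token for one room cannot be reused
-- for another.
Component "conference.meet.example.com" "muc"
    modules_enabled = {
        "token_verification";
    }
```

The jicofo half of the recipe (step 3) is a single HOCON setting, which I understand to live under the conference section of jicofo.conf: `jicofo { conference { enable-auto-owners = true } }`, with the `jicofo.authentication` block left out entirely, as the thread describes. When verifying the setup, the check worth doing is the negative one: a client that connects with no token, or with a token for a different room, must be rejected by prosody rather than joining as a guest.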

Correct, it is working if it is set like this.
It would be good to know if we can keep this solution or whether it is going to be changed in future jicofo/prosody updates.

Thanks for response.

Regards,
Srdjan I.

Nothing is set in stone, so always retest the scenario on every upgrade. But this particular setup (without auth block in jicofo) has worked for us for a very long time across many many upgrades.

It would however be nice to have a definitive answer on what the jicofo.authentication.type=JWT is meant to do, especially since that is mentioned in Secure Domain docs. @damencho sorry to pull you in; any ideas?

That is how it should be. Removing the auth block is what I’m not sure about.

The jwt setting in jicofo is used when there is an external login URL for jwt.

Used with: jitsi-meet/do_external_connect.js at d388a7bd3c756bcb0fdc0040a2e8cbc16a628f91 · jitsi/jitsi-meet · GitHub

Interesting.

But not sure I understand how that works. Does it behave like Secure Domain auth, but instead of username/password you instead get sent to an external URL that will handle token generation and redirect back?

Would enable-auto-login still work with this? (I’m trying to figure out when to use this instead of tokenAuthUrl config).

I think so :slight_smile: I have never used that and it is an old feature not really used …

Really, I don’t know :slight_smile: I would guess so.

:smiley:

Thanks for the info. Maybe I will experiment with it some day.

Till then, I guess it is safe to say we don’t need to set jicofo.authentication.type=JWT when deploying a “standard” JWT auth scenario.

:+1:

Remember that we also use it for the normal JWT flow in Docker.