Authenticated users with JWT, first participant as moderator and other as participants

Srdjan_Ilic · May 18, 2022, 9:01am

Hi all,

I want to share and check the solution for making the one who first enters the conference be Moderator(have Moderator rights) and all connected after first one being Participants(not having Moderator rights), by using JWT authentification.

What we have done is that we are using JWT auth for all participants so all of them are authenticated. I can confirm they are acting as moderators if org.jitsi.jicofo.auth.URL=SOME_DOMAIN is configured in jicofo configuration.

What we have done is to just comment (remove) the line
jicofo org.jitsi.jicofo.auth.URL=<domain> and now we do have that only first participant is moderator and all others are participants.

I was trying to check if there are any negative implications and couldn’t see any.

Difference in console log is that when that line is present we do have :

[modules/xmpp/moderator.js] <Ls.parseConfigOptions>: Authentication enabled: true

and when the line is not present we have

[modules/xmpp/moderator.js] <Ls.parseConfigOptions>: Authentication enabled: false

Can anyone confirm that this is how it is supposed to be configured in case we do want to have only first participant as moderator.

I am aware that we can use prosody plugins for this but this looks like it is working properly.

Regards,
Srdjan I.

saghul · May 19, 2022, 6:53am

What you want is to have moderators with guests, right?

Note that the config you are using is deprecated. I’d recommend you use the new syntax in jicofo.conf. You need this:

jicofo {
    authentication {
        enabled = true
        type = JWT
        login-url = SOME_DOMAIN
    }
}

Then in your config.js

hosts: {
    domain: 'SOME_DOMAIN',
    anonymousdomain: 'guest.SOME_DOMAIN',
    authdomain: 'auth.SOME_DOMAIN',
}

I suspect the behavior you get currently it’s sort of an accident.

Srdjan_Ilic · May 19, 2022, 8:21am

I want to have first user being moderator but without allowing anyone to connect anonymously (being a guest). So basically i want first authenticated user to be moderator and all others authenticated users to be only participants without moderator rights.

I know that we were using deprecated config, we can use the new one as well and its the same.
When

    authentication {
    }

is removed from jicofo config we have the behavior that we want, only the first user that connect is moderator.

That is what i wanted to check, are we hitting a bug or this is expected behavior ?

Regards,
Srdjan I.

shawn · May 19, 2022, 9:47am

That matches our observations too. Things don’t work (can’t remember what the side-effects are) if we set jicofo.authentication block to JWT. Which makes sense, since JWT auth is handled in prosody not Jicofo.

This is briefly discussed in the following thread, but no definitive conclusion.

Re your use case where you want all guests to have valid JWT and only first becomes moderator, sounds like you already have it working? For the record, the approach would be to:

Set up JWT auth as documented
In prosody config under the main virtualhost, set allow_empty_token = false so all guests will require JWT token
In jicofo config, set enable-auto-owners = true so jicofo will automatically promote first joiner as moderator, and the next in line if the moderator leaves.

Srdjan_Ilic · May 19, 2022, 9:56am

Correct, it is working if it is set like this.
It would be good to know if we can keep this solution or it is going to be changed in future jicofo/prosody updates.

Thanks for response.

Regards,
Srdjan I.

shawn · May 19, 2022, 9:59am

Nothing is set in stone, so always retest the scenario on every upgrade. But this particular setup (without auth block in jicofo) has worked for us for a very long time across many many upgrades.

It would however be nice to have a definitive answer on what the jicofo.authentication.type=JWT is meant to do, especially since that is mentioned in Secure Domain docs. @damencho sorry to pull you in; any ideas?

saghul · May 19, 2022, 9:59am

That is how it should be. Removing the auth block is what I’m not sure about.

damencho · May 19, 2022, 12:57pm

The jwt setting in jicofo is used when there is an external login URL for jwt.

github.com

jitsi/jicofo/blob/3936f654fc90d0aac9c109efc50d692ab3f457d6/src/main/java/org/jitsi/jicofo/auth/ExternalJWTAuthority.java#L25

      
        
            * See the License for the specific language governing permissions and
            * limitations under the License.
            */
            package org.jitsi.jicofo.auth;
            
            
import org.jxmpp.jid.*;
            
            
import java.time.*;
            
            
/**
            * Special case of <tt>XMPPDomainAuthAuthority</tt> where the user is
            * authenticated in Prosody with JWT token authentication method. The name of
            * XMPP domain should be passed to the constructor, which will happen when
            * {@link AuthConfig#getLoginUrl()} is set to
            * "EXT_JWT:auth.server.net", where 'auth.server.net' is the Prosody domain with
            * JWT token authentication enabled.
            * In order to obtain JWT, the user visits external "login" service from where
            * is redirected back to the app with the token. That's why
            * {@link #isExternal()} is overridden to return <tt>true</tt>.
            *
            * @author Pawel Domas

Used with: jitsi-meet/do_external_connect.js at d388a7bd3c756bcb0fdc0040a2e8cbc16a628f91 · jitsi/jitsi-meet · GitHub

shawn · May 19, 2022, 1:31pm

Interesting.

But not sure I understand how that works. Does it behave like Secure Domain auth, but instead of username/password you instead get sent to an external URL that will handle token generation and redirect back?

Would enable-auto-login still work when this? (I’m trying to figure out when to use this instead of tokenAuthUrl config).

damencho · May 19, 2022, 1:48pm

I think so I have never used that and it is an old feature not really used …

Really, I don’t know I would guess so.

shawn · May 19, 2022, 2:03pm

Thanks for the info. Maybe I will experiment with it some day.

Till then, I guess it is safe to say we don’t need to set jicofo.authentication.type=JWT when deploying a “standard” JWT auth scenario.

damencho · May 19, 2022, 2:04pm

saghul · May 19, 2022, 3:25pm

Remember that we also use it for the normal JWT flow in Docker.