Authenticating users in rooms

chamerling · March 20, 2020, 4:47pm

Hello,

Is there a way to authenticate users in rooms? I saw some messages about JWT in the forum but I can not find any information on how to setup things for this nor forge the token? Also, I can not find any documentation about it.

Thanks a lot for your help

damencho · March 20, 2020, 4:59pm

jwt is when you are embedding jitsi-meet in another app. You can use: https://github.com/jitsi/jicofo/blob/master/README.md#secure-domain

chamerling · March 20, 2020, 5:38pm

I want to embed it in another app, so can you point me to the right configuration/documentation for this?

damencho · March 20, 2020, 6:37pm

github.com

jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

JWT token authentication Prosody plugin
==================

This plugin implements Prosody authentication provider that verifies client connection based on JWT token described in [RFC7519].
It allows to use any external form of authentication with lib-jitsi-meet. Once your user authenticates you need to
generate the JWT token as described in the RFC and pass it to your client app. Once it connects with valid token is considered authenticated by jitsi-meet system.

During configuration you will need to provide the *application ID* that identifies the client and a *secret* shared by both server and JWT token generator. Like described in the RFC, secret is used to compute HMAC hash value which allows to authenticate generated token. There are many existing libraries which can be used to implement token generator. More info can be found here: [http://jwt.io/#libraries-io]

JWT token authentication currently works only with BOSH connections.

[RFC7519]: https://tools.ietf.org/html/rfc7519
[http://jwt.io/#libraries-io]: http://jwt.io/#libraries-io

### Token structure

The following JWT claims are used in authentication token:
- 'iss' specifies *application ID* which identifies the client app connecting to the server. It should be negotiated with the service provider before generating the token.
- 'room' contains the name of the room for which the token has been allocated. This is *NOT* full MUC room address. Example assuming that we have full MUC 'conference1@muc.server.net' then 'conference1' should be used here.  Alternately, a '*' may be provided, allowing access to all rooms within the domain.
- 'exp' token expiration timestamp as defined in the RFC

This file has been truncated. show original

chamerling · March 20, 2020, 8:03pm

All right, thanks for the link. I will try to run it using your docker-compose based project. Will share the configuration and other information here as soon as I can.

chamerling · March 23, 2020, 1:31pm

OK it works with docker-compose and when using the jitsi meet external api
Now, how can we use this with the mobile application? Imagine that:

I have a website which embeds jitsi, deployed on its own domain with JWT auth enabled
When the user is on mobile, instead of using the mobile browser, I want to force him to open the mobile app with right parameters. Are there some ‘hooks’ on the mobile app I can use for this?

chamerling · March 23, 2020, 8:29pm

For the record, you can open the mobile application by forging an URL like org.jitsi.meet:http://host/room?jwt=token

geleeroyale · April 1, 2020, 1:35am

Hey there! Since you did this recently I really think others would benefit from your learnings with JWT and docker-compose

chamerling · April 2, 2020, 7:35am

@geleeroyale of course! Here is what I updated in the .env file:

# Enable authentication.
ENABLE_AUTH=1

# Enable guest access.
ENABLE_GUESTS=0

# Select authentication type: internal, jwt or ldap
AUTH_TYPE=jwt

# JWT auuthentication


# Application identifier.
JWT_APP_ID=my_jitsi_app_id

# Application secret known only to your token.
JWT_APP_SECRET=my_super_super_secret

# (Optional) Set asap_accepted_issuers as a comma separated list.
JWT_ACCEPTED_ISSUERS=linagora

# (Optional) Set asap_accepted_audiences as a comma separated list.
JWT_ACCEPTED_AUDIENCES=jitsi

Then I built a backend service which is able to generate a JWT token using the same information as defined in Jitsi. When a user wants to join a room, he first gets a JWT token from this new service and uses it in mobile or external API client.

cristiantod · May 6, 2020, 6:51am

Hello, can jwt and ldap authentication work at the same time?
Thank you!

vishwanath_nijampurk · May 20, 2020, 1:39pm

how could you open env file?