Authentication failed (Ubuntu, docker, jwt)

My Docker setup used to work fine (installation done in 2021), but when I updated to the recent version, the authentication no longer works.

I’m using Ubuntu 20.04, docker and jwt. Using the browser, I’m going to url Jitsi Meet (yes I realize the token is there). It shows the camera feed. But when I click the “Join meeting”, I get “Sorry! You are not allowed to be here :(”.

Prosody logs:

c2s556136a63330                                              info	Client connected
c2s556136a63330                                              info	Authenticated as 77ebf21a-0e24-4203-adc2-412ec72cd522@meet.jitsi
muc.meet.jitsi:token_verification                            error	Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsiYXZhdGFyIjoiLy9waWMuYWFtdS5hcHAvcC9jNzhkZTRiNC1jMWVkLTQxZTUtODNhZi1hMjczNTJjMTJjMzEvNjUyYzU1MTAtZGViZS00ZmZiLWE1YmMtODkzMzRiMDUzYzlmLzE2NzE1OTExMzI1MDkuanBnIiwibmFtZSI6Iklsa2thIEh1b3RhcmkiLCJpZCI6IjY1MmM1NTEwLWRlYmUtNGZmYi1hNWJjLTg5MzM0YjA1M2M5ZiJ9LCJncm91cCI6ImM3OGRlNGI0LWMxZWQtNDFlNS04M2FmLWEyNzM1MmMxMmMzMSJ9LCJhdWQiOiJhYW11YXBwIiwiaXNzIjoiYWFtdWFwcCIsInN1YiI6Im1lZXQuYWFtdS5hcHAiLCJyb29tIjoibmVhdHNwb3R0eWdhbGxpZm9ybSIsImlhdCI6MTY3MjAyMDk2Mn0.giPHy_tmcVPgHXKvagoUyhDqdrUOa4lbgYs66uDrmiA not allowed to join: neatspottygalliform@muc.meet.jitsi/77ebf21a
c2s556136a63330                                              info	Client disconnected: connection closed
speakerstats.meet.jitsi:speakerstats_component               warn	A module has been configured that triggers external events.
speakerstats.meet.jitsi:speakerstats_component               warn	Implement this lib to trigger external events.

Jicofo logs:

Jicofo 2022-12-26 03:25:47.590 INFO: [40] ConferenceIqHandler.handleConferenceIq#69: Focus request for room: neatspottygalliform@muc.meet.jitsi
Jicofo 2022-12-26 03:25:47.591 INFO: [40] AbstractAuthAuthority.createNewSession#158: Authentication session created for 019e96e9-e9d1-4e51-b672-bfdda24e8d51@meet.jitsi SID: 7a2092af-d12d-476d-8843-5712a23080cb
Jicofo 2022-12-26 03:25:47.591 INFO: [40] AbstractAuthAuthority.authenticateJidWithSession#431: Authenticated jid: 019e96e9-e9d1-4e51-b672-bfdda24e8d51@meet.jitsi/wCmKSWPYWwhJ with session: AuthSession[ID=019e96e9-e9d1-4e51-b672-bfdda24e8d51@meet.jitsi, JID=019e96e9-e9d1-4e51-b672-bfdda24e8d51@meet.jitsi/wCmKSWPYWwhJ, SID=7a2092af-d12d-476d-8843-5712a23080cb, MUID=251edfc643e0416f00a53cccb27d65e2, LIFE_TM_SEC=0, R=neatspottygalliform@muc.meet.jitsi]@2025475418
Jicofo 2022-12-26 03:25:47.591 INFO: [40] AbstractAuthAuthority.notifyUserAuthenticated#339: Jid 019e96e9-e9d1-4e51-b672-bfdda24e8d51@meet.jitsi/wCmKSWPYWwhJ authenticated as: 019e96e9-e9d1-4e51-b672-bfdda24e8d51@meet.jitsi
Jicofo 2022-12-26 03:25:47.592 INFO: [40] [room=neatspottygalliform@muc.meet.jitsi] JitsiMeetConferenceImpl.<init>#249: Created new conference.
Jicofo 2022-12-26 03:25:47.593 INFO: [40] [room=neatspottygalliform@muc.meet.jitsi] JitsiMeetConferenceImpl.joinTheRoom#429: Joining neatspottygalliform@muc.meet.jitsi

Web logs:

172.18.0.1 - - [26/Dec/2022:03:27:15 +0000] "GET /neatspottygalliform?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsiYXZhdGFyIjoiLy9waWMuYWFtdS5hcHAvcC9jNzhkZTRiNC1jMWVkLTQxZTUtODNhZi1hMjczNTJjMTJjMzEvNjUyYzU1MTAtZGViZS00ZmZiLWE1YmMtODkzMzRiMDUzYzlmLzE2NzE1OTExMzI1MDkuanBnIiwibmFtZSI6Iklsa2thIEh1b3RhcmkiLCJpZCI6IjY1MmM1NTEwLWRlYmUtNGZmYi1hNWJjLTg5MzM0YjA1M2M5ZiJ9LCJncm91cCI6ImM3OGRlNGI0LWMxZWQtNDFlNS04M2FmLWEyNzM1MmMxMmMzMSJ9LCJhdWQiOiJhYW11YXBwIiwiaXNzIjoiYWFtdWFwcCIsInN1YiI6Im1lZXQuYWFtdS5hcHAiLCJyb29tIjoibmVhdHNwb3R0eWdhbGxpZm9ybSIsImlhdCI6MTY3MjAyMDk2Mn0.giPHy_tmcVPgHXKvagoUyhDqdrUOa4lbgYs66uDrmiA HTTP/1.0" 200 23895 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
172.18.0.1 - - [26/Dec/2022:03:27:16 +0000] "GET /libs/excalidraw-assets/vendor-220a1bb1bd422d754c5d.js HTTP/1.0" 200 553015 "https://meet.aamu.app/neatspottygalliform?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsiYXZhdGFyIjoiLy9waWMuYWFtdS5hcHAvcC9jNzhkZTRiNC1jMWVkLTQxZTUtODNhZi1hMjczNTJjMTJjMzEvNjUyYzU1MTAtZGViZS00ZmZiLWE1YmMtODkzMzRiMDUzYzlmLzE2NzE1OTExMzI1MDkuanBnIiwibmFtZSI6Iklsa2thIEh1b3RhcmkiLCJpZCI6IjY1MmM1NTEwLWRlYmUtNGZmYi1hNWJjLTg5MzM0YjA1M2M5ZiJ9LCJncm91cCI6ImM3OGRlNGI0LWMxZWQtNDFlNS04M2FmLWEyNzM1MmMxMmMzMSJ9LCJhdWQiOiJhYW11YXBwIiwiaXNzIjoiYWFtdWFwcCIsInN1YiI6Im1lZXQuYWFtdS5hcHAiLCJyb29tIjoibmVhdHNwb3R0eWdhbGxpZm9ybSIsImlhdCI6MTY3MjAyMDk2Mn0.giPHy_tmcVPgHXKvagoUyhDqdrUOa4lbgYs66uDrmiA" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
172.18.0.1 - - [26/Dec/2022:03:27:18 +0000] "GET /pwa-worker.js HTTP/1.0" 200 3358 "https://meet.aamu.app/pwa-worker.js" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
172.18.0.1 - - [26/Dec/2022:03:27:18 +0000] "GET /libs/lib-jitsi-meet.e2ee-worker.js HTTP/1.0" 200 18355 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
172.18.0.1 - - [26/Dec/2022:03:27:18 +0000] "GET /xmpp-websocket?prefix=&room=neatspottygalliform&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsiYXZhdGFyIjoiLy9waWMuYWFtdS5hcHAvcC9jNzhkZTRiNC1jMWVkLTQxZTUtODNhZi1hMjczNTJjMTJjMzEvNjUyYzU1MTAtZGViZS00ZmZiLWE1YmMtODkzMzRiMDUzYzlmLzE2NzE1OTExMzI1MDkuanBnIiwibmFtZSI6Iklsa2thIEh1b3RhcmkiLCJpZCI6IjY1MmM1NTEwLWRlYmUtNGZmYi1hNWJjLTg5MzM0YjA1M2M5ZiJ9LCJncm91cCI6ImM3OGRlNGI0LWMxZWQtNDFlNS04M2FmLWEyNzM1MmMxMmMzMSJ9LCJhdWQiOiJhYW11YXBwIiwiaXNzIjoiYWFtdWFwcCIsInN1YiI6Im1lZXQuYWFtdS5hcHAiLCJyb29tIjoibmVhdHNwb3R0eWdhbGxpZm9ybSIsImlhdCI6MTY3MjAyMDk2Mn0.giPHy_tmcVPgHXKvagoUyhDqdrUOa4lbgYs66uDrmiA HTTP/1.1" 101 6389 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
172.18.0.1 - - [26/Dec/2022:03:27:18 +0000] "GET /static/authError.html HTTP/1.0" 200 813 "https://meet.aamu.app/neatspottygalliform" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
172.18.0.1 - - [26/Dec/2022:03:27:20 +0000] "GET /pwa-worker.js HTTP/1.0" 200 3358 "https://meet.aamu.app/pwa-worker.js" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"

The token in the prosody logs seems to be the same as in the url (no error there).

Here is the jitsi-meet.cfg.lua (the secret taken away):
jitsi-meet.cfg.lua.txt (3.4 KB)

The customizations are only in the .env (I made this as bare bones as possible) and in the incoming nginx config (for meet.aamu.app domain). I am using “my own” Let’s Encrypt certificate for this domain, didn’t set it up in Jitsi .env.

Why does this happen?

Is there an error? The latter says just 77ebf21a.

I also tried with the docker-jitsi-meet tags stable-8138-1 and stable-8138 with the same result.

I have changed the web port 8000 to 18000 as there was something else in the port 8000:

app2@ubuntu-4gb-ash-2:~/docker-jitsi-meet$ docker ps
CONTAINER ID   IMAGE                         COMMAND   CREATED         STATUS         PORTS                                                                              NAMES
1c037e46fa39   jitsi/jvb:stable-8138-1       "/init"   2 minutes ago   Up 2 minutes   127.0.0.1:8080->8080/tcp, 0.0.0.0:10000->10000/udp, :::10000->10000/udp            docker-jitsi-meet-jvb-1
4586eb8e9ef1   jitsi/jicofo:stable-8138-1    "/init"   2 minutes ago   Up 2 minutes                                                                                      docker-jitsi-meet-jicofo-1
efa6215902f2   jitsi/web:stable-8138-1       "/init"   2 minutes ago   Up 2 minutes   0.0.0.0:18000->80/tcp, :::18000->80/tcp, 0.0.0.0:8443->443/tcp, :::8443->443/tcp   docker-jitsi-meet-web-1
8aa9cb09c1be   jitsi/prosody:stable-8138-1   "/init"   2 minutes ago   Up 2 minutes   5222/tcp, 5280/tcp, 5347/tcp                                                       docker-jitsi-meet-prosody-1

I tried the tag stable-6173 and it works.

The .env file was a little different (when copied from the env.example) and I tried that one with the newest tag stable-8138-1, but it didn’t help. The newest still doesn’t authenticate.

Tag stable-6726-2 works.

Tag stable-7001 works.

Tag stable-7287-2 works.

Tag stable-7577 doesn’t seem to work, but I get another kind of error.

Tag stable-7439-2 works.

Tag stable-7648-4 gives this which is the original problem.

image

Can you set enable_domain_verification as false in prosody

Ok, it took a while to find out how to do that (JWT_ENABLE_DOMAIN_VERIFICATION=false into the .env file) but after that everything works again. The latest version as well.

Thank you!

Maybe this will help the Jitsi team?