Authentication with JWT only works when using "meet.jitsi" as "sub"

neven.luetic · February 13, 2023, 2:51pm

I have a jitsi instance that I would like to use exclusively from rocketchat using authentication with JWTs.

My jitsi instance is set up using docker-compose according to the documentation.

When I try to authenticate without rocketchat with a handgenerated token from jwt.io, this only works, when the component “sub” of the jwt is “meet.jitsi”. I am not able to use my real domain “mydomain.mytld”.

When I try to authenticate with rocketchat, prosody gives an error, saying
muc.meet.jitsi:token_verification error Token **** not allowed to join: 3e9f37643db79a029258710@muc.meet.jitsi/d6622762

In the client I see the error message “Sorry, you are not allowed to be here”.

When I decipher the jwt passed from rocketchat, I can see, that it uses the complete fqdn of the rocketchat instance as the “sub”, which is chat.mydomain.mytld.

Unfortunately there is no separate setting for the “sub” of the JWT in Rocketchat.

As far as I understand the jitsi documentation, it should be possible to use any “sub” in the JWT for jitsi.

If I set XMPP_MUC_DOMAIN to mydomain.mytld everything does work (both, rocketchat and jitsi use the same domain).

I would appreciate it, if somebody could clarify, if this actually is a solution or if I might have introduced other problems. Besides, it would be interesting to know, if this is an error in jitsi concerning the treatment of the “sub”. If not, the documentation should probably mention how to handle this situation. I imagine there are more applications like rocketchat, that generate JWTs based on some “sub” that is not easily configurable.

I have described this problem already in https://community.jitsi.org/t/jwt-tokens-install-guide, but did not get any reaction in the past 10 days, so I assumed it is not being monitored.

shawn · February 13, 2023, 4:20pm

That is not true if subdomain verification is enabled.

neven.luetic · February 13, 2023, 8:13pm

Thank you very much for this hint. Setting JWT_ENABLE_DOMAIN_VERIFICATION=false solved the problem!

So I will keep this solution. Also I take from this that XMPP_MUC_DOMAIN (or XMPP_DOMAIN) should not be changed in cases like this one.

It would surely be very helpful to add this to the documentation in two places:

the env.example for the docker setup (by just adding JWT_ENABLE_DOMAIN_VERIFICATION=true, so this default becomes visible)
the deployment guide for docker; the fact that “meet.jitsi” is the default domain is mentioned but it is not clear, what that means

shawn · February 13, 2023, 9:51pm

If it helps, as of the latest stable docker release (8252), JWT_ENABLE_DOMAIN_VERIFICATION now defaults to false.

github.com

jitsi/docker-jitsi-meet/blob/4a0b48c4118b9df5242dd2152303edb810e5b942/CHANGELOG.md?plain=1#L8


      
          ## stable-8252
          
          
Based on stable release 8252.
          
          
* 076dbf7 jibri: fix downloading new (>= 109) ChromeDriver
          * 8f40804 jibri: update Chrome to M109
          * 1cf8638 compose: fix whiteboard collab server variable name
          * 9e0305b prosody: set JWT_ENABLE_DOMAIN_VERIFICATION to false by default
          * ac551c3 base: update tpl
          * ec972ee base: update tpl
          * 8684b0b misc: working on unstable
          
          
## stable-8218
          
          
Based on stable release 8218.
          
          
* 8d7728b jibri: update Chrome to M108
          * 9cfbaf2 misc: drop JICOFO_AUTH_USER

It is however still enabled by default for non-docker installations.