I have discovered that Jitsi requires the “sub” field of a token to be the server name, which is quite odd to me. That field is always used to identify the user to whom the token refers, and as such Auth0 won’t even allow overriding that value. Does this mean that Jitsi is incompatible with Auth0 JWT Auth? Surely there is a way around this? map the need for “sub” onto another custom claim name?
Any help will be much appreciated, this is a major showstopper!
enable_domain_verification = false in prosody config. That should disable subdomain verification against the
Thanks a million shawn! Worked like a charm. I had not seen that in my various searchings on the subject. that would be very good info to put in the JWT docs!
Curious, why was it decided to use “sub” for a domain instead of a custom claim? I could see a future where we do need to define the server name but our auth provider does not allow for overriding the “sub” claim as that claim seems to be broadly used to identify the user.
I’m afraid I cannot comment on that. “sub” claim has been used in token checks since a long long time ago. It hasn’t caused much issue in the 5 years since (hence never revisited), but that might also be because
enable_domain_verification used to default to
false until fairly recently when it was enable by default.
My two cents on this is that while I agree with you that reappropriating “sub” (subject) here is not ideal, changing it may break deployments that’s been relying on that for years. It’s easy enough to disable that check, and to possibly write an extra plugin that does the domain verification against a different claim if required, so I’m not sure if there will be much appetite for changing this. But I could be wrong.
The usage “sub” is already documented here, but you’re right that it does not currently mention that it could be disabled using
You could try raising a PR perhaps?