I tried to set up authentication using tokens: first I enabled password login, and then JWT token-based authentication. When I installed the following, it changed the Prosody configuration as required, but it is not working for me.
Even username/password login stopped working. After some struggle I resolved that issue, but I am now facing the following problem and cannot see where I made a mistake.
-- Prosody XMPP Server Configuration
-- Information on configuring Prosody can be found on our
-- website at https://prosody.im/doc/configure
-- NOTE(review): this is the global section; every setting here is inherited
-- by the VirtualHost/Component sections in the included files unless a host
-- overrides it.
admins = { }
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
-- These are commented by default as they have a performance impact
--"blocklist"; -- Allow users to block communications with other users
--"compression"; -- Stream compression (requires the lua-zlib package installed)
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"pep"; -- Enables users to publish their mood, activity, playing music and more
"register"; -- Allow users to register on this server using a client and change passwords
-- Admin interfaces
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
--"groups"; -- Shared roster support
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
}
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
-- "offline"; -- Store offline messages
-- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
}
-- Disable account creation by default, for security
-- For more information see https://prosody.im/doc/creating_accounts
-- (mod_register stays loaded above so existing users can still change passwords.)
allow_registration = false
-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
ssl = {
key = "/etc/prosody/certs/localhost.key";
certificate = "/etc/prosody/certs/localhost.crt";
}
-- consider_bosh_secure = true
-- NOTE(review): with c2s_require_encryption = false, clients may authenticate
-- over a plaintext connection; set it to true once TLS works on every host.
c2s_require_encryption = false
-- NOTE(review): s2s_secure_auth = false does not require remote servers to
-- present a valid certificate; acceptable for a standalone deployment that
-- does not federate, otherwise consider enabling it.
s2s_secure_auth = false
-- s2s_insecure_domains = { "gmail.com" }
--s2s_secure_domains = { "jabber.org" }
-- Required for init scripts and prosodyctl
pidfile = "/var/run/prosody/prosody.pid"
-- NOTE(review): a global storage = "none" is inherited by every host that
-- does not set its own storage, including the "auth" host below whose
-- internal_plain accounts are presumably read from storage. The default is
-- "internal"; the included file sets "none" only on the MUC components.
-- Worth confirming this is not what broke username/password login.
storage = "none" -- Default is "internal"
-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
log = {
info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
error = "/var/log/prosody/prosody.err";
"*syslog";
}
Include "conf.d/*.cfg.lua"
/etc/prosody/conf.d/vconf.vidoly.us.cfg.lua
-- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is located
plugin_paths = { "/usr/lib/prosody/modules/" }
VirtualHost "xxx.xxxxx.xx"
-- enabled = false -- Remove this line to enable this host
-- Main host: logins are accepted only with a valid JWT (mod_auth_token).
authentication = "token"
c2s_require_encryption=false
-- VirtualHost "guest.xxx.xxxxx.xx"
-- authentication = "token"
-- c2s_require_encryption = false
-- Properties below are modified by jitsi-meet-tokens package config
-- and authentication above is switched to "token"
app_id="xxxx_app"
-- NOTE(review): app_secret is the shared secret the token plugin uses to
-- verify token signatures; it is a credential. Never paste the real value
-- publicly, and rotate it if it has been exposed.
app_secret="xxxx_app_secret"
-- Keep false: an empty token must not be accepted as a valid login.
allow_empty_token = false
-- Assign this host a certificate for TLS, otherwise it would use the one
-- set in the global section (if any).
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-- use the global one.
ssl = {
key = "/etc/prosody/certs/xxx.xxxxx.xx.key";
certificate = "/etc/prosody/certs/xxx.xxxxx.xx.crt";
}
-- we need bosh
modules_enabled = {
"bosh";
"pubsub";
"ping"; -- Enable mod_ping
}
-- NOTE(review): consider_bosh_secure = true tells Prosody to treat BOSH
-- sessions as encrypted; only correct if the BOSH endpoint is reached over
-- HTTPS (e.g. via a TLS-terminating web server) — TODO confirm.
consider_bosh_secure = true
VirtualHost "guest.xxx.xxxxx.xx"
-- Guest host: anonymous (unauthenticated) sessions only.
authentication = "anonymous"
-- c2s_require_encryption=false
Component "conference.xxx.xxxxx.xx" "muc"
storage = "none"
-- token_verification checks the JWT room/affiliation claims on MUC join.
modules_enabled = { "token_verification" }
admins = { "focus@auth.xxx.xxxxx.xx" }
Component "jitsi-videobridge.xxx.xxxxx.xx"
-- NOTE(review): component_secret values (here and for the focus and
-- callcontrol components) are credentials; values pasted publicly should be
-- rotated on both Prosody and the connecting service.
component_secret = "6JDMWI95"
VirtualHost "auth.xxx.xxxxx.xx"
ssl = {
-- NOTE(review): this key path has no ".key" suffix, unlike the other hosts'
-- key entries and the ".crt" certificate below; verify the file exists under
-- this exact name.
key = "/etc/prosody/certs/auth.xxx.xxxxx.xx";
certificate = "/etc/prosody/certs/auth.xxx.xxxxx.xx.crt";
}
-- NOTE(review): internal_plain stores account passwords unhashed;
-- internal_hashed stores salted hashes and is preferable for new deployments
-- (existing accounts would need re-creation) — TODO confirm client support.
authentication = "internal_plain"
Component "focus.xxx.xxxxx.xx"
component_secret = "gQIXxX5J"
Component "callcontrol.xxx.xxxxx.xx" component_secret = "d2wrhrVL"
Component "internal.auth.xxx.xxxxx.xx" "muc"
modules_enabled = {
"ping";
}
storage = "none"
muc_room_cache_size = 1000
VirtualHost "recorder.xxx.xxxxx.xx"
modules_enabled = {
"ping";
}
authentication = "internal_plain"
You are mixing JWT signing methods: you configured JWT with a shared secret (`app_secret="xxxx_app_secret"`),
so you need to sign the token with HS256 using that same secret. If you use RS256 instead, you need to configure asap_key_server and use kid.