CONNECTION FAILED: connection.passwordRequired with JWT token-based authentication

Hello,

I tried to set up token-based authentication: first I enabled password authentication and then JWT token-based authentication. Installing the following packages changed the Prosody configuration as required, but it is not working for me.

# Installs a locally downloaded Prosody nightly (trunk) .deb directly with dpkg.
# NOTE(review): dpkg -i does not check an APT repository signature — verify where the package came from before installing.
sudo dpkg -i prosody-trunk_1nightly747-1~trusty_amd64.deb
# Installs the Jitsi Meet token-authentication package (the post says it rewrites the Prosody configuration).
apt-get install jitsi-meet-tokens

Even username/password login stopped working. After some struggle I resolved that issue, but in the end I ran into the following issue, and I can't see where I made a mistake.

Please paste your Prosody configuration.

Sure,
You can check the following:

prosody.cfg.lua

 -- Prosody XMPP Server Configuration
 -- Information on configuring Prosody can be found on our
 -- website at https://prosody.im/doc/configure

   -- Global section of the Prosody configuration: options here apply to the whole server.
   -- No server-wide administrator accounts are listed.
   admins = { }
   -- Modules loaded at startup; entries commented out with "--" are not loaded.
   modules_enabled = {
    -- Generally required
            "roster"; -- Allow users to have a roster. Recommended ;)
            "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
            "tls"; -- Add support for secure TLS on c2s/s2s connections
            "dialback"; -- s2s dialback support
            "disco"; -- Service discovery

    -- Not essential, but recommended
            "private"; -- Private XML storage (for room bookmarks, etc.)
            "vcard"; -- Allow users to set vCards

    -- These are commented by default as they have a performance impact
            --"blocklist"; -- Allow users to block communications with other users
            --"compression"; -- Stream compression (requires the lua-zlib package installed)

    -- Nice to have
            "version"; -- Replies to server version requests
            "uptime"; -- Report how long server has been running
            "time"; -- Let others know the time here on this server
            "ping"; -- Replies to XMPP pings with pongs
            "pep"; -- Enables users to publish their mood, activity, playing music and more
            -- NOTE(review): "register" is loaded while allow_registration = false is set below;
            -- presumably only password changes remain available — confirm the module is needed.
            "register"; -- Allow users to register on this server using a client and change passwords

    -- Admin interfaces
            "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
            --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

    -- HTTP modules
            --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
            --"http_files"; -- Serve static files from a directory over HTTP

    -- Other specific functionality
            --"groups"; -- Shared roster support
            --"announce"; -- Send announcement to all online users
            --"welcome"; -- Welcome users who register accounts
            --"watchregistrations"; -- Alert admins of registrations
            --"motd"; -- Send a message to users when they log in
            --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
 }

-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
	-- "offline"; -- Store offline messages
	-- "c2s"; -- Handle client connections
	-- "s2s"; -- Handle server-to-server connections
	-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
}
-- Disable account creation by default, for security
-- For more information see https://prosody.im/doc/creating_accounts
allow_registration = false

-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
-- Global key/certificate pair; the file names indicate a "localhost" certificate.
ssl = {
	key = "/etc/prosody/certs/localhost.key";
	certificate = "/etc/prosody/certs/localhost.crt";
}

-- consider_bosh_secure = true
-- NOTE(review): clients are not forced to use TLS on c2s connections, so credentials or
-- tokens could cross the network unencrypted unless every client path is protected
-- some other way — confirm this is intended.
c2s_require_encryption = false
-- Server-to-server peers are not required to authenticate with a valid certificate.
s2s_secure_auth = false


-- s2s_insecure_domains = { "gmail.com" }
--s2s_secure_domains = { "jabber.org" }

-- Required for init scripts and prosodyctl
pidfile = "/var/run/prosody/prosody.pid"

-- NOTE(review): set at global scope, so presumably inherited by every host that does not
-- override it — confirm that hosts using internal_plain can still persist their accounts.
storage = "none" -- Default is "internal"

-- Logging configuration
-- For advanced logging see https://prosody.im/doc/logging
log = {
	info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
	error = "/var/log/prosody/prosody.err";
	"*syslog";
}

-- Pulls in every per-host configuration file matching this pattern.
Include "conf.d/*.cfg.lua"

/etc/prosody/conf.d/vconf.vidoly.us.cfg.lua

      -- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is located
        plugin_paths = { "/usr/lib/prosody/modules/" }
	-- Main host: clients authenticate with a JWT ("token") instead of a password.
	VirtualHost "xxx.xxxxx.xx"
	-- enabled = false -- Remove this line to enable this host
	authentication = "token"
	-- NOTE(review): TLS is not required on c2s for this host; a token is a bearer credential,
	-- so confirm it can never travel over an unencrypted connection.
	c2s_require_encryption=false
	-- VirtualHost "guest.xxx.xxxxx.xx"
	-- authentication = "token"
	-- c2s_require_encryption = false
	-- Properties below are modified by jitsi-meet-tokens package config
	-- and authentication above is switched to "token"
	-- app_secret is a shared secret: tokens have to be signed with this value (HMAC, e.g. HS256),
	-- not with an RSA private key.
	app_id="xxxx_app"
	app_secret="xxxx_app_secret"
	-- Connections that present no token are rejected.
	allow_empty_token = false
	-- Assign this host a certificate for TLS, otherwise it would use the one
	-- set in the global section (if any).
	-- Note that old-style SSL on port 5223 only supports one certificate, and will always
	-- use the global one.
	ssl = {
	        key = "/etc/prosody/certs/xxx.xxxxx.xx.key";
	        certificate = "/etc/prosody/certs/xxx.xxxxx.xx.crt";
	}
	-- we need bosh
	modules_enabled = {
	    "bosh";
	    "pubsub";
	    "ping"; -- Enable mod_ping
	}
	-- NOTE(review): BOSH sessions are treated as secure by Prosody itself; this presumably
	-- relies on a TLS-terminating web server in front of it — confirm.
	consider_bosh_secure = true

-- Guest host: anonymous logins, no credentials required.
VirtualHost "guest.xxx.xxxxx.xx"
authentication = "anonymous"
-- c2s_require_encryption=false

-- Multi-user chat component for conference rooms; token_verification is loaded on it.
Component "conference.xxx.xxxxx.xx" "muc"
    storage = "none"
    modules_enabled = { "token_verification" }
-- NOTE(review): written at column 0 but placed after the Component line, so presumably
-- scoped to the conference component rather than the whole server — confirm.
admins = { "focus@auth.xxx.xxxxx.xx" }

-- NOTE(review): the component secrets in this file (here, focus and callcontrol below) are
-- shown in clear in a public post; treat them as exposed and rotate them.
Component "jitsi-videobridge.xxx.xxxxx.xx"
    component_secret = "6JDMWI95"

VirtualHost "auth.xxx.xxxxx.xx"
    ssl = {
	-- NOTE(review): no ".key" suffix, unlike the other key paths in this file — confirm the file name.
	key = "/etc/prosody/certs/auth.xxx.xxxxx.xx";
	certificate = "/etc/prosody/certs/auth.xxx.xxxxx.xx.crt";
    }
    -- internal_plain keeps account passwords unhashed in Prosody's store.
    authentication = "internal_plain"

Component "focus.xxx.xxxxx.xx"
    component_secret = "gQIXxX5J"
Component "callcontrol.xxx.xxxxx.xx" component_secret = "d2wrhrVL"

-- Internal MUC component with only mod_ping enabled and no persistent storage.
Component "internal.auth.xxx.xxxxx.xx" "muc"
    modules_enabled = {
      "ping";
    }
    storage = "none"
    muc_room_cache_size = 1000
-- Recorder host: password accounts stored unhashed (internal_plain), mod_ping enabled.
VirtualHost "recorder.xxx.xxxxx.xx"
  modules_enabled = {
    "ping";
  }
  authentication = "internal_plain"

jwt and username/password authentication cannot co-exist.

When you have configured token authentication, the error you see means that you have not provided a token, or the token is not correct.

@damencho
Agree JWT and username/password auth cannot co-exist.

I’m using the Node.js jsonwebtoken module to generate the token with the following code. Let me know if I missed something.

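// Generates a JWT for the Jitsi Meet / Prosody token setup and prints it to stdout.
const jwt = require('jsonwebtoken');
const fs = require('fs');

// NOTE(review): this is the host's TLS private key, reused here as the JWT signing key.
// A Prosody host configured with app_id/app_secret verifies tokens against that shared
// secret (HS256), so an RS256 signature made with this key will not be accepted there.
const privateKey = fs.readFileSync('/etc/prosody/certs/xxxx.xxxx.us.key');

// JWT "exp" is a NumericDate: seconds since the Unix epoch, not milliseconds.
// Adding a millisecond offset to Date.now() yields a value that, read as seconds,
// lies tens of thousands of years ahead, i.e. a token that effectively never expires.
const ONE_DAY_SECONDS = 24 * 60 * 60;
const issuedAtSeconds = Math.floor(Date.now() / 1000);

jwt.sign(
  {
    // NOTE(review): wildcard audience and room — presumably this token is accepted for
    // any room on the deployment; narrow both where the use case allows.
    "aud": "*",
    "iss": "xxxx_app",
    "sub": "xxxx.xxxx.us",
    "room": "*",
    "exp": issuedAtSeconds + ONE_DAY_SECONDS
  },
  privateKey,
  { algorithm: 'RS256' },
  function (err, token) {
    if (err) {
      // Report signing failures instead of printing "undefined" as the token.
      console.error(err);
      return;
    }
    console.log(token);
  }
);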

You are mixing JWT signing methods: you configured JWT with a shared secret, app_secret="xxxx_app_secret", so you need to sign the token with that secret using HS256. If you use RS256, you need to configure asap_key_server and use kid.

@damencho

Thank you gotcha!

Now the console prints something like the message below, and:

  1. video won’t display.
  2. participants can’t see each other, or can’t even join the room.

<d._allocateConferenceFocusSuccess>: Waiting for the focus… 64000

You can check the Prosody configuration in the 3rd comment of this thread.

Were you able to solve the issue? I have the same problem.