Guest able to create room - JWT auth not working

Hi @damencho @corby @saghul ,

We are using JWT auth for Jitsi-meet. In the previous version of Jitsi with prosody 0.11.7, JWT was working properly.

In the recent one, the host is able to use JWT for auth, but we want guests NOT to be able to create a room/recording or join a meeting until the host starts the meeting.

Here is the config :

For Guest

VirtualHost "guest.mydomain.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    -- app_id="Izyvid"
    -- app_secret="Izyvidisawesome"
    app_id = "appid"
    -- app_secret = "IzyVidMe"
    app_secret = "appsecret"
    c2s_require_encryption=true
    allow_empty_token=true

For MainHost:

VirtualHost "mydomain.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="AppId"
    app_secret="AppSecret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/mydomain.com.key";
        certificate = "/etc/prosody/certs/mydomain.com.crt";
    }
    speakerstats_component = "speakerstats.mydomain.com"
    conference_duration_component = "conferenceduration.mydomain.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.mydomain.com"
    main_muc = "conference.mydomain.com"
    -- muc_lobby_whitelist = { "recorder.mydomain.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

Is enableUserRolesBasedOnToken: true, set in /etc/jitsi/meet/DOMAIN-config.js?

This was dropped from the code.

oops

@damencho please suggest where we are going wrong. We tried all possible things but none of them worked out.

As @keithbayer mentioned and you clarified, we had enableUserRolesBasedOnToken: true, in the previous version and it was working fine then. In the current Jitsi stable version, putting guest restriction via JWT is a problem.

Requesting your advice.

The guest domain was implemented to be used with the secure domain setup; the fact that it worked in some form with JWT is a coincidence … I’m not sure where the problem is … you also haven’t described what exactly is not working. Any logs for the errors you see?

@damencho The problem is:

Guest users (without token) can also create rooms, recordings etc. Basically all the features of Jitsi; they don’t have JWT token auth but they are accessing everything which is meant for registered users.

Earlier, with JWT working, things were great. But with the latest version, it has stopped working for guest authentication.

Configuration of prosody was:

VirtualHost "guest.mydomain.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    -- app_id="Izyvid"
    -- app_secret="Izyvidisawesome"
    app_id = "appid"
    -- app_secret = "IzyVidMe"
    app_secret = "appsecret"
    c2s_require_encryption=true
    allow_empty_token=true

IIUC you don’t need a VirtualHost block for guests. Set allow_empty_token=true in the main VirtualHost block and use the token_affiliation and token_owner_party Prosody modules.

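A sketch of the layout suggested in the reply above, as an added example that is not part of the original thread or the Jitsi project's own configuration: the guest VirtualHost is dropped, empty tokens are allowed on the main host, and the two modules are enabled on the MUC component. The domain names and `app_id`/`app_secret` values are placeholders, and the placement of the modules under the `conference.` component, their described behaviour, and their presence in Prosody's plugin path are assumptions.

```lua
-- Added example, not the poster's actual file. Placeholder domain and secrets.

-- Main host: token authentication stays on. Users arriving without a JWT are
-- still admitted (allow_empty_token), so what they may do is decided in the MUC.
VirtualHost "mydomain.com"
    authentication = "token"
    app_id = "AppId"            -- placeholder
    app_secret = "AppSecret"    -- placeholder
    allow_empty_token = true
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
    }
    lobby_muc = "lobby.mydomain.com"
    main_muc = "conference.mydomain.com"

-- No VirtualHost "guest.mydomain.com" block: token-less users share the main host.

-- MUC component (assumed placement of the modules named in the reply).
Component "conference.mydomain.com" "muc"
    modules_enabled = {
        "token_verification";   -- checks the claims of a presented JWT against the room
        "token_affiliation";    -- assumed: sets owner or member affiliation from the token
        "token_owner_party";    -- assumed: ends the room when no token-bearing owner is present
    }
```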

This works, thank you so much @emrah and @damencho.
