How to achieve a fine control of the authentification? (restrict room creation AND authenticate users AND map room to user))

Sylvain · March 27, 2020, 8:37pm

Dear all,
Firs thank you for this really good software that allows to maintain the professional activity even with this epidemy. Also, please excuse my engilsh level.

I’m setting a server using docker for professionals of education.
Ideally they would like to :

Restrict access to the service to the set of registered students
Restrict the creation of the room to the staff
Control which student can access which room on the basis of their credential

The idea would be to allow the staff to planify the room in advance and have the gurantee that only the student registered for this course can access it impeding an abusive use of the resources or pertubation of the lesson.

I think this situation appears to be common: in fine, it is the use-case addressed by at least the following topics:

=====

Here are the results of my investigations:

A. It seems to me that the third point is difficult to realize ; I didn’t see any option about it. I read about tokens, but do not know if it can address the issue and how to do it.

B. The first point may be achieved by setting authorization, providing any user an authorization and prohibiting guests. But in this case any student could create a room to its liking. Also they could put a password to the room, and block everyone, what has already happened.

C. The second point may be achieved by only creating credential for the staff and allowing guest. As mentionned here, Restrict_room_creation doesn't work -> https://github.com/jitsi/jicofo#secure-domain. Or, as I commented on the above topic, by simply authorizing both authentification and guest. But this option would allow anyone to join an existent room thus invalidating 1.

D. Last, this last solution could be incremented by adding a password to the room. But this would add a significant load to both the staff and the student as the passwords should be renewed sufficiently too not be leaked while not being able to filter by identifier and thus impeding some persons to use it in a non desired way.

=====

Hence, I can not find a way to achieve both 1 and 2, and worse, 3. Similarly to the OP of Restrict_room_creation doesn't work, I had identified the presence of administrators in the configuration of prosody and supposed that I could give to administrators additional right. But it seems that it does not work this way (as answered in the afformentioned post).

So, my question is the following:
Is there a way to achieve both 1 and 2 and even 3? Maybe the use of those tokens??

Thanks to anyone that will take the time to attend my problem.
And thanks again for this work that is already really cool!!

sparviere · April 3, 2020, 12:29pm

Hi there, I’m also trying to achieve the same thing. Have you been able to achieve something? Thanks!

Sylvain · April 6, 2020, 2:39pm

Not at all…
I think the best bet would be with the token thing, but currently I am with the simple authorisation.
If I go back to this issue and find a solution I will update here.

github.com

jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

JWT token authentication Prosody plugin
==================

This plugin implements Prosody authentication provider that verifies client connection based on JWT token described in [RFC7519].
It allows to use any external form of authentication with lib-jitsi-meet. Once your user authenticates you need to
generate the JWT token as described in the RFC and pass it to your client app. Once it connects with valid token is considered authenticated by jitsi-meet system.

During configuration you will need to provide the *application ID* that identifies the client and a *secret* shared by both server and JWT token generator. Like described in the RFC, secret is used to compute HMAC hash value which allows to authenticate generated token. There are many existing libraries which can be used to implement token generator. More info can be found here: [http://jwt.io/#libraries-io]

JWT token authentication currently works only with BOSH connections.

[RFC7519]: https://tools.ietf.org/html/rfc7519
[http://jwt.io/#libraries-io]: http://jwt.io/#libraries-io

### Token structure

The following JWT claims are used in authentication token:
- 'iss' specifies *application ID* which identifies the client app connecting to the server. It should be negotiated with the service provider before generating the token.
- 'room' contains the name of the room for which the token has been allocated. This is *NOT* full MUC room address. Example assuming that we have full MUC 'conference1@muc.server.net' then 'conference1' should be used here.  Alternately, a '*' may be provided, allowing access to all rooms within the domain.
- 'exp' token expiration timestamp as defined in the RFC

This file has been truncated. show original

sparviere · April 6, 2020, 3:08pm

I implemented the JWT (token) authentication. Then by using the API you can implement your own application and try to restrict the room creation. You can check which user is trying to create the room and stop it. Also by using the token you can control which room the student can enter. If users can only access the room through your app, you don’t need the jitsi-meet landing page to be visible. You can hide it with an nginx directive, as suggested here:

Sylvain · April 6, 2020, 7:24pm

Thank you for your post.
What you are basically saying is that you did not found an integrated solution for this problem and developped your own by implementing your own interface to the video room and using the API?

If you are willing to share what you did I will be glad.

sparviere · April 6, 2020, 8:39pm

Actually I didn’t look for an integrated solution. I developed a web application (for remote schooling purpose) and basically I was looking for a videochat to give my users another feature. I was worried that the students could manipulate the javascript to spoil the videochat, I still am. But since now every room can be open just from my web application (unless someone finds out the secret key and application id) and I also save the room name in database plus room names are strictly defined, I think I can worry now about the load on my server.
What do you have now and what are you looking for?

metebyte · April 7, 2020, 4:38am

Well I’m also developing something like virtual workstation for our company. But the only workaround I believe getting local copy of jitsi-meet and customize the whole project for your needs. I’m still trying to get used to the architecture of project… Probably after I get to know the basic architecture I’ll just need to build the library and integrate into my web application… A very detailed documentation would be super good.