How to achieve a fine control of the authentication? (restrict room creation AND authenticate users AND map room to user)

Dear all,
First, thank you for this really good software that allows us to maintain professional activity even with this epidemic. Also, please excuse my English level.

I’m setting a server using docker for professionals of education.
Ideally they would like to:

  1. Restrict access to the service to the set of registered students
  2. Restrict the creation of the room to the staff
  3. Control which student can access which room on the basis of their credential

The idea would be to allow the staff to plan the room in advance and have the guarantee that only the students registered for this course can access it, impeding an abusive use of the resources or perturbation of the lesson.

I think this situation appears to be common: in fine, it is the use-case addressed by at least the following topics:




=====

Here are the results of my investigations:

A. It seems to me that the third point is difficult to realize; I didn’t see any option about it. I read about tokens, but do not know if they can address the issue and how to do it.

B. The first point may be achieved by setting authorization, providing every user an authorization and prohibiting guests. But in this case any student could create a room to their liking. Also they could put a password on the room, and block everyone, which has already happened.

C. The second point may be achieved by only creating credentials for the staff and allowing guests. As mentioned here, Restrict_room_creation doesn't work -> https://github.com/jitsi/jicofo#secure-domain. Or, as I commented on the above topic, by simply authorizing both authentication and guests. But this option would allow anyone to join an existing room, thus invalidating 1.

D. Last, this last solution could be incremented by adding a password to the room. But this would add a significant load to both the staff and the students, as the passwords should be renewed sufficiently to not be leaked, while not being able to filter by identifier and thus impeding some persons from using it in an undesired way.

=====

Hence, I cannot find a way to achieve both 1 and 2, and worse, 3. Similarly to the OP of Restrict_room_creation doesn't work, I had identified the presence of administrators in the configuration of prosody and supposed that I could give administrators additional rights. But it seems that it does not work this way (as answered in the aforementioned post).

So, my question is the following:
Is there a way to achieve both 1 and 2 and even 3? Maybe the use of those tokens??

Thanks to anyone that will take the time to attend my problem.
And thanks again for this work that is already really cool!!


Hi there, I’m also trying to achieve the same thing. Have you been able to achieve something? Thanks!

Not at all…
I think the best bet would be with the token thing, but currently I am with the simple authorisation.
If I go back to this issue and find a solution I will update here.

I implemented the JWT (token) authentication. Then by using the API you can implement your own application and try to restrict the room creation. You can check which user is trying to create the room and stop it. Also by using the token you can control which room the student can enter. If users can only access the room through your app, you don’t need the jitsi-meet landing page to be visible. You can hide it with an nginx directive, as suggested here:

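The room-scoped token approach described in the post above, as an added example that is not part of the thread or any poster's code: a backend mints an HS256 JWT only for a student enrolled in the requested room, and a local check mirrors the signature, issuer, validity-window and room verification. The claim names follow Jitsi's JWT scheme (`iss`, `aud`, `sub`, `room`, `exp`); the app id, secret, domain, enrolment table and function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions, not taken from the thread).
APP_ID = "school_app"                      # must match the app id configured on the server
APP_SECRET = b"replace-with-a-long-random-secret"
DOMAIN = "meet.example.org"
ENROLMENT = {"math-101": {"alice", "bob"}, "physics-201": {"carol"}}

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(signing_input):
    mac = hmac.new(APP_SECRET, signing_input.encode(), hashlib.sha256)
    return b64url(mac.digest())

def mint_room_token(student, room, ttl=3600, now=None):
    """Return an HS256 JWT bound to one room, or None if the student is not enrolled."""
    if student not in ENROLMENT.get(room, set()):
        return None
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": APP_ID, "aud": "jitsi", "sub": DOMAIN, "room": room,
              "nbf": now, "exp": now + ttl,
              "context": {"user": {"id": student, "name": student}}}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + sign(signing_input)

def token_allows(token, room, now=None):
    """Local mirror of a verifier's checks: signature, issuer, validity window, room."""
    now = int(time.time() if now is None else now)
    try:
        head, body, sig = token.split(".")
        # Constant-time comparison of the presented and recomputed signatures.
        if not hmac.compare_digest(sig.encode(), sign(head + "." + body).encode()):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return (claims["iss"] == APP_ID and claims["room"] == room
                and claims["nbf"] <= now < claims["exp"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
```

A short `ttl` limits how long a leaked token stays usable, and the secret has to stay on the backend, never in the page's JavaScript.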

Thank you for your post.
What you are basically saying is that you did not find an integrated solution for this problem and developed your own by implementing your own interface to the video room and using the API?

If you are willing to share what you did I will be glad.

Actually I didn’t look for an integrated solution. I developed a web application (for remote schooling purposes) and basically I was looking for a videochat to give my users another feature. I was worried that the students could manipulate the JavaScript to spoil the videochat, I still am. But since now every room can be opened just from my web application (unless someone finds out the secret key and application id) and I also save the room name in the database plus room names are strictly defined, I think I can worry now about the load on my server.
What do you have now and what are you looking for?

Well, I’m also developing something like a virtual workstation for our company. But the only workaround, I believe, is getting a local copy of jitsi-meet and customizing the whole project for your needs. I’m still trying to get used to the architecture of the project… Probably after I get to know the basic architecture I’ll just need to build the library and integrate it into my web application… A very detailed documentation would be super good.