keda82
October 14, 2022, 7:43am
1
Trying to figure out how to configure Jitsi to allow RS256 in JWT. Where are the private and public keys defined?
It mentions RS256 but there is no reference to how it is configured.
shawn
October 14, 2022, 7:55am
2
That’s the JWT docs for JaaS. If you’re using JaaS, you can use the console to generate the key pair then download the private key to use for signing tokens. Or you can generate your own and upload the public key to JaaS.
If you’re self hosting, you want to look at this doc instead:
JWT token authentication Prosody plugin
==================
This plugin implements a Prosody authentication provider that verifies a client connection based on a JWT token described in [RFC7519].
It allows use of an external form of authentication with lib-jitsi-meet. Once your user authenticates you need to
generate the JWT token as described in the RFC and pass it to your client app. Once it connects with a valid token it is considered authenticated by the jitsi-meet system.
During configuration you will need to provide the *application ID* that identifies the client and a *secret* shared by both server and JWT token generator. As described in the RFC, the secret is used to compute an HMAC hash value which allows authentication of the generated token. There are many existing libraries which can be used to implement token generation. More info can be found here: [http://jwt.io/#libraries-io]
JWT token authentication works with BOSH and websocket connections.
[RFC7519]: https://tools.ietf.org/html/rfc7519
[http://jwt.io/#libraries-io]: http://jwt.io/#libraries-io
### Token structure
The following JWT claims are used in the authentication token:
- 'iss' specifies the *application ID* which identifies the client app connecting to the server. It should be negotiated with the service provider before generating the token.
- 'room' contains the name of the room for which the token has been allocated. This is *NOT* the full MUC room address. An example assuming that we have full MUC 'conference1@muc.server.net' would be that 'conference1' should be used here. Alternately, a '*' may be provided, allowing access to all rooms within the domain.
- 'exp' token expiration timestamp as defined in the RFC
In this case you would host the public key somewhere accessible by your server then specify the location using asap_key_server
var in your prosody config.
keda82
October 14, 2022, 2:28pm
3
@shawn thanks appreciate it! This is self hosted scenario
Trying to get my head around how it works
{
"kid": "jitsi/custom_key_name",
"typ": "JWT",
"alg": "RS256"
}
Then either have a shared secret or point to a public key via asap_key_server = "https://keyserver.example.com/asap";
But where is the private key, do you put it in the signature of the jwt when it is generated?
You use it to sign your jwt. The server uses a public key by downloading it from some server to verify the signature.