How to control moderator rights in JWT-AUTH-enabled jitsi docker-compose setup

Hi jitsi community,

I’m running a jitsi server with docker-compose, version stable-7287.
In .env I have enabled JWT based authentication.

Moreover, in jitsi-meet container: /config/config.js I’ve set:

enableFeatureBasedOnToken: true
enableUserRolesBasedOnToken: true

The JWT-body I’m using for a non-moderator participant looks like this:

{
  "aud": "my_server",
  "iss": "my_web_client",
  "sub": "meet.jitsi",
  "context": {
    "user": {
      "moderator": false,
      "name": "example@mail.com"
    }
  },
  "moderator": false,
  "room": "*",
  "exp": 1654100324
}

However, every participant is still granted moderator rights. How can I configure jitsi to assign only specific participants moderator rights by setting flags in their JWT?

Thanks for the quick reply.

Is it possible to simply activate the module via the .env file?

My .env file has the following configuration:

#XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=b825b58…

#XMPP password for JVB client connections
JVB_AUTH_PASSWORD=81d1f6…

#XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=120b3…

#XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=8140…

#XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=83a9…

#Basic configuration options

#Directory where all configuration will be stored
CONFIG=.jitsi-meet-cfg

#Exposed HTTP port
HTTP_PORT=127.0.0.1:180

#Exposed HTTPS port
HTTPS_PORT=127.0.0.1:1443

#Public URL for the web service (required)
PUBLIC_URL=https://meet.example.com

#IP address of the Docker host
DOCKER_HOST_ADDRESS=102.198.46.137

#Control whether the lobby feature should be enabled or not
ENABLE_LOBBY=1

#Show a prejoin page before entering a conference
ENABLE_PREJOIN_PAGE=1

#Enable breakout rooms
ENABLE_BREAKOUT_ROOMS=1

#Name your etherpad instance!
ETHERPAD_TITLE=Video Chat

#The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"

#Name of the skin for etherpad
ETHERPAD_SKIN_NAME=colibris

#Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"

#Authentication configuration (see handbook for details)

#Enable authentication
ENABLE_AUTH=1

#Enable guest access
#ENABLE_GUESTS=1

#Select authentication type: internal, jwt, ldap or matrix
AUTH_TYPE=jwt

#JWT authentication

#Application identifier
JWT_APP_ID=myJitsiAppId

#Application secret known only to your token generator
JWT_APP_SECRET=myJitsiAppSecret

#(Optional) Set asap_accepted_issuers as a comma separated list
JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client

#(Optional) Set asap_accepted_audiences as a comma separated list

JWT_ACCEPTED_AUDIENCES=my_server1,my_server2

JWT_ALLOW_EMPTY=0

JWT_TOKEN_AUTH_MODULE=token_verification

#Advanced configuration options (you generally don’t need to change these)

#Internal XMPP domain
XMPP_DOMAIN=meet.jitsi

#Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi

#Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280

#Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi

#XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi

#XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi

#XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi

#Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=

#Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=

#Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=

#MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery

#XMPP user for JVB client connections
JVB_AUTH_USER=jvb

#STUN servers used to discover the server’s public IP
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443

#Media port for the Jitsi Videobridge
JVB_PORT=10000

#XMPP user for Jicofo client connections.
#NOTE: this option doesn’t currently work due to a bug
JICOFO_AUTH_USER=focus

#Base URL of Jicofo’s reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com

#XMPP user for Jigasi MUC client connections
JIGASI_XMPP_USER=jigasi

#MUC name for the Jigasi pool
JIGASI_BREWERY_MUC=jigasibrewery

#Minimum port for media used by Jigasi
JIGASI_PORT_MIN=20000

#Maximum port for media used by Jigasi
JIGASI_PORT_MAX=20050

#XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi

#XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder

#Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings

#The finalizing script. Will run after recording is complete
#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh

#XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri

#MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery

#MUC connection timeout
JIBRI_PENDING_TIMEOUT=90

#When jibri gets a request to start a service for a room, the room
JIBRI_STRIP_DOMAIN_JID=muc

#Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs

#Container restart policy

#Defaults to unless-stopped
RESTART_POLICY=unless-stopped

#Configure toolbar buttons. Add the buttons name separated with comma(no spaces between comma)
#TOOLBAR_BUTTONS=

#Hide the buttons at pre-join screen. Add the buttons name separated with comma
#HIDE_PREMEETING_BUTTONS=

I’m not familiar with the Dockerized setup, but I don’t think it is possible to activate it via env because it’s a third-party module.

JWT_TOKEN_AUTH_MODULE=token_verification should work the same way, but IMO the main problem is to set ENABLE_AUTH. If it’s set, all participants with a token (regardless of moderator value) will be moderators.

NO, that module is not included in the default installation.

Do I need to include this module: GitHub - nvonahsen/jitsi-token-moderation-plugin: Lua plugin for jitsi which determines whether users are moderator or not based on token contents? Are there other options?

See the first response in this post. That module is also available from the jitsi-contrib repo: prosody-plugins/token_affiliation at main · jitsi-contrib/prosody-plugins · GitHub

Whichever module you choose to use, they’re not part of default jitsi install so you’ll need to include them yourself.
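
Added example (not part of the thread, and not code from Jitsi or either plugin): a pre-flight check to run on a token before handing it to a client, so that a signing, issuer, audience or expiry mismatch is ruled out before looking at the moderation module. The function names `mint` and `preflight` are hypothetical, the settings are the ones shown in the .env above, and the checks are assumptions modelled on those variable names rather than a reproduction of what Prosody enforces. The moderator check is an added hygiene rule: the flag must be a JSON boolean and must agree in both places the token above carries it.

```python
import base64, hashlib, hmac, json, time

# Settings copied from the .env on this page (the secret is its placeholder value).
ENV = {"JWT_APP_SECRET": "myJitsiAppSecret",
       "JWT_ACCEPTED_ISSUERS": "my_web_client,my_app_client",
       "JWT_ACCEPTED_AUDIENCES": "my_server1,my_server2"}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(payload, secret):
    """Sign payload as a compact HS256 JWT."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{_b64(mac.digest())}"

def preflight(token, env, now=None):
    """Return a list of reasons the token does not fit the .env settings."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
    except ValueError:
        return ["malformed token"]
    problems = []
    if header.get("alg") != "HS256":
        problems.append("alg is not HS256")
    want = hmac.new(env["JWT_APP_SECRET"].encode(), f"{head}.{body}".encode(),
                    hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        problems.append("signature does not match JWT_APP_SECRET")
    if claims.get("iss") not in env["JWT_ACCEPTED_ISSUERS"].split(","):
        problems.append("iss not in JWT_ACCEPTED_ISSUERS")
    if claims.get("aud") not in env["JWT_ACCEPTED_AUDIENCES"].split(","):
        problems.append("aud not in JWT_ACCEPTED_AUDIENCES")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired or exp missing")
    # Assumption: a moderation plugin may read either location, so the flags
    # must be real JSON booleans and must agree wherever they appear.
    flags = [claims.get("moderator"),
             claims.get("context", {}).get("user", {}).get("moderator")]
    flags = [f for f in flags if f is not None]
    if any(not isinstance(f, bool) for f in flags) or len(set(map(repr, flags))) > 1:
        problems.append("moderator flags are not booleans or disagree")
    return problems
```

An empty list means the token is consistent with the .env values; it says nothing about whether a moderation module is loaded in Prosody.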