How to control moderator rights in JWT-AUTH-enabled jitsi docker-compose setup

korbi · May 31, 2022, 11:34am

Hi jitsi community,

I’m running a jitsi server with docker-compose, version stable-7287.
In .env I have enabled JWT based authentication.

Moreover, in jitsi-meet container: /config/config.js I’ve set:

enableFeatureBasedOnToken: true
enableUserRolesBasedOnToken: true

The JWT-body I’m using for a non-moderator participant looks like this:

{
“aud”: “my_server”,
“iss”: “my_web_client”,
“sub”: “meet.jitsi”,
“context”: {
“user”: {
“moderator”: false,
“name”: “example@mail.com”
}
},
“moderator”: false,
“room”: “*”,
“exp”: 1654100324
}

However, every participant is still granted moderator rights. How can I configure jitsi to assign only specific participants moderator rights by setting flags in their JWT?

Freddie · May 31, 2022, 11:40am

korbi · May 31, 2022, 12:34pm

Thanks for the quick reply.

Is it possible to simply activate the module via the .env file?

my .env file has the following configuration:

#XMPP password for Jicofo client connections
JICOFO_AUTH_PASSWORD=b825b58…

#XMPP password for JVB client connections
JVB_AUTH_PASSWORD=81d1f6…

#XMPP password for Jigasi MUC client connections
JIGASI_XMPP_PASSWORD=120b3…

#XMPP recorder password for Jibri client connections
JIBRI_RECORDER_PASSWORD=8140…

#XMPP password for Jibri client connections
JIBRI_XMPP_PASSWORD=83a9…

#Basic configuration options

#Directory where all configuration will be stored
CONFIG=.jitsi-meet-cfg

#Exposed HTTP port
HTTP_PORT=127.0.0.1:180 http://127.0.0.1:180

#Exposed HTTPS port
HTTPS_PORT=127.0.0.1:1443 http://127.0.0.1:1443

#Public URL for the web service (required)
PUBLIC_URL=https://meet.example.com

#IP address of the Docker host
DOCKER_HOST_ADDRESS=102.198.46.137

#Control whether the lobby feature should be enabled or not
ENABLE_LOBBY=1

#Show a prejoin page before entering a conference
ENABLE_PREJOIN_PAGE=1

#Enable breakout rooms
ENABLE_BREAKOUT_ROOMS=1

#Name your etherpad instance!
ETHERPAD_TITLE=Video Chat

#The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT=“Welcome to Web Chat!\n\n”

#Name of the skin for etherpad
ETHERPAD_SKIN_NAME=colibris

#Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS=“super-light-toolbar super-light-editor light-background full-width-editor”

#Authentication configuration (see handbook for details)

#Enable authentication
ENABLE_AUTH=1

#Enable guest access
#ENABLE_GUESTS=1

#Select authentication type: internal, jwt, ldap or matrix
AUTH_TYPE=jwt

#JWT authentication

#Application identifier
JWT_APP_ID=myJitsiAppId

#Application secret known only to your token generator
JWT_APP_SECRET=myJitsiAppSecret

#(Optional) Set asap_accepted_issuers as a comma separated list
JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client

#(Optional) Set asap_accepted_audiences as a comma separated list

JWT_ACCEPTED_AUDIENCES=my_server1,my_server2

JWT_ALLOW_EMPTY=0

JWT_TOKEN_AUTH_MODULE=token_verification

#Advanced configuration options (you generally don’t need to change these)

#Internal XMPP domain
XMPP_DOMAIN=meet.jitsi

#Internal XMPP server
XMPP_SERVER=xmpp.meet.jitsi

#Internal XMPP server URL
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280

#Internal XMPP domain for authenticated services
XMPP_AUTH_DOMAIN=auth.meet.jitsi

#XMPP domain for the MUC
XMPP_MUC_DOMAIN=muc.meet.jitsi

#XMPP domain for the internal MUC used for jibri, jigasi and jvb pools
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi

#XMPP domain for unauthenticated users
XMPP_GUEST_DOMAIN=guest.meet.jitsi

#Custom Prosody modules for XMPP_DOMAIN (comma separated)
XMPP_MODULES=

#Custom Prosody modules for MUC component (comma separated)
XMPP_MUC_MODULES=

#Custom Prosody modules for internal MUC component (comma separated)
XMPP_INTERNAL_MUC_MODULES=

#MUC for the JVB pool
JVB_BREWERY_MUC=jvbbrewery

#XMPP user for JVB client connections
JVB_AUTH_USER=jvb

#STUN servers used to discover the server’s public IP
JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443 http://meet-jit-si-turnrelay.jitsi.net:443

#Media port for the Jitsi Videobridge
JVB_PORT=10000

#XMPP user for Jicofo client connections.
#NOTE: this option doesn’t currently work due to a bug
JICOFO_AUTH_USER=focus

#Base URL of Jicofo’s reservation REST API
#JICOFO_RESERVATION_REST_BASE_URL=http://reservation.example.com

#XMPP user for Jigasi MUC client connections
JIGASI_XMPP_USER=jigasi

#MUC name for the Jigasi pool
JIGASI_BREWERY_MUC=jigasibrewery

#Minimum port for media used by Jigasi
JIGASI_PORT_MIN=20000

#Maximum port for media used by Jigasi
JIGASI_PORT_MAX=20050

#XMPP domain for the jibri recorder
XMPP_RECORDER_DOMAIN=recorder.meet.jitsi

#XMPP recorder user for Jibri client connections
JIBRI_RECORDER_USER=recorder

#Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/config/recordings

#The finalizing script. Will run after recording is complete
#JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/config/finalize.sh

#XMPP user for Jibri client connections
JIBRI_XMPP_USER=jibri

#MUC name for the Jibri pool
JIBRI_BREWERY_MUC=jibribrewery

#MUC connection timeout
JIBRI_PENDING_TIMEOUT=90

#When jibri gets a request to start a service for a room, the room
JIBRI_STRIP_DOMAIN_JID=muc

#Directory for logs inside Jibri container
JIBRI_LOGS_DIR=/config/logs

#Container restart policy

#Defaults to unless-stopped
RESTART_POLICY=unless-stopped

#Configure toolbar buttons. Add the buttons name separated with comma(no spaces between comma)
#TOOLBAR_BUTTONS=

#Hide the buttons at pre-join screen. Add the buttons name separated with comma
#HIDE_PREMEETING_BUTTONS=

emrah · May 31, 2022, 1:33pm

I’m not familiar with Dockerized setup but It don’t think it is possible to activate it via env because it’s a third-party module.

JWT_TOKEN_AUTH_MODULE=token_verification should work the same way but IMO the main problem is to set ENABLE_AUTH. If it’s set, all participants with a token (regardless of moderator value) will be moderators

saghul · May 31, 2022, 1:33pm

NO, that module is not included in the default installation.

korbi · May 31, 2022, 2:03pm

Do I need to include this module: GitHub - nvonahsen/jitsi-token-moderation-plugin: Lua plugin for jitsi which determines whether users are moderator or not based on token contents ? Are there other options?

shawn · May 31, 2022, 2:25pm

See the first response in this post. That module is also available from the jitsi-contrib repo: prosody-plugins/token_affiliation at main · jitsi-contrib/prosody-plugins · GitHub

Whichever module you choose to use, they’re not part of default jitsi install so you’ll need to include them yourself.