How to enable multi-tenant

@damencho I have set up Jitsi Meet on a server with JWT. Now I want to enable multi-tenant, but I did not find proper documentation on how to achieve this. I searched the community, but there are very few links, and what I found is that there are some Nginx settings. Can anyone help me set it up step by step? What should the Nginx settings be, and what changes are needed in the Jitsi configuration?

This comes by default configured with default installation. Have you tried it?

Could you please share the basic structure of the JWT for this? I'm a little confused about whether I should add the group property to it or not and, if yes, what the value should be. I also want branding for every group; how can I achieve that? Please help me with this as well.

So you can use links as https://meet.jit.si/groupA/someroom and if you enable jwt you can add "group": "groupA" to the context of the token as shown here: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md#payload
And if "room": "*", then this will make the token valid only for https://meet.jit.si/groupA/....anyroom
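The rule described in the reply above, as an added example that is not part of the original thread and is not Prosody's `mod_token_verification` code: it issues an HS256 token with the thread's claim layout, verifies it, and computes which `/tenant/room` URLs the token is expected to admit, which gives a matrix to compare against what a deployment actually allows. The function names, the secret and `meet.example.com` are constructed for illustration, and exact case-sensitive matching is an assumption.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlparse

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return b64url(mac.digest())

def make_token(secret, app_id, domain, group, room, exp):
    """HS256 JWT with the claim layout used in the thread's payloads."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"context": {"user": {"name": "example"}, "group": group},
               "iss": app_id, "aud": app_id, "sub": domain,
               "room": room, "exp": exp}
    body = ".".join(b64url(json.dumps(p).encode()) for p in (header, payload))
    return body + "." + sign(body, secret)

def verified_claims(token, secret, now):
    """Return the payload if signature and expiry check out, else ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims = (json.loads(b64url_decode(p)) for p in (head, body))
    except ValueError as err:
        raise ValueError("malformed token") from err
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    expected = sign(head + "." + body, secret)
    if header.get("alg") != "HS256" or not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def should_admit(claims, url):
    """Expected outcome: tenant equals context.group, room matches or is '*'."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if len(parts) != 2:
        raise ValueError("expected a /tenant/room URL")
    tenant, room = parts
    ctx = claims.get("context")
    group = ctx.get("group") if isinstance(ctx, dict) else None
    return tenant == group and claims.get("room") in ("*", room)

if __name__ == "__main__":  # constructed sample values
    tok = make_token("constructed-secret", "my_app_id", "meet.example.com", "group1", "*", 2000)
    for url in ("https://meet.example.com/group1/a", "https://meet.example.com/group2/a"):
        print(url, should_admit(verified_claims(tok, "constructed-secret", 1000), url))
```

A URL that the matrix marks as rejected but that the deployment still admits reproduces the cross-tenant behaviour reported later in this thread.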

I'm generating a JWT with the given payload:

{
  "context": {
    "user": {
      "name": "example",
      "email": "example@gmail.com"
    },
    "group": "group1"
  },
  "iss": "my_app_id",
  "room": "*",
  "sub": "meet.example.com",
  "aud": "my_app_id"
}

But this JWT works for every group, meaning I can initiate the meeting with the URLs https://meet.jit.si/group1/someroom and https://meet.jit.si/group2/someroom.

It's not blocking the group2 URL even though I set "group": "group1" in the payload.

Do you have token verification module enabled https://github.com/jitsi/jitsi-meet/blob/master/resources/prosody-plugins/mod_token_verification.lua ?

Yes, /etc/prosody/config.d/meet.mydomain.com.cfg.lua includes:

Component "conference.meet.mydomain.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
        "token_moderation";
    }
    admins = { "focus@auth.meet.mydomain.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

and mod_token_verification.lua is present in /usr/share/jitsi-meet/prosody-plugins/

Hum, then it sounds to me like a bug …

You can add some prints here to debug it: https://github.com/jitsi/jitsi-meet/blob/master/resources/prosody-plugins/token/util.lib.lua#L373

Please clarify one thing first: can we brand particular groups this way or not? I'm talking about the settings below:

 /**
     External API url used to receive branding specific information.
     If there is no url set or there are missing fields, the defaults are applied.
     None of the fields are mandatory and the response must have the shape:
     {
         // The hex value for the colour used as background
         backgroundColor: '#fff',
         // The url for the image used as background
         backgroundImageUrl: 'https://example.com/background-img.png',
         // The anchor url used when clicking the logo image
         logoClickUrl: 'https://example-company.org',
         // The url used for the image used as logo
         logoImageUrl: 'https://example.com/logo-img.png'
     }
    */

Yep.

I have good news as well as bad news.

Good news: I have achieved branding via the External API.

Bad news:

  1. This problem still exists.
  2. I'm also facing a unique problem: in the above payload I used
    "room": "*"
    and it works, but if I pass a room name instead of *, like
    "room": "testroom"
    and hit the URL https://meet.mydomain.com/group1/testroom?jwt=jwtToken, it gives the page below.

What is the nginx config to enable it? I tried https://sample.domai.com/groupA/someroom in my installation, and the room is not found. I did my Jitsi installation manually, not from a package.

Regards

Here it was enabled by default for the debian packages https://github.com/jitsi/jitsi-meet/pull/4923/files

Thanks @damencho. Now I can create the room https://sample.domain.com/groupA/someroom. But I have a problem with the same room.

https://sample.domai.com/groupA/someroom
https://sample.domai.com/groupB/someroom

Those will be joined in the same room. How can I make groupA and groupB join different rooms when the room name is the same? Is there any config for this? I have enabled "muc_domain_mapper" in my conference component in Prosody.

In config.js I can't get the value of subdomain.

if (subdomain) {
    subdomain = subdomain.substr(0,subdomain.length-1).split('.').join('_').toLowerCase() + '.';
}

I solved my issue. I needed to fully declare var subdomain like this:

var subdomain = "<!--# echo var="subdomain" default="" -->";

I have a question, @damencho.

I don't know whether this is a bug or not.

For example, I create a JWT with the payload

"group": "groupA"
"room": "nameofroom"

I have a JWT with tenant "groupA" and room "nameofroom". I use that JWT in another tenant (groupB) and another room. I can join a room in tenant groupB. Is that the expected behavior, or should it not be able to join in tenantB?

I have enabled token_verification in my Prosody.

Same issue as @shubham.

Regards

Should not join there

Does this mean it is a bug?

I tried:

{
  "context": {
    "user": {
      "name": "",
      "avatar": "",
      "email": ""
    },
    "group": "tenantA"
  },
  "aud": "meetcall",
  "iss": "meetcall",
  "sub": "call.domain.com",
  "room": "myroom",
  "exp": 1599278253
}

I tried https://call.domain.com/tenantA/myroom
and it redirects to the page "Sorry! You are not allowed to be here :("

But if I join https://call.domain.com/myroom, it works.

Am I missing some config in my JWT or Prosody?