How to JWT (with Google Firebase Authentication)

I have set up https://gid-learn-study.web.app using Google Firebase Authentication to get JWT tokens, but reading https://github.com/jitsi/docker-jitsi-meet#authentication-using-jwt-tokens I’m not super clear yet what the JWT_APP_SECRET is … even after reading https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library - can someone shed some light on what’s what here?

Also, even once I’ve figured out the server side, I’m missing a few pieces… how can Jitsi Meet web be configured to redirect to such a login page? And how would one pass the JWT token back to Jitsi Meet?


I think this might help… though I do not have enough knowledge and experience using it… But I tried some with the docker version and it worked fine…

I’m afraid I have never heard of anyone doing that setup, but let’s try to figure it out together.

That is the secret key used to sign the tokens. Both the issuer and Jitsi need to have it. Jitsi will validate the token. I believe there is an option to use a key / cert pair, but the Docker setup doesn’t support it yet.

The typical scenario here is to have your own login portal / website. Then you’d use the Jitsi iframe API (https://github.com/jitsi/jitsi-meet/blob/master/doc/api.md) to load a conference and pass the JWT in the options object.

hey for anyone googling this: you can NOT use firebase auth JWTs or firebase custom JWTs because they comply with the OpenID Connect JWT spec, meaning the sub claim has to be the firebase account’s email address, but jitsi token auth needs the sub claim to be the domain of your jitsi host.

instead:

  • generate some secret string to share between your server and your hosted jitsi (JWT_APP_SECRET in docker-jitsi-meet)
  • choose a third party JWT library and generate a token for your users with the claims that jitsi token auth needs (check this), using the secret you choose.
  • save that token to your firebase user’s data.
  • retrieve that token from your users’ firebase data and use it to allow them to authenticate with your hosted jitsi.

NOTE:
if you encrypt your JWTs with public/private keys, you’ll have to handle JWT_ACCEPTED_ISSUERS, JWT_ACCEPTED_AUDIENCES, and JWT_ASAP_KEYSERVER as well i believe. just use a shared secret to get started.
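
Added example (not part of the original post, and not Jitsi's code): the steps listed above, minting a token with a shared secret and the claims Jitsi token auth needs, written against the Python standard library in place of a third-party JWT library so it runs stand-alone. The claim set (`iss`, `aud`, `sub`, `room`, `exp`, `context.user`), the function names and all sample values are assumptions; `verify_token` illustrates the checks a verifier applies and is not Jitsi's implementation.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: str, signing_input: str) -> bytes:
    # HS256 = HMAC-SHA256 over "<header>.<payload>" with the shared secret
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_token(secret, app_id, audience, domain, room, user, now=None, ttl=3600):
    """Build an HS256 JWT carrying the claims Jitsi token auth checks."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": app_id,      # assumed to match JWT_APP_ID on the Jitsi side
        "aud": audience,    # assumed to be an audience the Jitsi side accepts
        "sub": domain,      # domain of the Jitsi host, as the post above requires
        "room": room,
        "exp": now + ttl,   # keep short: a stored token is a bearer credential
        "context": {"user": user},
    }
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(sign(secret, signing_input))

def verify_token(token, secret, app_id, audience, domain, now=None):
    """Checks a verifier should apply; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and claims must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":   # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(sig, sign(secret, head_b64 + "." + body_b64)):
        raise ValueError("bad signature")   # constant-time comparison
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("expired")
    if (claims.get("iss"), claims.get("aud"), claims.get("sub")) != (app_id, audience, domain):
        raise ValueError("iss/aud/sub mismatch")
    return claims
```
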

Hi,

So just to confirm, firebase is a no-no for Jitsi? Did I get that right?

correct. make your own jwts and store them in firebase