How to use external website to authenticate Jitsi users

I have inherited a Jitsi installation which was not secured in any way.

I have followed the excellent instructions at https://github.com/jitsi/jicofo#secure-domain and set up basic authentication to only allow authenticated users to create meetings.

However, I would like to go much further. I would like all users to have to log in, ideally via an external website which I also control. Only certain users would be allowed to create meetings, and others to join them. The website already provides OAuth login for other sites, and that’s the kind of thing I’m looking for. I am quite capable of coding a new OAuth or similar system in the authentication website (and I am thinking of implementing reservations via this site).

I have read https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md but I am none the wiser, as it assumes a lot of knowledge I don’t have.

Can anyone guide me on whether what I want is possible, and how to get it working?

Thanks in advance.

So the best way to achieve what you want is to enable tokens on your deployment and allow only participants with tokens to have access to it. Then your app, at server side, can generate tokens for the logged-in user, and can also add information to the token, like display name and avatar URL. With that token your app can open jitsi-meet in an iframe, using the iframe API.

Tokens are just a digital signature to verify a user's identity. There is a common shared secret option, where the secret is shared between Jitsi’s component validating the token and your service generating them. The other option is to use a public/private key pair, where your service that generates tokens has the private key to sign the token, and the public key is in an HTTPS-accessible location from which Jitsi’s component that does the verification fetches it.

Thanks very much.

All I need to find out now is

  • how to generate a token to allow someone to create a meeting
  • how to generate one to allow someone to join that meeting
  • how to pass that token to my jitsi
  • whether this can be done without an iframe

There is no such notion when using tokens; you are either allowed to enter a meeting or you are not.
The only mode with something like a host that creates the meeting, while the rest are waiting for him to join, is the secure-domain one.
In all others, the first to join creates the conference, and when the last one leaves, that conference is destroyed.

There is an option to allow an empty token; then guests without a token can join a meeting, and that meeting can be with just guests and no authenticated user. If that is not enabled, you just need a valid token to enter a conference; otherwise you cannot join.

You can test it in the browser; you just need to add ?jwt=… the token.

Not sure how you will do that … maybe in electron … or if in your web app you are showing the links with jwt added and by clicking on them participants will be presented in the meeting in a new tab.

Thanks for your help. It’s great that you are so responsive.

As I said, I have set up secure-domain. It would be nice if I could control permission to create meetings from my app, rather than having to log into the server as root and create the account from the command line.

I still don’t know how to actually generate a token, and how jitsi knows whether the token is valid or not.

Is there some intelligible documentation on all this - e.g. that says you pass the token as a get query parameter (can it be a post parameter instead?), or that tells you how to generate a token, and how jitsi knows it is valid?

I guess I can provide a link in my app that sends the browser to a page in my app that runs code to generate a token for that user, then redirects the user to jitsi with the token in the query string.

There is no documentation, as JWT tokens are a standard thing, and the library you will use for that depends on the service, platform and coding language you will use.
This is the call that verifies it in the Prosody server we use: https://github.com/jitsi/jitsi-meet/blob/master/resources/prosody-plugins/token/util.lib.lua#L197

You don’t need to create a meeting in advance, though; you just generate a URL and that is your meeting.

When you are using the browser to open a page, it is a GET and the token is passed as a GET parameter in the query.

I guess, that will work.
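
A sketch of the token flow discussed in this thread, added as an example and not code from any poster or from the Jitsi project: a server-side app signs a short-lived HS256 JWT with the shared secret, and the token is appended to the meeting URL as `?jwt=`. The app id, secret, domain and helper names are constructed placeholders; the claim names follow the tokens.md document linked above, and `verify_token` only illustrates the checks a validating component makes, it is not Prosody's implementation.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote

# Constructed placeholder values (assumptions, not taken from the thread).
APP_ID = "my_app_id"
APP_SECRET = b"constructed-shared-secret"
JITSI_DOMAIN = "meet.example.com"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(APP_SECRET, signing_input.encode(), hashlib.sha256).digest()

def make_token(room, name, avatar, now=None, ttl=300):
    """Issuer side: sign a short-lived HS256 JWT for one user and one room."""
    now = int(time.time()) if now is None else now
    payload = {"iss": APP_ID, "aud": APP_ID, "sub": JITSI_DOMAIN,
               "room": room, "exp": now + ttl,
               "context": {"user": {"name": name, "avatar": avatar}}}
    parts = ({"alg": "HS256", "typ": "JWT"}, payload)
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url(sign(signing_input))

def verify_token(token, room, now=None):
    """Verifier side: check signature first, then algorithm, expiry, room."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sign(head + "." + body), b64url_decode(sig)):
            return None
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
    except ValueError:
        return None
    if header.get("alg") != "HS256" or claims.get("exp", 0) <= now:
        return None
    return claims if claims.get("room") == room else None

def meeting_url(room, token):
    """The token travels as a GET query parameter, as stated in the thread."""
    return "https://%s/%s?jwt=%s" % (JITSI_DOMAIN, quote(room), token)
```

Because the token rides in the URL, it can end up in browser history and server logs, so keep its lifetime short and scope it to one room.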