How to use JWT token with our back-end to authenticate users in Jitsi Meet

Hello guys,
I work on a service with Jitsi Meet. In my service, I need to handle authentication and control which user can join which room and how long he/she can join the room. From what I found, we can use a JWT token for this purpose, but I did not succeed in implementing this flow. I read this: lib-jitsi-meet/tokens.md at master · jitsi/lib-jitsi-meet · GitHub
But I still have problems: for example, where must I generate the application ID, and what is the audience? How do I send the JWT token generated inside my back-end to Jitsi Meet, and how will Jitsi Meet recognize and decrypt the JWT token and determine which room the user has access to and for how long?
Please guide me on this. Thank you.

  • You should have an authentication system. For example a custom web panel which can check your user database… (this part is not directly related with jitsi)

  • You should have a jitsi system with JWT authentication.

  • The auth panel will generate the JWT token for each user after a successful login and redirect the user to jitsi

  • When the JWT authentication is enabled, a valid meeting link should be in the following format:

https://your.jitsi-domain.com/roomname?jwt=the-token-value

  • A prosody module (mod_token_verification) will parse the token and if it’s valid, it will allow the user to connect to the meeting room

  • The token has a field which contains the allowed room name. So, this token is only valid for this room.

  • The token has a field which contains the expiration time. So, this token is only valid for this period

The following links may be helpful:

1 Like

Thank you for your reply.
How must I generate an application ID? And after I put the application ID into the JWT token, how can Prosody detect that the application ID is the one I created?
And the same for the ‘aud’ application identifier.
And if somebody, with jwt.io for example, looks at the payload data inside my JWT token and then creates a new token with the application ID and aud, then he/she can do something like a middle man, create a fake token and have access to my Jitsi server.
Could you please guide me on the above issues?
Thank you

You can choose any word as the application id. Nothing special for it. While installing the jitsi-meet-tokens package, you will be asked to choose an application ID.

It’s needed to set this application id as the value of aud and iss in the token content.

It’s in the prosody config too.

The token is not for storing the secrets. Everyone can see the token content but the server can verify if it’s created by a trusted one or not by checking the signature. The valid signature can only be created by the one who knows the shared secret.

1 Like
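
The flow described in the two answers above (the panel issues a token carrying the room and expiry, and the server accepts it only if the signature made with the shared secret checks out), as an added example that is not part of the original posts and is not Jitsi's or Prosody's own code. It is a simplified stand-in for the server-side check using only Python's standard library; the function names, the secret, `meet.example.com` and the room name are constructed for illustration.

```python
# Added example: names and values here are constructed, not Jitsi/Prosody code.
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def hs256(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def issue_token(app_id, secret, domain, room, ttl_seconds, now=None):
    """Back-end side: call only after the user has logged in to your own panel."""
    now = int(time.time()) if now is None else now
    claims = {"aud": app_id, "iss": app_id, "sub": domain,
              "room": room, "exp": now + ttl_seconds}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url_encode(hs256(secret, signing_input))

def meeting_url(domain, room, token):
    return f"https://{domain}/{room}?jwt={token}"

def verify_token(token, app_id, secret, room, now=None):
    """Server side, simplified: return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Signature first: nothing in the payload is trusted until this passes.
    if not hmac.compare_digest(signature, hs256(secret, f"{head}.{body}")):
        raise ValueError("invalid signature")
    if claims.get("iss") != app_id:
        raise ValueError("invalid issuer")
    if claims.get("aud") != app_id:
        raise ValueError("invalid audience")
    if claims.get("room") != room:
        raise ValueError("token not valid for this room")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":  # constructed values
    t = issue_token("myappid", "constructed-secret", "meet.example.com", "standup", 3600)
    print(meeting_url("meet.example.com", "standup", t))
```

A payload edited by someone who can read the token but does not know the secret no longer matches the signature, so the check rejects it before any claim is looked at.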

I set this value :

 "aud": "YOUR_AUDIENCE",

 "iss": "YOUR_ISSUER",

to my application ID, the one I set in the jitsi-meet-tokens installation dialog, and put them into a generated token. But in the Prosody log I got this error:

 general warn    Error verifying token err:not-allowed, reason:Invalid issuer ('iss' claim)

Did I do anything wrong?
“It’s needed to set this application id as the value of aud and iss in the token content.”
I did this according to that, as you said.

generated token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJteWFwcGlkIiwiaXNzIjoibXlhcHBpZCIsInN1YiI6Im1lZXQubmV0LXZlc3QuY29tIiwicm9vbSI6IioifQ.BZnQpdnXNRH36DHIyUN-doCC4Me3HX56MAjzEOpkJps

The token seems valid. Check your prosody config. app_id should be the same

1 Like

here is my config:
/etc/prosody/conf.avail/my.domain.com.cfg.lua

    turncredentials_secret = "dhvbvhfj2322j";

   asap_accepted_issuers = { "YOUR_APP_ID", "smash" }

   asap_accepted_audiences = { "YOUR_APP_ID", "smash" }

and

authentication = "token"
app_id="myappid"
app_secret="mysecretid"

Did I miss something?

Shall I put my app_id and app_secret_id in here:

 asap_accepted_issuers = { "YOUR_APP_ID", "smash" }

asap_accepted_audiences = { "YOUR_APP_ID", "smash" }

There are no asap_accepted_issuers and asap_accepted_audiences in my working config. I don’t know when these lines are needed but I have no issue without them

1 Like

after changing these values:

asap_accepted_issuers = { "myappid", "smash" }

asap_accepted_audiences = { "myappid", "smash" }

I can log in to Jitsi, but after granting camera and microphone permission I got this error:

Jan 30 18:25:05 bosh9acb1ad4-2845-4dc5-87d3-b292657feb88        info    BOSH client disconnected: session close
Jan 30 18:25:08 mod_bosh        info    New BOSH session, assigned it sid 'b3acfc70-cde6-478e-81ec-c51a22440167'
Jan 30 18:25:10 boshb3acfc70-cde6-478e-81ec-c51a22440167        info    Authenticated as 523d48de-8c61-4f25-af27-c487f4fb8e65@my.site.com
Jan 30 18:25:38 focus.my.site.com:component       warn    Component not connected, bouncing error for: <iq id='c7a76c79-16c2-41f9-a2ed-70c45180f53b:sendIQ' from='523d48de-8c61-4f25-af27-c487f4fb8e65@my.site.com/iRgiVeMj' type='set' to='focus.my.site.com'>
Jan 30 18:25:39 focus.my.site.com:component       warn    Component not connected, bouncing error for: <iq id='8567b816-d66c-4774-a62b-42fc2e921c0e:sendIQ' from='523d48de-8c61-4f25-af27-c487f4fb8e65@my.site.com/iRgiVeMj' type='set' to='focus.my.site.com'>
Jan 30 18:25:42 focus.my.site.com:component       warn    Component not connected, bouncing error for: <iq id='a97bcdda-04ca-4d69-8e1a-fad26a12c528:sendIQ' from='523d48de-8c61-4f25-af27-c487f4fb8e65@my.site.com/iRgiVeMj' type='set' to='focus.my.site.com'>
Jan 30 18:25:46 focus.my.site.com:component       warn    Component not connected, bouncing error for: <iq id='056e5abf-a34c-4bc4-bfb0-b932f2482a33:sendIQ' from='523d48de-8c61-4f25-af27-c487f4fb8e65@my.site.com/iRgiVeMj' type='set' to='focus.my.site.com'>
Jan 30 18:25:55 focus.my.site.com:component       warn    Component not connected, bouncing error for: <iq id='76567437-4657-4b95-b87b-584011cbf4c9:sendIQ' from='523d48de-8c61-4f25-af27-c487f4fb8e65@my.site.com/iRgiVeMj' type='set' to='focus.my.site.com'>
Jan 30 18:26:06 boshb3acfc70-cde6-478e-81ec-c51a22440167        info    BOSH client disconnected: session close
Jan 30 18:26:07 mod_bosh        info    New BOSH session, assigned it sid 'b0dc3754-4cf5-4843-9bf6-8bcff0b0801d'
Jan 30 18:26:07 boshb0dc3754-4cf5-4843-9bf6-8bcff0b0801d        info    Authenticated as 4915f33c-79dd-4abc-94cb-3b8884399f2b@my.site.com

why did this happen?

edit:
I follow this tutorial for jitsi and jwt:
https://doganbros.com/index.php/jitsi/jitsi-installation-with-jwt-support-on-ubuntu-20-04-lts/

Thanks for a marvelous posting!

1 Like