How to verify subject field when using JWT auth over Prosody?

avoidik · March 17, 2021, 5:33pm

Hello,

Would it be possible to enforce “sub” field verification when using JWT authentication over Prosody? We have two different deployments with the common “app_secret”, hosted on the same domain (e.g. “blahcom”), but on the different sub-domains (lets say “ablahcom” and “bblahcom”), unfortunately JWT token appears to be working for both deployments, authentication succeeded on both servers.

avoidik · April 16, 2021, 2:41pm

No answer here, I’d consider this as a security flaw

damencho · April 16, 2021, 2:47pm

Have you enabled enable_domain_verification in your deployment?

damencho · April 16, 2021, 2:47pm

github.com

jitsi/jitsi-meet/blob/afbd29f4a2154106fd709cd9dcd329566d769e0a/resources/prosody-plugins/token/util.lib.lua#L71


-- domain base, which is the main domain used in the deployment,
-- the main VirtualHost for the deployment
self.muc_domain_base = module:get_option_string("muc_mapper_domain_base");
-- The "real" MUC domain that we are proxying to
if self.muc_domain_base then
    self.muc_domain = module:get_option_string(
        "muc_mapper_domain",
        self.muc_domain_prefix.."."..self.muc_domain_base);
end
-- whether domain name verification is enabled, by default it is disabled
self.enableDomainVerification = module:get_option_boolean(
    "enable_domain_verification", false);


if self.allowEmptyToken == true then
    module:log("warn", "WARNING - empty tokens allowed");
end


if self.appId == nil then
    module:log("error", "'app_id' must not be empty");
    return nil;
end