Howto: Jitsi with oidc auth and forced moderator

Hi
I have a Jitsi running in production with a few tweaks, I thought I’d share here how I set it up, might give useful ideas to others struggling with the same challenges I’ve been having.

These were the requirements from my organization:

  • Anyone joining our Jitsi environment should login using e-identification so we know exactly who’s in there. Also their full name should be visible (and not changeable) in the conference.
  • Only the person organizing a meeting should be moderator in the meeting, regardless of who joins first.

And these are the basic conditions:

  • I already had an IDP solution set up (Nexus Smart ID Digital Access) with the needed authentication methods and support for SAML2 and OpenID Connect
  • Our organization uses Google Workspace, so all meetings are booked using Google Calendar

I decided that the Docker setup was the best way to go, just following Self-Hosting Guide - Docker | Jitsi Meet.

Authentication
Jitsi in itself doesn’t have any built-in support for either SAML2 or OpenID Connect, but I found this excellent component which acts as a middle layer, handling OpenID Connect tokens and transforming them to the jwt token that Jitsi needs. It took me a while to understand exactly how it works, but the developer is very helpful. I configured my IdP to send the logged-in user’s given_name, family_name and email in the corresponding fields; they are needed below. In my case the first and last name are retrieved from the e-identification so it’s secured information. The email address is retrieved from our Active Directory for internal users. External users can also log in, but will have an empty email attribute.

Also, the users should not be able to change this information themselves after logging in; this is easily accomplished by adding “config.disableProfile = true;” to .jitsi-meet-cfg/web/custom-config.js.

Forcing moderator
This was the tricky part, since Jitsi normally has no idea who made a booking. I decided that the best route is if the room name itself contains information about who should be moderator, and that the easiest way to do this is if every room name simply starts with the person’s email address.

To achieve that I took the calendar addon and modified it a tiny bit, see my version here. It generates room names starting with the user’s email address, like john.doe@example.com_StickyDealersRewardAbsolutely.

Next step is to actually check if the user should be moderator in the room based on the email address. There is a nice module for controlling the affiliation based on the contents of the jwt token (more info here); I just needed to modify it to instead check the room name against the user email address. This means that when entering a room I become moderator if (and only if) the address in the jwt token matches the beginning of the room name. This also means that external users (that don’t exist in our AD) can enter rooms but they will never become moderator since they have no registered email address. You can find my modified code here. Place it in a file called .jitsi-meet-cfg/prosody/prosody-plugins-custom/mod_email_affiliation.lua and then edit the file .jitsi-meet-cfg/prosody/config/conf.d/jitsi-meet.cfg.lua and add a line saying “email_affiliation”; just below the line saying “token_verification”;. Also, if you have problems (I did) with everybody becoming moderator anyway, take a look at this post, especially the point about adding “ENABLE_AUTH=0” to docker-compose.

I hope I didn’t miss any important part and that this is actually useful to someone. Don’t hesitate to ask if you’ve got questions!

5 Likes
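As an added illustration of the affiliation logic described in the post above (this is not the poster’s mod_email_affiliation.lua nor the jitsi-contrib module it was derived from), here is a minimal Prosody module that grants owner affiliation only when the verified email in the JWT matches the email prefix of the room name. It assumes that Jitsi’s token_verification module has already put the token’s user claims in session.jitsi_meet_context_user (with an email field), that room names follow the "<email>_<RandomWords>" scheme from the modified calendar addon, and that the email itself contains no underscore; the function names and the pattern used to split the room name are the example’s own choices.

```lua
-- Added example: a Prosody MUC module that makes a user owner (moderator)
-- of a Jitsi room only if their verified JWT email is the room-name prefix.
-- Assumptions: token_verification has populated session.jitsi_meet_context_user,
-- room names look like "john.doe@example.com_StickyDealersRewardAbsolutely",
-- and the email part contains no "_" (the separator used by the calendar addon).
local jid_split = require "util.jid".split;

-- Pull the email prefix out of a room name, or nil if the name has no
-- "<email>_" prefix at all (e.g. an ad-hoc room created outside the calendar).
local function room_owner_email(room_name)
    if not room_name then return nil; end
    local email = room_name:match("^([^_]+@[^_]+)_");
    return email and email:lower() or nil;
end

-- True only when the user has a non-empty verified email that equals the
-- room's owner prefix. External users with an empty email never qualify.
local function is_room_owner(room_name, user_email)
    if not user_email or user_email == "" then return false; end
    local owner = room_owner_email(room_name);
    return owner ~= nil and owner == user_email:lower();
end

module:hook("muc-occupant-joined", function (event)
    local room, occupant, origin = event.room, event.occupant, event.origin;
    -- No verified token on this session: leave the default affiliation alone.
    local user = origin and origin.jitsi_meet_context_user;
    if not user then return; end

    local room_name = jid_split(room.jid); -- node part of the room JID
    if is_room_owner(room_name, user.email) then
        -- actor "true" bypasses the normal permission check for the change
        room:set_affiliation(true, occupant.bare_jid, "owner");
        module:log("info", "%s is owner of room %s", user.email, room_name);
    else
        -- Explicitly demote anyone else so first-joiner rules cannot promote them.
        room:set_affiliation(true, occupant.bare_jid, "member");
    end
end, 10);
```

Because the decision is made entirely from the JWT claim and the room JID on the Prosody side, a client cannot influence it through anything it sends itself; the only trust boundary is the token verification that precedes this hook, which is why the module must be listed after "token_verification" in the conference host’s module list, as the post describes.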

Have you confirmed that users are not able to programmatically change their display name by running something like APP.conference.changeLocalDisplayName("bob") in dev console?

The last time I looked at this, disableProfile and readOnlyName configs only stop users changing it in the UI. Which means in a use case where you need to be sure displayed name matches secured information, you may need to block display name changes on the prosody side too.

Related conversation: feat(config): Add config option for making display name read only by vp8x8 · Pull Request #9835 · jitsi/jitsi-meet · GitHub

We currently use this to ensure the display name is always pinned to what is in the JWT – prosody-plugins/frozen_nick at main · jitsi-contrib/prosody-plugins · GitHub

2 Likes

No, not really. Our reasoning this far has been that our target group is not tech savvy enough to do anything like that and also they don’t have any real motivation to do so. But if it’s as easy as activating another mod (haven’t seen that one earlier) I guess it’s a good idea. Thanks!