I have installed the token plugin. how to create users and groups?

xiran_li · August 27, 2019, 10:22am

I have installed the jitsi-meet-token and edited the config following below doc

jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

JWT token authentication Prosody plugin
==================

This plugin implements Prosody authentication provider that verifies client connection based on JWT token described in [RFC7519].
It allows to use any external form of authentication with lib-jitsi-meet. Once your user authenticates you need to
generate the JWT token as described in the RFC and pass it to your client app. Once it connects with valid token is considered authenticated by jitsi-meet system.

During configuration you will need to provide the *application ID* that identifies the client and a *secret* shared by both server and JWT token generator. Like described in the RFC, secret is used to compute HMAC hash value which allows to authenticate generated token. There are many existing libraries which can be used to implement token generator. More info can be found here: [http://jwt.io/#libraries-io]

JWT token authentication currently works only with BOSH connections.

[RFC7519]: https://tools.ietf.org/html/rfc7519
[http://jwt.io/#libraries-io]: http://jwt.io/#libraries-io

### Token structure

The following JWT claims are used in authentication token:
- 'iss' specifies *application ID* which identifies the client app connecting to the server. It should be negotiated with the service provider before generating the token.
- 'room' contains the name of the room for which the token has been allocated. This is *NOT* full MUC room address. Example assuming that we have full MUC 'conference1@muc.server.net' then 'conference1' should be used here.  Alternately, a '*' may be provided, allowing access to all rooms within the domain.
- 'exp' token expiration timestamp as defined in the RFC

This file has been truncated. show original

I am not using a secret server but just use a common secret key.

now when I try to create a meeting, a username/pwd windows will popup.
I have tried to create a new user using:
prosodyctl register auth.jitsi.example
prosodyctl adduser

but the new users cannot login. I inspect the request/response:
request:
iq type=‘get’ to=‘jitsi.example.com’ id=’_auth_1’ xmlns=‘jabber:client’
query xmlns=‘jabber:iq:auth’
username

/username
/query
/iq

response:
service-unavailable xmlns=urn:ietf:params:xml:ns:xmpp-stanzas

so this looks like a config problem ?

and I want to ask:

how to register a new user to login ?
how to create group to do multi-tenant ? e.g. users in group1 will go to jitis.example.com/group1/room. group2 will go to jitsi.example.com/group2/room

damencho · August 27, 2019, 12:26pm

When you configure tokens when joining a conference you need to provide a correctly signed token as a parameter ?jwt=… Are you providing it? You can use https://jwt.io/ to generate tokens so you can test. When using tokens there are no users to create or anything. Creating and authenticating users is a responsibility of the service providing the tokens.

This is a setting in your webserver, you better use nginx when deploying so you can have more flexibility.

xiran_li · August 27, 2019, 1:36pm

I see the doc that there is an attribute “group” in JWT. that is set in webserver too ?

damencho · August 27, 2019, 1:50pm

No, its just you create a token for group ‘jitsi’ and the user using that token can connect to https://meet.jit.si/jitsi/someRoom and if the user tries to use the jwt with group ‘google’ access will be denied as token will not be verified against the URL.

xiran_li · August 27, 2019, 3:25pm

@damencho

I have generate a token on jwt.io. I copied the token from the left panel of the page (the encoded section)
header
{
“kid”: “my_app_shared_secret”,
“typ”: “JWT”,
“alg”: “RS256”
}

payload
{
“context”: {
“user”: {
“avatar”: “https:/gravatar.com/avatar/abc123”,
“name”: “John Doe”,
“email”: "jdoe@example.com",
“id”: “abcd:a1b2c3-d4e5f6-0abc1-23de-abcdef01fedcba”
}
},
“aud”: “my_app_id”,
“iss”: “my_app_id”,
“sub”: “jitis.example.com”,
“room”: “*”,
“exp”: 1500006923
}

the url is
https://jitis.example.com/room1?jwt=

I have installed the prosody-trunk_1nightly747-1_trusty_amd64

the virtual host defines:
VirtualHost “jitsi.example.com”
authentication = “token”
app_id=“my_app_id”
app_secret=“my_app_shared_secret”
allow_empty_token=false
ssl = {
key = “/etc/prosody/certs/jitsi.example.com.key”;
certificate = “/etc/prosody/certs/jitsi.example.com.crt”;
}
modules_enabled = {
“bosh”;
“pubsub”;
“ping”;
“presence_identity”; – not sure if this modules is needed
}
c2s_require_encryption = false

now when I try to create a room and login. the prosody log throw error:
Aug 27 15:18:55 general warn Error verifying token err:not-allowed, reason:Not a public PEM key

damencho · August 27, 2019, 3:29pm

Remove kid and try again. Kid is when signing with a certificate (not shared secret) and you need to configure prosody from where to fetch the public keys to verify it.

xiran_li · August 27, 2019, 3:51pm

in this doc

github.com

jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

JWT token authentication Prosody plugin
==================

This plugin implements Prosody authentication provider that verifies client connection based on JWT token described in [RFC7519].
It allows to use any external form of authentication with lib-jitsi-meet. Once your user authenticates you need to
generate the JWT token as described in the RFC and pass it to your client app. Once it connects with valid token is considered authenticated by jitsi-meet system.

During configuration you will need to provide the *application ID* that identifies the client and a *secret* shared by both server and JWT token generator. Like described in the RFC, secret is used to compute HMAC hash value which allows to authenticate generated token. There are many existing libraries which can be used to implement token generator. More info can be found here: [http://jwt.io/#libraries-io]

JWT token authentication currently works only with BOSH connections.

[RFC7519]: https://tools.ietf.org/html/rfc7519
[http://jwt.io/#libraries-io]: http://jwt.io/#libraries-io

### Token structure

The following JWT claims are used in authentication token:
- 'iss' specifies *application ID* which identifies the client app connecting to the server. It should be negotiated with the service provider before generating the token.
- 'room' contains the name of the room for which the token has been allocated. This is *NOT* full MUC room address. Example assuming that we have full MUC 'conference1@muc.server.net' then 'conference1' should be used here.  Alternately, a '*' may be provided, allowing access to all rooms within the domain.
- 'exp' token expiration timestamp as defined in the RFC

This file has been truncated. show original

I find:
Alternately the token may be signed by a private key and authorized via public keyserver using RS256 tokens. In this mode, the ‘kid’ header of the JWT must be set to the name of the public key. The backend server must be configured to fetch and confirm keys from a pre-configured public keyserver.

is there any doc about “configured to fetch and confirm keys from a pre-configured public keyserver.”

damencho · August 27, 2019, 3:56pm

I don’t think we have any other doc for tokens. With public/private key you cannot use jwt.io, I think.

You just need to configure the asapKeyServer in your prosody instance. This is an http server from where prosody will try to download public keys with matching name of what you have in kid in sha256. … https://github.com/jitsi/jitsi-meet/blob/master/resources/prosody-plugins/token/util.lib.lua#L124

xiran_li · August 27, 2019, 4:10pm

thanks!
I am reading your other reply in topic

You can use a common secret used to sign the token and prosody will use the same secret to verify it: app_secret = "example_app_secret";

I am trying to use this one:
so the app_secret is not the one I input when install jitsi-meet-token ? I should use the public key generated on the jwt.io ?

do I understand correctly ?

damencho · August 27, 2019, 4:15pm

I think I got confused and probably confused you.
So what are you trying to use the shared secret (this is the one that is configured in prosody by default on install time) or the public-private key?

xiran_li · August 27, 2019, 4:18pm

sorry for making you confused. i am new to Jitsi and JWT. so sometime cannot express my question clearly.
I am trying the shared secret.

damencho · August 27, 2019, 4:20pm

Ok, then choose hs256 and remove the kid and when encoding the token on jwt.io input your shared secret:

In the field “your-256-bit-secret”.

damencho · August 27, 2019, 4:22pm

Here in the doc are explained both types, shared secret hs256 and rs256:

Secret is used to compute HMAC hash value and verify the token for HS256 tokens.

Alternately the token may be signed by a private key and authorized via public keyserver using RS256 tokens. In this mode, the 'kid' header of the JWT must be set to the name of the public key. The backend server must be configured to fetch and confirm keys from a pre-configured public keyserver.

xiran_li · August 27, 2019, 4:49pm

really thanks for your patient and great help.
finally I have pass it.

so to achieve the multi-tenant. the username/pwd mode is not supported ? we can only use the token ?
I can just create different token for different company ?
like “room” = “companyA” or “room” =“companyB”
the common secret is the same so I should distinguish user by user name and meeting room ?
or I should use “group” ?

damencho · August 27, 2019, 8:55pm

You can use ‘group’, but you need more setup on nginx probably you will need to write some modules in prosody …
You can see it on meet.jit.si, you can use the following links https://meet.jit.si/companyA/roomname1 and https://meet.jit.si/companyB/roomname1 …