I have installed the token plugin. How do I create users and groups?

I have installed jitsi-meet-token and edited the config following the doc below.


I am not using a secret server but just use a common secret key.

Now when I try to create a meeting, a username/password window pops up.
I have tried to create a new user using:
prosodyctl register auth.jitsi.example
prosodyctl adduser

but the new users cannot log in. I inspected the request/response:
request:
<iq type='get' to='jitsi.example.com' id='_auth_1' xmlns='jabber:client'>
  <query xmlns='jabber:iq:auth'>
    <username></username>
  </query>
</iq>

response:
<service-unavailable xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>

So this looks like a config problem?

And I want to ask:

  1. How do I register a new user so they can log in?
  2. How do I create groups for multi-tenancy? E.g. users in group1 will go to jitsi.example.com/group1/room, and group2 will go to jitsi.example.com/group2/room.

When you configure tokens, when joining a conference you need to provide a correctly signed token as a parameter ?jwt=… Are you providing it? You can use https://jwt.io/ to generate tokens so you can test. When using tokens there are no users to create or anything. Creating and authenticating users is the responsibility of the service providing the tokens.

This is a setting in your webserver; you'd better use nginx when deploying so you can have more flexibility.

I see in the doc that there is an attribute "group" in the JWT. Is that set in the webserver too?

No, it's just that you create a token for group 'jitsi' and the user using that token can connect to https://meet.jit.si/jitsi/someRoom, and if the user tries to use the JWT with group 'google' access will be denied, as the token will not be verified against the URL.

@damencho

I have generated a token on jwt.io. I copied the token from the left panel of the page (the encoded section).
header
{
  "kid": "my_app_shared_secret",
  "typ": "JWT",
  "alg": "RS256"
}

payload
{
  "context": {
    "user": {
      "avatar": "https:/gravatar.com/avatar/abc123",
      "name": "John Doe",
      "email": "jdoe@example.com",
      "id": "abcd:a1b2c3-d4e5f6-0abc1-23de-abcdef01fedcba"
    }
  },
  "aud": "my_app_id",
  "iss": "my_app_id",
  "sub": "jitis.example.com",
  "room": "*",
  "exp": 1500006923
}

The URL is
https://jitis.example.com/room1?jwt=

I have installed prosody-trunk_1nightly747-1_trusty_amd64.

The virtual host defines:
VirtualHost "jitsi.example.com"
    authentication = "token"
    app_id = "my_app_id"
    app_secret = "my_app_shared_secret"
    allow_empty_token = false
    ssl = {
        key = "/etc/prosody/certs/jitsi.example.com.key";
        certificate = "/etc/prosody/certs/jitsi.example.com.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
        "presence_identity"; -- not sure if this module is needed
    }
    c2s_require_encryption = false

Now when I try to create a room and log in, the prosody log throws an error:
Aug 27 15:18:55 general warn Error verifying token err:not-allowed, reason:Not a public PEM key

Remove kid and try again. kid is for when you sign with a certificate (not a shared secret), and then you need to configure prosody with where to fetch the public keys from to verify it.

In this doc


I find:
Alternately the token may be signed by a private key and authorized via public keyserver using RS256 tokens. In this mode, the ‘kid’ header of the JWT must be set to the name of the public key. The backend server must be configured to fetch and confirm keys from a pre-configured public keyserver.

Is there any doc about "configured to fetch and confirm keys from a pre-configured public keyserver"?

I don’t think we have any other doc for tokens. With public/private key you cannot use jwt.io, I think.

You just need to configure the asapKeyServer in your prosody instance. This is an HTTP server from where prosody will try to download public keys whose name matches what you have in kid, in sha256. … https://github.com/jitsi/jitsi-meet/blob/master/resources/prosody-plugins/token/util.lib.lua#L124

Thanks!
I am reading your other reply in the topic:

You can use a common secret used to sign the token and prosody will use the same secret to verify it: app_secret = "example_app_secret";

I am trying to use this one:
So the app_secret is not the one I input when installing jitsi-meet-token? I should use the public key generated on jwt.io?

Do I understand correctly?

I think I got confused and probably confused you.
So which are you trying to use, the shared secret (this is the one that is configured in prosody by default at install time) or the public/private key?

Sorry for confusing you. I am new to Jitsi and JWT, so sometimes I cannot express my question clearly.
I am trying the shared secret.

OK, then choose HS256, remove the kid, and when encoding the token on jwt.io input your shared secret:


In the field "your-256-bit-secret".

Here in the doc both types are explained, shared secret HS256 and RS256:

Secret is used to compute HMAC hash value and verify the token for HS256 tokens.

Alternately the token may be signed by a private key and authorized via public keyserver using RS256 tokens. In this mode, the 'kid' header of the JWT must be set to the name of the public key. The backend server must be configured to fetch and confirm keys from a pre-configured public keyserver.

Really, thanks for your patience and great help.
Finally I have passed it.

So to achieve multi-tenancy, the username/password mode is not supported? We can only use the token?
Can I just create a different token for each company?
Like "room" = "companyA" or "room" = "companyB"?
The common secret is the same, so should I distinguish users by user name and meeting room?
Or should I use "group"?

You can use 'group', but you need more setup on nginx; probably you will need to write some modules in prosody …
You can see it on meet.jit.si: you can use the following links https://meet.jit.si/companyA/roomname1 and https://meet.jit.si/companyB/roomname1
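As an added example (not code from this thread or from the Jitsi project), this is what jwt.io does for the HS256 case described above, followed by the checks a verifier makes on the thread's claims, including the room/group-versus-URL rule from the last reply. The claim names and the app_id/app_secret names are the thread's; the path-splitting rule and the reason strings are assumptions, and the sample values are constructed.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, shared_secret: str) -> str:
    # Same construction jwt.io uses for HS256 with the secret typed into "your-256-bit-secret":
    # base64url(header) . base64url(payload) . base64url(HMAC-SHA256(secret, header.payload))
    header = {"typ": "JWT", "alg": "HS256"}  # no "kid": that header only drives RS256 key lookup
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, claims))
    sig = hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_token(token: str, shared_secret: str, app_id: str, url_path: str, now: int):
    """Return (ok, reason): signature with the shared secret, aud/iss against app_id,
    exp against now, then room/group claims against a URL path of /<group>/<room> (assumed)."""
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":  # RS256 + kid needs a public key server, not the shared secret
        return False, "not an HS256 token"
    expected = hmac.new(shared_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("aud") != app_id or claims.get("iss") != app_id:
        return False, "aud/iss mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    parts = [x for x in url_path.split("/") if x]  # "/companyA/room1" -> ["companyA", "room1"]
    room = parts[-1] if parts else ""
    group = parts[0] if len(parts) > 1 else ""
    if claims.get("room") not in ("*", room):  # "*" is the wildcard used in the thread's payload
        return False, "room mismatch"
    if "group" in claims and claims["group"] != group:  # tenant token must match the URL prefix
        return False, "group mismatch"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: one tenant token signed with the shared secret from the thread's config.
    secret, now = "my_app_shared_secret", int(time.time())
    claims = {"aud": "my_app_id", "iss": "my_app_id", "sub": "jitsi.example.com",
              "room": "*", "group": "companyA", "exp": now + 3600}
    tok = sign_hs256(claims, secret)
    print(verify_token(tok, secret, "my_app_id", "/companyA/room1", now))  # (True, 'ok')
    print(verify_token(tok, secret, "my_app_id", "/companyB/room1", now))  # (False, 'group mismatch')
```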