Iframe api - how to secure configOverwrite and interfaceConfigOverwrite

luiru · May 18, 2023, 11:48am

I would like to use iFrame API with a self-hosted Jitsi installation.

I need to make sure that:

only people I decide should be able to participate to the meeting
people should have one of the following roles:

power user: can do a lot of things (I do not use the term “moderator” which is used by Jitsi, too)
simple participant: can do a few things

From my understanding (I am quite new to Jitsi):

I can make sure that only authenticated people can join the meeting:

setting ENABLE_GUESTS=false so that unknown people cannot join the room
using JWT authentication, so that I can set their username, and they cannot modify it
The main problem with this solution is that all the users authenticated using JWT are Jitsi moderators, am I missing something?

I can use iFrame API to customize UI based on their application role. The problem is that a user could potentially see the HTML source code and create an HTML page with the same code, modifying only certain parameters to customize their UI. For example, in my application I would like the “power user” to create breakout rooms and to add “simple participants” to the breakout room, while “simple participants” cannot create breakout rooms and cannot join autonomously breakout rooms. I can achieve that with iFrame API, but I cannot prevent a user from downloading the page and changing the parameters to allow himself to create and join breakout rooms.
Is there a way to enforce that configOverwrite and interfaceConfigOverwrite are not modified by the user? I think the ideal case would be to have them inside the JWT token

Freddie · May 18, 2023, 12:13pm

Not quite. You can allow/disallow certain privileges in JWT.

luiru · May 18, 2023, 12:37pm

These are all the parameters I can put in JWT, are there more? For example, can I disable for a particular user breakout room creation directly in JWT?

{
  "context": {
    "features": {
      "livestreaming": false,
      "outbound-call": false,
      "sip-outbound-call": false,
      "transcription": false,
      "recording": false
    },
    "user": {
      "hidden-from-recorder": false,
      "moderator": false,
      "name": "simple participant",
      "avatar": "",
      "email": "test.user@company.com"
    }
  },
  "aud": "my_jitsi_app_id",
  "iss": "my_jitsi_app_id",
  "sub": "my_jitsi_app_id",
  "room": "sampleroom2",
  "iat": 1684513860,
  "exp": 1684513860
}

also, “moderator”: false is not working.

damencho · May 18, 2023, 1:17pm

If you are getting these examples from JaaS documentation, those is how JaaS is configured and it is the token to use for jaas.

Not all features from JaaS come as it is with the self-hosted deployment without manual configuration.

For example, on your self hosted deployment you can use this module prosody-plugins/token_affiliation at main · jitsi-contrib/prosody-plugins · GitHub to control affiliation (moderator or not), similar to the example you posted above "moderator": true, but with that module it is "affiliation": "owner".

emrah · May 18, 2023, 2:10pm

FYI: it accepts also "moderator": true

github.com

jitsi-contrib/prosody-plugins/blob/main/token_affiliation/mod_token_affiliation.lua#L34-L37


      
          elseif context_user["moderator"] == "true" then
              affiliation = "owner"
          elseif context_user["moderator"] == true then
              affiliation = "owner"

emrah · May 18, 2023, 2:12pm

Most probably you enabled the external auth in jicofo. In this case, the participant will be moderator if she has a token.

luiru · May 22, 2023, 3:32pm

Thanks, now it makes perfectly sense.

luiru · May 25, 2023, 11:15am

I tried to use mod_token_affiliation, but it is not working. I just created a post with all the details.