Is jicofo assigning the moderator role to JWT-authenticated users?

Hi

I have just created a custom prosody module and integrated it into our instance. The custom prosody module works as implemented.

The module is developed to set the affiliation of an occupant based on a JWT token field value. When the JWT payload has moderator set to true, the user becomes owner (moderator); otherwise member.

By debugging the module, I can see the affiliation is set successfully based on the token (checked in the prosody log).

The problem is that all users joining with a JWT are being given moderator permission, irrespective of the moderator field value in the payload.

Now I have checked the XMPP websocket connection messages in the network tab of the browser. I found that three incoming messages are received regarding the affiliation, in the following order

  1. With affiliation none, role participant
  2. With affiliation member (I hope this is done by my custom prosody module)
  3. With affiliation owner

The last message is the one considered for assigning the role…

Who sends that third stanza? Is it jicofo…?

How to prevent that? I want to use only my custom module for assigning the role based on the JWT token…

Thank you

If that is the case you will see in the jicofo logs: Electing new owner....
There is owner election by default, but only for the first participant, and you can switch that off:


Actually jitsi-meet is using prosody, software that is supposed to conform to a standard (XMPP), and the particular implementation (MUC) requires an owner for a room, so the idea of a room without an owner doesn't seem a good idea.
Note that in the Jitsi-meet documentation and code, the terms 'roles' and 'affiliations' are used without much concern for the standard.


@damencho @gpatel-fr

I'm using the following Lua script (from emrahcom), mod_token_affiliation.lua

local LOGLEVEL = "info"

local is_admin = require "core.usermanager".is_admin
local is_healthcheck_room = module:require "util".is_healthcheck_room
module:log(LOGLEVEL, "loaded")

-- True when the JID is a Prosody admin on this host; admins are left untouched.
local function _is_admin(jid)
    return is_admin(jid, module.host)
end

module:hook("muc-occupant-joined", function (event)
    local room, occupant = event.room, event.occupant

    -- Never touch health-check rooms or admin users.
    if is_healthcheck_room(room.jid) or _is_admin(occupant.jid) then
        module:log(LOGLEVEL, "skip affiliation, %s", occupant.jid)
        return
    end

    -- Only occupants that authenticated with a JWT get an affiliation from here.
    if not event.origin.auth_token then
        module:log(LOGLEVEL, "skip affiliation, no token")
        return
    end

    -- Every token holder is at least "member"; the token's context.user.affiliation
    -- can raise that to "owner" (Jitsi's "moderator" maps to the MUC "owner" affiliation).
    local affiliation = "member"
    local context_user = event.origin.jitsi_meet_context_user

    if context_user then
        if context_user["affiliation"] == "owner" then
            affiliation = "owner"
        elseif context_user["affiliation"] == "moderator" then
            affiliation = "owner"
        end
    end

    module:log(LOGLEVEL, "affiliation: %s", affiliation)
    -- Passing true as the actor makes the room apply the change itself
    -- (no permission check, and no <actor/> element in the resulting presence).
    room:set_affiliation(true, occupant.bare_jid, affiliation)
end)

I enabled the above module in the conference vhost. The module is running successfully.

Below is the order of presences received from prosody (debugging through the network tab)

<!-- First - I think this is the jicofo focus user -->

<presence to="9c5e21b4-7937-4c81-8e54-a1ffd1c94676@jitsimeet.example.com/0trAgtvz" id="umJhd-334" xmlns="jabber:client" from="nay-kold-slo@conference.jitsimeet.example.com/focus">
	<etherpad xmlns="http://jitsi.org/jitmeet/etherpad">
		nay-kold-slo
	</etherpad>
	<versions xmlns="http://jitsi.org/jitmeet">
		<component name="focus">
			1.0.756
		</component>
	</versions>
	<conference-properties xmlns="http://jitsi.org/protocol/focus">
		<property key="support-terminate-restart" value="true" />
	</conference-properties>
	<c node="http://jitsi.org/jicofo" hash="sha-1" xmlns="http://jabber.org/protocol/caps" ver="Lg0vhCNhxjoeKJi2/hukdsizNWA=" />
	<x xmlns="vcard-temp:x:update">
		<photo />
	</x>
	<x xmlns="http://jabber.org/protocol/muc#user">
		<item role="moderator" affiliation="owner" jid="focus@auth.jitsimeet.example.com/focus" />
	</x>
</presence>


<!-- Second -->

<presence from="nay-kold-slo@conference.jitsimeet.example.com/9c5e21b4" xmlns="jabber:client" to="9c5e21b4-7937-4c81-8e54-a1ffd1c94676@jitsimeet.example.com/0trAgtvz">
	<stats-id>
		Hilma-nyV
	</stats-id>
	<c node="http://jitsi.org/jitsimeet" hash="sha-1" xmlns="http://jabber.org/protocol/caps" ver="ZYz/Bk0YZmQuoeSFs25VOxJYXf4=" />
	<features>
		<feature var="https://jitsi.org/meet/e2ee" />
	</features>
	<jitsi_participant_codecType>
		vp8
	</jitsi_participant_codecType>
	<avatar-url>
		https://ahcompany.example.net/account/api/meeting/profile/image?email=tom.cruise@ahcompany.com&amp;height=640&amp;width=640&amp;room_id=nay-kold-slo
	</avatar-url>
	<email>
		tom.cruise@ahcompany.com
	</email>
	<nick xmlns="http://jabber.org/protocol/nick">
		Tom Cruise
	</nick>
	<jitsi_participant_e2ee.idKey>
		yjDHlxBXCa4nOCf5L3ZBO8/H2+1aenc6hgedYfgkT0U
	</jitsi_participant_e2ee.idKey>
	<x xmlns="vcard-temp:x:update">
		<photo />
	</x>
	<identity>
		<user>
			<affiliation>
				member
			</affiliation>
			<name>
				Tom Cruise
			</name>
			<avatar>
				https://ahcompany.example.net/account/api/meeting/profile/image?email=tom.cruise@ahcompany.com&amp;height=640&amp;width=640&amp;room_id=nay-kold-slo
			</avatar>
			<id>
				tom.cruise
			</id>
			<email>
				tom.cruise@ahcompany.com
			</email>
		</user>
	</identity>
	<x xmlns="http://jabber.org/protocol/muc#user">
		<status code="100" />
		<item role="participant" affiliation="none" jid="9c5e21b4-7937-4c81-8e54-a1ffd1c94676@jitsimeet.example.com/0trAgtvz" />
		<status code="110" />
	</x>
</presence>


<!-- Third - I think this is from mod_token_affiliation and this is what I needed -->

<presence from="nay-kold-slo@conference.jitsimeet.example.com/9c5e21b4" xmlns="jabber:client" to="9c5e21b4-7937-4c81-8e54-a1ffd1c94676@jitsimeet.example.com/0trAgtvz">
	<stats-id>
		Hilma-nyV
	</stats-id>
	<c node="http://jitsi.org/jitsimeet" hash="sha-1" xmlns="http://jabber.org/protocol/caps" ver="ZYz/Bk0YZmQuoeSFs25VOxJYXf4=" />
	<features>
		<feature var="https://jitsi.org/meet/e2ee" />
	</features>
	<jitsi_participant_codecType>
		vp8
	</jitsi_participant_codecType>
	<avatar-url>
		https://ahcompany.example.net/account/api/meeting/profile/image?email=tom.cruise@ahcompany.com&amp;height=640&amp;width=640&amp;room_id=nay-kold-slo
	</avatar-url>
	<email>
		tom.cruise@ahcompany.com
	</email>
	<nick xmlns="http://jabber.org/protocol/nick">
		Tom Cruise
	</nick>
	<jitsi_participant_e2ee.idKey>
		yjDHlxBXCa4nOCf5L3ZBO8/H2+1aenc6hgedYfgkT0U
	</jitsi_participant_e2ee.idKey>
	<x xmlns="vcard-temp:x:update">
		<photo />
	</x>
	<identity>
		<user>
			<affiliation>
				member
			</affiliation>
			<name>
				Tom Cruise
			</name>
			<avatar>
				https://ahcompany.example.net/account/api/meeting/profile/image?email=tom.cruise@ahcompany.com&amp;height=640&amp;width=640&amp;room_id=nay-kold-slo
			</avatar>
			<id>
				tom.cruise
			</id>
			<email>
				tom.cruise@ahcompany.com
			</email>
		</user>
	</identity>
	<x xmlns="http://jabber.org/protocol/muc#user">
		<item role="participant" affiliation="member" jid="9c5e21b4-7937-4c81-8e54-a1ffd1c94676@jitsimeet.example.com/0trAgtvz" />
		<status code="110" />
	</x>
</presence>


<!-- Fourth - Unexpected presence coming, now the user becomes moderator -->

<presence from="nay-kold-slo@conference.jitsimeet.example.com/9c5e21b4" xmlns="jabber:client" to="9c5e21b4-7937-4c81-8e54-a1ffd1c94676@jitsimeet.example.com/0trAgtvz">
	<stats-id>
		Hilma-nyV
	</stats-id>
	<c node="http://jitsi.org/jitsimeet" hash="sha-1" xmlns="http://jabber.org/protocol/caps" ver="ZYz/Bk0YZmQuoeSFs25VOxJYXf4=" />
	<features>
		<feature var="https://jitsi.org/meet/e2ee" />
	</features>
	<jitsi_participant_codecType>
		vp8
	</jitsi_participant_codecType>
	<avatar-url>
		https://ahcompany.example.net/account/api/meeting/profile/image?email=tom.cruise@ahcompany.com&amp;height=640&amp;width=640&amp;room_id=nay-kold-slo
	</avatar-url>
	<email>
		tom.cruise@ahcompany.com
	</email>
	<nick xmlns="http://jabber.org/protocol/nick">
		Tom Cruise
	</nick>
	<jitsi_participant_e2ee.idKey>
		yjDHlxBXCa4nOCf5L3ZBO8/H2+1aenc6hgedYfgkT0U
	</jitsi_participant_e2ee.idKey>
	<x xmlns="vcard-temp:x:update">
		<photo />
	</x>
	<identity>
		<user>
			<affiliation>
				member
			</affiliation>
			<name>
				Tom Cruise
			</name>
			<avatar>
				https://ahcompany.example.net/account/api/meeting/profile/image?email=tom.cruise@ahcompany.com&amp;height=640&amp;width=640&amp;room_id=nay-kold-slo
			</avatar>
			<id>
				tom.cruise
			</id>
			<email>
				tom.cruise@ahcompany.com
			</email>
		</user>
	</identity>
	<x xmlns="http://jabber.org/protocol/muc#user">
		<item role="moderator" affiliation="owner" jid="9c5e21b4-7937-4c81-8e54-a1ffd1c94676@jitsimeet.example.com/0trAgtvz">
			<actor nick="focus" />
		</item>
		<status code="110" />
	</x>
</presence>

Where does that fourth presence come from? I just want to disable that behavior; the third presence is what I needed.

Here is my config in /etc/jitsi/jicofo/sip-communicator.properties

org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsimeet.example.com

org.jitsi.jicofo.auth.URL=EXT_JWT:jitsimeet.example.com

org.jitsi.jicofo.DISABLE_AUTO_OWNER=true

org.jitsi.jicofo.auth.DISABLE_AUTOLOGIN=true
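A small diagnostic for the sequence of presences posted above, added here as an example and not part of the thread or of any Jitsi project code: it parses the muc#user payload of each captured presence, rebuilds the affiliation timeline for one occupant, and reports whether the last change carried an actor element (Jicofo shows up as nick "focus") or none (as when a server-side module sets the affiliation with the room as actor). The stanzas are constructed, trimmed copies of the four on the page with placeholder JIDs.

```python
"""Reconstruct who changed an occupant's MUC affiliation from captured presences."""
import xml.etree.ElementTree as ET

MUC_USER = "{http://jabber.org/protocol/muc#user}"

# Constructed, trimmed copies of the four presences seen in the network tab;
# everything except the muc#user payload is dropped and JIDs are placeholders.
CAPTURED = [
    '<presence xmlns="jabber:client" from="room@conference.example.org/focus">'
    '<x xmlns="http://jabber.org/protocol/muc#user">'
    '<item role="moderator" affiliation="owner" jid="focus@auth.example.org/focus"/>'
    '</x></presence>',
    '<presence xmlns="jabber:client" from="room@conference.example.org/abcd">'
    '<x xmlns="http://jabber.org/protocol/muc#user"><status code="100"/>'
    '<item role="participant" affiliation="none" jid="abcd@example.org/res"/>'
    '<status code="110"/></x></presence>',
    '<presence xmlns="jabber:client" from="room@conference.example.org/abcd">'
    '<x xmlns="http://jabber.org/protocol/muc#user">'
    '<item role="participant" affiliation="member" jid="abcd@example.org/res"/>'
    '<status code="110"/></x></presence>',
    '<presence xmlns="jabber:client" from="room@conference.example.org/abcd">'
    '<x xmlns="http://jabber.org/protocol/muc#user">'
    '<item role="moderator" affiliation="owner" jid="abcd@example.org/res">'
    '<actor nick="focus"/></item><status code="110"/></x></presence>',
]


def affiliation_timeline(stanzas, occupant_jid):
    """Return (affiliation, role, actor_nick) for each presence about occupant_jid.

    actor_nick is taken from <actor/> when the change was made on behalf of
    another occupant; it is None when the presence carries no actor element.
    """
    timeline = []
    for raw in stanzas:
        item = ET.fromstring(raw).find(f"{MUC_USER}x/{MUC_USER}item")
        if item is None or item.get("jid") != occupant_jid:
            continue  # presence about another occupant, or no MUC payload
        actor = item.find(f"{MUC_USER}actor")
        timeline.append((item.get("affiliation"), item.get("role"),
                         actor.get("nick") if actor is not None else None))
    return timeline


def final_grant(stanzas, occupant_jid):
    """(affiliation, actor_nick) of the last presence, i.e. what the client keeps."""
    timeline = affiliation_timeline(stanzas, occupant_jid)
    if not timeline:
        return None
    affiliation, _, actor = timeline[-1]
    return affiliation, actor
```

Run against a real capture, an entry whose actor is "focus" after a module-set entry without an actor is the signature of Jicofo overriding the module.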

hmmm… do you use Docker? There seems to be something murky going on with this config. I don't use either @emrah's module or Docker myself.
Nonetheless, debugging the Prosody exchange in the browser network tab seems difficult, since when a user (Jicofo is a user) sets an affiliation, it's done with an iq sent to the room, and you will see (I think) only the resulting presence, not the original message (since the connected user is not the room).
The debug log of Prosody (warning!! it's huge and messy) seems more appropriate.


@gpatel-fr

Not using docker.

So you are telling me that jicofo sets the affiliation (owner) for the authenticated user (with JWT) joining the room.

Could you point out the line of code where jicofo does this?

Thank you

I am not so sure of that; what I am saying is that it's not likely one can say something definitive based on a workstation log. Looking back at your config data, I see that you have:

org.jitsi.jicofo.auth.URL=EXT_JWT:jitsimeet.example.com

while the how-to from the module says:

-- 4) If exists, remove or comment org.jitsi.jicofo.auth.URL line in
--    /etc/jitsi/jicofo/sip-communicator.properties
--
--    #org.jitsi.jicofo.auth.URL=...

Emrah's mod_token_affiliation document instructs to remove

org.jitsi.jicofo.auth.URL

But it prevents built-in features of jitsi meet like the Waiting for the Host dialog…

I don't think it's prevented by the module. There is no such scenario for making guests wait when JWT authentication is enabled

If you are deliberately not following instructions I think you should be prepared for side effects :slight_smile:

The following IQ stanza is pushed from Jicofo

<iq type="error" from="focus.jitsimeet.example.com" xmlns="jabber:client" id="69b94c5c-4170-4b1c-b374-2fb3aa894a4d:sendIQ" to="27eef23b-ed73-458e-8582-5c0cf18f9e0b@guest.jitsimeet.example.com/DIeXajxN">
	<error type="auth">
		<not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas" />
		<text xmlns="urn:ietf:params:xml:ns:xmpp-stanzas" xml:lang="en">
			not authorized user domain
		</text>
	</error>
</iq>

Once the Jitsi Meet frontend receives this kind of IQ stanza reply, it shows the Wait for the Host dialog.

But the thing is, if I remove org.jitsi.jicofo.auth.URL from /etc/jitsi/jicofo/sip-communicator.properties, Jicofo doesn't push such an IQ stanza, which means no more Wait for the Host dialog.

Now I'm wondering why Jitsi sends these IQ stanzas from Jicofo. They should have handled those cases in prosody itself (modules).

It seems that you are not the first searching for this kind of setup:

@gpatel-fr

I have accomplished these things. I mean the Wait for the Host dialog is shown when a guest user tries to join/create a room without any moderator in it. I have deployed Jitsi Meet with a secure domain using the JWT method.

But the thing is that everyone joining with a JWT token is granted moderator privilege. I only want to grant moderator to JWT-authenticated users whose token payload has the moderator field set to true.

I have used that custom module for that, and the module works as implemented: affiliation is granted based on the token payload. But Jicofo is interfering with authentication, overriding the affiliation set by the custom module. That is clearly described above, with the order in which the stanzas come in.

Assuming you are talking about the token_owner_party module

You can change it at the following line, but it doesn't work


@emrah

I have tried that module; it prevents room creation when a guest joins/creates a room without anyone (a moderator) in it. But the thing is, it doesn't show the Waiting for the Host dialog, as the response coming from token_owner_party is somewhat different from the IQ stanza returned by Jicofo.

The current code in the Jitsi Meet frontend handles (shows) the Waiting for the Host dialog when receiving this IQ stanza (the stanza below is returned by Jicofo)

<iq type="error" from="focus.jitsimeet.example.com" xmlns="jabber:client" id="69b94c5c-4170-4b1c-b374-2fb3aa894a4d:sendIQ" to="27eef23b-ed73-458e-8582-5c0cf18f9e0b@guest.jitsimeet.example.com/DIeXajxN">
	<error type="auth">
		<not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas" />
		<text xmlns="urn:ietf:params:xml:ns:xmpp-stanzas" xml:lang="en">
			not authorized user domain
		</text>
	</error>
</iq>

and the presence stanza returned by that custom module is

<presence type="error" to="5fbbac73-7c07-4025-8495-1dee21edfe09@guest.jitsimeet.exmple.com/_qbSLagf" xmlns="jabber:client" from="qoc-3njv-e2f@conference.jitsimeet.exmple.com/5fbbac73">
	<error type="cancel">
		<not-allowed xmlns="urn:ietf:params:xml:ns:xmpp-stanzas" />
	</error>
</presence>

OK, change the stanzas in the code from cancel.not-allowed to auth.not-authorized.
But I meant this won't make a difference

Yes exactly, it won't make any difference.

What I understood is that lib-jitsi-meet sends an IQ stanza (with a unique id attribute in the XML), this IQ stanza is handled in Jicofo, which then returns <iq type="error" .......<not-authorized/>...</iq>, and lib-jitsi-meet then triggers the Wait for the Host dialog.

Now I'm wondering, is it possible to intercept that IQ stanza from a custom prosody module, so I can override the jicofo IQ reply?