deben
September 12, 2022, 3:42pm
1
I have set the webhooks JWT token, but Jibri is not sending it on status update.
It looks like jwt is configured properly.
Logs from jibri.
MainKt.main#55: Jibri starting up with id i-0df5096ee9f8c0a2a
2022-09-12 15:37:56.504 INFO: [1] JwtInfo$Companion.fromConfig#176: got jwtConfig: {
# /etc/jitsi/jibri/jibri.conf: 56
"audience" : "aud1",
# /etc/jitsi/jibri/jibri.conf: 55
"issuer" : "jibri",
# /etc/jitsi/jibri/jibri.conf: 54
"kid" : "jibri/recorder",
# /etc/jitsi/jibri/jibri.conf: 53
"signing-key-path" : "/etc/jitsi/jibri/private.pem",
# /etc/jitsi/jibri/jibri.conf: 57
"ttl" : "10 minute"
}
I made sure that the RSA key exists and is valid.
Request made from jibri:
saghul
September 13, 2022, 12:20pm
2
Send it where? How did you configure jibri?
deben
September 13, 2022, 1:08pm
3
To the webhooks subscriber endpoints.
Ref: jibri/reference.conf at 260cee3a118462aa419ff3b2e0ca2ac4645b7a92 · jitsi/jibri · GitHub
As you can see in my screenshot above, Jibri is posting its states to /v1/status,
but the Authorization header is not present despite being configured.
saghul
September 13, 2022, 2:13pm
4
deben
September 13, 2022, 5:22pm
5
Yeah, sadly it is not. Logs also show jwt configurations are loaded properly.
oianc
September 16, 2022, 1:11pm
7
@deben Can you share the Jibri logs? Also, does the webhook work without Auth header?
deben
September 16, 2022, 1:41pm
8
Yes, it is sending webhooks, but without the Auth header.
As I was pointing out, these are the logs where Jibri is supposed to be loading the JWT config.
MainKt.main#55: Jibri starting up with id i-0df5096ee9f8c0a2a
2022-09-12 15:37:56.504 INFO: [1] JwtInfo$Companion.fromConfig#176: got jwtConfig: {
# /etc/jitsi/jibri/jibri.conf: 56
"audience" : "aud1",
# /etc/jitsi/jibri/jibri.conf: 55
"issuer" : "jibri",
# /etc/jitsi/jibri/jibri.conf: 54
"kid" : "jibri/recorder",
# /etc/jitsi/jibri/jibri.conf: 53
"signing-key-path" : "/etc/jitsi/jibri/private.pem",
# /etc/jitsi/jibri/jibri.conf: 57
"ttl" : "10 minute"
}
deben
September 20, 2022, 3:48am
9
@oianc any update on this?
RalucaT
September 21, 2022, 2:36pm
10
Hi! We were able to reproduce this issue. The problem is that even if the JwtInfo config is read correctly, it is read after the JWT used in the request was initialised. We don’t know yet why this happens, will look more into it in the following days.
deben
October 12, 2022, 8:06am
11
@RalucaT @oianc
Any update on this? We’re really scared someone can discover this bug and screw our system with a forged payload and spin up thousands of instances.
RalucaT
October 12, 2022, 8:31am
12
Hi! This is on our backlog and we are planning to work on addressing this in the following weeks, we will keep you posted.
1 Like
cbotiza
October 17, 2022, 6:46am
13
We’ve reproduced the issue and found a root cause.
Currently testing the fix.
1 Like
cbotiza
October 18, 2022, 6:39am
14
1 Like
deben
October 18, 2022, 9:03am
16
Thanks @cbotiza.
Any idea when it will land on the stable repo?
cbotiza
October 19, 2022, 3:04pm
17
Hi @deben, we’re aiming for sometime next week.
1 Like
The latest jibri is in stable since yesterday.
3 Likes
deben
November 1, 2022, 8:02am
19
I don’t know if I needed to create a new topic, but I’m posting it here anyway; I guess it might have something to do with this behavior.
Jibri is sending expired JWT tokens, not respecting the TTL from the configuration; the same token is being sent over and over without being refreshed.
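A receiver-side check for the two failure modes reported in this thread (webhooks arriving with no Authorization header, and tokens resent after expiry), as an added example that is not part of any post and is not Jibri's code. It assumes the token arrives as `Authorization: Bearer <jwt>` signed with RS256, that headers are a plain dict, and that the public key is supplied as integers `n` and `e`; the `iss`, `aud` and `kid` values are the ones in the jwtConfig log above, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# iss, aud and kid are the values shown in the jwtConfig log in this thread.
ISS, AUD, KID = "jibri", "aud1", "jibri/recorder"
# ASN.1 DigestInfo prefix for SHA-256 in PKCS#1 v1.5 signatures (RFC 8017).
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    """Decode unpadded base64url, as used in JWT segments."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkcs1_pad(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(msg, sig, n, e):
    """Verify an RS256 signature against public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_pad(msg, k))

def check_webhook_auth(headers, n, e, now=None):
    """Return (ok, reason); fail closed on anything but a valid, unexpired token."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")  # assumption: plain dict of headers
    if not auth.startswith("Bearer "):       # assumption: Bearer scheme
        return False, "missing bearer token"
    try:
        h64, p64, s64 = auth[len("Bearer "):].split(".")
        hdr, claims, sig = json.loads(b64d(h64)), json.loads(b64d(p64)), b64d(s64)
        if not (isinstance(hdr, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm and key id instead of trusting what the token claims.
    if hdr.get("alg") != "RS256" or hdr.get("kid") != KID:
        return False, "unexpected alg or kid"
    if not rs256_verify(f"{h64}.{p64}".encode(), sig, n, e):
        return False, "bad signature"
    aud = claims.get("aud")
    if claims.get("iss") != ISS or AUD not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong issuer or audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    return True, "ok"
```

Rejecting the request when the header is absent, rather than skipping the check, is what makes a missing-header bug on the sender visible as failed deliveries instead of an open endpoint.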