Jibri is not sending webhook Authorization header

deben · September 12, 2022, 3:42pm

I have set webhooks jwt token but jibri is not sending on status update.

It looks like jwt is configured properly.

Logs from jibri.

MainKt.main#55: Jibri starting up with id i-0df5096ee9f8c0a2a
2022-09-12 15:37:56.504 INFO: [1] JwtInfo$Companion.fromConfig#176: got jwtConfig: {
    # /etc/jitsi/jibri/jibri.conf: 56
    "audience" : "aud1",
    # /etc/jitsi/jibri/jibri.conf: 55
    "issuer" : "jibri",
    # /etc/jitsi/jibri/jibri.conf: 54
    "kid" : "jibri/recorder",
    # /etc/jitsi/jibri/jibri.conf: 53
    "signing-key-path" : "/etc/jitsi/jibri/private.pem",
    # /etc/jitsi/jibri/jibri.conf: 57
    "ttl" : "10 minute"
}

I made sure that rsa key exists and valid.

Request made from jibri:

saghul · September 13, 2022, 12:20pm

Send it where? How did you configure jibri?

deben · September 13, 2022, 1:08pm

To the webhooks subscriber endpoints.

Ref: jibri/reference.conf at 260cee3a118462aa419ff3b2e0ca2ac4645b7a92 · jitsi/jibri · GitHub

You can see my screenshot above jibri is posting its states to the /v1/status but authorization header is not present despite configured.

saghul · September 13, 2022, 2:13pm

Hum, looks like that header should be there: jibri/WebhookClient.kt at 8f198ae2c7c44622ccca73914dcdce72c3162da8 · jitsi/jibri · GitHub

deben · September 13, 2022, 5:22pm

Yeah, sadly it is not. Logs also show jwt configurations are loaded properly.

saghul · September 15, 2022, 7:27am

@oianc any idea?

oianc · September 16, 2022, 1:11pm

@deben Can you share the Jibri logs? Also, does the webhook work without Auth header?

deben · September 16, 2022, 1:41pm

yes, it is sending webhooks but without Auth header.

As I was pointing out these are the logs jibri supposed to be loading jwt config.


MainKt.main#55: Jibri starting up with id i-0df5096ee9f8c0a2a
2022-09-12 15:37:56.504 INFO: [1] JwtInfo$Companion.fromConfig#176: got jwtConfig: {
    # /etc/jitsi/jibri/jibri.conf: 56
    "audience" : "aud1",
    # /etc/jitsi/jibri/jibri.conf: 55
    "issuer" : "jibri",
    # /etc/jitsi/jibri/jibri.conf: 54
    "kid" : "jibri/recorder",
    # /etc/jitsi/jibri/jibri.conf: 53
    "signing-key-path" : "/etc/jitsi/jibri/private.pem",
    # /etc/jitsi/jibri/jibri.conf: 57
    "ttl" : "10 minute"
}

deben · September 20, 2022, 3:48am

@oianc any update on this?

RalucaT · September 21, 2022, 2:36pm

Hi! We were able to reproduce this issue. The problem is that even if the JwtInfo config is read correctly, it is read after the JWT used in the request was initialised. We don’t know yet why this happens, will look more into it in the following days.

deben · October 12, 2022, 8:06am

@RalucaT @oianc
Any update on this we’re really scared someone can discover this bug and screw our system with forged payload and spin thousands of instances.

RalucaT · October 12, 2022, 8:31am

Hi! This is on our backlog and we are planning to work on addressing this in the following weeks, we will keep you posted.

cbotiza · October 17, 2022, 6:46am

We’ve reproduced the issue and found a root cause.
Currently testing the fix.

cbotiza · October 18, 2022, 6:39am

the fix: fix: Authorization header sending for webhooks by cristianbotiza · Pull Request #493 · jitsi/jibri · GitHub

saghul · October 18, 2022, 6:40am

Thanks a lot @cbotiza !

deben · October 18, 2022, 9:03am

Thanks @cbotiza .

Any idea when it will land on stable repo?

cbotiza · October 19, 2022, 3:04pm

hi @deben, we’re aiming for sometime next week.

damencho · October 19, 2022, 3:21pm

The latest jibri is in stable since yesterday.

deben · November 1, 2022, 8:02am

I don’t know if I needed to create new topic, but I’m posting it here anyway, I guess it might have something to do with this behavior.

Jibri is sending expired JWT tokens not respecting the TTL from configuration, same token is being sent over and over without being refreshed.

saghul · November 1, 2022, 1:13pm

Ping @cbotiza