Jicofo autologin not working

Hello,

We are hosting an instance of Jitsi Meet where everyone needs a shared password to access rooms (which means our Prosody main domain has authentication = "internal_plain").
It works correctly but users must reenter their password every time they join a room, which is a bit annoying.

I read some threads about Jicofo autologin and if I understand correctly, it should be enabled by default?
It has never worked for us and it is not disabled in our config.
We only have this in /etc/jitsi/jicofo/sip-communicator.properties:

org.jitsi.jicofo.BRIDGE_MUC=xxx@internal.auth.example.com

Does anyone know why autologin would not work?

What does that mean? You have created one user and password and you are sharing it between all users?

Exactly, we only have one user shared between every member of our team.
Our use case is that we are a small team of only ~10 people and the login is only there to prevent random people from using our Jitsi instance.

I think you are talking about the following params:

If I understand the code correctly, autologin should be enabled by default if we don’t override this parameter?

Here is what we have in /etc/jitsi/jicofo/jicofo.conf:

# Jicofo HOCON configuration. See /usr/share/jicofo/jicofo.jar/reference.conf for
#available options, syntax, and default values.
jicofo {
  authentication: {
    enabled: true
    type: XMPP
    login-url: example.com
  }
  xmpp: {
    client: {
      client-proxy: focus.example.com
    }
    trusted-domains: [ "recorder.example.com" ]
  }
}

Edit: logs seem to confirm that autologin is enabled:

Jicofo 2022-11-02 12:43:49.026 INFO: [1] JicofoServices.createAuthenticationAuthority#180: Starting authentication service with config=AuthConfig[enabled=true, type=XMPP, loginUrl=visio.insite.coop, logoutUrl=null, authenticationLifetime=PT24H, enableAutoLogin=true].
Jicofo 2022-11-02 12:43:49.039 INFO: [1] AbstractAuthAuthority.<init>#112: Authentication lifetime: PT24H

Yep, it is by default and is based on an id that is generated on your local computer. But everyone from the team is clearing that id with a new value and preventing it from working.
You can try creating 10 credentials so everyone has their own …
Another option is to get inspired by the jitsi-contrib modules and create your own module that will make every room locked with the same key. This way you can share that key with everyone.

I tried creating a new Prosody user just for myself and it does not seem to work either.
It still asks me to login every time I try to create or join a room.

:frowning: I don’t know. This functionality is not used by the team and is community-driven, so any PRs are welcome.

Check out this: Persistent Passwords on Self Hosted Rooms - #12 by osys

You can add:

-- Shared password applied to every newly created room.
local pass = "my super secret pass";

module:hook("muc-room-created", function (event)
    local room = event.room;
    module:log("debug", "hooked room create for %s", tostring(room));

    local success = room:set_password(pass);

    -- Log the outcome without writing the password itself to the log.
    if not success then
        module:log("warn", "Failed to set password for %s.", tostring(room));
    else
        module:log("debug", "Set password for %s.", tostring(room));
    end
    return nil;
end, 0);

And all rooms will have the same password: “my super secret pass”.
Enable it under the conference muc component.

Thanks but I’m not sure this will solve our problem. Isn’t the room password also asked every time?

Yep, but it is simpler than a username and password.

Just offering a simpler solution. If that does not work, you can try debugging with some prints in jicofo and see why the auto-login does not work for you … It should be working for 24 hours, I think; it keeps track of the session-id in memory for 24 hours. If you restart jicofo between attempts it will not work.

Last time I tested Jicofo Auto Login was in Feb 2022, and back then it did work as advertised. Haven’t tried since so no idea if it has since broken.

If your goal is mainly to remove as much friction as possible for your users, another option would be to use JWT auth then build a simple app that generates the token and forwards users on to the meeting each time they visit.

You can then control who can access meetings by controlling who has access to your app.

Some benefits of this approach:

  1. Users never need to enter username/password in jitsi. Not even once daily as you’d need to with jicofo-auto-login.
  2. You can regularly rotate server secrets. As long as the app has access to the same secrets, this is painless and transparent to users as you won’t need to redistribute new credentials to users.
  3. You have lots of flexibility over how you control access, e.g.
    • make the app internal to your organisation so only your colleagues have access. (Jitsi can still be publicly accessible).
    • you can use other auth mechanisms that are already available to your organisation e.g. Single-sign on, Auth0, Google, …
  4. You could invite guests to meetings without giving them any credentials. Just provide them a meeting link containing a JWT token that is limited to one room and valid only for a specified time period
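
The room-limited, time-limited token from point 4, as an added example that is not part of the original posts or of Jitsi's own code: it mints an HS256 JWT for one room and mirrors the checks a verifier should make (algorithm, signature, validity window, room). APP_ID, APP_SECRET, the "jitsi" audience value and the function names are assumptions; the claim names (iss, aud, sub, room, exp) follow Jitsi's token-auth convention and must match the server's token configuration.

```python
import base64, hashlib, hmac, json, time

# Placeholders (assumptions): these must match the application id and secret
# configured for token auth on the server. The secret below is constructed.
APP_ID = "my_app_id"
APP_SECRET = b"constructed-demo-secret-rotate-me"
DOMAIN = "example.com"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(room, ttl_seconds, now=None, secret=APP_SECRET):
    """Return an HS256 JWT limited to one room that expires after ttl_seconds."""
    now = int(time.time()) if now is None else now
    claims = {"iss": APP_ID, "aud": "jitsi", "sub": DOMAIN,
              "room": room, "nbf": now, "exp": now + ttl_seconds}
    parts = ({"alg": "HS256", "typ": "JWT"}, claims)
    signing_input = ".".join(b64e(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64e(sig)

def check_token(token, room, now=None, secret=APP_SECRET):
    """Verifier-side checks. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64d(head_b64)), json.loads(b64d(body_b64))
        sig = b64d(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return False, "malformed"
    if header.get("alg") != "HS256":  # never accept "none" or an unexpected algorithm
        return False, "bad alg"
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        return False, "expired or not yet valid"
    if claims.get("room") != room:
        return False, "wrong room"
    return True, "ok"

def meeting_link(room, ttl_seconds=3600):
    """Link the app hands out; the token travels in the jwt query parameter."""
    return f"https://{DOMAIN}/{room}?jwt={mint_token(room, ttl_seconds)}"
```

Because the token rides in the URL, keep the lifetime short for guest links and rotate the secret if a link leaks.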