[jitsi-dev] Restrict access to authorized users for Jitsi Meet


#1

Hi all.

I am thinking of using Jitsi Meet for the purpose of giving training
classes. For this I would like to restrict access only to the user who
will be the teacher and the students who have taken that course.

Is there any way to do this?

Investigating, I found this article [1], but I did not find the
moderator.js file on my installation from Jitsi Meet repositories for
Debian packages.

Thanks in advance.

Kind regards,
Daniel

[1]
http://www.tothenew.com/blog/authorizing-creationentrance-of-a-conference-in-jitsi/


#2

Hi again.

I am thinking of using Jitsi Meet for the purpose of giving training
classes. For this I would like to restrict access only to the user who
will be the teacher and the students who have taken that course.

Is there any way to do this?

Investigating, I found this article [1], but I did not find the
moderator.js file on my installation from Jitsi Meet repositories for
Debian packages.

[1] http://www.tothenew.com/blog/authorizing-creationentrance-of-a-conference-in-jitsi/

In the mentioned scenario I think it would be good to have:

a) Users who have permissions to create conference rooms.
b) Users who have permission to participate in a specific conference room.

Is this possible? Is there any documentation to accomplish this? I was
researching but I still have not found a way to implement it.

Thanks in advance.

Kind regards,
Daniel

···

On 05/01/17 19:17, Daniel Bareiro wrote:


#3

Hi again.

I am thinking of using Jitsi Meet for the purpose of giving training
classes. For this I would like to restrict access only to the user who
will be the teacher and the students who have taken that course.

Is there any way to do this?

Investigating, I found this article [1], but I did not find the
moderator.js file on my installation from Jitsi Meet repositories for
Debian packages.

[1] http://www.tothenew.com/blog/authorizing-creationentrance-of-a-conference-in-jitsi/

In the mentioned scenario I think it would be good to have:

a) Users who have permissions to create conference rooms.
b) Users who have permission to participate in a specific conference room.

Is this possible? Is there any documentation to accomplish this? I was
researching but I still have not found a way to implement it.

I have made some progress with this and now all users are prompted for
username and password. For this I have read this [1] document (Secure
Domain).

Now I just need to get some kind of permissions for each user. Users who
have permissions to create a new conference room, and users who can only
join to a specific conference room (for example, userA and userB can
only join to ConferenceX, and userC and userD can only join to ConferenceY).

Is this possible? I would appreciate any guidance/recommendation.

Thanks in advance.

Kind regards,
Daniel

[1] https://github.com/jitsi/jicofo

···

On 07/01/17 15:11, Daniel Bareiro wrote:


#4

Hi,

Hi again.

I am thinking of using Jitsi Meet for the purpose of giving training
classes. For this I would like to restrict access only to the user who
will be the teacher and the students who have taken that course.

Is there any way to do this?

Investigating, I found this article [1], but I did not find the
moderator.js file on my installation from Jitsi Meet repositories for
Debian packages.

[1] http://www.tothenew.com/blog/authorizing-creationentrance-of-a-conference-in-jitsi/

In the mentioned scenario I think it would be good to have:

a) Users who have permissions to create conference rooms.
b) Users who have permission to participate in a specific conference room.

Is this possible? Is there any documentation to accomplish this? I was
researching but I still have not found a way to implement it.

I have made some progress with this and now all users are prompted for
username and password. For this I have read this [1] document (Secure
Domain).

Now I just need to get some kind of permissions for each user. Users who
have permissions to create a new conference room, and users who can only
join to a specific conference room (for example, userA and userB can
only join to ConferenceX, and userC and userD can only join to ConferenceY).

Is this possible? I would appreciate any guidance/recommendation.

You can check this document for more info, maybe you will be able to
achieve what you want using an external reservation system that you
need to implement. Not sure though that everything you need is
possible.
https://github.com/jitsi/jicofo/blob/master/doc/reservation.md

Regards
damencho

···

On Wed, Jan 11, 2017 at 2:56 PM, Daniel Bareiro <daniel-listas@gmx.net> wrote:

On 07/01/17 15:11, Daniel Bareiro wrote:

Thanks in advance.

Kind regards,
Daniel

[1] https://github.com/jitsi/jicofo

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#5

Hi,

Hi, Damian.

I am thinking of using Jitsi Meet for the purpose of giving training
classes. For this I would like to restrict access only to the user who
will be the teacher and the students who have taken that course.

Is there any way to do this?

Investigating, I found this article [1], but I did not find the
moderator.js file on my installation from Jitsi Meet repositories for
Debian packages.

[1] http://www.tothenew.com/blog/authorizing-creationentrance-of-a-conference-in-jitsi/

In the mentioned scenario I think it would be good to have:

a) Users who have permissions to create conference rooms.
b) Users who have permission to participate in a specific conference room.

Is this possible? Is there any documentation to accomplish this? I was
researching but I still have not found a way to implement it.

I have made some progress with this and now all users are prompted for
username and password. For this I have read this [1] document (Secure
Domain).

Now I just need to get some kind of permissions for each user. Users who
have permissions to create a new conference room, and users who can only
join to a specific conference room (for example, userA and userB can
only join to ConferenceX, and userC and userD can only join to ConferenceY).

Is this possible? I would appreciate any guidance/recommendation.

You can check this document for more info, maybe you will be able to
achieve what you want using an external reservation system that you
need to implement. Not sure though that everything you need is
possible.
https://github.com/jitsi/jicofo/blob/master/doc/reservation.md

Very interesting. Thanks for the information.

From what I was reading, Jicofo expects from the reservation system some
of these replies:

1) HTTP 200 or 201: Conference created successfully.

2) HTTP 409: Conference already exists.

3) HTTP 4xx.

Here for example, if the user does not have permissions to create a
conference room, the reservation system could return HTTP 403
(Forbidden). Otherwise it could return an HTTP 200.

What is not clear to me here is:

a) I understood correctly, the purpose of the reservation system is to
allow or deny the creation of a new conference room without knowing if a
room already exists. So I'm not clear how this could return an HTTP 409.
Maybe I'm missing something.

b) How I could use this to allow certain users to be able to
specifically join a previously created conference room. Since the
reservation system seems to be oriented only to define some condition
for the creation of a new conference room.

Thanks for your reply.

Kind regards,
Daniel

···

On 11/01/17 18:22, Damian Minkov wrote:


#6

The reservation system is also notified for expired conferences. So
there you can have a state of all conferences.

···

On Fri, Jan 13, 2017 at 9:17 AM, Daniel Bareiro <daniel-listas@gmx.net> wrote:



#7

Hi,

Is this possible? I would appreciate any guidance/recommendation.

You can check this document for more info, maybe you will be able to
achieve what you want using an external reservation system that you
need to implement. Not sure though that everything you need is
possible.
https://github.com/jitsi/jicofo/blob/master/doc/reservation.md

Very interesting. Thanks for the information.

From what I was reading, Jicofo expects from the reservation system some
of these replies:

1) HTTP 200 or 201: Conference created successfully.

2) HTTP 409: Conference already exists.

3) HTTP 4xx.

Here for example, if the user does not have permissions to create a
conference room, the reservation system could return HTTP 403
(Forbidden). Otherwise it could return an HTTP 200.

What is not clear to me here is:

a) I understood correctly, the purpose of the reservation system is to
allow or deny the creation of a new conference room without knowing if a
room already exists. So I'm not clear how this could return an HTTP 409.
Maybe I'm missing something.

In our use case HTTP 409 was returned when Jicofo requested to create
a room which already exists in the reservation system's memory. That
could happen if for any reason Jicofo process is abruptly terminated.

b) How I could use this to allow certain users to be able to
specifically join a previously created conference room. Since the
reservation system seems to be oriented only to define some condition
for the creation of a new conference room.

That part is currently missing. Also such existing room would require
some handling on the XMPP MUC layer. Otherwise some custom clients
could join it anyway. That's because even if Jicofo would say that
you're not allowed to join a custom client could ignore it.

Regards,
Pawel

···

On Fri, Jan 13, 2017 at 9:17 AM, Daniel Bareiro <daniel-listas@gmx.net> wrote:


#8

Hi,

I widely use the reservation system; here are the reasons:

- to check if it is the owner who starts the conference (it is not enough to have creator rights to start someone else's conference)

- to have conference time management and autodestruction

- with some other mechanism with FreeSWITCH: to join the right room with Jigasi

- mode private

409 - means that the conference already exists (reserved) and you can compare the owner and the person who tries to start.
403 - if the conference does not exist and the person does not have enough rights to create the conference

Concerning the mode where every user must be authenticated, I failed to find a mechanism in Jitsi, so I invented a system with a proxy which blocks jitsi-meet by default and authorizes once the person is CAS authenticated.
Once again I use the reservation service to declare a conference as "private" or "access if link".

Best Regards,
Arthur

···

________________________________
From: dev <dev-bounces@jitsi.org> on behalf of Pawel Domas <pawel.domas@jitsi.org>
Sent: Friday, 13 January 2017 16:34
To: Jitsi Developers
Subject: Re: [jitsi-dev] Restrict access to authorized users for Jitsi Meet



#9

Hi, Damian.

···

On 13/01/17 12:30, Damian Minkov wrote:

You can check this document for more info, maybe you will be able to
achieve what you want using an external reservation system that you
need to implement. Not sure though that everything you need is
possible.
https://github.com/jitsi/jicofo/blob/master/doc/reservation.md

Very interesting. Thanks for the information.

From what I was reading, Jicofo expects from the reservation system some
of these replies:

1) HTTP 200 or 201: Conference created successfully.

2) HTTP 409: Conference already exists.

3) HTTP 4xx.

Here for example, if the user does not have permissions to create a
conference room, the reservation system could return HTTP 403
(Forbidden). Otherwise it could return an HTTP 200.

What is not clear to me here is:

a) I understood correctly, the purpose of the reservation system is to
allow or deny the creation of a new conference room without knowing if a
room already exists. So I'm not clear how this could return an HTTP 409.
Maybe I'm missing something.

b) How I could use this to allow certain users to be able to
specifically join a previously created conference room. Since the
reservation system seems to be oriented only to define some condition
for the creation of a new conference room.

The reservation system is also notified for expired conferences. So
there you can have a state of all conferences.

I guess you say this in response to the point (a). I have not seen any
mention of this in the document you mentioned. Is there any other
document that complements it?

Thanks for your reply.

Kind regards,
Daniel


#10

Hi,

Hi, Pawel.

Is this possible? I would appreciate any guidance/recommendation.

You can check this document for more info, maybe you will be able to
achieve what you want using an external reservation system that you
need to implement. Not sure though that everything you need is
possible.
https://github.com/jitsi/jicofo/blob/master/doc/reservation.md

Very interesting. Thanks for the information.

From what I was reading, Jicofo expects from the reservation system some
of these replies:

1) HTTP 200 or 201: Conference created successfully.

2) HTTP 409: Conference already exists.

3) HTTP 4xx.

Here for example, if the user does not have permissions to create a
conference room, the reservation system could return HTTP 403
(Forbidden). Otherwise it could return an HTTP 200.

What is not clear to me here is:

a) I understood correctly, the purpose of the reservation system is to
allow or deny the creation of a new conference room without knowing if a
room already exists. So I'm not clear how this could return an HTTP 409.
Maybe I'm missing something.

In our use case HTTP 409 was returned when Jicofo requested to create
a room which already exists in the reservation system's memory. That
could happen if for any reason Jicofo process is abruptly terminated.

I see... Damian also said that the reservation system is also notified
for expired conferences so there I can have a state of all conferences.
"Expired conferences" is what the document says as "deleted conferences"
in the last section?

In this section it says: "Jicofo deletes conferences in the reservation
system in two cases. First when all users leave XMPP Multi User Chat
room. Second when conference duration limit is exceeded. In the latter
case Jicofo will destroy XMPP MUC room and expire all Colibri channels
on the videobridge which will result in conference termination. After
MUC room is destroyed Jicofo sends HTTP DELETE request to
'/conference/{id}' endpoint where {id} is replaced with conference
identifier assigned by the reservation system."

DELETE /conference/364758328 HTTP/1.1
host: http://reservation.example.com
...

Perhaps here I was missing out on something because this suggests that
the reservation system also follows the status of each conference under
/conference/{id} '. But I don't see this document saying what
information about the conference should be kept in the reservation
system. I suppose this would have to be a data structure where each
element represents a conference for which to store: 'id', 'name',
'mail_owner', 'start_time' and 'duration'. Here is not the state, but I
suppose it should also be stored, right?

b) How I could use this to allow certain users to be able to
specifically join a previously created conference room. Since the
reservation system seems to be oriented only to define some condition
for the creation of a new conference room.

That part is currently missing. Also such existing room would require
some handling on the XMPP MUC layer. Otherwise some custom clients
could join it anyway. That's because even if Jicofo would say that
you're not allowed to join a custom client could ignore it.

As I mentioned in an earlier message, the idea was to use Jitsi for
professional training courses. So the idea was that a student only have
access to the conference related to the course they are taking and not
any conference.

In relation to this topic of authentication, do you think that some kind
of integration could be possible for authentication can be done with
users created in, for example, Moodle?

Thanks for your reply and your time.

Kind regards,
Daniel

···

On 13/01/17 12:34, Paweł Domas wrote:


#11

Hi,

Hi, Arthur.

I widely use the reservation system; here are the reasons:

- to check if it is the owner who starts the conference (it is not enough
to have creator rights to start someone else's conference)

- to have conference time management and autodestruction

- with some other mechanism with freeswitch : to join the right room
with jigasi

- mode private

What do you mean with "mode private"?

409 - means that the conference already exists (reserved) and you can
compare the owner and the person who tries to start.

This is interesting. In the case that the conference already exists, the
reservation system returns 409 to Jicofo and then it usually
incorporates the user into the conference room?

If the conference room already exists and the user simply wants to join
it, to prevent from entering the conference room, the reservation system
could not return a 403 or 4xx? The point here is that, in case the
reservation system returns 4xx, Jicofo should understand that 4xx to
prevent the user from entering the conference.

403 - if the conference does not exist and the person does not have enough
rights to create the conference

Concerning the mode where every user must be authenticated, I failed
to find a mechanism in Jitsi, so I invented a system with a proxy
which blocks jitsi-meet by default and authorizes once the person is CAS
authenticated.
Once again I use the reservation service to declare a conference as "private"
or "access if link".

I'm not sure if I understood this. Is it some mechanism that you
designed to allow only authorized users to join into an already created
conference?

Can you please elaborate "the person is CAS authenticated"?

Thank you for your contribution.

Kind regards,
Daniel

···

On 13/01/17 12:57, Arthur TOUMASSIAN wrote:


#12

Hi,

To restrict the creation of the conference to some group or else

Restriction by XMPP authentication

The reservation api can have multiple client interfaces (for me: web client and email client)
So we can meet the case 409 not only in the case of interrupted service.

What is interesting is that with every access to a Jitsi room (yourdomain/yourroom) Jicofo will do a POST to your service with
{name, mail_owner, start_time, duration}. At this moment your reservation can:
1) check if mail_owner has creation rights (403 if not)
2) check if name exists
2.1) if not -> create a new 200
2.2) if yes -> check the that reserved and the one sent by Jicofo (Jicofo already does this verification, but you can customize the user message etc...). Here you can choose to send 409. Or customize some more.

PS: Jicofo stores locally all reservations that it was requested. This is to destroy expired conferences. So your changes at reservation side will not take effect if the conference was already requested (you should restart Jicofo). So I implemented a daemon that periodically fetches the conferences to see if there is a modification and so... In the case where the owner is absent you may be able to design another one rather than reinvite everyone.

This is interesting. In the case that the conference already exists, the
reservation system returns 409 to Jicofo and then it usually
incorporates the user into the conference room?

Yes if the owner is the "organiser". If not we get "Reservation error" from Jicofo. So here there is some effort to do to get a clear message like "You are not the organiser"...

What do you mean with "mode private"?

Actually if we have the link (or room name) we can join a started conference. Unfortunately I have not found a mechanism that prevents random people from joining the room.
Our need was that the organiser, while reserving his conference, checks the mode private and makes a list of emails/logins that are allowed to join the conference.
My idea is to serve Jitsi only on localhost. Each access to a URL like yourdomain/yourroom is served by a proxy.
- If the conference is not private you just "pipe" your local jitsi-meet to the user.
- Else you will identify the user. If success -> serve local Jitsi, else show a custom page.
I said CAS auth because I use CAS. My proxy is implemented with PHP and phpCAS.
My solution is not perfect, because the organiser gets a login page twice: the CAS, and XMPP.

I tried to use XMPP prebind to create an XMPP connection (using Jitsi connection optimisation) once the user is CAS authenticated, but this causes very strange issues on Jitsi Meet.

So if someone knows how to programmatically connect a user to jitsi-meet (without XMPP prompt) I will be thankful.

Feel free to ask details if i wasn't clear enough.

Regards,
Arthur

···

________________________________
From: dev <dev-bounces@jitsi.org> on behalf of Daniel Bareiro <daniel-listas@gmx.net>
Sent: Saturday, 14 January 2017 00:12
To: dev@jitsi.org
Subject: Re: [jitsi-dev] Restrict access to authorized users for Jitsi Meet



#13

Hi,

Hi, Arthur.

To restrict the creation of the conference to some group or else

Restriction by XMPP authentication

I understand this is done by configuring Jicofo + Prosody.

As far as I understand, the reservation system is only limited to
determining if a user has permissions to create a room, but not to
determine which user can join what room, right?

The reservation api can have multiple client interfaces (for me: web
client and email client)

I am thinking of integrating user authentication, either to create rooms
or to join an existing room, with the users used in Moodle. Do you think
this could be possible?

So we can meet the case 409 not only in the case of interrupted service.

In what other cases are you returning 409?

What is interesting is that with every access to a Jitsi room
(yourdomain/yourroom) Jicofo will do a POST to your service with
*{name, mail_owner, start_time, duration}*. At this moment your
reservation can:

1) check if *mail_owner* has creation rights (403 if not)
2) check if *name* exists
2.1) if not -> create a new 200
2.2) if yes -> check the that reserved and the one sent by Jicofo (
Jicofo already does this verification, but you can customize the user
message etc...). Here you can choose to send 409. Or customize some more.

Perfect. From what I saw, this is done through *message* in the response
of the reservation system to Jicofo, which in turn uses Jicofo to
present to the client.

I would like to make a note of something I noticed yesterday: after
having added authentication for everyone (I do not use the guest
domain), I noticed that all users in a conference become moderators. I
had thought that adding an authentication layer would not change the
previous behavior and that the moderator would be the person who created
the room. Why can this behavior be different?

PS: Jicofo stores locally all reservations that it was requested. This is
to destroy expired conferences. So your changes at reservation side will
not take effect if the conference was already requested (you should restart
Jicofo). So I implemented a daemon that periodically fetches the
conferences to see if there is a modification and so... In the case where
the owner is absent you may be able to design another one rather than
reinvite everyone.

This is not clear to me. Could you please elaborate?

This is interesting. In the case that the conference already exists, the
reservation system returns 409 to Jicofo and then it usually
incorporates the user into the conference room?

Yes if the owner is the "organiser". If not we get "Reservation error"
from Jicofo. So here there is some effort to do to get a clear message like
"You are not the organiser"...

I'm not sure if I understood this point. What difference do you make
between "owner" and "organiser"?

On the other hand, my interpretation of reading the mentioned document
was that the reservation system would return 409 to any user specifying
an existing room, regardless of whether the user intended to create it
or simply join to it.

What do you mean with "mode private"?

Actually if we have the link (or room name) we can join a started
conference. Unfortunately I have not found a mechanism that prevents
random people from joining the room.

I think you mention here the same concern that I had. My idea was to use
Jitsi for professional training courses. So the idea was that a student
only have access to the conference related to the course they are taking
and not any conference.

Our need was that the organiser, while reserving his conference , check
the mode private and makes a list of email/login that are allowed to
join the conference.

Do you do this using some kind of web frontend that interacts with the
reservation system?

My idea is to serve jitsi only on localhost. Each access to url like
yourdomain/yourroom are served by a proxy.
- If the conference is not private you just "pipe" your local jitsi-meet
to the user.
- Else you will identify the user. If success -> serve local jitsi, else
show a custom page.

I said CAS auth because I use CAS. My proxy is implemented with PHP
and phpCAS.

I am using an Apache2 proxy for connections from the outside of my local
network. Jitsi is currently accessible for any PC on the LAN.

I guess that frontend that I imagined before interacting with the
reservation system, will also have implemented another logic that
interacts with this CAS system you mentioned to determine also which
user is allowed to enter into which room, right?

For the proxy server are you using any specific configuration of Nginx
or Apache2?

My solution is not perfect, because the organiser gets a login
page twice: the CAS, and XMPP.

Then all users have to go through the CAS authentication. What happens
if a user wants to enter a room that has not yet been created? After the
user was authenticated by the CAS system, do you make any kind of
verification of this?

I tried to use XMPP prebind to create an xmpp connection (using jitsi
connection optimisation) once user CAS authD but this causes very
strange issues on jitsi meet.

_So if someone knows how to programmatically connect a user to jitsi-meet
(without XMPP prompt) I will be thankful._

Feel free to ask details if I wasn't clear enough.

Thank you very much for your time explaining this.

Kind regards,
Daniel


On 14/01/17 15:06, Arthur TOUMASSIAN wrote:


#14

Is it possible to have Jigasi SIP calls and Jitsi meet user authentication enabled together?
With authentication turned on, it prevented us from sending SIP messages.

# If you want jigasi to perform authenticated login instead of anonymous login

# to the XMPP server, you can set the following properties.

# org.jitsi.jigasi.xmpp.acc.USER_ID=SOME_USER@SOME_DOMAIN

# org.jitsi.jigasi.xmpp.acc.PASS=SOME_PASS

# org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false


----- Original Message -----

From: "Arthur TOUMASSIAN" <artogu@live.fr>
To: "Jitsi Developers" <dev@jitsi.org>
Sent: Saturday, January 14, 2017 10:06:43 AM
Subject: Re: [jitsi-dev] Restrict access to authorized users for Jitsi Meet

Hi,

To restrict the creation of the conference to some group or else

Restriction by XMPP authentication

The reservation api can have multiple client interfaces (for me: web client and email client)
So we can meet the case 409 not only in the case of interrupted service.

What is interesting is that with every access to a jitsi room (yourdomain/yourroom) jicofo will do a POST to your service with
{name, mail_owner, start_time, duration}. At this moment your reservation can:
1) check if mail_owner has creation rights (403 if not)
2) check if name exists
2.1) if not -> create a new 200
2.2) if yes -> check the that reserved and the one sent by jicofo (jicofo already does this verification, but you can customize the user message etc...). Here you can choose to send 409. Or customize some more.

PS: jicofo stores locally all reservations that it was requested. This is to destroy expired conferences. So your changes at reservation side will not take effect if the conference was already requested (you should restart jicofo). So I implemented a daemon that periodically fetches the conferences to see if there is modification and so... In the case where the owner is absent you may be able to design another one rather than reinvite every one.

This is interesting. In the case that the conference already exists, the
reservation system returns 409 to Jicofo and then it usually
incorporates the user into the conference room?

Yes if the owner is the "organiser". If not we get "Reservation error" from jicofo. So here is some effort to do to get clear message like "You are not the organiser"...

What do you mean with "mode private"?

Actually if we have the link (or room name) we can join a started conference. Unfortunately I had not found a mechanism that prevents random people from joining the room.
Our need was that the organiser, while reserving his conference, checks the mode private and makes a list of email/login that are allowed to join the conference.
My idea is to serve jitsi only on localhost. Each access to url like yourdomain/yourroom are served by a proxy.
- If the conference is not private you just "pipe" your local jitsi-meet to the user.
- Else you will identify the user. If success -> serve local jitsi, else show a custom page.
I said CAS auth because I use CAS. My proxy is implemented with PHP and phpCAS.
My solution is not perfect, because the organiser gets a login page twice: the CAS, and XMPP.

I tried to use XMPP prebind to create an xmpp connection (using jitsi connection optimisation) once user CAS authD but this causes very strange issues on jitsi meet.

So if someone knows how to programmatically connect a user to jitsi-meet (without XMPP prompt) I will be thankful.

Feel free to ask details if I wasn't clear enough.

Regards,
Arthur

From: dev <dev-bounces@jitsi.org> on behalf of Daniel Bareiro <daniel-listas@gmx.net>
Sent: Saturday, 14 January 2017 00:12
To: dev@jitsi.org
Subject: Re: [jitsi-dev] Restrict access to authorized users for Jitsi Meet

On 13/01/17 12:57, Arthur TOUMASSIAN wrote:

Hi,

Hi, Arthur.

I widely use the reservation system, here are the reasons:

- to check if is the owner who starts the conference (it is not enough
to have creator rights to start some other's conference)

- to have conference time management and autodestruction

- with some other mechanism with freeswitch : to join the right room
with jigasi

- mode private

What do you mean with "mode private"?

409 - means that the conference already exists (reserved) and you can
compare the owner and the person who tries to start.

This is interesting. In the case that the conference already exists, the
reservation system returns 409 to Jicofo and then it usually
incorporates the user into the conference room?

If the conference room already exists and the user simply wants to join
it, to prevent from entering the conference room, the reservation system
could not return a 403 or 4xx? The point here is that, in case the
reservation system returns 4xx, Jicofo should understand that 4xx to
prevent the user from entering the conference.

403 - if the conference does not exist and the person does not have enough
rights to create the conference

Concerning the mode when every user must be authenticated, I failed
to find a mechanism in jitsi, so I invented a system with proxy system
which blocks jitsi-meet by default and authorizes once the person is CAS
authenticated.
Once again I use reservation service to declare a conference as "private"
or "access if link"

I'm not sure if I understood this. Is it some mechanism that you
designed to allow only authorized users to join into an already created
conference?

Can you please elaborate "the person is CAS authenticated"?

Thank you for your contribution.

Kind regards,
Daniel

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#15

As far as I understand, the reservation system is only limited to
determining if a user has permissions to create a room, but not to
determine which user can join what room, right?

Yes the only control is done on the owner.

I am thinking of integrating user authentication, either to create rooms
or to join an existing room, with the users used in Moodle. Do you think
this could be possible?

I think you can. Imagine that you bypass all auth modes. As it is on meet.jit.si. So you can manage all auth system within the proxy app.

In what other cases are you returning 409?

As I described you cant meet this case when the conference is reserved before it starts. When you announce your online class, you join the reserved link with the invitation.
I use it for some complex situation conference with multiple organisers (currently this POC is in Draft state).

I would like to make a note of something I noticed yesterday: after
having added authentication for everyone (I do not use the guest
domain), I noticed that all users in a conference become moderators. I
had thought that adding an authentication layer would not change the
previous behavior and that the moderator would be the person who created
the room. Why can this behavior be different?

I am not sure but I think that to create focus (start conf.) you need to be the same as in reservation side.

PS: jicofo stores locally all reservations that it was requested. This is
to destroy expired conferences. So your changes at reservation side will
not take effect if the conference was already requested (you should restart
jicofo). So I implemented a daemon that periodically fetches the
conferences to see if there is modification and so... In the case where
the owner is absent you may be able to design another one rather than
reinvite every one.

This is not clear to me. Could you please elaborate?

https://github.com/jitsi/jicofo/blob/master/src/main/java/org/jitsi/impl/reservation/rest/RESTReservations.java line 69
If room A is requested, the room A will be stored within jicofo. So any modification for the conference A in reservation service side will not take effect (see condition l.132)
So either you consider reservation immutable or you (as I've done) synchronize jicofo with your reservation for requested conf.

I'm not sure if I understood this point. What difference do you make
between "owner" and "organiser"?

For me the 'organiser' is the person who reserves the conference. For it could be the teacher. The 'owner' is the term of jicofo: the one who starts the conference.
https://github.com/jitsi/jicofo/blob/master/src/main/java/org/jitsi/impl/reservation/rest/RESTReservations.java l.200

On the other hand, my interpretation of reading the mentioned document
was that the reservation system would return 409 to any user specifying
an existing room, regardless of whether the user intended to create it
or simply join to it.

Yes but with the owner check. See above.

Do you do this using some kind of web frontend that interacts with the
reservation system?

I am using an Apache2 proxy for connections from the outside of my local
network. Jitsi is currently accessible for any PC on the LAN.

I guess that frontend that I imagined before interacting with the
reservation system, will also have implemented another logic that
interacts with this CAS system you mentioned to determine also which
user is allowed to enter into which room, right?

Exactly! So your reservation is more than described in Jicofo docs. You may add a table storing participants.
/!\ just a tip which will save you 2 days of debugging. Never send json array fields to jicofo. So differentiate somehow jicofo rest call from others. For me it is custom header.

For the proxy server are you using any specific configuration of Nginx
or Apache2?

For me this is nginx as reverse proxy to all my services. For me the room names are GUIDs. So nginx proxies all room requests to my php based auth_proxy. In this way static files are served normally. Your auth_proxy uses CAS + reservation to serve or not the local jitsi-meet instance.

Then all users have to go through the CAS authentication. What happens
if a user wants to enter a room that has not yet been created? After the
user was authenticated by the CAS system, do you make any kind of
verification of this?

This is pretty simple: you get the same exact behaviour. The mechanism described before with auth_proxy is a guarantee that you serve a private conference only to some people.
In other words you unlock the url to jitsi locked with the auth_proxy

Best Regards,
Arthur
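
The reservation checks (steps 1, 2.1, 2.2) and the auth_proxy decision discussed in this thread, sketched in Python as an added example; it is not code from any poster or from the Jitsi project. Only the field names `name`, `mail_owner`, `start_time`, `duration` and the 200/403/409 statuses come from the thread; the `private` flag, the `participants` allow-list, the creator list and the response bodies are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Reservation:
    # Scalar fields named as in the thread (what jicofo POSTs for a room).
    name: str
    mail_owner: str
    start_time: str
    duration: int
    # Assumed extensions, not jicofo fields: "mode private" and its allow-list.
    private: bool = False
    participants: set = field(default_factory=set)

    def jicofo_view(self):
        """Scalars only: the thread warns against sending JSON arrays to jicofo."""
        return {"name": self.name, "mail_owner": self.mail_owner,
                "start_time": self.start_time, "duration": self.duration}


class ReservationService:
    def __init__(self, creators):
        self.creators = set(creators)  # assumed list of users allowed to create rooms
        self.rooms = {}                # room name -> Reservation

    def reserve(self, name, mail_owner, start_time, duration,
                private=False, participants=()):
        """Organiser front end: reserve a room before the conference starts."""
        if mail_owner not in self.creators:
            raise PermissionError(f"{mail_owner} may not create conferences")
        if name in self.rooms:
            raise ValueError(f"{name} is already reserved")
        self.rooms[name] = Reservation(name, mail_owner, start_time, duration,
                                       private, set(participants))
        return self.rooms[name]

    def handle_jicofo_post(self, name, mail_owner, start_time, duration):
        """Return (status, body) for jicofo's POST, following steps 1, 2.1 and 2.2."""
        if mail_owner not in self.creators:          # step 1
            return 403, {"message": "No right to create conferences"}
        existing = self.rooms.get(name)
        if existing is None:                         # step 2.1
            created = Reservation(name, mail_owner, start_time, duration)
            self.rooms[name] = created
            return 200, created.jicofo_view()
        body = existing.jicofo_view()                # step 2.2
        if existing.mail_owner != mail_owner:
            body["message"] = "You are not the organiser"
        return 409, body

    def proxy_decision(self, room, cas_user):
        """auth_proxy side: 'serve', 'login' or 'deny' for a request to /room."""
        reservation = self.rooms.get(room)
        if reservation is None or not reservation.private:
            return "serve"   # not private: pipe the local jitsi-meet
        if cas_user is None:
            return "login"   # private: identify the user first (CAS in the thread)
        if cas_user == reservation.mail_owner or cas_user in reservation.participants:
            return "serve"
        return "deny"        # authenticated but not on the list: custom page


if __name__ == "__main__":
    # Constructed sample data.
    svc = ReservationService(creators={"teacher@example.org"})
    svc.reserve("3f2b9c1e-room", "teacher@example.org", "2017-01-16T10:00:00Z", 3600,
                private=True, participants={"student1@example.org"})
    print(svc.handle_jicofo_post("3f2b9c1e-room", "teacher@example.org",
                                 "2017-01-16T10:00:00Z", 3600))
    for user in (None, "student1@example.org", "student2@example.org"):
        print(user, svc.proxy_decision("3f2b9c1e-room", user))
```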


#16

Hi,


On Sat, Feb 4, 2017 at 9:27 PM, <royblog@comcast.net> wrote:

# org.jitsi.jigasi.xmpp.acc.USER_ID=SOME_USER@SOME_DOMAIN

# org.jitsi.jigasi.xmpp.acc.PASS=SOME_PASS

# org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false

Even if you enable these properties? What is the error you see in jigasi logs?

Regards
damencho


#17

Hi, Arthur.

As far as I understand, the reservation system is only limited to
determining if a user has permissions to create a room, but not to
determine which user can join what room, right?

Yes the only control is done on the owner.

Thanks for confirming.

I am thinking of integrating user authentication, either to create rooms
or to join an existing room, with the users used in Moodle. Do you think
this could be possible?

I think you can. Imagine that you bypass all auth modes. As it is on
meet.jit.si. So you can manage all auth system within the proxy app.

Can be. I'd have to analyze how to implement it.

In what other cases are you returning 409?

As I described you cant meet this case when the conference is reserved
before it starts. When you announce your online class, you join the
reserved link with the invitation.
I use it for some complex situation conference with multiple organisers
(currently this POC is in Draft state).

Ah, I see.

I would like to make a note of something I noticed yesterday: after
having added authentication for everyone (I do not use the guest
domain), I noticed that all users in a conference become moderators. I
had thought that adding an authentication layer would not change the
previous behavior and that the moderator would be the person who created
the room. Why can this behavior be different?

I am not sure but I think that to create focus (start conf.) you need to
be the same as in reservation side.

After some tests I think I've figured out how this works. Jitsi Meet
considers that every authenticated user with Prosody + Jicofo is the
owner (moderator) of the conference. So if I do not use a "guest" domain,
all conference participants become moderators.

I have now created a "guest" domain. If the conference room does not
exist, Jitsi Meet shows to the user a window notifying him/her that the
moderator has not yet created the room. It also shows a button asking if
s/he is the moderator. If the user presses the button, then in a new
window s/he can enter username and password.

In this scenario, any user who subsequently attempts to enter the room,
would do so as anonymous and would not have moderator privileges. But I
have found an unexpected effect here with Firefox ESR and Chromium.

If a user who is considered a moderator enters their credentials, they
are saved without the browser asking for that action. This eventually
causes that in the future a user can become a moderator of a room that
was created by another user. This happens in both Firefox ESR and
Chromium. Clearing the cache seems to avoid this. But the strange thing
is that both browsers do not display a window asking if the user wants
to save the password and, if the user saves them, this could generate
the mentioned problem that I think we should try to avoid. Maybe Damian
or somebody else on the Jitsi team can tell us how to avoid this.

PS: jicofo stores locally all reservations that it was requested. This is
to destroy expired conferences. So your changes at reservation side will
not take effect if the conference was already requested (you should restart
jicofo). So I implemented a daemon that periodically fetches the
conferences to see if there is modification and so... In the case where
the owner is absent you may be able to design another one rather than
reinvite every one.

This is not clear to me. Could you please elaborate?

https://github.com/jitsi/jicofo/blob/master/src/main/java/org/jitsi/impl/reservation/rest/RESTReservations.java line 69
If room A is requested, the room A will be stored within jicofo. So any
modification for the conference A in reservation service side will not
take effect (see condition l.132)
So either you consider reservation immutable or you (as I've done)
synchronize jicofo with your reservation for requested conf.

And why are you considering that there might be some change in a
conference already created on the reservation system side? Ah, I see
that you mention the case of establishing a new moderator in the case
that the original moderator was absent. I suppose this is a particular case.

I'm not sure if I understood this point. What difference do you make
between "owner" and "organiser"?

For me the 'organiser' is the person who reserves the conference. For it
could be the teacher. The 'owner' is the term of jicofo: the one who
starts the conference.
https://github.com/jitsi/jicofo/blob/master/src/main/java/org/jitsi/impl/reservation/rest/RESTReservations.java l.200

Thanks for the clarification.

On the other hand, my interpretation of reading the mentioned document
was that the reservation system would return 409 to any user specifying
an existing room, regardless of whether the user intended to create it
or simply join to it.

Yes but with the owner check. See above.

Yes, now it became clear to me that the reservation system only
validates at the level of the person trying to start the conference.

Do you do this using some kind of web frontend that interacts with the
reservation system?

I am using an Apache2 proxy for connections from the outside of my local
network. Jitsi is currently accessible for any PC on the LAN.

I guess that frontend that I imagined before interacting with the
reservation system, will also have implemented another logic that
interacts with this CAS system you mentioned to determine also which
user is allowed to enter into which room, right?

Exactly! So your reservation is more than described in Jicofo docs. You
may add a table storing participants.
/!\ just a tip which will save you 2 days of debugging. Never send json array
fields to jicofo. So differentiate somehow jicofo rest call from others.
For me it is custom header.

[ Regarding the proxy server ]

For me this is nginx as reverse proxy to all my services. For me the
room names are GUIDs. So nginx proxies all room requests to my php based
auth_proxy. In this way static files are served normally. Your auth_proxy
uses CAS + reservation to serve or not the local jitsi-meet instance.

Thanks for the recommendation. I would have to investigate how phpCAS
works to find a way to combine it with a reverse proxy. Would you mind
sharing your Nginx configuration to see how it works?

Then all users have to go through the CAS authentication. What happens
if a user wants to enter a room that has not yet been created? After the
user was authenticated by the CAS system, do you make any kind of
verification of this?

This is pretty simple: you get the same exact behaviour. The mechanism
described before with auth_proxy is a guarantee that you serve a private
conference only to some people.
In other words you unlock the url to jitsi locked with the auth_proxy

Here I imagine the following flow (although it would be good to confirm
which is the one you followed):

1) The user enters their credentials in the CAS system.
2) Are the credentials correct?
2.1) Yes:
2.1.1) Is the user linked to a room?
2.1.2) Yes => The user is a student.
2.1.2.1) Is the conference room created?
2.1.2.1.1) Yes => Incorporate the user into the room.
2.1.2.1.2) No => Inform the user that the room is not created.
2.1.3) No => The user is any owner (teacher):
2.1.4) Redirect to Prosody + Jicofo authentication.
2.2) No: Display incorrect authentication message.

Thank you for your reply and your time.

Kind regards,
Daniel


On 15/01/17 13:57, Arthur TOUMASSIAN wrote:


#18

Damian,

Thank you for reply. Attached our current log file with user authentication turned off.

Question: Is SIP calling mutually exclusive with user authentication; both can not be enabled at the same time?
We were not able to send SIP messages until we turned off user authentication.

Question: Currently, with authentication turned off, invites we are sending have null values,

We are registered to Asterisk server, initialized values, but our messages are sent with null values.
Is another process overwriting or clearing value that should be sent?

Origin o = sdpFactory.createOrigin(userName, 0, 0, "IN", addrType, localAddress.getHostAddress());
Connection c = sdpFactory.createConnection("IN", addrType, localAddress.getHostAddress());

Our INVITEs being sent :
o=7777775353-jitsi.org 0 0 IN null null
c=IN IP4 165.45.34.35

jigasi_log.txt (8.85 KB)


----- Original Message -----

From: "Damian Minkov" <damencho@jitsi.org>
To: "Jitsi Developers" <dev@jitsi.org>
Sent: Sunday, February 5, 2017 12:09:36 AM
Subject: Re: [jitsi-dev] Restrict access to authorized users for Jitsi Meet

Hi,

On Sat, Feb 4, 2017 at 9:27 PM, <royblog@comcast.net> wrote:

# org.jitsi.jigasi.xmpp.acc.USER_ID=SOME_USER@SOME_DOMAIN

# org.jitsi.jigasi.xmpp.acc.PASS=SOME_PASS

# org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false

Even if you enable these properties? What is the error you see in jigasi logs?

Regards
damencho



#19

I append a draft schema to explain quickly the idea.

I will share the nginx conf once I have access to my working station.

Here I imagine the following flow (although it would be good to confirm
which is the one you followed):

If you load jitsi after getting identified user you get the same jitsi-meet behaviour.

But as you got the control of the js html code piped to your web user, you can inject some javascript.

For example I inject the user name in the code (window.localStorage.displayName) as I have user CAS infos.

You can also try to use jwt described in lib-jitsi-meet docs. But I didn't try yet.

I think you should look at JWT because as far as I understood you always need "private" mode.

Another interesting idea is use customized prosody auth. Look at custom_auth_http from prosody.

Regards,
Arthur

Auth_proxy.pdf (35.5 KB)


________________________________
From: dev <dev-bounces@jitsi.org> on behalf of Daniel Bareiro <daniel-listas@gmx.net>
Sent: Sunday, 15 January 2017 23:03
To: dev@jitsi.org
Subject: Re: [jitsi-dev] Restrict access to authorized users for Jitsi Meet

Hi, Arthur.

On 15/01/17 13:57, Arthur TOUMASSIAN wrote:

As far as I understand, the reservation system is only limited to
determining if a user has permissions to create a room, but not to
determine which user can join what room, right?

Yes the only control is done on the owner.

Thanks for confirming.

I am thinking of integrating user authentication, either to create rooms
or to join an existing room, with the users used in Moodle. Do you think
this could be possible?

I think you can. Imagine that you bypass all auth modes. As it is on
meet.jit.si. So you can manage all auth system within the proxy app.

Can be. I'd have to analyze how to implement it.

In what other cases are you returning 409?

As I described you cant meet this case when the conference is reserved
before it starts. When you announce your online class, you join the
reserved link with the invitation.
I use it for some complex situation conference with multiple organisers
(currently this POC is in Draft state).

Ah, I see.

I would like to make a note of something I noticed yesterday: after
having added authentication for everyone (I do not use the guest
domain), I noticed that all users in a conference become moderators. I
had thought that adding an authentication layer would not change the
previous behavior and that the moderator would be the person who created
the room. Why can this behavior be different?

I am not sure but I think that to create focus (start conf.) you need to
be the same as in reservation side.

After some tests I think I've figured out how this works. Jitsi Meet
considers that every authenticated user with Prosody + Jicofo is the
owner (moderator) of the conference. So if I do not use a "guest" domain,
all conference participants become moderators.

I have now created a "guest" domain. If the conference room does not
exist, Jitsi Meet shows to the user a window notifying him/her that the
moderator has not yet created the room. It also shows a button asking if
s/he is the moderator. If the user presses the button, then in a new
window s/he can enter username and password.

In this scenario, any user who subsequently attempts to enter the room,
would do so as anonymous and would not have moderator privileges. But I
have found an unexpected effect here with Firefox ESR and Chromium.

If a user who is considered a moderator enters their credentials, they
are saved without the browser asking for that action. This eventually
causes that in the future a user can become a moderator of a room that
was created by another user. This happens in both Firefox ESR and
Chromium. Clearing the cache seems to avoid this. But the strange thing
is that both browsers do not display a window asking if the user wants
to save the password and, if the user saves them, this could generate
the mentioned problem that I think we should try to avoid. Maybe Damian
or somebody else on the Jitsi team can tell us how to avoid this.

PS: jicofo stores locally all reservations that it was requested. This is
to destroy expired conferences. So your changes at reservation side will
not take effect if the conference was already requested (you should restart
jicofo). So I implemented a daemon that periodically fetches the
conferences to see if there is modification and so... In the case where
the owner is absent you may be able to design another one rather than
reinvite every one.

This is not clear to me. Could you please elaborate?

https://github.com/jitsi/jicofo/blob/master/src/main/java/org/jitsi/impl/reservation/rest/RESTReservations.java line 69
If room A is requested, the room A will be stored within jicofo. So any
modification for the conference A in reservation service side will not
take effect (see condition l.132)
So either you consider reservation immutable or you (as I've done)
synchronize jicofo with your reservation for requested conf.

And why are you considering that there might be some change in a
conference already created on the reservation system side? Ah, I see
that you mention the case of establishing a new moderator in the case
that the original moderator was absent. I suppose this is a particular case.

I'm not sure if I understood this point. What difference do you make
between "owner" and "organiser"?

For me the 'organiser' is the person who reserves the conference. For it
could be the teacher. The 'owner' is the term of jicofo: the one who
starts the conference.
https://github.com/jitsi/jicofo/blob/master/src/main/java/org/jitsi/impl/reservation/rest/RESTReservations.java l.200

Thanks for the clarification.

On the other hand, my interpretation of reading the mentioned document
was that the reservation system would return 409 to any user specifying
an existing room, regardless of whether the user intended to create it
or simply join to it.

Yes but with the owner check. See above.

Yes, now it became clear to me that the reservation system only
validates at the level of the person trying to start the conference.

Do you do this using some kind of web frontend that interacts with the
reservation system?

I am using an Apache2 proxy for connections from the outside of my local
network. Jitsi is currently accessible for any PC on the LAN.

I guess that frontend that I imagined before interacting with the
reservation system, will also have implemented another logic that
interacts with this CAS system you mentioned to determine also which
user is allowed to enter into which room, right?

Exactly! So your reservation is more than described in Jicofo docs. You
may add a table storing participants.
/!\ just a tip which will save you 2 days of debugging. Never send json array
fields to jicofo. So differentiate somehow jicofo rest call from others.
For me it is custom header.

[ Regarding the proxy server ]

For me this is nginx as reverse proxy to all my services. For me the
room names are GUIDs. So nginx proxies all room requests to my php based
auth_proxy. In this way static files are served normally. Your auth_proxy
uses CAS + reservation to serve or not the local jitsi-meet instance.

Thanks for the recommendation. I would have to investigate how phpCAS
works to find a way to combine it with a reverse proxy. Would you mind
sharing your Nginx configuration to see how it works?

Then all users have to go through the CAS authentication. What happens
if a user wants to enter a room that has not yet been created? After the
user was authenticated by the CAS system, do you make any kind of
verification of this?

This is pretty simple: you get the same exact behaviour. The mechanism
described before with auth_proxy is a guarantee that you serve a private
conference only to some people.
In other words you unlock the url to jitsi locked with the auth_proxy

Here I imagine the following flow (although it would be good to confirm
which is the one you followed):

1) The user enters their credentials in the CAS system.
2) Are the credentials correct?
2.1) Yes:
2.1.1) Is the user linked to a room?
2.1.2) Yes => The user is a student.
2.1.2.1) Is the conference room created?
2.1.2.1.1) Yes => Incorporate the user into the room.
2.1.2.1.2) No => Inform the user that the room is not created.
2.1.3) No => The user is any owner (teacher):
2.1.4) Redirect to Prosody + Jicofo authentication.
2.2) No: Display incorrect authentication message.

Thank you for your reply and your time.

Kind regards,
Daniel


#20

Hi,

Damian,

Thank you for reply. Attached our current log file with user authentication
turned off.

Question: Is SIP calling mutually exclusive with user authentication; both
can not be enabled at the same time?
We were not able to send SIP messages until we turned off user
authentication.

The log file is just the beginning of the log, and doesn't have any
info or any call, and no errors to see for the problem sip outgoing
calls.

Question: Currently, with authentication turned off, invites we are sending
have null values,

We are registered to Asterisk server, initialized values, but our messages
are sent with null values.
Is another process overwriting or clearing value that should be sent?

Origin o = sdpFactory.createOrigin(userName, 0, 0, "IN", addrType,
localAddress.getHostAddress());
Connection c = sdpFactory.createConnection("IN", addrType,
localAddress.getHostAddress());

Our INVITEs being sent :
o=7777775353-jitsi.org 0 0 IN null null
c=IN IP4 165.45.34.35

This was fixed, which version of jigasi are you using?

Regards
damencho


On Sun, Feb 5, 2017 at 4:23 PM, <royblog@comcast.net> wrote:

________________________________
From: "Damian Minkov" <damencho@jitsi.org>
To: "Jitsi Developers" <dev@jitsi.org>
Sent: Sunday, February 5, 2017 12:09:36 AM
Subject: Re: [jitsi-dev] Restrict access to authorized users for Jitsi Meet

Hi,

On Sat, Feb 4, 2017 at 9:27 PM, <royblog@comcast.net> wrote:

# org.jitsi.jigasi.xmpp.acc.USER_ID=SOME_USER@SOME_DOMAIN

# org.jitsi.jigasi.xmpp.acc.PASS=SOME_PASS

# org.jitsi.jigasi.xmpp.acc.ANONYMOUS_AUTH=false

Even if you enable these properties? What is the error you see in jigasi
logs?

Regards
damencho
