Jitsi Kubernetes JWT Authentication & colibri API

Hi!

We’re trying to set up a Jitsi stack using Kubernetes and hit some roadblocks on the way with enforcing authentication while still allowing guests to join rooms created by authenticated users.
Additionally we want to open the rooms via the colibri REST API.
We’re using a slightly modified version of this for our setup.

Right now we’re trying authentication with JWT, but we would also be open to use other authentication methods if that would be easier.
We also considered using the internal authentication with something similar to https://stackoverflow.com/questions/44140593/how-to-run-command-after-initialization, but didn’t try it any further since JWT seemed easier because we could avoid the prosody lifecycle issue when trying to create a user.

In detail we want to achieve the following:

  • Only the server can open rooms with the secret using the colibri REST API
  • The server gives out a room ID and a room password to clients
  • Clients can only join these rooms with the received ID and password

We got JWT authentication to work, but we ran into the same problem described here where it is either:

  • Only authenticated users can join rooms
  • Everyone can create and join rooms

We’re using this version, which should already contain the changes described here.

We adjusted the JWT configuration like this (with the appropriate JWT_APP_SECRET in our configuration file - which also works since we tested it):

            - name: ENABLE_AUTH
              value: "1"
            - name: ENABLE_GUESTS
              value: "1"
            - name: AUTH_TYPE
              value: "jwt"
            - name: JWT_APP_ID
              value: "<app id>"
            - name: JWT_APP_SECRET
              valueFrom:
                secretKeyRef:
                  name: jitsi-config
                  key: JWT_APP_SECRET

which is the version working with only authenticated users.

If we add

            - name: JWT_ALLOW_EMPTY
              value: "1"

we get to the situation where anyone (guests included) can create rooms without needing a JWT token.

Then, for the colibri REST API, we tried the following in /defaults/sip-communicator.properties without success:

org.jitsi.videobridge.rest.private.jetty.port=-1
org.jitsi.videobridge.rest.jetty.port=80

We also added colibri to the enabled APIs:

            - name: JVB_ENABLE_APIS
              value: colibri,rest

The questions:

  • How can we achieve what we need using JWT?
  • Is there a better way of doing this (authentication)?
  • How can we make the colibri REST API accessible from the outside?

Let me know if you need more information or if something is unclear!
Thanks in advance for the help!
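As an added example (not from the original post or the Jitsi project) of the per-room token approach the post is after: the server mints an HS256 JWT bound to one room and hands it to the client, so no JWT_ALLOW_EMPTY is needed. The claim layout (iss = app id, aud "jitsi", sub = domain, room, exp/nbf, context.user) is assumed from Jitsi's token-auth documentation; APP_ID, APP_SECRET and DOMAIN are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholders: substitute your own JWT_APP_ID / JWT_APP_SECRET and XMPP domain.
APP_ID = "<app id>"
APP_SECRET = "<app secret>"
DOMAIN = "meet.example.org"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(room: str, user_name: str, ttl: int = 3600, now=None) -> str:
    """Server side: build an HS256 JWT that is only valid for `room` and expires after `ttl` seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": APP_ID, "aud": "jitsi", "sub": DOMAIN, "room": room,
               "nbf": now, "exp": now + ttl, "context": {"user": {"name": user_name}}}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(APP_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, room: str, now=None):
    """Check signature, algorithm, issuer, audience, validity window and room; return claims or None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    expected = hmac.new(APP_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # wrong secret or tampered header/payload
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None  # refuse "none" and any other algorithm
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != APP_ID or claims.get("aud") != "jitsi":
        return None
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return None
    if claims.get("room") not in (room, "*"):
        return None  # token was issued for a different room
    return claims
```

A token for room A presented at room B, or after its exp, is rejected even though the signature is valid, which is what keeps guests out of rooms they were not invited to.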