We’re trying to set up a Jitsi stack using Kubernetes and hit some roadblocks on the way with enforcing authentication while still allowing guests to join rooms created by authenticated users.
Additionally we want to open the rooms via the colibri REST API.
We’re using a slightly modified version of this for our setup.
Right now we’re trying authentication with JWT, but we would also be open to using other authentication methods if that would be easier.
We also considered using the internal authentication with something similar to https://stackoverflow.com/questions/44140593/how-to-run-command-after-initialization, but didn’t try it any further since JWT seemed easier because we could avoid the prosody lifecycle issue when trying to create a user.
In detail we want to achieve the following:
- Only the server can open rooms with the secret using the colibri REST API
- Server gives out room ID and a room password to clients
- Clients can only join these rooms with the received ID and password
We got JWT authentication to work, but we ran into the same problem described here where it is either:
- Only authenticated users can join rooms
- Everyone can create and join rooms
We adjusted the JWT configuration like this (with the appropriate JWT_APP_SECRET in our configuration file - which also works since we tested it):
```yaml
- name: ENABLE_AUTH
  value: "1"
- name: ENABLE_GUESTS
  value: "1"
- name: AUTH_TYPE
  value: "jwt"
- name: JWT_APP_ID
  value: "<app id>"
- name: JWT_APP_SECRET
  valueFrom:
    secretKeyRef:
      name: jitsi-config
      key: JWT_APP_SECRET
```
which is the version working with only authenticated users.
If we add
```yaml
- name: JWT_ALLOW_EMPTY
  value: "1"
```
we get to the situation where anyone (guests included) can create rooms without the need of the JWT token.
Then for the colibri REST API we tried the following without success:
We also added colibri to the enabled APIs:
```yaml
- name: JVB_ENABLE_APIS
  value: colibri,rest
```
- How can we achieve what we need using JWT?
- Is there a better way of doing this (authentication)?
- How can we make the colibri REST API accessible from the outside?
Let me know if you need more information or if something is unclear!
Thanks in advance for the help!
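
Added example (not part of the original post and not Jitsi's own code): a sketch of how a server holding `JWT_APP_ID` and `JWT_APP_SECRET` could mint a short-lived HS256 token bound to a single room, and how such a token is checked. The claim names (`iss`, `aud`, `sub`, `room`, `exp`), the function names and all sample values are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def mint_room_token(app_id, secret, domain, room, ttl=300, now=None):
    """Server side: issue a short-lived HS256 token valid for one room only."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    # Claim names are an assumption (Jitsi-style JWT claims), not taken from the post.
    claims = {"iss": app_id, "aud": app_id, "sub": domain,
              "room": room, "exp": now + ttl}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(sign(secret, signing_input))

def check_room_token(token, app_id, secret, room, now=None):
    """Illustrative verifier (not Prosody's code). Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(unb64url(head_b64))
        claims = json.loads(unb64url(claims_b64))
        sig = unb64url(sig_b64)
    except ValueError:
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":      # refuse "none" and other algorithms
        return False, "alg"
    if not hmac.compare_digest(sig, sign(secret, head_b64 + "." + claims_b64)):
        return False, "signature"
    if claims.get("iss") != app_id:
        return False, "issuer"
    if claims.get("room") != room:        # token is bound to a single room
        return False, "room"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    return True, "ok"
```

With a token like this, the room name is covered by the signature, so a token issued for one room fails the check for any other room, and the short `ttl` limits how long a leaked token stays usable.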