Jitsi Meet JWT : no more moderator after refreshing page


We have recently deployed Jitsi Meet on one of our servers, along with jitsi-meet-token plugin.

We have set it to allow only users with a token (and the proper “room” set inside) to be moderator of a room. Other users without a token (or with a token but with a different room set) are just guests.

The token live only 1 minute, as it is adviced by JWT standards.

It appears that when authentified as the room modeartor with a JWT, and then refresh the page (or close the tab et coming back to the URL), you’re no longer the moderator…

Is this a feature? A normal thing to happen? Or an issue?

My guess was that the token just replaced the login form to authenticate. Then, Jitsi created the session like it would do with the initial settings (withtout token).
With Jitsi tokens, you need a token in query string anytime you go in a room, even if you just authenticated into it???

Welcome to the community.

If you set the token validity for just 1 minute, then after that, it’s no longer valid. When you refresh, the browser cache presents an invalid (no longer valid) token, so you’re placed in the meeting as a guest.

What module do you use to set moderator from jwt?

Do you pass the token in the URL again, on the second join of the meeting?

I’ve tried to refresh during the 1 minute validity of the token.

No, I don’t pass the token again.

Because when giving the token the first time, Jitsi remove it from the URL.
Then, doing F5, the URL is juste the room without the jwt query parameter.

We do not store the token, so if you don’t pass it that is normal. We reuse the token if the reload is triggered inside jitsi-meet.

I don’t understand… there’s no Session Id created after managing the token?
JWT is not about sessions, it is just about authentication. You mean the session is based on the token from the url? It has to be there everytime? You don’t start any session? (I’m from PHP world, maybe I have a wrong understanding)

Yep, token is sent with websocket/bosh request and it needs to be there to be validated.

Just to be clear. My point of view concerning JWT usage comes from that blog post: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/.

There is no session for web, the session is created on XMPP server (prosody). It starts when joining the meeting room and ends after quiting.

There is no session management based on JWT, it is only used at the authentication step.

Thank you for your answer, that’s exactly what I was looking for.