[jitsi-users] JWT Token Authentication


#1

Hello,

I’m reading the documentation to configure JWT token authentication, and ran into where I need to disable c2s_require_encryption. Does this mean that communication between server and client is open and not encrypted?

-Mark

https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md#patching-prosody
Patching Prosody

JWT token authentication requires prosody-trunk version at least 607.

You can download latest prosody-trunk packages from here<http://packages.prosody.im/debian/pool/main/p/prosody-trunk/>. Then install it with the following command:

sudo dpkg -i prosody-trunk_1nightly607-1~trusty_amd64.deb

Make sure that /etc/prosody/prosody.cfg.lua contains the line below at the end to include meet host config. That's because Prosody nightly may come with slightly different default config:

Include "conf.d/*.cfg.lua"

Also check if client to server encryption is not enforced. Otherwise token authentication won't work:

c2s_require_encryption=false

- Mark

**********************************************************************
The information contained in this e-mail may be privileged and/or confidential, and protected from disclosure, and no waiver of any attorney-client, work product, or other privilege is intended. If you are the intended recipient, further disclosures are prohibited without proper authorization. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden and possibly a violation of federal or state law and regulations. The sender and Baylor Scott & White Health, and its affiliated entities, hereby expressly reserve all privileges and confidentiality that might otherwise be waived as a result of an erroneous or misdirected e-mail transmission. No employee or agent is authorized to conclude any binding agreement on behalf of Baylor Scott & White Health, or any affiliated entity, by e-mail without express written confirmation by the CEO, the Senior Vice President of Supply Chain Services or other duly authorized representative of Baylor Scott & White Health.


#2

Hi,

On Tue, May 1, 2018 at 9:59 AM, Madlangbayan, Mark <Mark.Madlangbayan@bswhealth.org> wrote:

> Hello,
>
> I’m reading the documentation to configure JWT token authentication, and ran
> into where I need to disable c2s_require_encryption. Does this mean that
> communication between server and client is open and not encrypted?

Yes, this is correct. But in this case the client is the webserver
(nginx, apache or jetty) and the server is prosody. As this
communication is on localhost this is not a problem.
For example, check out
https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet/jitsi-meet.example#L44,
where nginx connects to prosody using http. The connection between the
web client and the webserver is always https.

Regards
damencho

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
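
The reply above relies on the unencrypted hop between the web server and Prosody staying on localhost. One way to check that on a host, as an added example that is not part of the thread or of the Jitsi documentation; ports 5222 (c2s) and 5280 (HTTP/BOSH) are assumed to be Prosody's defaults, and the `ss` lines are constructed sample input:

```shell
#!/bin/sh
# Added example (not from the thread): list Prosody listeners reachable beyond loopback.
# Assumption: Prosody default ports, 5222 (c2s) and 5280 (HTTP/BOSH).
PROSODY_PORTS="5222 5280"

# Reads `ss -ltnH` lines on stdin and prints "address port" for every listener
# on a watched port whose local address is not a loopback address.
exposed_listeners() {
    awk -v ports="$PROSODY_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)              # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)          # text before the last colon
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
            sub(/%.*$/, "", addr)                        # drop an interface scope such as %lo
            if (!(port in watch)) next                   # not a Prosody port
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only: expected
            print addr, port
        }'
}

# Constructed sample input in the format printed by `ss -ltnH`.
SAMPLE='LISTEN 0 128 127.0.0.1:5280 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5222 0.0.0.0:*
LISTEN 0 128 [::1]:5280 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 [::]:5222 [::]:*'

# On a live host: ss -ltnH | exposed_listeners
printf '%s\n' "$SAMPLE" | exposed_listeners
```

An empty result means both ports are bound to loopback only. Any line printed is a listener that, with c2s_require_encryption=false, accepts unencrypted connections from other hosts unless a firewall blocks them.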


#3

Thanks!

-----Original Message-----
From: users <users-bounces@jitsi.org> On Behalf Of Damian Minkov
Sent: Tuesday, May 1, 2018 10:10 AM
To: Jitsi Users <users@jitsi.org>
Subject: {EXTERNAL} Re: [jitsi-users] JWT Token Authentication
