Joining as Guest not working - Token nil not allowed to join

Hi,

i’ve justed upgraded my Jitsi Meet Servers from the :latest docker images to :stable. Jitsi is working fine so far expect for one thing. I cannot invite guests anymore. Even if the room is created by an authorized user and is open, as soon as i invite through link i get an error while trying to join.

In the log of the docker container i can see this:

c2s561cb3892550                                              info       Authenticated as fc7da29d-8383-41d2-bb2e-33ceb57f13de@guest.meet.jitsi
muc.meet.jitsi:token_verification                            **error      Token nil not allowed to join**: d447d538-e66b-4762-b0cc-b629b3958cae@muc.meet.jitsi/fc7da29d

I have the “ENABLE_GUESTS” flag set in the environment.

Can someone help me here?

Try setting JWT_ENABLE_DOMAIN_VERIFICATION=false in the env. Does that fixes it?

1 Like

Thank you for your help.
I’ve just tried it. The error stays the same even after a restart of the containers. Any other idea?

I’ve checked the file in .jitsi-meet-cfg/prosody/config/conf.d/jitsi-meet.cfg.lua. Which states the following two lines:

allow_empty_token = false
enable_domain_verification = true

Is this correct? I’ve changed both true->false and false->true but the error stays.
So as soon as a user with “@guest.meet.jitsi” tries to join it errors, “@meet.jitsi” is fine.

Don’t know what to check next. Any ideas?

enable_domain_verification needs to be false.

Can you try moving enable_domain_verification=false in the general part of the file, before any virtual host and restart prosody.

1 Like

I’ve tried it like this:

....
 enable_domain_verification=false
 VirtualHost "meet.jitsi"
...

Note: “meet.jitsi” is the first VirtualHost in the file.

Still the error stays the same. Nothing changed.

No ideas. In general tokens and guest domain was never intended to work together and was never tested, and it worked was a pure luck. We are planning to refactor all the authentication mechanism at some point Intent to deprecate and remove: external auth mechanisms

Oh, is there a way to set this up correctly then?

I have multiple Nextcloud instances with the jitsi meet extenstion, they all use a different “JWT_ACCEPTED_ISSUERS”, and want to be able to invite guests to the meetings.

Is there a way to make this work right now?

You can drop the guest domain from config.js and enable allow_empty_token under the main virtual host.

When i remove config.hosts.anonymousdomain = 'guest.meet.jitsi'; from the config.js, and click on Join via invite link, i get asked for username and password, even tho i set “allow_empty_token”.

Did you set a Docker environment variable or did you edit the config file?

I edit the config. Well technically i have a restart.sh script that triggers a customize.sh script which modifies the configs in .jitsi-meet-cfg folder via sed commands.

allow_empty_token should be inside the main VirtualHost block.

Do you have a third-party Prosody module?

It is set within the VirtualHost “meet.jitsi”, the error persists.

Here are my scripts and the .env file, hope that helps.

The restart.sh:

#!/bin/bash

DOCKERPATH=/opt/docker

# Shutdown grafana containers (because of external network)
cd $DOCKERPATH/grafana/
docker-compose down

# Create overlay network if not exist
if [ $(docker network ls | grep jitsi-meet | wc -l) = 0 ]; then
        docker network create --driver=overlay --attachable jitsi-meet
fi

# Configure overlay network in docker-compose.yml
cd $DOCKERPATH/jitsi-meet
sed -i 's/meet.jitsi/jitsi-meet/g' docker-compose.yml

# Shutdown jitsi meet containers and remove images
cd $DOCKERPATH/jitsi-meet
docker-compose down --rmi all

# Delete configs and recreate folders
rm -rf .jitsi-meet-cfg/
mkdir -p .jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}

# Start Jitsi Meet
docker-compose up -d
sleep 10

# Customize
./customize.sh

# Create XMPP user for Grafana
docker exec jitsi-meet_prosody_1 prosodyctl --config /config/prosody.cfg.lua register grafana auth.meet.jitsi 9dswNOpvUIkvVIln


# Set JVB Logging from INFO to WARNING
sed -i 's/.level=.*/.level=WARNING/' .jitsi-meet-cfg/jvb/logging.properties
docker restart jitsi-meet_jvb_1

# Powerup grafana containers (because of external network)
cd $DOCKERPATH/grafana/
docker-compose pull
docker-compose up -d

The customize.sh:

#!/bin/bash

# Welcome Page
docker cp welcome-background.png jitsi-meet_web_1:/usr/share/jitsi-meet/images/
docker cp favicon.ico jitsi-meet_web_1:/usr/share/jitsi-meet/images/


# Disable Watermark
sed -i "s/JITSI_WATERMARK_LINK: '.*',/JITSI_WATERMARK_LINK: '',/" .jitsi-meet-cfg/web/interface_config.js

# Disable third party requests (gravatar.com)
sed -i "s#// disableThirdPartyRequests: false,#disableThirdPartyRequests: true,#" .jitsi-meet-cfg/web/config.js

# Testing
sed -i "/config.hosts.domain/i config.hosts.anonymousdomain = \'guest.meet.jitsi\'\;" .jitsi-meet-cfg/web/interface_config.js

# Acrive flags - Testing
# sed -i '/flags:.*/a\\n\t\tsourceNameSignaling: true,\n\t\tsendMultipleVideoStreams: true,\n\t\treceiveMultipleVideoStreams: true,' .jitsi-meet-cfg/web/config.js

# Disable generated room names
sed -i "s#GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,#GENERATE_ROOMNAMES_ON_WELCOME_PAGE: false,#" .jitsi-meet-cfg/web/interface_config.js

# Set own STUN server
sed -i "s#// { urls: 'stun:jitsi-meet.example.com:3478#{ urls: 'stun:meet-turn.xxxxx.tld:5349#" .jitsi-meet-cfg/web/config.js
sed -i 's/meet-jit-si-turnrelay.jitsi.net:443/meet-turn.xxxxxxx.tld:5349/' .jitsi-meet-cfg/web/config.js

# Auto Language
sed -i 's/LANG_DETECTION: false/LANG_DETECTION: true/' .jitsi-meet-cfg/web/interface_config.js
sed -i "s#// defaultLanguage: 'en'#defaultLanguage: 'de'#" .jitsi-meet-cfg/web/config.js

# Set Resolution
sed -i 's#// resolution: 720#resolution: 720#' .jitsi-meet-cfg/web/config.js
if [ $(grep "    constraints: {" .jitsi-meet-cfg/web/config.js | wc -l) = 0 ]; then
cat << EOF | sed -i '/constraints: {/r /dev/stdin' .jitsi-meet-cfg/web/config.js
    constraints: {
        video: {
            height: {
                ideal: 720,
                max: 720,
                min: 180
            },
            width: {
                    ideal: 1280,
                    max: 1280,
                    min: 320
            }
        }
    },

    videoQuality: {
            maxBitratesVideo: {
            low: 200000,
            standard: 500000,
            high: 1500000
        },
    },
EOF
fi


# Enable Layer Suspension
sed -i 's#// enableLayerSuspension: false,#enableLayerSuspension: true,#' .jitsi-meet-cfg/web/config.js

# Disable recording
sed -i 's#// fileRecordingsEnabled: false,#fileRecordingsEnabled: false,#' .jitsi-meet-cfg/web/config.js

# Disable livestreaming
sed -i 's#// liveStreamingEnabled: false,#liveStreamingEnabled: false,#' .jitsi-meet-cfg/web/config.js

The .env file:

JICOFO_AUTH_PASSWORD=34dbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JVB_AUTH_PASSWORD=ca67XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JIGASI_XMPP_PASSWORD=0e17XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JIBRI_RECORDER_PASSWORD=3f0fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JIBRI_XMPP_PASSWORD=27a4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


CONFIG=.jitsi-meet-cfg
HTTP_PORT=180
HTTPS_PORT=1443
TZ=Europe/Berlin
PUBLIC_URL=https://meet-shard01.xxxx.tld

DOCKER_HOST_ADDRESS=185.XXXXXXXXX


ENABLE_LOBBY=1
ENABLE_PREJOIN_PAGE=1
ENABLE_BREAKOUT_ROOMS=1

ETHERPAD_TITLE=Video Chat
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
ETHERPAD_SKIN_NAME=colibris
ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"

ENABLE_AUTH=1
ENABLE_GUESTS=1
AUTH_TYPE=jwt

JWT_APP_ID=meetsxxxxx
JWT_APP_SECRET=278xxxx
JWT_ACCEPTED_ISSUERS=xxx,xxx,...

XMPP_DOMAIN=meet.jitsi
XMPP_SERVER=xmpp.meet.jitsi
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
XMPP_AUTH_DOMAIN=auth.meet.jitsi
XMPP_MUC_DOMAIN=muc.meet.jitsi
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
XMPP_GUEST_DOMAIN=guest.meet.jitsi
XMPP_MODULES=
XMPP_MUC_MODULES=
XMPP_INTERNAL_MUC_MODULES=


JVB_BREWERY_MUC=jvbbrewery
JVB_AUTH_USER=jvb
JVB_STUN_SERVERS=meet-turn.xxxxx.tld:5349
JVB_PORT=10000

JICOFO_AUTH_USER=focus

JIGASI_XMPP_USER=jigasi
JIGASI_BREWERY_MUC=jigasibrewery
JIGASI_PORT_MIN=20000
JIGASI_PORT_MAX=20050

XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
JIBRI_RECORDER_USER=recorder
JIBRI_RECORDING_DIR=/config/recordings
JIBRI_XMPP_USER=jibri
JIBRI_BREWERY_MUC=jibribrewery
JIBRI_PENDING_TIMEOUT=90
JIBRI_STRIP_DOMAIN_JID=muc
JIBRI_LOGS_DIR=/config/logs

RESTART_POLICY=unless-stopped

Fixed.

I set JWT_ENABLE_DOMAIN_VERIFICATION=false in the env file, but forgot to set “- JWT_ENABLE_DOMAIN_VERIFICATION” in the docker-compose file.

It is now working as expected. Cheers!

2 Likes