Joining as Guest not working - Token nil not allowed to join

pyte · November 30, 2022, 2:17pm

Hi,

i’ve justed upgraded my Jitsi Meet Servers from the :latest docker images to :stable. Jitsi is working fine so far expect for one thing. I cannot invite guests anymore. Even if the room is created by an authorized user and is open, as soon as i invite through link i get an error while trying to join.

In the log of the docker container i can see this:

c2s561cb3892550                                              info       Authenticated as fc7da29d-8383-41d2-bb2e-33ceb57f13de@guest.meet.jitsi
muc.meet.jitsi:token_verification                            **error      Token nil not allowed to join**: d447d538-e66b-4762-b0cc-b629b3958cae@muc.meet.jitsi/fc7da29d

I have the “ENABLE_GUESTS” flag set in the environment.

Can someone help me here?

damencho · November 30, 2022, 2:22pm

Try setting JWT_ENABLE_DOMAIN_VERIFICATION=false in the env. Does that fixes it?

pyte · November 30, 2022, 2:27pm

Thank you for your help.
I’ve just tried it. The error stays the same even after a restart of the containers. Any other idea?

pyte · November 30, 2022, 2:49pm

I’ve checked the file in .jitsi-meet-cfg/prosody/config/conf.d/jitsi-meet.cfg.lua. Which states the following two lines:

allow_empty_token = false
enable_domain_verification = true

Is this correct? I’ve changed both true->false and false->true but the error stays.
So as soon as a user with “@guest.meet.jitsi” tries to join it errors, “@meet.jitsi” is fine.

Don’t know what to check next. Any ideas?

damencho · November 30, 2022, 2:53pm

enable_domain_verification needs to be false.

Can you try moving enable_domain_verification=false in the general part of the file, before any virtual host and restart prosody.

pyte · November 30, 2022, 3:17pm

I’ve tried it like this:

....
 enable_domain_verification=false
 VirtualHost "meet.jitsi"
...

Note: “meet.jitsi” is the first VirtualHost in the file.

Still the error stays the same. Nothing changed.

damencho · November 30, 2022, 3:22pm

No ideas. In general tokens and guest domain was never intended to work together and was never tested, and it worked was a pure luck. We are planning to refactor all the authentication mechanism at some point Intent to deprecate and remove: external auth mechanisms

pyte · November 30, 2022, 3:27pm

Oh, is there a way to set this up correctly then?

I have multiple Nextcloud instances with the jitsi meet extenstion, they all use a different “JWT_ACCEPTED_ISSUERS”, and want to be able to invite guests to the meetings.

Is there a way to make this work right now?

damencho · November 30, 2022, 3:30pm

You can drop the guest domain from config.js and enable allow_empty_token under the main virtual host.

pyte · December 1, 2022, 7:43am

When i remove config.hosts.anonymousdomain = 'guest.meet.jitsi'; from the config.js, and click on Join via invite link, i get asked for username and password, even tho i set “allow_empty_token”.

emrah · December 1, 2022, 9:02am

Did you set a Docker environment variable or did you edit the config file?

pyte · December 1, 2022, 9:17am

I edit the config. Well technically i have a restart.sh script that triggers a customize.sh script which modifies the configs in .jitsi-meet-cfg folder via sed commands.

emrah · December 1, 2022, 9:34am

allow_empty_token should be inside the main VirtualHost block.

Do you have a third-party Prosody module?

pyte · December 1, 2022, 9:43am

It is set within the VirtualHost “meet.jitsi”, the error persists.

Here are my scripts and the .env file, hope that helps.

The restart.sh:

#!/bin/bash

DOCKERPATH=/opt/docker

# Shutdown grafana containers (because of external network)
cd $DOCKERPATH/grafana/
docker-compose down

# Create overlay network if not exist
if [ $(docker network ls | grep jitsi-meet | wc -l) = 0 ]; then
        docker network create --driver=overlay --attachable jitsi-meet
fi

# Configure overlay network in docker-compose.yml
cd $DOCKERPATH/jitsi-meet
sed -i 's/meet.jitsi/jitsi-meet/g' docker-compose.yml

# Shutdown jitsi meet containers and remove images
cd $DOCKERPATH/jitsi-meet
docker-compose down --rmi all

# Delete configs and recreate folders
rm -rf .jitsi-meet-cfg/
mkdir -p .jitsi-meet-cfg/{web/letsencrypt,transcripts,prosody,jicofo,jvb}

# Start Jitsi Meet
docker-compose up -d
sleep 10

# Customize
./customize.sh

# Create XMPP user for Grafana
docker exec jitsi-meet_prosody_1 prosodyctl --config /config/prosody.cfg.lua register grafana auth.meet.jitsi 9dswNOpvUIkvVIln


# Set JVB Logging from INFO to WARNING
sed -i 's/.level=.*/.level=WARNING/' .jitsi-meet-cfg/jvb/logging.properties
docker restart jitsi-meet_jvb_1

# Powerup grafana containers (because of external network)
cd $DOCKERPATH/grafana/
docker-compose pull
docker-compose up -d

The customize.sh:

#!/bin/bash

# Welcome Page
docker cp welcome-background.png jitsi-meet_web_1:/usr/share/jitsi-meet/images/
docker cp favicon.ico jitsi-meet_web_1:/usr/share/jitsi-meet/images/


# Disable Watermark
sed -i "s/JITSI_WATERMARK_LINK: '.*',/JITSI_WATERMARK_LINK: '',/" .jitsi-meet-cfg/web/interface_config.js

# Disable third party requests (gravatar.com)
sed -i "s#// disableThirdPartyRequests: false,#disableThirdPartyRequests: true,#" .jitsi-meet-cfg/web/config.js

# Testing
sed -i "/config.hosts.domain/i config.hosts.anonymousdomain = \'guest.meet.jitsi\'\;" .jitsi-meet-cfg/web/interface_config.js

# Acrive flags - Testing
# sed -i '/flags:.*/a\\n\t\tsourceNameSignaling: true,\n\t\tsendMultipleVideoStreams: true,\n\t\treceiveMultipleVideoStreams: true,' .jitsi-meet-cfg/web/config.js

# Disable generated room names
sed -i "s#GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,#GENERATE_ROOMNAMES_ON_WELCOME_PAGE: false,#" .jitsi-meet-cfg/web/interface_config.js

# Set own STUN server
sed -i "s#// { urls: 'stun:jitsi-meet.example.com:3478#{ urls: 'stun:meet-turn.xxxxx.tld:5349#" .jitsi-meet-cfg/web/config.js
sed -i 's/meet-jit-si-turnrelay.jitsi.net:443/meet-turn.xxxxxxx.tld:5349/' .jitsi-meet-cfg/web/config.js

# Auto Language
sed -i 's/LANG_DETECTION: false/LANG_DETECTION: true/' .jitsi-meet-cfg/web/interface_config.js
sed -i "s#// defaultLanguage: 'en'#defaultLanguage: 'de'#" .jitsi-meet-cfg/web/config.js

# Set Resolution
sed -i 's#// resolution: 720#resolution: 720#' .jitsi-meet-cfg/web/config.js
if [ $(grep "    constraints: {" .jitsi-meet-cfg/web/config.js | wc -l) = 0 ]; then
cat << EOF | sed -i '/constraints: {/r /dev/stdin' .jitsi-meet-cfg/web/config.js
    constraints: {
        video: {
            height: {
                ideal: 720,
                max: 720,
                min: 180
            },
            width: {
                    ideal: 1280,
                    max: 1280,
                    min: 320
            }
        }
    },

    videoQuality: {
            maxBitratesVideo: {
            low: 200000,
            standard: 500000,
            high: 1500000
        },
    },
EOF
fi


# Enable Layer Suspension
sed -i 's#// enableLayerSuspension: false,#enableLayerSuspension: true,#' .jitsi-meet-cfg/web/config.js

# Disable recording
sed -i 's#// fileRecordingsEnabled: false,#fileRecordingsEnabled: false,#' .jitsi-meet-cfg/web/config.js

# Disable livestreaming
sed -i 's#// liveStreamingEnabled: false,#liveStreamingEnabled: false,#' .jitsi-meet-cfg/web/config.js

The .env file:

JICOFO_AUTH_PASSWORD=34dbXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JVB_AUTH_PASSWORD=ca67XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JIGASI_XMPP_PASSWORD=0e17XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JIBRI_RECORDER_PASSWORD=3f0fXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JIBRI_XMPP_PASSWORD=27a4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


CONFIG=.jitsi-meet-cfg
HTTP_PORT=180
HTTPS_PORT=1443
TZ=Europe/Berlin
PUBLIC_URL=https://meet-shard01.xxxx.tld

DOCKER_HOST_ADDRESS=185.XXXXXXXXX


ENABLE_LOBBY=1
ENABLE_PREJOIN_PAGE=1
ENABLE_BREAKOUT_ROOMS=1

ETHERPAD_TITLE=Video Chat
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to Web Chat!\n\n"
ETHERPAD_SKIN_NAME=colibris
ETHERPAD_SKIN_VARIANTS="super-light-toolbar super-light-editor light-background full-width-editor"

ENABLE_AUTH=1
ENABLE_GUESTS=1
AUTH_TYPE=jwt

JWT_APP_ID=meetsxxxxx
JWT_APP_SECRET=278xxxx
JWT_ACCEPTED_ISSUERS=xxx,xxx,...

XMPP_DOMAIN=meet.jitsi
XMPP_SERVER=xmpp.meet.jitsi
XMPP_BOSH_URL_BASE=http://xmpp.meet.jitsi:5280
XMPP_AUTH_DOMAIN=auth.meet.jitsi
XMPP_MUC_DOMAIN=muc.meet.jitsi
XMPP_INTERNAL_MUC_DOMAIN=internal-muc.meet.jitsi
XMPP_GUEST_DOMAIN=guest.meet.jitsi
XMPP_MODULES=
XMPP_MUC_MODULES=
XMPP_INTERNAL_MUC_MODULES=


JVB_BREWERY_MUC=jvbbrewery
JVB_AUTH_USER=jvb
JVB_STUN_SERVERS=meet-turn.xxxxx.tld:5349
JVB_PORT=10000

JICOFO_AUTH_USER=focus

JIGASI_XMPP_USER=jigasi
JIGASI_BREWERY_MUC=jigasibrewery
JIGASI_PORT_MIN=20000
JIGASI_PORT_MAX=20050

XMPP_RECORDER_DOMAIN=recorder.meet.jitsi
JIBRI_RECORDER_USER=recorder
JIBRI_RECORDING_DIR=/config/recordings
JIBRI_XMPP_USER=jibri
JIBRI_BREWERY_MUC=jibribrewery
JIBRI_PENDING_TIMEOUT=90
JIBRI_STRIP_DOMAIN_JID=muc
JIBRI_LOGS_DIR=/config/logs

RESTART_POLICY=unless-stopped

pyte · December 5, 2022, 9:06am

Fixed.

I set JWT_ENABLE_DOMAIN_VERIFICATION=false in the env file, but forgot to set “- JWT_ENABLE_DOMAIN_VERIFICATION” in the docker-compose file.

It is now working as expected. Cheers!