JWT Authentication failed

@damencho

I’ve started authentication using TOKEN and set it up; I’m facing an authentication failed issue after setup.

Browser console snapshot.

Prosody Logs

Jan 30 11:54:44 internal.auth.xxx.xxx.xxx:muc error Error restoring room jvbbrewery@internal.auth.xxx.xxx.xxx from storage: no data storage active
Jan 30 11:54:45 portmanager error Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281
Jan 30 11:54:45 portmanager error Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281

Jicofo Logs

Jicofo 2020-01-30 11:54:44.929 WARNING: [38045] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[focus@auth.xxx.xxx.xx/focus193601083959760] (0) closed with error
org.jivesoftware.smack.XMPPException$StreamErrorException: system-shutdown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
stream:errorReceived SIGTERM</stream:error>
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1064)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.lang.Thread.run(Thread.java:748)
Jicofo 2020-01-30 11:54:44.929 SEVERE: [38045] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.connectionClosedOnError().641 XMPP connection closed on error: system-shutdown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
stream:errorReceived SIGTERM</stream:error>
Jicofo 2020-01-30 11:54:44.929 INFO: [38045] org.jitsi.jicofo.ComponentsDiscovery.log() Connection lost - component offline: conference.xxx.xxx.xx
Jicofo 2020-01-30 11:54:44.930 WARNING: [38045] org.jitsi.jicofo.JitsiMeetServices.log() MUC component went offline: conference.xxx.xxx.xx
Jicofo 2020-01-30 11:54:44.930 INFO: [38045] org.jitsi.jicofo.ComponentsDiscovery.log() Connection lost - component offline: focus.xxx.xxx.xx
Jicofo 2020-01-30 11:54:44.930 INFO: [38045] org.jitsi.jicofo.ComponentsDiscovery.log() Connection lost - component offline: auth.xxx.xxx.xx
Jicofo 2020-01-30 11:54:44.930 INFO: [38045] org.jitsi.jicofo.FocusManager.log() XMPP provider reg state: RegistrationState=Unregistered
Jicofo 2020-01-30 11:54:45.935 INFO: [38264] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.reconnectingIn().684 XMPP reconnecting in: 6
Jicofo 2020-01-30 11:54:46.936 INFO: [38264] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.reconnectingIn().684 XMPP reconnecting in: 5
Jicofo 2020-01-30 11:54:47.922 SEVERE: [38043] org.jivesoftware.whack.ExternalComponentManager.error()
java.net.SocketException: Broken pipe (Write failed)
at java.net.SocketOutputStream.socketWrite0(Native Method)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
at java.net.SocketOutputStream.write(SocketOutputStream.java:155)
at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
at java.io.BufferedWriter.flush(BufferedWriter.java:254)
at org.dom4j.io.XMLWriter.flush(XMLWriter.java:272)
at org.jivesoftware.whack.ExternalComponent.send(ExternalComponent.java:371)
at org.jivesoftware.whack.ExternalComponentManager.sendPacket(ExternalComponentManager.java:269)
at org.xmpp.component.AbstractComponent.send(AbstractComponent.java:925)
at org.jitsi.xmpp.component.ComponentBase.access$400(ComponentBase.java:36)
at org.jitsi.xmpp.component.ComponentBase$PingTask.run(ComponentBase.java:577)
at java.util.TimerThread.mainLoop(Timer.java:555)
at java.util.TimerThread.run(Timer.java:505)
Jicofo 2020-01-30 11:54:47.937 INFO: [38264] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.reconnectingIn().684 XMPP reconnecting in: 4
Jicofo 2020-01-30 11:54:48.937 INFO: [38264] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.reconnectingIn().684 XMPP reconnecting in: 3
Jicofo 2020-01-30 11:54:49.937 INFO: [38264] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.reconnectingIn().684 XMPP reconnecting in: 2
Jicofo 2020-01-30 11:54:50.938 INFO: [38264] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.reconnectingIn().684 XMPP reconnecting in: 1
Jicofo 2020-01-30 11:54:51.938 INFO: [38264] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.reconnectingIn().684 XMPP reconnecting in: 0
Jicofo 2020-01-30 11:54:51.939 INFO: [38264] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.reconnectingIn().684 XMPP reconnecting in: 0
Jicofo 2020-01-30 11:54:52.119 INFO: [38264] org.jitsi.jicofo.xmpp.BaseBrewery.start().186 Joined brewery room: JvbBrewery@internal.auth.xxx.xxx.xx
Jicofo 2020-01-30 11:54:52.121 INFO: [38264] org.jitsi.jicofo.ComponentsDiscovery.log() New component discovered: conference.xxx.xxx.xx, null
Jicofo 2020-01-30 11:54:52.121 INFO: [38264] org.jitsi.jicofo.JitsiMeetServices.log() MUC component discovered: conference.xxx.xxx.xx
Jicofo 2020-01-30 11:54:52.124 INFO: [38264] org.jitsi.jicofo.ComponentsDiscovery.log() New component discovered: focus.xxx.xxx.xx, null
Jicofo 2020-01-30 11:54:52.126 INFO: [38264] org.jitsi.jicofo.ComponentsDiscovery.log() New component discovered: auth.xxx.xxx.xx, IQ Stanza (query jabber:iq:version) [to=focus@auth.xxx.xxx.xx/focus193601083959760,from=auth.xxx.xxx.xx,id=bHaTK-203116,type=result,]
Jicofo 2020-01-30 11:54:52.126 INFO: [38264] org.jitsi.jicofo.JitsiMeetServices.log() Detected XMPP server version: IQ Stanza (query jabber:iq:version) [to=focus@auth.xxx.xxx.xx/focus193601083959760,from=auth.xxx.xxx.xx,id=bHaTK-203116,type=result,]
Jicofo 2020-01-30 11:54:52.126 INFO: [38264] org.jitsi.jicofo.ComponentsDiscovery.log() Services re-discovery interval: 30000
Jicofo 2020-01-30 11:54:52.129 INFO: [38264] org.jitsi.jicofo.FocusManager.log() XMPP provider reg state: RegistrationState=Registered
Jicofo 2020-01-30 11:54:52.926 SEVERE: [38266] org.jitsi.xmpp.component.ComponentBase.log() Ping timeout for ID: bHaTK-203091

JVB Logs

JVB 2020-01-30 12:02:06.024 INFO: [18] org.jitsi.videobridge.Videobridge.log() CAT=stat create_conf,conf_id=8118e8e63dd4bb97 conf_name=null,logging=false,conf_count=1,ch_count=0,v_streams=0
JVB 2020-01-30 12:02:06.057 INFO: [18] org.jitsi.videobridge.health.Health.log() Performed a successful health check in 33ms. Sticky failure: false

Prosody Configuration

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "xxx.xxx.xx";

turncredentials_secret = "CbiPhC1D";

turncredentials = {
    { type = "stun", host = "xxx.xxx.xx", port = "443" },
    { type = "turn", host = "xxx.xxx.xx", port = "443", transport = "udp" },
    { type = "turns", host = "xxx.xxx.xx", port = "443", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
c2s_require_encryption=false;

VirtualHost "xxx.xxx.xx"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="vidoly_app";
    app_secret="vidoly_app_secret";
    allow_empty_token = false;
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/xxx.xxx.xx.key";
        certificate = "/etc/prosody/certs/xxx.xxx.xx.crt";
    }
    speakerstats_component = "speakerstats.xxx.xxx.xx"
    conference_duration_component = "conferenceduration.xxx.xxx.xx"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
    }
    c2s_require_encryption = false

Component "conference.xxx.xxx.xx" "muc"
    storage = "internal"
    muc_room_cache_size = 100
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.xxx.xxx.xx" }

-- internal muc component
Component "internal.auth.xxx.xxx.xx" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.xxx.xxx.xx", "jvb@auth.xxx.xxx.xx" }

VirtualHost "auth.xxx.xxx.xx"
    ssl = {
        key = "/etc/prosody/certs/auth.xxx.xxx.xx.key";
        certificate = "/etc/prosody/certs/auth.xxx.xxx.xx.crt";
    }
    authentication = "internal_plain"

Component "focus.xxx.xxx.xx"
    component_secret = "FuQm7Mur"

Component "speakerstats.xxx.xxx.xx" "speakerstats_component"
    muc_component = "conference.xxx.xxx.xx"

Component "conferenceduration.xxx.xxx.xx" "conference_duration_component"
    muc_component = "conference.xxx.xxx.xx"

Which prosody version are you using? In case of 0.11.x make sure you have in your prosody config storage = "memory", for older trunk it is storage = "null" and for 0.10 storage = "none". But if you are doing jwt I suppose you want to use 0.11.
All those are handled on install time if you have prosody 0.11 installed before installing jitsi-meet. If you upgraded later you need to handle some stuff by hand.

I’ve upgraded later.

I already updated storage="memory" in the prosody configuration. Apart from that, is there anything further I need to update?

Something is not right, or you are looking at old logs, as it still complains about it.

I just checked in prosody, and I'm just getting the following error,

Jan 30 12:30:45 portmanager error Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281
Jan 30 12:30:45 portmanager error Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281

"from storage: no data storage active" is removed; at one place I forgot to update.

And your token still does not work?
Open the chrome network tab in dev tools and find the xmpp bosh response with the error for the token, what does it say?

It’s something like token required, but I’m passing it in the URL like this:

https://xxx.xxx.xxx/test?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJqaXRzaSIsImlzcyI6InZpZG9seV9hcHAiLCJzdWIiOiJzdGFnaW5nLnZjb25mLnZpZG9seS51cyIsInJvb20iOiIqIiwiZXhwIjoxNTgwNzMzODMxODA4LCJpYXQiOjE1ODAzODgyMzF9.d3TDXft_NgLronBa8BLxHfsraxPNNVuT-V0PZFOU50A
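Added example, not part of the original thread: a stand-alone Python check that rules out token-side problems for a `?jwt=` meeting URL before looking at the server. The app id, secret and host are constructed placeholders, and the checks (HS256 signature against `app_secret`, `iss` equal to `app_id`, `exp` in seconds and in the future) are assumptions about what the verifier enforces, not Jitsi's own code.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlparse, parse_qs

def b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, secret):
    # Builds an HS256 token; used only to construct sample input.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256)
    return f"{head}.{body}.{b64url_encode(sig.digest())}"

def check_jwt_url(url, app_id, app_secret, now=None):
    """Return a list of problems found in the jwt= parameter of a URL."""
    now = time.time() if now is None else now
    values = parse_qs(urlparse(url).query).get("jwt")
    if not values:
        return ["no jwt parameter in URL"]
    parts = values[0].split(".")
    if len(parts) != 3:
        return ["token is not header.payload.signature"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("segments are not JSON objects")
    except ValueError:
        return ["token segments are not base64url-encoded JSON objects"]
    if header.get("alg") != "HS256":
        return ["unexpected alg: %r" % header.get("alg")]
    problems = []
    signed = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(app_secret.encode(), signed, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        problems.append("signature does not match app_secret")
    if claims.get("iss") != app_id:
        problems.append("iss does not match app_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp missing or not numeric")
    elif exp > 1e11:  # heuristic: 13-digit values are milliseconds
        problems.append("exp looks like milliseconds, expected seconds")
    elif exp <= now:
        problems.append("token expired")
    return problems
```

An empty list means the token itself is consistent with the configured `app_id` and `app_secret`, so the remaining suspects are the transport and the server-side module.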

what is your nginx config?

We’re not using Nginx.

Are you sure it is passing all the url params to the prosody endpoint?


Not sure, I hope it’s passing because we’re not using any middle-ware.

Do you have any idea how we can check it?

@damencho
I found the solution, thank you for the help.

Hope someone else gets help from these threads.

I changed this: https://github.com/jitsi/jitsi-meet/blob/54c36198d060bfaa8e88d4594066a44310a579c3/resources/prosody-plugins/mod_auth_token.lua#L21 to say hook_global since mod_bosh is a global module: https://hg.prosody.im/0.11/file/tip/plugins/mod_bosh.lua#l9

Reference: https://github.com/jitsi/lib-jitsi-meet/issues/837

If you first install prosody and then jitsi-meet this will be handled https://github.com/jitsi/jitsi-meet/blob/ab5627212dc271f1c836b44bfc620cc3a9b861ff/debian/jitsi-meet-tokens.postinst#L77

NOTED. Thank you for the update.