JWT authentication with public key is failing

I have these settings to run the docker.

ENABLE_AUTH=1
ENABLE_GUESTS=1
AUTH_TYPE=jwt
LOG_LEVEL=debug

JWT_APP_ID=https://mydomain/auth/realms/test-meet
#JWT_APP_SECRET=my_jitsi_app_secret
JWT_ASAP_KEYSERVER=http://10.0.2.15:3001/publickey
JWT_ACCEPTED_ISSUERS=https://mydomain/auth/realms/test-meet
JWT_ACCEPTED_AUDIENCES=test-meet

JWT_AUTH_TYPE=token
JWT_TOKEN_AUTH_MODULE=token_verification

I was able to access my host machine IP (10.0.2.15:3001) from the prosody container (tested with curl http://10.0.2.15:3001/publickey/22e20dd7e707d4ac2185335225496d59fde5b8445fa0817d904e2389471bec3f.pem).

My token has the following claims.

{
    "alg": "RS256",
    "typ": "JWT",
    "kid": "HZyCHLJzbP97PpaEhh5r0qDWOQWle7gDtHk2wR-4K6o"
}
{
    "exp": 1595838065,
    "iat": 1595837765,
    "auth_time": 1595837764,
    "jti": "b81269a3-71bb-4358-93be-8f1255a20402",
    "iss": "https://mydomain/auth/realms/test-meet",
    "aud": "test-meet",
    "sub": "abbe961f-53a0-44de-84e2-a177df24cd16",
    "typ": "Bearer",
    "azp": "test-meet",
    "nonce": "417a2ddb-f49b-4272-8293-4e7c7fa215b7",
    "session_state": "aaa0017e-7394-4bcf-b000-cfe59d0333ab",
    "acr": "1",
    "scope": "openid test-scope",
    "context": {
        "user": {
            "name": "Test User",
            "id": "abbe961f-53a0-44de-84e2-a177df24cd16",
            "email": "test@test.com"
        },
        "group": "create-room"
    },
    "name": "Test User",
    "room": "abbe961f-53a0-44de-84e2-a177df24cd16"
}

When I start a room with the token, I get the following error in the prosody logs.

prosody_1  | meet.jitsi:auth_token                                        debug	Cache miss for key: HZyCHLJzbP97PpaEhh5r0qDWOQWle7gDtHk2wR-4K6o
prosody_1  | meet.jitsi:auth_token                                        debug	Fetching public key from: http://10.0.2.15:3001/publickey/22e20dd7e707d4ac2185335225496d59fde5b8445fa0817d904e2389471bec3f.pem
prosody_1  | http                                                         debug	Making HTTP GET request '556938da5450' to http://10.0.2.15:3001/publickey/22e20dd7e707d4ac2185335225496d59fde5b8445fa0817d904e2389471bec3f.pem
prosody_1  | runnerDDLjJdtz                                               debug	changed state from ready to error (ready)
prosody_1  | mod_bosh                                                     error	Traceback[bosh]: /usr/lib/prosody/net/resolvers/basic.lua:71: attempt to concatenate local 'conn_type' (a nil value)
prosody_1  | stack traceback:
prosody_1  | 	/usr/lib/prosody/net/resolvers/basic.lua:71: in function 'new'
prosody_1  | 	/usr/lib/prosody/net/http.lua:263: in function </usr/lib/prosody/net/http.lua:184>
prosody_1  | 	(...tail calls...)
prosody_1  | 	/prosody-plugins/token/util.lib.lua:130: in function 'get_public_key'
prosody_1  | 	/prosody-plugins/token/util.lib.lua:273: in function 'process_and_verify_token'
prosody_1  | 	/prosody-plugins/mod_auth_token.lua:80: in function 'anonymous'
prosody_1  | 	/prosody-plugins/mod_auth_token.lua:118: in function </prosody-plugins/mod_auth_token.lua:113>
prosody_1  | 	(...tail calls...)
prosody_1  | 	/usr/lib/prosody/modules/mod_saslauth.lua:77: in function </usr/lib/prosody/modules/mod_saslauth.lua:66>
prosody_1  | 	(...tail calls...)
prosody_1  | 	/usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
prosody_1  | 	(...tail calls...)
prosody_1  | 	/usr/lib/prosody/core/stanza_router.lua:142: in function 'dispatch_stanza'
prosody_1  | 	/usr/lib/prosody/modules/mod_bosh.lua:305: in function 'func'
prosody_1  | 	/usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>
prosody_1  | stack traceback:
prosody_1  | 	/usr/lib/prosody/util/async.lua:211: in function 'run'
prosody_1  | 	/usr/lib/prosody/modules/mod_bosh.lua:447: in function 'cb_handlestanza'
prosody_1  | 	/usr/lib/prosody/util/xmppstream.lua:182: in function </usr/lib/prosody/util/xmppstream.lua:162>
prosody_1  | 	[C]: in function 'parse'
prosody_1  | 	/usr/lib/prosody/util/xmppstream.lua:282: in function 'feed'
prosody_1  | 	/usr/lib/prosody/modules/mod_bosh.lua:133: in function '?'
prosody_1  | 	/usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
prosody_1  | 	(...tail calls...)
prosody_1  | 	/usr/lib/prosody/net/http/server.lua:228: in function </usr/lib/prosody/net/http/server.lua:176>
prosody_1  | 	[C]: in function 'xpcall'
prosody_1  | 	/usr/lib/prosody/net/http/server.lua:108: in function 'process_next'
prosody_1  | 	/usr/lib/prosody/net/http/server.lua:124: in function 'success_cb'
prosody_1  | 	/usr/lib/prosody/net/http/parser.lua:177: in function 'feed'
prosody_1  | 	/usr/lib/prosody/net/http/server.lua:155: in function </usr/lib/prosody/net/http/server.lua:154>
prosody_1  | 	[C]: in function 'pcall'
prosody_1  | 	/usr/lib/prosody/net/server_epoll.lua:159: in function 'on'
prosody_1  | 	/usr/lib/prosody/net/server_epoll.lua:348: in function 'onreadable'
prosody_1  | 	/usr/lib/prosody/net/server_epoll.lua:734: in function </usr/lib/prosody/net/server_epoll.lua:726>
prosody_1  | 	[C]: in function 'xpcall'
prosody_1  | 	/usr/bin/prosody:76: in function 'loop'
prosody_1  | 	/usr/bin/prosody:86: in main chunk
prosody_1  | 	[C]: in ?
prosody_1  | mod_bosh                                                     debug	Session 518417bd-4956-4a9e-9b40-d3d95502daa3 has 1 out of 1 requests open
prosody_1  | mod_bosh                                                     debug	and there are 0 things in the send_buffer:
prosody_1  | mod_bosh                                                     debug	Have nothing to say, so leaving request unanswered for now

On the UI I am getting Gateway timeout for https://127.0.0.1/http-bind?room=abbe961f-53a0-44de-84e2-a177df24cd16&token=<token>.

Can anyone please help me fix this issue?

Hi, first I recommend you take the minimum viable path, removing all the extra keys, like this:

{
  "aud": "some_audiences_test", // JWT_ACCEPTED_AUDIENCES
  "iss": "some_issuers_test", // JWT_ACCEPTED_ISSUERS
  "sub": "meet.jitsi",
  "room": "specific_room_name"
}

As far as I know, you don't need to put a URL as aud or iss.

Finally, I recommend you watch my YouTube video.
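
Added example (not part of any post in this thread, and not Jitsi's own code): a preflight check that decodes a token without verifying its signature, compares iss, aud and exp with the JWT_ACCEPTED_* settings from the question, and derives the URL prosody will request from the keyserver. It assumes the key file is named with the hex SHA-256 of the kid plus .pem, as Jitsi's token documentation describes; seg, unseg, key_url and preflight are names chosen here, and the sample token is constructed from the values in the question with a dummy signature.

```python
import base64, hashlib, json

def seg(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def unseg(segment):
    """Decode an unpadded base64url JWT segment back into a dict."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def key_url(keyserver, kid):
    """Key location: <keyserver>/<hex sha256 of kid>.pem (naming assumed, see lead-in)."""
    return keyserver.rstrip("/") + "/" + hashlib.sha256(kid.encode()).hexdigest() + ".pem"

def preflight(token, env, now):
    """Compare header and claims with the env settings. Does NOT verify the signature.
    Returns (key_url_or_None, list_of_problems)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, ["token does not have three segments"]
    header, claims = unseg(parts[0]), unseg(parts[1])
    problems, url = [], None
    if header.get("kid"):
        url = key_url(env["JWT_ASAP_KEYSERVER"], header["kid"])
    else:
        problems.append("header has no kid, so no key URL can be derived")
    if claims.get("iss") not in env["JWT_ACCEPTED_ISSUERS"].split(","):
        problems.append("iss not listed in JWT_ACCEPTED_ISSUERS")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if not set(auds) & set(env["JWT_ACCEPTED_AUDIENCES"].split(",")):
        problems.append("aud not listed in JWT_ACCEPTED_AUDIENCES")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp missing or already past")
    return url, problems

# Constructed sample: settings and claim values copied from the question, dummy signature.
ENV = {
    "JWT_ASAP_KEYSERVER": "http://10.0.2.15:3001/publickey",
    "JWT_ACCEPTED_ISSUERS": "https://mydomain/auth/realms/test-meet",
    "JWT_ACCEPTED_AUDIENCES": "test-meet",
}
HEADER = {"alg": "RS256", "typ": "JWT", "kid": "HZyCHLJzbP97PpaEhh5r0qDWOQWle7gDtHk2wR-4K6o"}
CLAIMS = {"iss": "https://mydomain/auth/realms/test-meet", "aud": "test-meet",
          "exp": 1595838065, "room": "abbe961f-53a0-44de-84e2-a177df24cd16"}
TOKEN = seg(HEADER) + "." + seg(CLAIMS) + "." + "c2ln"

if __name__ == "__main__":
    url, problems = preflight(TOKEN, ENV, now=1595837800)
    print(url)
    print(problems or "claims match the settings")
```

If the claims match and the derived URL is reachable from the prosody container, a failure at the fetch step points at the HTTP client rather than at the token.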

@dyapasrikanth I also encountered a similar bug and found out that, for me, it was caused by an erroneous file in prosody. Replacing it in the newest prosody version with the older one from https://github.com/bjc/prosody/blob/e0a077e53b7daa04975397bbd3fdc49b73ef0f50/net/http.lua solved my issue.

The directory path in the prosody dir is net/http.lua (i.e. usually /usr/lib/prosody/net/http.lua).

Maybe it will help you.


@nosmo tks, it works for me