Hi Team,
We have a custom Jitsi domain & are trying to implement JWT authentication for the users. We’re able to do JWT authentication successfully. But the guest users (those who don’t have a JWT token) are not allowed in. Any help from the experts would be highly appreciated.
Browser Console error
Prosody config
VirtualHost "my-jitsi-domain.com"
    authentication = "token"
    app_id="app-id-here"
    app_secret="app-secret-here"
    speakerstats_component = "speakerstats.my-jitsi-domain.com"
    conference_duration_component = "conferenceduration.my-jitsi-domain.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
        "presence_identity";
        "muc_allowners";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.my-jitsi-domain.com"
    main_muc = "conference.my-jitsi-domain.com"
    storage = "none"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.my-jitsi-domain.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true
VirtualHost "guest.my-jitsi-domain.com"
    authentication = "anonymous"
    c2s_require_encryption = false
    allow_empty_token = true;
/etc/jitsi/jicofo/sip-communicator.properties
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.my-jitsi-domain.com
org.jitsi.jicofo.auth.URL=XMPP:my-jitsi-domain.com
org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true
config.js
var config = {
    // Connection
    //
    hosts: {
        // XMPP domain.
        domain: 'my-jitsi-domain.com',
        // When using authentication, domain for guest users.
        anonymousdomain: 'guest.my-jitsi-domain.com',
        // Domain for authenticated users. Defaults to <domain>.
        // authdomain: 'my-jitsi-domain.com',
        // Focus component domain. Defaults to focus.<domain>.
        // focus: 'focus.my-jitsi-domain.com',
        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
        muc: 'conference.<!--# echo var="subdomain" default="" -->my-jitsi-domain.com'
    }
}
Thanks for the reply. I have tried the allow_empty_token = true. But still the same error. No improvements.
emrah
March 10, 2021, 6:25am
#4
Remove all guest.my-jitsi-domain.com related changes. These are not for JWT
Thanks. I have removed the guest related configurations. Now the users with JWT are able to login. But the ones (guest) without JWT are asked for Username & Password.
But, what’s the usual behavior? I guess when someone with JWT joins the meeting, then the guests can enter there without authentication. Am I right?
emrah
March 10, 2021, 7:17am
#6
If you set allow_empty_token, the guests are able to enter too.
Add allow_empty_token=true after the app_secret line and restart prosody
I did that as well but no luck. It’s asking for authentication (username & password). Any other things that I might be missing?
emrah
March 10, 2021, 4:35pm
#8
Could you paste your prosody config?
Yeah sure. Here it is.
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "my-jitsi-domain.com";
turncredentials_secret = "erqwer345bfggn";
turncredentials = {
    { type = "stun", host = "my-jitsi-domain.com", port = "3478" },
    { type = "turn", host = "my-jitsi-domain.com", port = "3478", transport = "udp" },
    { type = "turns", host = "my-jitsi-domain.com", port = "5349", transport = "tcp" }
};
cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "{SOME_CIPHERS}"
}
VirtualHost "my-jitsi-domain.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="{my_app_id}"
    app_secret="{my_app_secret}"
    allow_empty_token = true;
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/my-jitsi-domain.com.key";
        certificate = "/etc/prosody/certs/my-jitsi-domain.com.crt";
    }
    speakerstats_component = "speakerstats.my-jitsi-domain.com"
    conference_duration_component = "conferenceduration.my-jitsi-domain.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
        "presence_identity";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.my-jitsi-domain.com"
    main_muc = "conference.my-jitsi-domain.com"
    -- muc_lobby_whitelist = { "recorder.my-jitsi-domain.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
    storage = "none"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.my-jitsi-domain.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.my-jitsi-domain.com" "muc"
    storage = "none"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.my-jitsi-domain.com", "jvb@auth.my-jitsi-domain.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true
VirtualHost "auth.my-jitsi-domain.com"
    ssl = {
        key = "/etc/prosody/certs/auth.my-jitsi-domain.com.key";
        certificate = "/etc/prosody/certs/auth.my-jitsi-domain.com.crt";
    }
    authentication = "internal_plain"
Component "focus.my-jitsi-domain.com"
    component_secret = "34584IDJFJASJFSD"
Component "speakerstats.my-jitsi-domain.com" "speakerstats_component"
    muc_component = "conference.my-jitsi-domain.com"
Component "conferenceduration.my-jitsi-domain.com" "conference_duration_component"
    muc_component = "conference.my-jitsi-domain.com"
Component "lobby.my-jitsi-domain.com" "muc"
    storage = "none"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
emrah
March 10, 2021, 5:14pm
#10
Component "conference.your-domain" "muc" line is missing.
What is your prosody version?
dpkg -l "prosody*"
This is my prosody version.
emrah
March 11, 2021, 6:23am
#12
I think prosody is the problem. Try to purge it and install a newer version. My recommendation is using Debian 10 Buster or Ubuntu 20.04 and the prosody package from the official distro repo.
trentmu
March 11, 2021, 12:22pm
#13
Pardon my complete ignorance, but how do you generate/create/choose the tokens/IDs in this block
VirtualHost "my-jitsi-domain.com"
    authentication = "token"
    app_id="{my_app_id}"
    app_secret="{my_app_secret}"
    allow_empty_token = true;
Hello @trentmu. We have chosen the app_secret with some random secret string which complies with our app (which generates the JWT) & configured the same here. The app_id would be something like my-client-app and it matches with the iss field of the JWT.
So, to be clear, will this Component "conference.your-domain" "muc" part be autogenerated if I re-install prosody? Or shall I add that part in the prosody config without re-installing?
emrah
March 12, 2021, 7:35am
#16
Normally you don’t need to edit prosody config. The package manager does all the jobs. The only thing you may do after the installation is to add the allow_empty_token = true line to the config file because it’s disabled by default
Hi @emrah I have re-installed prosody & the guest users are able to login to the system successfully even if they don’t have a JWT.
But the problem is the guests are joined into the room even without the already joined users (with JWT) giving permission for the guest to enter. This is a problem right?
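Added example, not code from this thread or from the Jitsi project: it issues an HS256 token the way the reply to @trentmu describes (app_secret as the shared key, app_id as the iss claim) and runs a simplified model of the server-side decision to show what allow_empty_token changes. The aud, sub and room claims, the function names and the reason strings are assumptions of this sketch; the id and secret are placeholders.

```python
import base64, hashlib, hmac, json, time

APP_ID = "my-client-app"        # constructed; must equal app_id in the VirtualHost
APP_SECRET = "app-secret-here"  # placeholder; must equal app_secret, keep it private

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, secret):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(room, secret=APP_SECRET, app_id=APP_ID, ttl=3600, now=None):
    """Issue an HS256 JWT whose iss equals app_id, as the thread describes."""
    now = int(time.time()) if now is None else now
    # aud, sub and room are assumed claim names, not taken from this thread
    claims = {"iss": app_id, "aud": app_id, "sub": "my-jitsi-domain.com",
              "room": room, "exp": now + ttl}
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + b64url_encode(sign(signing_input, secret))

def admit(token, allow_empty_token, secret=APP_SECRET, app_id=APP_ID, now=None):
    """Simplified model of the server-side check; returns (admitted, reason)."""
    now = int(time.time()) if now is None else now
    if not token:
        # The branch allow_empty_token opens: nothing is verified for this user.
        return (True, "guest-no-token") if allow_empty_token else (False, "token-required")
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        given = b64url_decode(sig)
    except ValueError:
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":  # pin the algorithm; "none" is rejected
        return False, "bad-alg"
    if not hmac.compare_digest(sign(f"{head}.{body}", secret), given):
        return False, "bad-signature"
    if claims.get("iss") != app_id:
        return False, "bad-issuer"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    return True, "token-ok"
```

In this model a missing token with allow_empty_token set skips every check, which matches the behaviour reported in the last post: the token check no longer gates guests, so any gating has to come from another control.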