JWT authentication working but guests without JWT are not allowed

Hi Team,

We have a custom Jitsi domain and are trying to implement JWT authentication for the users. We’re able to do JWT authentication successfully, but the guest users (those who don’t have a JWT token) are not allowed in. Any help from the experts would be highly appreciated.

Browser Console error

Prosody config

VirtualHost "my-jitsi-domain.com"
    authentication = "token"
    app_id="app-id-here"
    app_secret="app-secret-here"

    speakerstats_component = "speakerstats.my-jitsi-domain.com"
    conference_duration_component = "conferenceduration.my-jitsi-domain.com"

    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
        "presence_identity";
        "muc_allowners";
    }

    c2s_require_encryption = false
    lobby_muc = "lobby.my-jitsi-domain.com"
    main_muc = "conference.my-jitsi-domain.com"
    storage = "none"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.my-jitsi-domain.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "guest.my-jitsi-domain.com"
    authentication = "anonymous"
    c2s_require_encryption = false
    allow_empty_token = true;

/etc/jitsi/jicofo/sip-communicator.properties

org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.my-jitsi-domain.com
org.jitsi.jicofo.auth.URL=XMPP:my-jitsi-domain.com
org.jitsi.jicofo.ALWAYS_TRUST_MODE_ENABLED=true

config.js

var config = {
    // Connection
    //

    hosts: {
        // XMPP domain.
        domain: 'my-jitsi-domain.com',

        // When using authentication, domain for guest users.
        anonymousdomain: 'guest.my-jitsi-domain.com',

        // Domain for authenticated users. Defaults to <domain>.
        // authdomain: 'my-jitsi-domain.com',

        // Focus component domain. Defaults to focus.<domain>.
        // focus: 'focus.my-jitsi-domain.com',

        // XMPP MUC domain. FIXME: use XEP-0030 to discover it.
        muc: 'conference.<!--# echo var="subdomain" default="" -->my-jitsi-domain.com'
    }
}

allow_empty_token = true

Thanks for the reply. I have tried the allow_empty_token = true. But still the same error. No improvements.

Remove all guest.my-jitsi-domain.com related changes. These are not for JWT.

Thanks. I have removed the guest related configurations. Now the users with JWT are able to login. But the ones (guest) without JWT are asked for Username & Password.

But, what’s the usual behavior? I guess when someone with JWT joins the meeting, then the guests can enter there without authentication. Am I right?

If you set allow_empty_token, the guests are able to enter too.

Add allow_empty_token=true after the app_secret line and restart prosody

I did that as well but no luck. It’s asking for authentication (username & password). Any other things that I might be missing?

Could you paste your prosody config?

Yeah sure. Here it is.

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "my-jitsi-domain.com";

turncredentials_secret = "erqwer345bfggn";

turncredentials = {
    { type = "stun", host = "my-jitsi-domain.com", port = "3478" },
    { type = "turn", host = "my-jitsi-domain.com", port = "3478", transport = "udp" },
    { type = "turns", host = "my-jitsi-domain.com", port = "5349", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "{SOME_CIPHERS}"
}

VirtualHost "my-jitsi-domain.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="{my_app_id}"
    app_secret="{my_app_secret}"
    allow_empty_token = true;
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/my-jitsi-domain.com.key";
        certificate = "/etc/prosody/certs/my-jitsi-domain.com.crt";
    }
    speakerstats_component = "speakerstats.my-jitsi-domain.com"
    conference_duration_component = "conferenceduration.my-jitsi-domain.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
        "presence_identity";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.my-jitsi-domain.com"
    main_muc = "conference.my-jitsi-domain.com"
    -- muc_lobby_whitelist = { "recorder.my-jitsi-domain.com" } -- Here we can whitelist jibri to enter lobby enabled rooms
    storage = "none"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.my-jitsi-domain.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.my-jitsi-domain.com" "muc"
    storage = "none"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.my-jitsi-domain.com", "jvb@auth.my-jitsi-domain.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.my-jitsi-domain.com"
    ssl = {
        key = "/etc/prosody/certs/auth.my-jitsi-domain.com.key";
        certificate = "/etc/prosody/certs/auth.my-jitsi-domain.com.crt";
    }
    authentication = "internal_plain"

Component "focus.my-jitsi-domain.com"
    component_secret = "34584IDJFJASJFSD"

Component "speakerstats.my-jitsi-domain.com" "speakerstats_component"
    muc_component = "conference.my-jitsi-domain.com"

Component "conferenceduration.my-jitsi-domain.com" "conference_duration_component"
    muc_component = "conference.my-jitsi-domain.com"

Component "lobby.my-jitsi-domain.com" "muc"
    storage = "none"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

Component "conference.your-domain" "muc"

line is missing.

What is your prosody version?

dpkg -l "prosody*"

This is my prosody version.

I think prosody is the problem. Try to purge it and install a newer version. My recommendation is using Debian 10 Buster or Ubuntu 20.04 and the prosody package from the official distro repo.

Pardon my complete ignorance, but how do you generate/create/choose the tokens/IDs in this block?

VirtualHost "my-jitsi-domain.com"
    authentication = "token"
    app_id="{my_app_id}"
    app_secret="{my_app_secret}"
    allow_empty_token = true;

Hello @trentmu. We have chosen a random secret string for the app_secret, which complies with our app (which generates the JWT), and configured the same here. The app_id would be something like my-client-app, and it matches the iss field of the JWT.
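An added example, not part of the original thread and not Jitsi's or Prosody's own code: a standard-library sketch of how the shared app_secret and the app_id/iss match from the reply above fit together, plus a simplified model of what allow_empty_token changes. The secret, the claim values and the aud/sub/room claim names (taken from the jitsi-meet token documentation) are assumptions, and `mint` and `admit` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

APP_ID = "my-client-app"        # constructed; must equal app_id in the Prosody config
APP_SECRET = "example-secret"   # constructed placeholder; must equal app_secret

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return b64(mac.digest())

def mint(room: str, secret: str = APP_SECRET, iss: str = APP_ID, ttl: int = 3600) -> str:
    """What the token-issuing app does: sign the claims with the shared secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    # aud/sub/room values are constructed for this example.
    claims = {"iss": iss, "aud": "jitsi", "sub": "my-jitsi-domain.com",
              "room": room, "exp": int(time.time()) + ttl}
    signing_input = b64(json.dumps(header).encode()) + "." + b64(json.dumps(claims).encode())
    return signing_input + "." + sign(signing_input, secret)

def admit(token, allow_empty_token: bool = False) -> str:
    """Simplified model of the server-side decision for one connection."""
    if not token:  # no JWT presented: nothing to verify, the setting alone decides
        return "unauthenticated" if allow_empty_token else "rejected"
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(unb64(head)), json.loads(unb64(body))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return "rejected"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return "rejected"
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        return "rejected"
    expected = sign(head + "." + body, APP_SECRET)
    if not hmac.compare_digest(sig.encode(), expected.encode()):  # constant-time compare
        return "rejected"
    exp = claims.get("exp")
    if claims.get("iss") != APP_ID or not isinstance(exp, (int, float)) or exp <= time.time():
        return "rejected"
    return "authenticated"
```
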

So, to be clear, will this Component "conference.your-domain" "muc" part be autogenerated if I re-install prosody? Or shall I add that part in the prosody config without re-installing?

Normally you don’t need to edit prosody config. The package manager does all the jobs. The only thing you may do after the installation is to add the allow_empty_token = true line to the config file because it’s disabled by default.

Hi @emrah I have re-installed prosody & the guest users are able to login to the system successfully even if they don’t have a JWT.

But the problem is the guests are joined into the room even without the already joined users (with JWT) giving permission for the guest to enter. This is a problem, right?

Same error I am facing… if I am doing allow_empty_token… anyone will be able to enter without the token and will become moderator…

This happens in my case…

However, if I do allow empty token=false

then both host and guest can join with token.

Do you have any update on it?

I have the same issue. How to figure out the correct way? Please help.