JWT authentication

I've been trying to configure JWT authentication for 3 days, but I can't get it to work.
I installed Jitsi on an Ubuntu 20 LTS and it's working fine without JWT.
I followed this guide to configure JWT.

This is my prosody configuration.

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitsi.enerlamp.it";
external_service_secret = "aXQFSQvbYOc4lmQq";
external_services = {
     { type = "stun", host = "jitsi.enerlamp.it", port = 3478 },
     { type = "turn", host = "jitsi.enerlamp.it", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "jitsi.enerlamp.it", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

asap_accepted_issuers = { "*" }
asap_accepted_audiences = { "*" }

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284
-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}
unlimited_jids = {
    "focus@auth.MY_DOMAIN",
    "jvb@auth.MY_DOMAIN"
}
VirtualHost "MY_DOMAIN"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="YOUR_APP_ID"
    app_secret="YOUR_SECRET"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/MY_DOMAIN.key";
        certificate = "/etc/prosody/certs/MY_DOMAIN.crt";
    }
    av_moderation_component = "avmoderation.MY_DOMAIN"
    speakerstats_component = "speakerstats.MY_DOMAIN"
    conference_duration_component = "conferenceduration.MY_DOMAIN"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "av_moderation";
        "presence_identity";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.MY_DOMAIN"
    main_muc = "conference.MY_DOMAIN"
    -- muc_lobby_whitelist = { "recorder.MY_DOMAIN" } -- Here we can whitelist jibri to enter lobby enabled rooms
Component "conference.MY_DOMAIN" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        "token_verification";
    }
    admins = { "focus@auth.MY_DOMAIN" }
    muc_room_locking = false
    muc_room_default_public_jids = true
-- internal muc component
Component "internal.auth.MY_DOMAIN" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.MY_DOMAIN", "jvb@auth.MY_DOMAIN" }
    muc_room_locking = false
    muc_room_default_public_jids = true
VirtualHost "auth.MY_DOMAIN"
    ssl = {
        key = "/etc/prosody/certs/auth.MY_DOMAIN.key";
        certificate = "/etc/prosody/certs/auth.MY_DOMAIN.crt";
    }
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.MY_DOMAIN" "client_proxy"
    target_address = "focus@auth.MY_DOMAIN"
Component "speakerstats.MY_DOMAIN" "speakerstats_component"
    muc_component = "conference.MY_DOMAIN"
Component "conferenceduration.MY_DOMAIN" "conference_duration_component"
    muc_component = "conference.MY_DOMAIN"
Component "avmoderation.MY_DOMAIN" "av_moderation_component"
    muc_component = "conference.MY_DOMAIN"
Component "lobby.MY_DOMAIN" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
VirtualHost "guest.MY_DOMAIN"
    authentication = "token";
    app_id = "YOUR_APP_ID";
    app_secret = "YOUR_SECRET";
    c2s_require_encryption = false;
    allow_empty_token = true;

I’m getting a JWT token from https://jwt.io with this data:

{
  "context": {
    "user": {
      "avatar": "gravatar.com/123",
      "name": "marco",
      "email": "marco@gmail.com"
    }
  },
  "moderator": true,
  "aud": "jitsi",
  "iss": "YOUR_APP_ID",
  "sub": "MY_DOMAIN",
  "room": "*",
  "exp": 1843498815
}

but the authentication does not work.

In the browser console I have the following errors.

[connection.js] CONNECTION FAILED: connection.passwordRequired
[features/base/conference] JWT error: Invalid signature
[features/base/conference] JWT parsing error: "- invalid `nbf` value"

In prosody log I have the following.

mod_bosh        info    New BOSH session, assigned it sid 'c1f81b11-99a3-4167-9ec7-2b7f3f1ca20a'
general warn    Error verifying token err:not-allowed, reason:token required

I’m using the JWT token like
https://MY_DOMAIN/test?jwt=eyJhbGciOiJIUzI1Ni...

What can I do to solve/debug this issue?

Maybe you need "nbf" (configures the time that the token can be used).

I did not find any reference about this.
Can you please provide me a link or explain to me how to do that?

  "aud": "YOUR_APP_ID",
  "iss": "YOUR_APP_ID",

@emrah I tried, but the problem is still the same

{
  "context": {
    "user": {
      "avatar": "gravatar.com/123",
      "name": "marco",
      "email": "marco@gmail.com"
    }
  },
  "moderator": true,
  "aud": "jitsi",
  "iss": "YOUR_APP_ID",
  "sub": "MY_DOMAIN",
  "room": "*",
  "exp": 1843498815,
  "nbf": 1634642846
}

Can you create a token at jitok.emrah.com?

Change only the secret and aud values.


@Antonio_Pereira

The nbf issue is solved, but I still get this

2021-10-19T11:33:48.490Z [connection.js] CONNECTION FAILED: connection.passwordRequired Logger.js:154:22
2021-10-19T11:33:48.492Z [features/base/conference] JWT error: Invalid signature Logger.js:154:22
2021-10-19T11:33:48.523Z [features/base/connection] <p/</</<>: connection.passwordRequired

and this

Oct 19 11:31:41 mod_bosh        info    New BOSH session, assigned it sid 'e8fb7220-3ea9-48b4-95de-7d6f5c072c45'
Oct 19 11:31:41 general warn    Error verifying token err:not-allowed, reason:Invalid signature

What should I do now?

@emrah nothing changes with this site

On https://jwt.io/
did you verify your signature with your app_secret?

yes, I did

@Antonio_Pereira

I was using a second level domain in the sub field.
It was left over from one of the many previous tests.
Adding the nbf field seems to solve my issue… thank you!

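As an added example (not code from this thread or from Jitsi), here is a self-contained Python HS256 signer plus a verifier that reproduces, in order, the three checks this thread tripped over: the signature, integer `nbf`/`exp` values, and the `iss`/`aud`/`sub` claims. Assumptions: the secret, app id and domain are the placeholder values from the post, and the claim policy (iss and aud must equal app_id, sub must equal the Jitsi domain) follows emrah's suggestion rather than copying Jitsi's token_verification module.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def default_claims(app_id: str, domain: str, room: str, user: dict, now: int, lifetime: int = 3600) -> dict:
    """Claims in the shape used in the thread; nbf/exp must be integer epoch seconds."""
    return {"context": {"user": user}, "moderator": True, "aud": app_id, "iss": app_id,
            "sub": domain, "room": room, "nbf": now, "exp": now + lifetime}


def mint_token(secret: str, claims: dict) -> str:
    """Sign claims with HS256 (the alg encoded in the thread's token prefix eyJhbGciOiJIUzI1Ni...)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: str, app_id: str, domain: str, now: int) -> tuple:
    """Return (ok, reason). Signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
            return False, "unexpected alg"
        expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return False, "Invalid signature"  # same wording as the prosody log in the thread
        claims = json.loads(_b64url_decode(p64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    for name in ("nbf", "exp"):  # a missing or non-numeric value is what "invalid `nbf` value" means
        if not isinstance(claims.get(name), int):
            return False, f"invalid `{name}` value"
    if now < claims["nbf"]:
        return False, "token not yet valid"
    if now >= claims["exp"]:
        return False, "token expired"
    if claims.get("iss") != app_id:
        return False, "issuer mismatch"
    if claims.get("aud") != app_id:  # policy assumed here, as emrah suggested
        return False, "audience mismatch"
    if claims.get("sub") != domain:  # the leftover second-level domain in sub fails here
        return False, "sub does not match the Jitsi domain"
    return True, "ok"
```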

In short, JWTs are used as a secure way to authenticate users and share information . Typically, a private key, or secret, is used by the issuer to sign the JWT. The receiver of the JWT will verify the signature to ensure that the token hasn’t been altered after it was signed by the issuer.
