JWT error: Invalid or incorrect alg

anaconda · July 18, 2022, 2:17pm

Hi,
I have self hosted Jitsi embedded in drupal 9. It used to work with token authentication, but after I upgraded the whole Jitsi server(apt upgrade) I can’t anymore enter to a video room and the JS console gives these errors:
index.js:154
[connection.js] <r.s>: CONNECTION FAILED: connection.passwordRequired
index.js:154
[features/base/conference] JWT error: Invalid or incorrect alg
index.js:154
[features/base/conference] JWT parsing error:
[‘- invalid nbf value’]
index.js:154
[features/base/connection] connection.passwordRequired

And the browser says to the user this:
authentication failed
sorry youre not allowed to join this call

saghul · July 18, 2022, 2:56pm

Can you paste the contents of such token? You can use jwt.io to decode them.

anaconda · July 18, 2022, 3:57pm

The token which the application server (separate server from the jitsi server which is not upgraded) creates
this when using jwt.io:

{
“typ”: “JWT”,
“alg”: “HS512”
}

Payload:data
{
“iat”: 1658158423,
“exp”: 1658162023,
“drupal”: {
“uid”: “98”
},
“context”: {
“user”: {
“name”: “anaconda”,
“email”: “test@hotmail.com”,
“id”: “98”
},
“group”: “group1”
},
“aud”: “https://meet.testing.com”,
“iss”: “nameit1233”,
“sub”: “*”,
“room”: “test2”
}

So that token is not working when I upgrade the JITSI server, but is working with the old server.
And when upgrading the jitsi server (sudo apt upgrade) it will upgrade all these:

jicofo/stable 1.0-900-1 all [upgradable from: 1.0-846-1]
jitsi-meet-prosody/stable 1.0.6260-1 all [upgradable from: 1.0.5818-1]
jitsi-meet-tokens/stable 1.0.6260-1 all [upgradable from: 1.0.5818-1]
jitsi-meet-web-config/stable 1.0.6260-1 all [upgradable from: 1.0.5818-1]
jitsi-meet-web/stable 1.0.6260-1 all [upgradable from: 1.0.5818-1]
jitsi-meet/stable 2.0.7439-1 all [upgradable from: 2.0.6865-2]
jitsi-videobridge2/stable 2.2-9-g8cded16e-1 all [upgradable from: 2.1-617-ga8b39c3f-1]

After upgrading those, the authentication does not work.

So most probably, something has changed in the newer versions which my application does not support.

saghul · July 19, 2022, 8:04am

Your token seems to be lacking the nbf field.

emrah · July 21, 2022, 10:20am

IIRC the latest Jitsi (or prosody or Lua module) doesn’t work with HS512. Try it with HS256

AbhiV · July 28, 2022, 7:31am

I am getting this same error while trying to integrate Keyclock with jitsi for JWT based authetication.
I am using RS256 algorithm only but still getting “JWT error: Invalid or incorrect alg”

saghul · July 28, 2022, 7:35am

Please paste the jwt.io debugged token and the full log ilnes.

AbhiV · July 28, 2022, 9:15am

header –
{
“alg”: “RS256”,
“typ”: “JWT”,
“kid”: “-QRFvY3DcgXqnMgJtBq6ynvh5G7gmbF4D4GIggT7G”
}

payload –
{
“exp”: 1658999825,
“iat”: 1658999525,
“auth_time”: 1658990426,
“jti”: “c9b723c7-c30a-40e7-85e0-61d182399672”,
“iss”: “keyclock_server”,
“sub”: “06d4016e-fc21-40ac-af84-c83dade84dff”,
“typ”: “Bearer”,
“azp”: “VC-auth”,
“nonce”: “0440cbf1-84eb-46b0-80b1-e4c3e0f66f0c”,
“session_state”: “44c95a10-028a-4bc1-8915-064b3a807398”,
“acr”: “0”,
“allowed-origins”: [
“https://127.0.0.1:8081”
],
“scope”: “openid email profile”,
“sid”: “44c95a10-028a-4bc1-8915-064b3a807398”,
“email_verified”: true,
“name”: “Abhishek Vijay”,
“preferred_username”: “abhi”,
“given_name”: “Abhishek”,
“family_name”: “Vijay”,
“email”: “abhishek.vijay@gmail.com”
}

error log —
index.js:154 2022-07-28T09:12:05.720Z [features/base/conference] <_logJwtErrors>: JWT error: Invalid or incorrect alg

saghul · July 28, 2022, 10:18am

Did you configure signature_algorithm in Prosody? Did you set asap_key_server ?

AbhiV · July 28, 2022, 10:29am

Yeah I Used ‘signature_algorithm = “RS256”’ in prosody.cfg.lua file.
for asap_key_server, I am giving “JWT_ASAP_KEYSERVER = http://keyclock_server.com/realms/VC/” in .env file but it’s unable to fetch public key from keyclock server.

It is giving same error when I am using “HS256” algorithm in keyclock and prosody.cfg.lua file.

saghul · July 28, 2022, 11:40am

Please check the generated config file, just to be sure there is no issue on the Docker side of things.

ahamdi · November 14, 2022, 12:59pm

I had the same issue and it was caused by the difference between the alg sent with my token and the expected one by Jitsi
To fix this, we needed to add a new file under Prosody docker container in the following path : /config/conf.d/algorithm.cfg.lua that contained the signature algorithm . The content of the file is

-- Define the algorithm used for JWT signature
signature_algorithm = "HS384"

Hope this helps someone