JWT error: Invalid or incorrect alg

I have self hosted Jitsi embedded in drupal 9. It used to work with token authentication, but after I upgraded the whole Jitsi server(apt upgrade) I can’t anymore enter to a video room and the JS console gives these errors:
[connection.js] <r.s>: CONNECTION FAILED: connection.passwordRequired
[features/base/conference] JWT error: Invalid or incorrect alg
[features/base/conference] JWT parsing error:
[‘- invalid nbf value’]
[features/base/connection] connection.passwordRequired

And the browser says to the user this:
authentication failed
sorry youre not allowed to join this call

Can you paste the contents of such token? You can use jwt.io to decode them.

The token which the application server (separate server from the jitsi server which is not upgraded) creates
this when using jwt.io:

“typ”: “JWT”,
“alg”: “HS512”

“iat”: 1658158423,
“exp”: 1658162023,
“drupal”: {
“uid”: “98”
“context”: {
“user”: {
“name”: “anaconda”,
“email”: “test@hotmail.com”,
“id”: “98”
“group”: “group1”
“aud”: “https://meet.testing.com”,
“iss”: “nameit1233”,
“sub”: “*”,
“room”: “test2”

So that token is not working when I upgrade the JITSI server, but is working with the old server.
And when upgrading the jitsi server (sudo apt upgrade) it will upgrade all these:

jicofo/stable 1.0-900-1 all [upgradable from: 1.0-846-1]
jitsi-meet-prosody/stable 1.0.6260-1 all [upgradable from: 1.0.5818-1]
jitsi-meet-tokens/stable 1.0.6260-1 all [upgradable from: 1.0.5818-1]
jitsi-meet-web-config/stable 1.0.6260-1 all [upgradable from: 1.0.5818-1]
jitsi-meet-web/stable 1.0.6260-1 all [upgradable from: 1.0.5818-1]
jitsi-meet/stable 2.0.7439-1 all [upgradable from: 2.0.6865-2]
jitsi-videobridge2/stable 2.2-9-g8cded16e-1 all [upgradable from: 2.1-617-ga8b39c3f-1]

After upgrading those, the authentication does not work.

So most probably, something has changed in the newer versions which my application does not support.

Your token seems to be lacking the nbf field.

1 Like

IIRC the latest Jitsi (or prosody or Lua module) doesn’t work with HS512. Try it with HS256

1 Like

I am getting this same error while trying to integrate Keyclock with jitsi for JWT based authetication.
I am using RS256 algorithm only but still getting “JWT error: Invalid or incorrect alg”

Please paste the jwt.io debugged token and the full log ilnes.

header –
“alg”: “RS256”,
“typ”: “JWT”,
“kid”: “-QRFvY3DcgXqnMgJtBq6ynvh5G7gmbF4D4GIggT7G”

payload –
“exp”: 1658999825,
“iat”: 1658999525,
“auth_time”: 1658990426,
“jti”: “c9b723c7-c30a-40e7-85e0-61d182399672”,
“iss”: “keyclock_server”,
“sub”: “06d4016e-fc21-40ac-af84-c83dade84dff”,
“typ”: “Bearer”,
“azp”: “VC-auth”,
“nonce”: “0440cbf1-84eb-46b0-80b1-e4c3e0f66f0c”,
“session_state”: “44c95a10-028a-4bc1-8915-064b3a807398”,
“acr”: “0”,
“allowed-origins”: [
“scope”: “openid email profile”,
“sid”: “44c95a10-028a-4bc1-8915-064b3a807398”,
“email_verified”: true,
“name”: “Abhishek Vijay”,
“preferred_username”: “abhi”,
“given_name”: “Abhishek”,
“family_name”: “Vijay”,
“email”: “abhishek.vijay@gmail.com

error log —
index.js:154 2022-07-28T09:12:05.720Z [features/base/conference] <_logJwtErrors>: JWT error: Invalid or incorrect alg

Did you configure signature_algorithm in Prosody? Did you set asap_key_server ?

Yeah I Used ‘signature_algorithm = “RS256”’ in prosody.cfg.lua file.
for asap_key_server, I am giving “JWT_ASAP_KEYSERVER = http://keyclock_server.com/realms/VC/” in .env file but it’s unable to fetch public key from keyclock server.

It is giving same error when I am using “HS256” algorithm in keyclock and prosody.cfg.lua file.

Please check the generated config file, just to be sure there is no issue on the Docker side of things.

I had the same issue and it was caused by the difference between the alg sent with my token and the expected one by Jitsi
To fix this, we needed to add a new file under Prosody docker container in the following path : /config/conf.d/algorithm.cfg.lua that contained the signature algorithm . The content of the file is

-- Define the algorithm used for JWT signature
signature_algorithm = "HS384"

Hope this helps someone