JWT Hidden User

I am using JWT in my implementation, but the JWT Token does not seem to be hitting my recorder host to login as a hidden user.

In my /etc/prosody/conf.d/meet.example.com.cfg.lua:

        asap_accepted_issuers = { "example-webrtc", "smash" }
        asap_accepted_audiences = { "example-webrtc", "smash" }

        VirtualHost "recorder.meet.example.com"
            authentication = "token"
            app_id = "example-webrtc"
            app_secret = "sometoken"
            modules_enabled = {
                "turncredentials";
            }
            c2s_require_encryption = true
            allow_empty_token = true;

In my /etc/jitsi/meet/meet.example.com-config.js:

        hosts: {
            // XMPP domain.
            domain: 'meet.example.com',

            // When using authentication, domain for guest users.
            anonymousdomain: 'guest.example.com',

            hiddenDomain: 'recorder.meet.example.com',
        }

Now I am creating my JSON Token as such:

        {
            "aud": "example-webrtc",
            "iss": "example-webrtc",
            "sub": "recorder.meet.example.com",
            "room": "*"
        }

Shareable link of the JWT here: https://jwt.io/#debugger-io?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJleGFtcGxlLWhpZGRlbiIsImlzcyI6ImV4YW1wbGUtaGlkZGVuIiwic3ViIjoicmVjb3JkZXIubWVldC5leGFtcGxlLmNvbSIsInJvb20iOiIqIn0.mB9K099RPYOt5XMlSVFLHEIoTncR7Kfz81cCu1PTGJc

And then my javascript:

        const domain = 'meet.example.com';

        const options = {
            roomName: screening_id,
            width: 700,
            height: 700,
            parentNode: document.querySelector('#webrtc'),
            configOverwrite: { 
                startWithAudioMuted: true, 
                startWithVideoMuted: true, 
                desktopSharingChromeDisabled: true,
                desktopSharingFirefoxDisabled: true,
                enableWelcomePage: false,
                hideLobbyButton: true,
                hiddenDomain: "recorder.meet.example.com",
            },
            interfaceConfigOverwrite: {
                filmStripOnly: true, 
                startWithAudioMuted: true,
                startWithVideoMuted: true,
                TOOLBAR_BUTTONS : [],
                SETTINGS_SECTIONS : []
            },
            jwt : '<token from above with signature>'
        };

It logs the user in, but the user isn’t hidden, they appear to be a normal user. Am I doing something wrong in trying to get the user to login as a hiddenUser using a JWT?
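The claims a token carries can be read without the secret and compared with the `asap_accepted_issuers` / `asap_accepted_audiences` lists from the Prosody config. The following is an added example (not code from the post, Jitsi or Prosody) that models that comparison on the token in the jwt.io link; the function names are hypothetical and treating `"*"` as a wildcard is an assumption.

```javascript
// Added example: read a JWT's claims and compare them with the accept lists.
// Lists copied from the post's Prosody config.
const ACCEPTED_ISSUERS = ['example-webrtc', 'smash'];
const ACCEPTED_AUDIENCES = ['example-webrtc', 'smash'];

// Token copied from the jwt.io link in the post.
const LINKED_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJhdWQiOiJleGFtcGxlLWhpZGRlbiIsImlzcyI6ImV4YW1wbGUtaGlkZGVuIiwic3ViIjoicmVjb3JkZXIubWVldC5leGFtcGxlLmNvbSIsInJvb20iOiIqIn0.' +
  'mB9K099RPYOt5XMlSVFLHEIoTncR7Kfz81cCu1PTGJc';

// Decode one base64url JWT segment into an object (no signature check).
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Split a compact JWT into header and claims without verifying it.
function readToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated segments');
  return { header: decodeSegment(parts[0]), claims: decodeSegment(parts[1]) };
}

// Assumption: "*" in a list accepts any value. aud may be a string or an array.
function accepts(list, value) {
  const values = Array.isArray(value) ? value : [value];
  return list.includes('*') || values.some((v) => list.includes(v));
}

// Reasons the claims would be refused by the lists above (empty = acceptable).
function claimProblems(token) {
  const { header, claims } = readToken(token);
  const problems = [];
  if (header.alg !== 'HS256') problems.push(`unexpected alg ${header.alg}`);
  if (!accepts(ACCEPTED_ISSUERS, claims.iss)) problems.push(`iss "${claims.iss}" not accepted`);
  if (!accepts(ACCEPTED_AUDIENCES, claims.aud)) problems.push(`aud "${claims.aud}" not accepted`);
  return problems;
}

console.log(readToken(LINKED_TOKEN).claims);
console.log(claimProblems(LINKED_TOKEN));
```

Passing these checks says nothing about the signature, which still has to verify against `app_secret`.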

JIBRI can’t join???
JIBRI user not hidden???

No, the JIBRI is hidden, but I am not sure it is using the JWT token. I’m looking for when a user joins, they can use the token to login as a hiddenUser.

JIBRI uses recorder.meet.example.com. If you want to “check”, comment out the
#anonymousdomain:guest.example.com

and restart all services…
Jibri uses the recorder domain… on my server I do not use anonymousdomain.

In the default setup jibri doesn’t use a jwt token to authenticate, but rather its own credentials to login into its own recorder subdomain. Those credentials are specified in JIBRI_* env vars in a docker based setup. Using that, the jibri user is registered in prosody at prosody startup.
Jibri is not seen, because by default the recorder subdomain is set to be hidden in the config.js variable hiddenDomain.

Is it possible to login to a specific domain/virtual host with a JWT token? @nosmo

JWT token doesn’t specify where to login or connect or which room the user should join.
It’s self-contained authentication data that can also contain some restrictions from the issuer on which room(s) the user is able to join with that jwt token.
I don’t know what you are trying to achieve here; if you can describe that, then I might help you more.

@nosmo I am trying to “mock” a broadcast of a few-to-many-relationship. Where a few people will have video/audio, and many people can watch but the people who have the audio/video do not know how many “attendees” are watching, and the “attendees” will not have camera input options.

To achieve this, I am trying to have the “attendee” login to a hidden domain. I am currently using the IFrame and everything is working where I’ve managed to disable their videos and other requirements, but I haven’t been able to make them hidden.

This sounds like a very weird request and raises serious privacy concerns. :confused: Unless you’re saying the people on video will know there are others watching, but just won’t know how many…

Maybe you can consider livestreaming instead?

@Freddie @nosmo It’s not weird, we are holding panel discussions. For more context, the site name is BingeWave: https://distribution.bingewave.com/l/festival . Zoom offers this feature, so I think it’s pretty standard for conferences/discussions/panels where there is a clear distinction between the presenters and the audience.

Currently live-streaming through RTMP of movies, which is easy. For WebRTC, where the goal is to take a few participants’ videos so they can chat while others watch, it is more difficult. I first got lured into the “tourist trap” of muaz-khan/RTCMultiConnection which is not production ready and does not scale.

Currently Jitsi seems the easiest solution to set up except for this one feature.

As @Freddie pointed out, for that matter it would be better to handle panel discussions in jitsi, have the main panelist live stream to a youtube live channel and have the audience watch the discussion there. I think that is one of the basic features in jitsi.
This way, the audience can watch on youtube with all its scaling benefits, and presenters can have their discussion in jitsi. I know it’s not that much of an integrated solution, but I think it’s best and that it is much better than trying to go against all the things in jitsi that try to prevent those privacy concerns (such as hidden users etc.).

@nosmo Youtube won’t work for what clients are looking for. Not everyone wants to use Youtube, and it doesn’t work for private events. Just personal opinions, I think Jitsi is missing a large market by not being more adaptable to use cases.

But in regards to streaming, I did look up this solution by @lodopidolo : How do I change YOUTUBE Live Stream to another RTMP server url?

The problem is there isn’t the ability to auto-start a livestream, and it will require too much configuring by the user.

Given livestreaming is a growing market with Youtube, Facebook and custom platforms, more use cases could be served by making the destination of the livestream generic. Or the ability, through another API, to pull individual video streams.

But back to the matter at hand, there is no way to login to different virtual hosts with JWT credentials?

Ok, I understand your needs. I don’t know much about livestreaming, I leave that to others.

Regarding jwt - jwt is handled in prosody in the context of a virtual host and it’s there only for authentication (can a participant with this jwt join this room? yes/no), so basically you can’t specify in the jwt that a participant trying to access a specific virtual host should connect to or use a different virtual host in prosody. That is for xmpp virtual hosts.
If you want to join them using another virtual host, why not specify it in config.js? Then you have to serve your config.js in different versions for different conference roles (participants/audience). We are doing something like this for octo region setup.

@nosmo Thanks! One last question. Which config.js are you modifying?

Config.js in jitsi meet web, where you set up things for clients like video resolution, hiddenDomain, etc. You have it above as meet.example.com-config.js.

The main point in your solution would be how to differentiate between the two classes of participants and serve them different config.js files - one with hidden domain and authdomain set and one without those things. Both authdomains can use the same jwts to authenticate users. I never tried this, but since jibri uses such a mechanism in general, I think it would work for you.