JWT Subdomain Not Working

Hi All,
I'm currently running the latest Jitsi with Prosody 0.11 and I have finally got JWT working on the main domain; however, it is not working for subdomains. All I get is a "sorry not allowed".

I have enabled check domain in the lua and my payload is as follows:

"context" => [
    "user" => [
        "name" => $wo['user']['username'],
        "avatar" => $wo['user']['avatar'],
        "email" => $wo['user']['email'],
        "id" => $wo['user']['user_id']
    ],
],
"aud" => $clientID,
"iss" => $clientID,
"sub" => "subdomain.example.com",
"room" => $name,
"exp" => time() + 4 * 3600

Can anyone spot where I am going wrong?

@damencho could you advise anything?

Just to add, muc_mapper_domain_base = "example.com"; is set in my Prosody config. Is there anything else I need to configure for the domains?

Jicofo.log shows:
Jicofo 2020-04-15 02:41:49.546 INFO: [57] org.jitsi.jicofo.xmpp.FocusComponent.handleConferenceIq().401 Focus request for room: letmein@conference.eutimio.khmeet.uk
Jicofo 2020-04-15 02:41:49.546 INFO: [57] org.jitsi.jicofo.FocusManager.log() Created new focus for letmein@conference.eutimio.khmeet.uk@auth.khmeet.uk. Conference count 1,options:
Jicofo 2020-04-15 02:41:49.547 INFO: [57] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Lip-sync enabled in letmein@conference.eutimio.khmeet.uk
Jicofo 2020-04-15 02:41:49.547 INFO: [57] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Joining the room: letmein@conference.eutimio.khmeet.uk
Jicofo 2020-04-15 02:41:49.722 INFO: [27] org.jitsi.jicofo.ChatRoomRoleAndPresence.log() Chat room event ChatRoomMemberPresenceChangeEvent[type=MemberJoined sourceRoom=org.jitsi.impl.protocol.xmpp.ChatRoomImpl@21e8302f member=ChatMember[letmein@conference.eutimio.khmeet.uk/3c89da32, jid: null]@1508572231]
Jicofo 2020-04-15 02:41:49.728 SEVERE: [27] org.jitsi.jicofo.ChatRoomRoleAndPresence.log() Failed to grant owner status to 3c89da32-8cf2-4ab4-b7d2-d663e9f8e588@khmeet.uk/s5QwFe-C
java.lang.RuntimeException: Failed to grant owner:
at org.jitsi.impl.protocol.xmpp.ChatRoomImpl.grantOwnership(ChatRoomImpl.java:808)
at org.jitsi.jicofo.ChatRoomRoleAndPresence.grantOwner(ChatRoomRoleAndPresence.java:332)
at org.jitsi.jicofo.ChatRoomRoleAndPresence.electNewOwner(ChatRoomRoleAndPresence.java:247)
at org.jitsi.jicofo.ChatRoomRoleAndPresence.memberPresenceChanged(ChatRoomRoleAndPresence.java:159)
at org.jitsi.impl.protocol.xmpp.ChatRoomImpl.lambda$notifyMemberJoined$1(ChatRoomImpl.java:915)
at java.util.concurrent.CopyOnWriteArrayList.forEach(CopyOnWriteArrayList.java:891)
at org.jitsi.impl.protocol.xmpp.ChatRoomImpl.notifyMemberJoined(ChatRoomImpl.java:915)
at org.jitsi.impl.protocol.xmpp.ChatRoomImpl.processOtherPresence(ChatRoomImpl.java:1204)
at org.jitsi.impl.protocol.xmpp.ChatRoomImpl.processPresence(ChatRoomImpl.java:1253)
at org.jivesoftware.smackx.muc.MultiUserChat$3.processStanza(MultiUserChat.java:251)
at org.jivesoftware.smack.AbstractXMPPConnection$6.run(AbstractXMPPConnection.java:1263)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Jicofo 2020-04-15 02:41:49.729 INFO: [27] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Member letmein@conference.eutimio.khmeet.uk/3c89da32 joined.

OK, so now I get a Lua error; please see the Prosody log:

prosody.log (88.3 KB)

Are you talking about subdomains as in https://meet.jit.si/jitsi/roomname? If this is the case, you need group: "jitsi" in the JWT. Check https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md#payload

Good Evening @damencho

So the errors are now sorted; however, I keep getting a permission denied error. Here is what the log says:

Apr 15 22:10:47 conference.khmeet.uk:token_verification	error	Token eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiI0OTUzODE4MzQiLCJzdWIiOiJraG1lZXQudWsiLCJpYXQiOjE1ODY5ODE0MjIsIm5iZiI6MTU4Njk4MTQyMiwiZXhwIjoxNTg2OTk1ODIyLCJhdWQiOiJLaW5reUhlcmV0aWNzIiwicm9vbSI6InRlc3QxIiwiY29udGV4dCI6eyJncm91cCI6InRlc3RlciIsInVzZXIiOnsibmFtZSI6ImV1dGltaW8iLCJlbWFpbCI6ImtlbnphLmNvaGVuQGl3ZWJob3N0LnVrIiwiYXZhdGFyIjoiaHR0cHM6XC9cL2tpbmt5aGVyZXRpY3MuY29tXC91cGxvYWRcL3Bob3Rvc1wvMjAyMFwvMDNcL1ppa1FPNDNjUjVRazU1Y0lkTmRpXzIxXzk3OTZjZjU0N2E0MDZlMzVhYzYzZmE5MTUxNGNkNjFiX2F2YXRhci5qcGc_Y2FjaGU9MTU4NDc2NjY1OSIsImlkIjoiMSJ9fX0.srVGwLjPPsbMxRwAlWVG9XJiSO1h4X_qFc0LKY5CaYA not allowed to join: [tester]test1@conference.khmeet.uk/cc6f9a39

Here is the payload of the token:
{
  "iss": "495381834",
  "sub": "khmeet.uk",
  "iat": 1586981422,
  "nbf": 1586981422,
  "exp": 1586995822,
  "aud": "KinkyHeretics",
  "room": "test1",
  "context": {
    "group": "tester",
    "user": {
      "name": "eutimio",
      "email": "removed",
      "avatar": "removed",
      "id": "1"
    }
  }
}

The URL accessed is /tester/test1

Any Suggestions?

Can it be the expiration date? You can open the network tab in Chrome and check the BOSH message content of the packet with the error response when trying to join. Do you see a different error?

@damencho when accessing a room without a subdomain it is fine; when accessing a subdomain, that is when it boots me out.

It errors when it reaches: https://khmeet.uk/http-bind?room=test&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiI0OTUzODE4MzQiLCJzdWIiOiJraG1lZXQudWsiLCJpYXQiOjE1ODcwMjE2MzAsIm5iZiI6MTU4NzAyMTYzMCwiZXhwIjoxNTg3MDM2MDMwLCJhdWQiOiJLaW5reUhlcmV0aWNzIiwiZ3JvdXAiOiJ0ZXN0Iiwicm9vbSI6InRlc3QiLCJjb250ZXh0Ijp7InVzZXIiOnsibmFtZSI6ImV1dGltaW8iLCJlbWFpbCI6ImtlbnphLmNvaGVuQGl3ZWJob3N0LnVrIiwiYXZhdGFyIjoiaHR0cHM6XC9cL2tpbmt5aGVyZXRpY3MuY29tXC91cGxvYWRcL3Bob3Rvc1wvMjAyMFwvMDNcL1ppa1FPNDNjUjVRazU1Y0lkTmRpXzIxXzk3OTZjZjU0N2E0MDZlMzVhYzYzZmE5MTUxNGNkNjFiX2F2YXRhci5qcGc_Y2FjaGU9MTU4NDc2NjY1OSIsImlkIjoiMSJ9LCJncm91cCI6InRlc3QifX0.edWYNjo4at99QimY0Eq6aUX8F8bEo6PIkWVHqOAa6HY

then gives a header refresh, it

console shows: conference error: notallowed then redirects to https://khmeet.uk/test/static/authError.html

Jicofo Log:
Jicofo 2020-04-16 10:07:51.062 INFO: [70] org.jitsi.jicofo.xmpp.FocusComponent.handleConferenceIq().401 Focus request for room: test2@conference.test.khmeet.uk
Jicofo 2020-04-16 10:07:51.069 INFO: [70] org.jitsi.jicofo.FocusManager.log() Created new focus for test2@conference.test.khmeet.uk@auth.khmeet.uk. Conference count 2,options:
Jicofo 2020-04-16 10:07:51.077 INFO: [70] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Lip-sync enabled in test2@conference.test.khmeet.uk
Jicofo 2020-04-16 10:07:51.077 INFO: [70] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Joining the room: test2@conference.test.khmeet.uk
Jicofo 2020-04-16 10:07:51.144 INFO: [27] org.jitsi.jicofo.ChatRoomRoleAndPresence.log() Chat room event ChatRoomMemberPresenceChangeEvent[type=MemberJoined sourceRoom=org.jitsi.impl.protocol.xmpp.ChatRoomImpl@4b16c6fb member=ChatMember[test2@conference.test.khmeet.uk/1e989db2, jid: null]@1159203083]
Jicofo 2020-04-16 10:07:51.150 INFO: [27] org.jitsi.jicofo.ChatRoomRoleAndPresence.log() Granted owner to test2@conference.test.khmeet.uk/1e989db2
Jicofo 2020-04-16 10:07:51.150 INFO: [27] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Member test2@conference.test.khmeet.uk/1e989db2 joined.
Jicofo 2020-04-16 10:07:51.193 INFO: [27] org.jitsi.jicofo.ChatRoomRoleAndPresence.log() Chat room event ChatRoomMemberPresenceChangeEvent[type=MemberLeft sourceRoom=org.jitsi.impl.protocol.xmpp.ChatRoomImpl@4b16c6fb member=ChatMember[test2@conference.test.khmeet.uk/1e989db2, jid: 1e989db2-3f89-4814-927a-5989da951d9a@khmeet.uk/LeTLjkzr]@1159203083]
Jicofo 2020-04-16 10:07:51.194 INFO: [27] org.jitsi.jicofo.ChatRoomRoleAndPresence.log() Owner has left the room !
Jicofo 2020-04-16 10:07:51.194 INFO: [27] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Member test2@conference.test.khmeet.uk/1e989db2 is leaving
Jicofo 2020-04-16 10:07:51.194 WARNING: [27] org.jitsi.jicofo.JitsiMeetConferenceImpl.log() Participant not found for test2@conference.test.khmeet.uk/1e989db2 terminated already or never started ?
Jicofo 2020-04-16 10:07:51.199 INFO: [27] org.jitsi.jicofo.FocusManager.log() Disposed conference for room: test2@conference.test.khmeet.uk conference count: 1

jvb log:
2020-04-16 10:07:36.715 INFO: [17] Videobridge.createConference#326: create_conf, id=e86bf82b9f00733 gid=null logging=false
2020-04-16 10:07:36.729 INFO: [17] Health.doRun#294: Performed a successful health check in 15ms. Sticky failure: false
2020-04-16 10:07:46.731 INFO: [17] Videobridge.createConference#326: create_conf, id=146eef08736e4f88 gid=null logging=false
2020-04-16 10:07:46.752 INFO: [17] Health.doRun#294: Performed a successful health check in 22ms. Sticky failure: false
2020-04-16 10:07:56.753 INFO: [17] Videobridge.createConference#326: create_conf, id=80c8f78e7c0a0d70 gid=null logging=false
2020-04-16 10:07:56.763 INFO: [17] Health.doRun#294: Performed a successful health check in 11ms. Sticky failure: false
2020-04-16 10:08:06.764 INFO: [17] Videobridge.createConference#326: create_conf, id=c90a370af37ffbc0 gid=null logging=false
2020-04-16 10:08:06.772 INFO: [17] Health.doRun#294: Performed a successful health check in 9ms. Sticky failure: false
2020-04-16 10:08:16.773 INFO: [17] Videobridge.createConference#326: create_conf, id=3f1aee1d835600a9 gid=null logging=false
2020-04-16 10:08:16.790 INFO: [17] Health.doRun#294: Performed a successful health check in 18ms. Sticky failure: false
2020-04-16 10:08:26.791 INFO: [17] Videobridge.createConference#326: create_conf, id=b929b5a98bf735a6 gid=null logging=false
2020-04-16 10:08:26.805 INFO: [17] Health.doRun#294: Performed a successful health check in 15ms. Sticky failure: false
2020-04-16 10:08:29.218 INFO: [16] VideobridgeExpireThread.expire#144: Running expire()
2020-04-16 10:08:36.807 INFO: [17] Videobridge.createConference#326: create_conf, id=30c839a5c739eba9 gid=null logging=false
2020-04-16 10:08:36.826 INFO: [17] Health.doRun#294: Performed a successful health check in 20ms. Sticky failure: false

prosody log:

Apr 16 10:07:49 conference.khmeet.uk:muc_domain_mapper warn Session filters applied
Apr 16 10:07:49 mod_bosh info New BOSH session, assigned it sid '0e3694f0-6e54-411c-b05f-ac4b5da4a83e'
Apr 16 10:07:49 bosh0e3694f0-6e54-411c-b05f-ac4b5da4a83e info Authenticated as 1e989db2-3f89-4814-927a-5989da951d9a@khmeet.uk
Apr 16 10:07:51 conference.khmeet.uk:token_verification error Token [token elided] not allowed to join: [test]test2@conference.khmeet.uk/1e989db2
Apr 16 10:07:51 bosh0e3694f0-6e54-411c-b05f-ac4b5da4a83e info BOSH client disconnected: session close
Apr 16 10:07:51 speakerstats.khmeet.uk:speakerstats_component warn A module has been configured that triggers external events.
Apr 16 10:07:51 speakerstats.khmeet.uk:speakerstats_component warn Implement this lib to trigger external events.
Apr 16 10:08:27 speakerstats.khmeet.uk:speakerstats_component warn A module has been configured that triggers external events.
Apr 16 10:08:27 speakerstats.khmeet.uk:speakerstats_component warn Implement this lib to trigger external events.

@damencho OK, so a breakthrough: it seems to be a problem with presence:

2020-04-16T08:57:24.912Z [modules/xmpp/ChatRoom.js] : onPresError presence

outerHTML: "<presence xmlns="jabber:client" from="eutimio@conference.eutimio.khmeet.uk/7b8d5dbd" to="7b8d5dbd-43a4-4f43-8513-e7f161d77dc1@khmeet.uk/uHkhXcyF" type="error"><error type="cancel"><not-allowed xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/><text xmlns="urn:ietf:params:xml:ns:xmpp-stanzas">Room and token mismatched"


So this is the error. https://github.com/jitsi/jitsi-meet/blob/00afc32b6b9ec041b75445372603e0ec60a82d2b/resources/prosody-plugins/mod_token_verification.lua#L55
Maybe enable debug logging to see this: https://github.com/jitsi/jitsi-meet/blob/00afc32b6b9ec041b75445372603e0ec60a82d2b/resources/prosody-plugins/mod_token_verification.lua#L49
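
Added example, not part of the original thread and not Jitsi's code: a Python helper that takes a Prosody token_verification error line in the format shown above, decodes the token's claims, and reports the room address the claims name next to the one that was refused. The matching rule, example.com and every sample value are assumptions constructed for illustration; confirm the rule against the linked mod_token_verification.lua for your version.

```python
import base64
import json
import re

DENY_RE = re.compile(r"token_verification\s+error\s+Token (\S+) not allowed to join: (\S+)")
TENANT_RE = re.compile(r"^\[([^\]]+)\](.+)$")  # [tenant]room, as in the log lines above


def make_token(claims):
    """Build a CONSTRUCTED sample token (fake signature) for the demo."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'HS256'})}.{enc(claims)}.constructed-signature"


def decode_claims(token):
    """Read the payload WITHOUT verifying the signature; for diagnosis only."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def diagnose(log_line):
    """Compare the room Prosody refused with the room the token's claims name."""
    m = DENY_RE.search(log_line)
    if not m:
        return None
    claims = decode_claims(m.group(1))
    node, muc = m.group(2).split("/")[0].split("@", 1)
    t = TENANT_RE.match(node)
    tenant, room = t.groups() if t else (None, node)
    # ASSUMED rule (not taken from the page): "room" must equal the room name and,
    # for a tenant room, "sub" must equal the tenant; "*" matches anything.
    want_room = room if claims.get("room") == "*" else str(claims.get("room")).lower()
    want_tenant = tenant if claims.get("sub") == "*" else str(claims.get("sub")).lower()
    authorised = f"[{want_tenant}]{want_room}@{muc}" if tenant else f"{want_room}@{muc}"
    joined = f"[{tenant}]{room}@{muc}" if tenant else f"{room}@{muc}"
    return {"joined": joined, "authorised": authorised, "match": joined == authorised}


def sample_line(claims, address):
    """CONSTRUCTED Prosody log line in the format shown in the thread."""
    return (f"Apr 15 22:10:47 conference.example.com:token_verification\terror\t"
            f"Token {make_token(claims)} not allowed to join: {address}")


if __name__ == "__main__":
    addr = "[tester]test1@conference.example.com/cc6f9a39"
    for sub in ("example.com", "tester", "*"):
        claims = {"sub": sub, "room": "test1", "context": {"group": "tester"}}
        print(sub, diagnose(sample_line(claims, addr)))
```

Because the payload is only base64url-encoded, anyone who can read the Prosody log or a pasted http-bind URL can recover every claim in the token, including the user's e-mail address.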