JWT token_affiliation module guest can create rooms

niranjan · May 26, 2022, 6:57pm

Hi everyone,

I am using the prosody modules mentioned in the post below to assign moderator privileges with JWT authentication

I followed the instructions to enable the token_affiliation module and the moderator privileges are assigned as expected. But I noticed that it also allowed guests without JWT authentication to create a room which is not desirable.

In particular, I noticed that commenting the line “#org.jitsi.jicofo.auth.URL=” as mentioned in the instructions seems to be causing this when I uncomment this line the guest is unable to create a room but the users are no longer assigned appropriate privileges.

I would greatly appreciate it if there is a workaround for this

niranjan · May 26, 2022, 8:49pm

/etc/jitsi/jicofo/sip-communicator.properties:

emrah · May 27, 2022, 7:35am

Did you set allow_empty_token in your prosody config? If so, guests can create rooms.

niranjan · May 27, 2022, 1:42pm

@emrah Yes I have it set on the guest block but If I remove it, the guest can’t create a room but also can’t join any rooms.

VirtualHost "guest.example.domain.com"
    authentication = "token";
    app_id = "app_id";
    app_secret = "app_secret";
    c2s_require_encryption = true;
    allow_empty_token = true;

I want guests to be able to join the room once a JWT authenticated user starts the conference

Thank you for your response

emrah · May 27, 2022, 2:29pm

The guest virtualhost is not for JWT authentication. Using mixed authentication methods may cause unexpected results.

Did you check token_owner_party?

niranjan · May 27, 2022, 7:09pm

I have removed the guest virtualhost block and tried setting allow_empty_token to false and true in the main virtualhost block and in both cases the guest can’t join the conference.

VirtualHost "<domain.net>"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="app_id"
    app_secret="app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/<domain.net>.key";
        certificate = "/etc/prosody/certs/<domain.net>.crt";
    }
    av_moderation_component = "avmoderation.<domain.net>"
    speakerstats_component = "speakerstats.<domain.net>"
    conference_duration_component = "conferenceduration.<domain.net>"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
	"presence_identity";
    }
    allow_empty_token = true
    c2s_require_encryption = false
    lobby_muc = "lobby.<domain.net>"
    breakout_rooms_muc = "breakout.<domain.net>"
    main_muc = "conference.<domain.net>"

I tried using token_owner_party but when guest or non-owner JWT participant joins it gives them an authentication error till the owner JWT participant starts the conference instead of placing them in a lobby that says ‘waiting for host’. Otherwise it works as expected

emrah · May 28, 2022, 2:21pm

There is a hacky way to do this but it may not work in the future because it uses mixed auth methods which is not recommended.

Use token authentication for the main virtualhost.

VirtualHost "your.domain.com"
    authentication = "token"
    app_id="yourappid"
    app_secret="yourappsecret"
    allow_empty_token=false

Add the guest block

VirtualHost "guest.your.domain.com"
    authentication = "anonymous"
    c2s_require_encryption = false

Dont use third-party token modules like token_affiliation or token_owner_party
Enable XMPP authentication for jicofo, /etc/jitsi/jicofo/jicofo.conf

jicofo {
  ...
  ...
  conference: {
    enable-auto-owner: false
  }
  authentication: {         
    enabled: true           
    type: XMPP              
    login-url: your.domain.com
    enable-auto-login: false
  }  
}

Enable anonymousdomain in your /etc/jitsi/meet/your.domain.com-config.js
Restart prosody and jicofo

systemctl restart prosody.service
systemctl restart jicofo.service