JWT token_affiliation module guest can create rooms

Hi everyone,

I am using the prosody modules mentioned in the post below to assign moderator privileges with JWT authentication

I followed the instructions to enable the token_affiliation module and the moderator privileges are assigned as expected. But I noticed that it also allowed guests without JWT authentication to create a room which is not desirable.

In particular, I noticed that commenting out the line “#org.jitsi.jicofo.auth.URL=” as mentioned in the instructions seems to be causing this; when I uncomment this line the guest is unable to create a room, but the users are no longer assigned appropriate privileges.

I would greatly appreciate it if there is a workaround for this.

/etc/jitsi/jicofo/sip-communicator.properties:


Did you set allow_empty_token in your prosody config? If so, guests can create rooms.

@emrah Yes, I have it set on the guest block, but if I remove it, the guest can’t create a room but also can’t join any rooms.

VirtualHost "guest.example.domain.com"
    authentication = "token";
    app_id = "app_id";
    app_secret = "app_secret";
    c2s_require_encryption = true;
    allow_empty_token = true;

I want guests to be able to join the room once a JWT authenticated user starts the conference

Thank you for your response :grinning:

The guest virtualhost is not for JWT authentication. Using mixed authentication methods may cause unexpected results.

Did you check token_owner_party?

I have removed the guest virtualhost block and tried setting allow_empty_token to false and true in the main virtualhost block and in both cases the guest can’t join the conference.

VirtualHost "<domain.net>"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="app_id"
    app_secret="app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/<domain.net>.key";
        certificate = "/etc/prosody/certs/<domain.net>.crt";
    }
    av_moderation_component = "avmoderation.<domain.net>"
    speakerstats_component = "speakerstats.<domain.net>"
    conference_duration_component = "conferenceduration.<domain.net>"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
        "presence_identity";
    }
    allow_empty_token = true
    c2s_require_encryption = false
    lobby_muc = "lobby.<domain.net>"
    breakout_rooms_muc = "breakout.<domain.net>"
    main_muc = "conference.<domain.net>"


I tried using token_owner_party but when guest or non-owner JWT participant joins it gives them an authentication error till the owner JWT participant starts the conference instead of placing them in a lobby that says ‘waiting for host’. Otherwise it works as expected

There is a hacky way to do this but it may not work in the future because it uses mixed auth methods which is not recommended.

  • Use token authentication for the main virtualhost.
VirtualHost "your.domain.com"
    authentication = "token"
    app_id="yourappid"
    app_secret="yourappsecret"
    allow_empty_token=false
  • Add the guest block
VirtualHost "guest.your.domain.com"
    authentication = "anonymous"
    c2s_require_encryption = false
  • Don't use third-party token modules like token_affiliation or token_owner_party

  • Enable XMPP authentication for jicofo, /etc/jitsi/jicofo/jicofo.conf

jicofo {
  ...
  ...
  conference: {
    enable-auto-owner: false
  }
  authentication: {         
    enabled: true           
    type: XMPP              
    login-url: your.domain.com
    enable-auto-login: false
  }  
}
  • Enable anonymousdomain in your /etc/jitsi/meet/your.domain.com-config.js

  • Restart prosody and jicofo

systemctl restart prosody.service
systemctl restart jicofo.service
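The two Prosody configurations posted in this thread (the token virtualhost with allow_empty_token = true, and emrah's recommended token-plus-anonymous-guest layout) differ only in a couple of lines, which is easy to miss by eye. The following added example, which is not part of the thread or of the Prosody or Jitsi projects, is a small linter that parses the VirtualHost blocks out of a prosody.cfg.lua-style text and flags the combinations discussed above: a token host that also accepts empty tokens (unauthenticated clients can create rooms), an anonymous guest host next to a token host (the mixed-auth setup emrah calls hacky), and c2s_require_encryption = false (clients may connect without TLS). The host names, app ids and secrets in the sample configs are constructed placeholders; the parser only understands the flat assignments and nested tables used in the thread, not arbitrary Lua.

```python
"""Lint Prosody VirtualHost blocks for the token/guest combinations discussed
in the thread. Added example; not code from the thread, Prosody or Jitsi."""
import re
from dataclasses import dataclass, field

# Top-level `key = value` line, with or without spaces and a trailing ';'.
ASSIGN = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*;?$')
VHOST = re.compile(r'^VirtualHost\s+"([^"]+)"')


@dataclass
class VHost:
    name: str
    settings: dict = field(default_factory=dict)


def parse_virtualhosts(text):
    """Line-based parser for the config subset used in the thread: VirtualHost
    headers, scalar assignments, and nested tables such as ssl = { ... } and
    modules_enabled = { ... }, whose contents are skipped (depth > 0)."""
    hosts, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split('--', 1)[0].strip()   # drop Lua line comments
        if not line:
            continue
        m = VHOST.match(line)
        if m and depth == 0:
            current = VHost(m.group(1))
            hosts.append(current)
            continue
        if current is not None and depth == 0:
            m = ASSIGN.match(line)
            if m and not m.group(2).startswith('{'):
                current.settings[m.group(1)] = m.group(2).strip('"')
        depth += line.count('{') - line.count('}')
    return hosts


DESCRIPTIONS = {
    'EMPTY_TOKEN_ALLOWED': 'token host accepts clients that present no JWT, '
                           'so unauthenticated guests can create rooms',
    'MIXED_AUTH': 'anonymous guest host next to a token host (mixed '
                  'authentication methods; works today but is not recommended)',
    'C2S_ENCRYPTION_OPTIONAL': 'clients may connect to this host without TLS',
}


def lint(hosts):
    """Return (host name, finding code) pairs for the parsed VirtualHosts."""
    findings = []
    auth_types = {h.settings.get('authentication') for h in hosts}
    for h in hosts:
        auth = h.settings.get('authentication')
        if auth == 'token' and h.settings.get('allow_empty_token') == 'true':
            findings.append((h.name, 'EMPTY_TOKEN_ALLOWED'))
        if auth == 'anonymous' and 'token' in auth_types:
            findings.append((h.name, 'MIXED_AUTH'))
        if h.settings.get('c2s_require_encryption') == 'false':
            findings.append((h.name, 'C2S_ENCRYPTION_OPTIONAL'))
    return findings


# Constructed sample: the shape of the thread's second config (token host that
# also allows empty tokens), including nested tables the parser must skip.
RISKY_CONFIG = '''
VirtualHost "meet.example.test"
    -- enabled = false -- Remove this line to enable this host
    authentication = "token"
    app_id="app_id"
    app_secret="app_secret"
    ssl = {
        key = "/etc/prosody/certs/meet.example.test.key";
        certificate = "/etc/prosody/certs/meet.example.test.crt";
    }
    modules_enabled = {
        "bosh";
        "ping"; -- Enable mod_ping
    }
    allow_empty_token = true
    c2s_require_encryption = false
'''

# Constructed sample: the shape of the recommended token + anonymous guest layout.
FIXED_CONFIG = '''
VirtualHost "meet.example.test"
    authentication = "token"
    app_id="yourappid"
    app_secret="yourappsecret"
    allow_empty_token=false
VirtualHost "guest.meet.example.test"
    authentication = "anonymous"
    c2s_require_encryption = false
'''

if __name__ == '__main__':
    for label, cfg in (('risky', RISKY_CONFIG), ('recommended', FIXED_CONFIG)):
        for host, code in lint(parse_virtualhosts(cfg)):
            print(f'{label}: {host}: {code}: {DESCRIPTIONS[code]}')
```

Run it against the text of your own prosody.cfg.lua (read the file and pass it to parse_virtualhosts) after changing the guest or token settings; the EMPTY_TOKEN_ALLOWED finding is the one that corresponds to the room-creation problem in the first post, and it should disappear in the recommended layout while the MIXED_AUTH finding appears in its place.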