JWT token issuer

Hi there,

I’ve set up a Jitsi Meet instance using JWT token auth and it is working great so far (thanks!).

However, I’m a little bit confused about the token verification procedure, especially the verification of the “iss” claim. The Jitsi token docs say that

‘iss’ specifies application ID which identifies the client app connecting to the server.

However my understanding is that the “iss” claim should contain information about who issued the JWT (in my case it’s a Keycloak server putting its own URL in there). So putting the application ID in there doesn’t feel right to me…(?)

Now I noticed that one can configure asap_accepted_issuers even if no asap_key_server is used (is this intended? I’d argue that just accepted_issuers would be a better name in this case). Although the documentation claims that '*' is used as the default value, I noticed that it is actually {self.appId}. So instead I configured { "*" } explicitly, but that didn’t work because for verify_issuer there is no wildcard check like in verify_audience.

Is there a reason (security?) for not allowing a wildcard as accepted issuer?
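A Python sketch of the behaviour described in the post above, added here as an illustration; it is not part of the original post and not Jitsi's own code. It assumes an HS256 shared secret, a constructed Keycloak issuer URL and hypothetical function bodies: the issuer check is an exact match, so a configured "*" rejects the token, while the audience check honours the wildcard.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token for the demo."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_issuer(iss, accepted):
    # Exact string match only: "*" is just another literal issuer name.
    return isinstance(iss, str) and iss in accepted

def verify_audience(aud, accepted):
    # Wildcard honoured here, as the post describes for the audience check.
    return "*" in accepted or (isinstance(aud, str) and aud in accepted)

def verify_token(token, secret, accepted_issuers, accepted_audiences):
    """Return (claims, None) on success or (None, reason) on rejection."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return None, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    if header.get("alg") != "HS256":  # pin the algorithm, do not trust the header
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    if not verify_issuer(claims.get("iss"), accepted_issuers):
        return None, "issuer not accepted"
    if not verify_audience(claims.get("aud"), accepted_audiences):
        return None, "audience not accepted"
    return claims, None

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-demo-secret"
KEYCLOAK_ISS = "https://keycloak.example.org/realms/demo"
TOKEN = sign_hs256({"iss": KEYCLOAK_ISS, "aud": "jitsi", "room": "*"}, SECRET)
```

With an exact-match issuer list, the Keycloak URL has to be listed verbatim for the token to pass; the signature check runs first, so the issuer list only narrows which validly signed tokens are accepted.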

No one? 🙁

@Aaron_K_van_Meerten maybe?