JWT token issuer

Hi there,

I’ve set up a Jitsi Meet instance using JWT token auth and it is working great so far (thanks!).

However, I’m a little bit confused about the token verification procedure, especially the verification of the “iss” claim. Jitsi token docs say that

‘iss’ specifies application ID which identifies the client app connecting to the server.

However, my understanding is that the “iss” claim should contain information about who issued the JWT (in my case it’s a Keycloak server putting its own URL in there). So putting the application ID in there doesn’t feel right to me… (?)

Now I noticed that one can configure asap_accepted_issuers even if no asap_key_server is used (is this intended? I’d argue that just accepted_issuers would be a better name in this case). Although the documentation claims that '*' is used as default value I noticed that it is actually {self.appId}. So instead I configured { "*" } explicitly but that didn’t work because for verify_issuer there is no wildcard check like in verify_audience.

Is there a reason (security?) for not allowing a wildcard as accepted issuer?
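To make the verification behaviour discussed in this post concrete, here is an added example (not Jitsi’s own Lua token module, and not code from any poster) that verifies an HS256 JWT with a stdlib-only Python implementation and then applies the two claim checks: an accepted-issuers list that, by default, contains only the app ID, and an audience check. Both checks honour a "*" wildcard, which is the behaviour the post says `verify_issuer` lacks. The secret, app ID and Keycloak issuer URL are constructed sample values; `verify_token`, `verify_issuer` and `verify_audience` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values for the demo; not real deployment settings.
SECRET = b"example-shared-secret-do-not-use"
APP_ID = "jitsi"
KEYCLOAK_ISSUER = "https://keycloak.example/realms/jitsi"


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a signed HS256 JWT (used here only to produce test input)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_issuer(claims: dict, accepted_issuers: list) -> bool:
    """Accept the token's 'iss' if it is listed, or if the list contains '*'."""
    iss = claims.get("iss")
    if iss is None:
        return False
    return "*" in accepted_issuers or iss in accepted_issuers


def verify_audience(claims: dict, accepted_audiences: list) -> bool:
    """'aud' may be a string or a list; any match (or '*') is enough."""
    aud = claims.get("aud")
    if aud is None:
        return False
    if "*" in accepted_audiences:
        return True
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in accepted_audiences for a in auds)


def verify_token(token: str, secret: bytes, app_id: str,
                 accepted_issuers=None, accepted_audiences=None, now=None):
    """Return (ok, reason). Signature and expiry are checked before any claim."""
    # Default mirrors what the post observed: only the app ID is accepted,
    # for both the issuer and the audience.
    accepted_issuers = [app_id] if accepted_issuers is None else accepted_issuers
    accepted_audiences = [app_id] if accepted_audiences is None else accepted_audiences

    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        return False, "unsupported alg"  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "expired"
    if not verify_issuer(claims, accepted_issuers):
        return False, "issuer not accepted"
    if not verify_audience(claims, accepted_audiences):
        return False, "audience not accepted"
    return True, "ok"


def demo() -> dict:
    """Run the three configurations from the post against a Keycloak-style token."""
    claims = {"iss": KEYCLOAK_ISSUER, "aud": APP_ID, "sub": "meet.example", "room": "*",
              "exp": 2_000_000_000}
    token = make_hs256_token(claims, SECRET)
    fixed_now = 1_700_000_000
    return {
        "default_appid_issuer": verify_token(token, SECRET, APP_ID, now=fixed_now),
        "wildcard_issuer": verify_token(token, SECRET, APP_ID, accepted_issuers=["*"], now=fixed_now),
        "explicit_keycloak_issuer": verify_token(token, SECRET, APP_ID,
                                                 accepted_issuers=[KEYCLOAK_ISSUER], now=fixed_now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the default configuration the Keycloak-issued token is rejected with "issuer not accepted", which matches the behaviour described in the post; listing the Keycloak URL explicitly is the tighter fix, and "*" is the permissive one. Note the signature and expiry are checked before any claim is read, so an issuer wildcard never relaxes the integrity check.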

No one? 🙁

@Aaron_K_van_Meerten maybe?

Good question. Allowing an arbitrary issuer may be acceptable for some installations (clearly would be for yours), and we’d certainly consider a PR that makes this work. For our use case we’d not want to have any arbitrary tokens generated by other services, so we’ve not spent the time to implement the feature.

Sorry, forgot to reference it here…

I created PR #8031: allow wildcard in token issuer verification which was merged in the meantime.