JWT token required / not being passed

Hi there–

Trying to get JWT authentication to work. I was able to get prosody installed with Ubuntu 19.10. Went through the instructions and installed the most recent trunk version (prosody-trunk_1nightly1247-1~eoan_amd64.deb) and also went through the convoluted install of luacrypto from source.

Now I’m trying to get JWT to work. JWT payload looks like this:

{
  "context": {
    "user": {
      "name": "Jeff Wigal"
    }
  },
  "iss": "jitsi-jwt.rescuehub.com",
  "aud": "jitsi.rescuehub.com",
  "room": "*",
  "exp": 1585926997
}

Prosody config looks like this:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "jitsi.rescuehub.com";

turncredentials_secret = "<SECRET1>";

turncredentials = {
  { type = "stun", host = "jitsi.rescuehub.com", port = "443" },
  { type = "turn", host = "jitsi.rescuehub.com", port = "443", transport = "udp" },
  { type = "turns", host = "jitsi.rescuehub.com", port = "443", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;

VirtualHost "jitsi.rescuehub.com"
        -- enabled = false -- Remove this line to enable this host
        -- authentication = "anonymous"
        authentication = "token"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        app_id="jitsi-jwt.rescuehub.com"
        app_secret="<SECRET2>"
        allow_empty_token = false;
       -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/jitsi.rescuehub.com.key";
                certificate = "/etc/prosody/certs/jitsi.rescuehub.com.crt";
        }
        speakerstats_component = "speakerstats.jitsi.rescuehub.com"
        conference_duration_component = "conferenceduration.jitsi.rescuehub.com"
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
        }
        c2s_require_encryption = false

Component "conference.jitsi.rescuehub.com" "muc"
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "token_verification";
    }
    admins = { "focus@auth.jitsi.rescuehub.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.jitsi.rescuehub.com" "muc"
    storage = "memory"
    modules_enabled = {
      "ping";
    }
    admins = { "focus@auth.jitsi.rescuehub.com", "jvb@auth.jitsi.rescuehub.com" }

VirtualHost "auth.jitsi.rescuehub.com"
    ssl = {
        key = "/etc/prosody/certs/auth.jitsi.rescuehub.com.key";
        certificate = "/etc/prosody/certs/auth.jitsi.rescuehub.com.crt";
    }
    authentication = "internal_plain"

Component "focus.jitsi.rescuehub.com"
    component_secret = "<SECRET3>"

Component "speakerstats.jitsi.rescuehub.com" "speakerstats_component"
    muc_component = "conference.jitsi.rescuehub.com"

Component "conferenceduration.jitsi.rescuehub.com" "conference_duration_component"
    muc_component = "conference.jitsi.rescuehub.com"

Visiting this address:

https://jitsi.rescuehub.com/siptest?jwt=eyJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsibmFtZSI6IkplZmYgV2lnYWwifX0sImlzcyI6ImppdHNpLWp3dC5yZXNjdWVodWIuY29tIiwiYXVkIjoiaml0c2kucmVzY3VlaHViLmNvbSIsInJvb20iOiIqIiwiZXhwIjoxNTg1OTI2OTk3fQ.Q8vSVPpz9GXDkcWLWtvPFp_DNGW1U2u0ONzvHoTbzXg

First call is to

https://jitsi.rescuehub.com/http-bind?room=siptest&token=eyJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsibmFtZSI6IkplZmYgV2lnYWwifX0sImlzcyI6ImppdHNpLWp3dC5yZXNjdWVodWIuY29tIiwiYXVkIjoiaml0c2kucmVzY3VlaHViLmNvbSIsInJvb20iOiIqIiwiZXhwIjoxNTg1OTI2OTk3fQ.Q8vSVPpz9GXDkcWLWtvPFp_DNGW1U2u0ONzvHoTbzXg

with:

<body content="text/xml; charset=utf-8" hold="1" rid="1646996422" to="jitsi.rescuehub.com" ver="1.6" wait="60" xml:lang="en" xmlns="http://jabber.org/protocol/httpbind" xmlns:xmpp="urn:xmpp:xbosh" xmpp:version="1.0"/>

and a response of

<body xmlns:stream='http://etherx.jabber.org/streams' xmpp:version='1.0' xmlns='http://jabber.org/protocol/httpbind' inactivity='60' xmlns:xmpp='urn:xmpp:xbosh' requests='2' polling='5' secure='true' hold='1' from='jitsi.rescuehub.com' wait='60' authid='3a8ce1a5-8911-4693-a7f5-8f0e53645e0e' ver='1.6' sid='3a8ce1a5-8911-4693-a7f5-8f0e53645e0e'>
  <stream:features xmlns='jabber:client'>
    <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
    <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> 
     <mechanism>ANONYMOUS</mechanism>
    </mechanisms>
  </stream:features>
</body>

Next a POST to

https://jitsi.rescuehub.com/http-bind?room=siptest&token=eyJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsibmFtZSI6IkplZmYgV2lnYWwifX0sImlzcyI6ImppdHNpLWp3dC5yZXNjdWVodWIuY29tIiwiYXVkIjoiaml0c2kucmVzY3VlaHViLmNvbSIsInJvb20iOiIqIiwiZXhwIjoxNTg1OTI2OTk3fQ.Q8vSVPpz9GXDkcWLWtvPFp_DNGW1U2u0ONzvHoTbzXg

with the response of:

<body xmlns:stream='http://etherx.jabber.org/streams' xmlns='http://jabber.org/protocol/httpbind' sid='3a8ce1a5-8911-4693-a7f5-8f0e53645e0e'>
  <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <not-allowed/>
    <text>token required</text>
  </failure>
</body>

and a UI message of “authentication failed”. Prosody logs look like this:

Apr 03 14:59:55 startup	info	Hello and welcome to Prosody version trunk nightly build 1247 (2020-04-01, 0230ceecb8a9)
Apr 03 14:59:55 startup	info	Prosody is using the select backend for connection handling
Apr 03 14:59:55 conference.jitsi.rescuehub.com:muc_domain_mapper	info	Loading mod_muc_domain_mapper for host conference.jitsi.rescuehub.com!
Apr 03 14:59:55 portmanager	info	Activated service 's2s' on [::]:5269, [*]:5269
Apr 03 14:59:55 conference.jitsi.rescuehub.com:muc_domain_mapper	info	Loading mod_muc_domain_mapper for host jitsi.rescuehub.com!
Apr 03 14:59:55 mod_bosh	info	The 'cross_domain_bosh' option has been deprecated
Apr 03 14:59:55 portmanager	info	Activated service 'http' on [::]:5280, [*]:5280
Apr 03 14:59:55 certmanager	info	No certificate present in SSL/TLS configuration for https port 5281. SNI will be required.
Apr 03 14:59:55 certmanager	info	No certificate present in SSL/TLS configuration for https port 5281. SNI will be required.
Apr 03 14:59:55 portmanager	info	Activated service 'https' on [::]:5281, [*]:5281
Apr 03 14:59:55 mod_http	info	Serving 'bosh' at https://*:5281/http-bind
Apr 03 14:59:55 portmanager	info	Activated service 'c2s' on [::]:5222, [*]:5222
Apr 03 14:59:55 portmanager	info	Activated service 'legacy_ssl' on no ports
Apr 03 14:59:55 conference.jitsi.rescuehub.com:muc_domain_mapper	info	Loading mod_muc_domain_mapper for host conferenceduration.jitsi.rescuehub.com!
Apr 03 14:59:55 general	info	Starting conference duration timer for conference.jitsi.rescuehub.com
Apr 03 14:59:55 conferenceduration.jitsi.rescuehub.com:conference_duration_component	info	Hook to muc events on conference.jitsi.rescuehub.com
Apr 03 14:59:55 conference.jitsi.rescuehub.com:muc_domain_mapper	info	Loading mod_muc_domain_mapper for host auth.jitsi.rescuehub.com!
Apr 03 14:59:55 conference.jitsi.rescuehub.com:muc_domain_mapper	info	Loading mod_muc_domain_mapper for host localhost!
Apr 03 14:59:55 conference.jitsi.rescuehub.com:muc_domain_mapper	info	Loading mod_muc_domain_mapper for host focus.jitsi.rescuehub.com!
Apr 03 14:59:55 portmanager	info	Activated service 'component' on [127.0.0.1]:5347, [::1]:5347
Apr 03 14:59:55 conference.jitsi.rescuehub.com:muc_domain_mapper	info	Loading mod_muc_domain_mapper for host speakerstats.jitsi.rescuehub.com!
Apr 03 14:59:55 general	info	Starting speakerstats for conference.jitsi.rescuehub.com
Apr 03 14:59:55 speakerstats.jitsi.rescuehub.com:speakerstats_component	info	Hook to muc events on conference.jitsi.rescuehub.com
Apr 03 14:59:55 conference.jitsi.rescuehub.com:muc_domain_mapper	info	Loading mod_muc_domain_mapper for host internal.auth.jitsi.rescuehub.com!
Apr 03 14:59:59 conference.jitsi.rescuehub.com:muc_domain_mapper	warn	Session filters applied
Apr 03 14:59:59 c2s56012389e020	info	Client connected
Apr 03 14:59:59 c2s56012389e020	info	Stream encrypted (TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384)
Apr 03 14:59:59 c2s56012389e020	info	Authenticated as jvb@auth.jitsi.rescuehub.com
Apr 03 15:00:02 jcp5601237023d0	info	Incoming Jabber component connection
Apr 03 15:00:02 focus.jitsi.rescuehub.com:component	info	External component successfully authenticated
Apr 03 15:00:06 conference.jitsi.rescuehub.com:muc_domain_mapper	warn	Session filters applied
Apr 03 15:00:06 c2s5601233accb0	info	Client connected
Apr 03 15:00:06 c2s5601233accb0	info	Stream encrypted (TLSv1.2 with ECDHE-RSA-AES256-GCM-SHA384)
Apr 03 15:00:06 c2s5601233accb0	info	Authenticated as focus@auth.jitsi.rescuehub.com
Apr 03 15:00:09 mod_bosh	info	Client tried to use sid '15bcc747-5595-4b4b-b6e2-7a4e348e2378' which we don't know about
Apr 03 15:00:20 conference.jitsi.rescuehub.com:muc_domain_mapper	warn	Session filters applied
Apr 03 15:00:20 mod_bosh	info	New BOSH session, assigned it sid '058f560d-e204-430f-9ae9-c2f4d7fa8ae7'
Apr 03 15:00:26 general	warn	Error verifying token err:not-allowed, reason:token required
Apr 03 15:02:03 mod_bosh	info	Client tried to use sid '058f560d-e204-430f-9ae9-c2f4d7fa8ae7' which we don't know about
Apr 03 15:02:07 conference.jitsi.rescuehub.com:muc_domain_mapper	warn	Session filters applied
Apr 03 15:02:07 mod_bosh	info	New BOSH session, assigned it sid '1b9d1be1-7f4d-4c5f-8a8b-ea781fcfd211'
Apr 03 15:02:13 general	warn	Error verifying token err:not-allowed, reason:token required

Looks to me like the JWT is not being passed along to where it needs to go. Any ideas what’s happening here?

Hello,

Did you solve this ?
I have the same issue

Unfortunately not. However, I was able to get the Docker version of this up and running yesterday. I wanted my setup to a) require JWT auth to create a room (for admins) and b) allow non-admins to join an existing room without JWT auth.

Ran into two more issues that I found work-arounds for:

Problem: Docker complaining about a missing nginx configuration file

Solution: Prior to running docker-compse, do this:

mkdir -p ~/.jitsi-meet-cfg/web/nginx
curl https://raw.githubusercontent.com/jitsi/docker-jitsi-meet/master/web/rootfs/defaults/nginx.conf > ~/.jitsi-meet-cfg/web/nginx/nginx.conf

Problem: Guest users are still seeing a login prompt, even after a JWT authenticated user has created the room.

Solution: until the docker image is fixed, login to the prosody docker container and edit the configuration file as shown here.

I have near zero experience with Docker, so I had to look up how to do this. I believe this is how to get in:

root@meet:~# cd docker-jitsi-meet/
root@meet:~/docker-jitsi-meet# docker-compose exec prosody /bin/bash
root@cbb6da2bb6d9:/# 

The docker container is very bare-bones, and I had to install nano in order to edit the file:

apt-get update
apt-get install nano
nano /prosody-plugins/mod_auth_token.lua

Relevant changes I had to make in my docker .env file:

HTTP_PORT=80
HTTPS_PORT=443
DOCKER_HOST_ADDRESS=my.ipv4.address.here
ENABLE_AUTH=1
ENABLE_GUESTS=1
AUTH_TYPE=jwt
JWT_APP_ID=my.app.id.here
JWT_APP_SECRET=supersecretlongkey
# pretty sure this is not in the env.example file, so I added this
JWT_ALLOW_EMPTY=1
#had some problems getting LetsEncrypt to generate a cert, so I disabled this:
#ENABLE_HTTP_REDIRECT=1

I solved the problem by downgrading the prosody version to Prosody(0.11.2,Linux)

Facing the same issue as OP.
Using Prosody version trunk nightly build 1248 (2020-04-03, 6119e4f87c32) on Ubuntu Bionic.

Same response to second POST, and same log entry in prosody.log

Went through some other posts here and did some debugging by adding print lines in prosody-plugins/token/util.lib.lua and prosody-plugins/mod_auth_token.lua

In mod_auth_token.lua at provider.get_sasl_handler added a log line as shown:

    function provider.get_sasl_handler(session)
       log("info", "My auth_token:%s", session.auth_token);
       local function get_username_from_token(self, message)
       local res, error, reason = token_util:process_and_verify_token(session);

It gives following msg in logs:
general info My auth_token:<nil>

Kind of stumped here, any help to move ahead is much appreciated.

Thanks!

Made this change to /usr/share/jitsi-meet/prosody-plugins/mod_auth_token.lua as seen here

sed -i 's/module:hook/module:hook_global/g' /usr/share/jitsi-meet/prosody-plugins/mod_auth_token.lua

This touched two lines of code, and it seems to be working for me after doing a manual install.

2 Likes

That did the trick. Now I am able to authenticate using token. No other changes were required.

Does this needs to be added as a bug report some where?

I think they took care of it in the Github source code.

1 Like

I created the follow doc to install Jitsi Meet (with new JVB2) and Jitsi meet tokens in ubuntu 18.04, it’s working perfectly.

Jitsi Installation Doc

Hi
Have you tried using public/private key instead of app-id/app-secret?

Having the same problem - how did you install Prosody 0.11.2?

I’m also getting the dreaded “token required” error. I’ve done everything I can find on this site.

Does anyone have any other ideas? I’m using Ubuntu 18.04 and following the instructions from Laurence here: Token authentication working with prosody 747 but not with latest version. Ubuntu 18.04

I don’t have anything in /var/log/prosody.err - prosody.log follows:

|May 21 19:46:46 startup|info|Hello and welcome to Prosody version 0.11.5|
|---|---|---|
|May 21 19:46:46 startup|info|Prosody is using the select backend for connection handling|
|May 21 19:46:46 portmanager|info|Activated service 's2s' on [::]:5269, [*]:5269|
|May 21 19:46:46 conference.meet.jrbcs.com:muc_domain_mapper|info|Loading mod_muc_domain_mapper for host conference.meet.jrbcs.com!|
|May 21 19:46:46 conference.meet.jrbcs.com:muc_domain_mapper|info|Loading mod_muc_domain_mapper for host internal.auth.meet.jrbcs.com!|
|May 21 19:46:46 conference.meet.jrbcs.com:muc_domain_mapper|info|Loading mod_muc_domain_mapper for host conferenceduration.meet.jrbcs.com!|
|May 21 19:46:46 general|info|Starting conference duration timer for conference.meet.jrbcs.com|
|May 21 19:46:46 conferenceduration.meet.jrbcs.com:conference_duration_component|info|Hook to muc events on conference.meet.jrbcs.com|
|May 21 19:46:46 conference.meet.jrbcs.com:muc_domain_mapper|info|Loading mod_muc_domain_mapper for host auth.meet.jrbcs.com!|
|May 21 19:46:46 portmanager|info|Activated service 'c2s' on [::]:5222, [*]:5222|
|May 21 19:46:46 portmanager|info|Activated service 'legacy_ssl' on no ports|
|May 21 19:46:46 conference.meet.jrbcs.com:muc_domain_mapper|info|Loading mod_muc_domain_mapper for host meet.jrbcs.com!|
|May 21 19:46:46 portmanager|info|Activated service 'http' on [::]:5280, [*]:5280|
|May 21 19:46:46 portmanager|error|Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281|
|May 21 19:46:46 portmanager|error|Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281|
|May 21 19:46:46 portmanager|info|Activated service 'https' on no ports|
|May 21 19:46:46 conference.meet.jrbcs.com:muc_domain_mapper|info|Loading mod_muc_domain_mapper for host speakerstats.meet.jrbcs.com!|
|May 21 19:46:46 general|info|Starting speakerstats for conference.meet.jrbcs.com|
|May 21 19:46:46 speakerstats.meet.jrbcs.com:speakerstats_component|info|Hook to muc events on conference.meet.jrbcs.com|
|May 21 19:46:46 conference.meet.jrbcs.com:muc_domain_mapper|info|Loading mod_muc_domain_mapper for host localhost!|
|May 21 19:46:46 conference.meet.jrbcs.com:muc_domain_mapper|info|Loading mod_muc_domain_mapper for host focus.meet.jrbcs.com!|
|May 21 19:46:46 portmanager|info|Activated service 'component' on [127.0.0.1]:5347, [::1]:5347|
|May 21 19:46:56 conference.meet.jrbcs.com:muc_domain_mapper|warn|Session filters applied|
|May 21 19:46:56 mod_bosh|info|New BOSH session, assigned it sid '1fd61b58-d427-48ff-b38e-bbf6f06cc10e'|
|May 21 19:46:56 general|warn|Error verifying token err:not-allowed, reason:token required|

sudo apt install prosody=0.11.2

Thanks for the quick reply . However my system says:

root@zeta:~# apt-get install prosody=0.11.2
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version '0.11.2' for 'prosody' was not found

Are you using a different repository? I’m using prosody:

deb https://packages.prosody.im/debian bionic main

You actually have to add Prosody repo https://prosody.im/download/package_repository

Yes - I have added the prosody repo - perhaps you also have an unstable or backported repo in your sources where it is located?

No but actually, I’ve just installed a new jitsi-meet server and, by default, the script installed prosody 0.11.2…

Nevermind - it is working with prosody 0.11.5 - my token was invalid - thanks again.

Good news :slight_smile: