JWT: token required


#1

Hello,

I have implemented JWT on my Jitsi server, following this documentation: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

When I try to connect to any room using a token, I get an error “authentication failed”. So I looked into prosody’s logs and I found this error:

So I looked at the request sent to the BOSH server:

To me this request looks good, but the server is answering:

It looks like the token is not delivered correctly to the BOSH server…

Do you have an idea of what the problem is? Or a lead to continue my search?
Thanks :slight_smile:


#2

Not sure I have any answers right now, but here are some leads where you might be able to debug further on your install. The query param is parsed here:

And the error you are hitting is that there is no auth token set via query param here:

If you are familiar with it, you can add debug statements to the code and restart prosody.
Also, just looking at some authenticated links we generate for meet.jit.si with our Slack integration, I see that the query param is jwt and not token. Can you try changing the query param to jwt, as seen in the following link where I’ve elided my complete token:

https://meet.jit.si/jitsihq/PassionateSoundsTeachThoughtfully?jwt=eyJhbGciOiJSUzI1N....


#3

Oh, I see now that the token query param was from the BOSH connection, so it may be fine. Hopefully the code pointers help.


#4

Oh, I see now that the token query param was from the BOSH connection, so it may be fine.

Yes, the address I used was https://swordvisio2.northeurope.cloudapp.azure.com/SolemnChimpsCrawlRandomly?jwt=eyJhbGciOiJI

If you are familiar with it, you can add debug statements to the code and restart prosody.

I’ve never done that, but I’m going to try, thanks.


#5

Oh, I just found out that there is another prosody log file: prosody.err
I have the following error:

Nov 16 09:21:27 portmanager error Error binding encrypted port for https: No certificate present in SSL/TLS configuration for https port 5281

So I wonder if the problem could come from the nginx config? In my nginx config I have the following:

server_names_hash_bucket_size 64;

# Plain HTTP: redirect everything to HTTPS
server {
    listen 80;
    server_name swordvisio2.northeurope.cloudapp.azure.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name swordvisio2.northeurope.cloudapp.azure.com;

    # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 is the usual minimum today
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate /etc/jitsi/meet/swordvisio2.northeurope.cloudapp.azure.com.crt;
    ssl_certificate_key /etc/jitsi/meet/swordvisio2.northeurope.cloudapp.azure.com.key;

    root /usr/share/jitsi-meet;
    index index.html index.htm;
    error_page 404 /static/404.html;

    # Per-host config.js served from /etc/jitsi/meet
    location /config.js {
        alias /etc/jitsi/meet/swordvisio2.northeurope.cloudapp.azure.com-config.js;
    }

    # A single path segment (a room name) is rewritten to the app's index page
    location ~ ^/([a-zA-Z0-9=\?]+)$ {
        rewrite ^/(.*)$ / break;
    }

    location / {
        ssi on;
    }

    # Backward compatibility
    location ~ /external_api.* {
        root /usr/share/jitsi-meet/libs;
    }

    # BOSH: proxied to Prosody on port 5281, the port prosody.err above reports as its https port
    location /http-bind {
        proxy_pass      http://localhost:5281/http-bind;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
}


#6

Hi Jean,

Do you have access to

https://YOURPUBIP/http-bind

I see this on my side:

It works! Now point your BOSH client to this URL to connect to Prosody.
For more information see Prosody: Setting up BOSH.


#7

Yes! I have exactly the same.


#8

I think you need to check the prosody config.
Here’s mine for that part.

VirtualHost "jitsi.mydomain.org"
    enabled = true
    authentication = "anonymous"
    ssl = {
        key = "/etc/prosody/certs/xmpp.mydomain.org.key";
        certificate = "/etc/prosody/certs/xmpp.mydomain.org.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
    }
    c2s_require_encryption = false

VirtualHost "auth.jitsi.mydomain.org"
    enabled = true
    ssl = {
        key = "/etc/prosody/certs/xmpp.mydomain.org.key";
        certificate = "/etc/prosody/certs/xmpp.mydomain.org.crt";
    }
    authentication = "internal_plain"


#9

You don’t have JWT authentication activated, have you?


#10

Oh sorry, I missed that part in your question.


#11

Okay, thanks for helping anyway :slight_smile:

So, @jmacelroy, I have added logs.

After restarting prosody I can see that I only have the first log, “out of bosh-session”. So the query param is not parsed. That explains it. But I am not a Lua developer, so I don’t really understand why.
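
The token flow that posts #2, #4 and #11 are debugging, as an added stand-alone example; it is not code from the Jitsi project, from Prosody's token module or from anyone in this thread. It builds an HS256 token with the claim layout from the lib-jitsi-meet tokens.md document linked in the first post (iss, aud, sub, room, exp; the aud value "jitsi" is taken from that document's sample and is an assumption here), puts it on the meeting URL as `?jwt=` (post #2's link), forwards it to the BOSH URL as `?token=` (post #3), and then does what the server side has to do first: pull `token` out of the BOSH query string, which is exactly the step post #11 found was producing nothing. The verifier's checks (signature, alg, exp, iss against the app id, room) are this example's model of the authentication; which claims Prosody's module actually enforces is defined by that module's code. The app id, secret, host and room names are made up for the example.

```python
"""Added example: Jitsi-style JWT on the meet URL (?jwt=) and the BOSH URL (?token=),
and the server-side parse/verify step. Not the Jitsi project's or Prosody's own code."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit


class TokenError(Exception):
    """Carries the reason a request was rejected (the user sees 'authentication failed')."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(app_id, app_secret, domain, room, now=None, ttl=3600):
    """Sign an HS256 JWT with the claim layout shown in lib-jitsi-meet's tokens.md.
    'aud': "jitsi" is that document's sample value (assumption, not verified against Prosody)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": app_id,   # application id; the server compares it with its configured app_id
        "aud": "jitsi",
        "sub": domain,   # XMPP domain the token is valid for
        "room": room,    # a room name, or "*" for any room
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def meet_url(host, room, token):
    """The link a user opens: the token travels in the 'jwt' query param."""
    return f"https://{host}/{room}?" + urlencode({"jwt": token})


def bosh_url(host, token):
    """The BOSH connection the web client makes: here the param is named 'token'."""
    return f"https://{host}/http-bind?" + urlencode({"token": token})


def token_from_bosh_url(url):
    """Server side, step one: extract 'token' from the BOSH query string.
    If this yields nothing, every later check is skipped and auth fails."""
    query = parse_qs(urlsplit(url).query)
    if "token" not in query:
        raise TokenError("no 'token' query param on the BOSH request")
    return query["token"][0]


def verify_token(token, app_id, app_secret, requested_room, now=None):
    """Server side, step two: signature, alg, expiry, issuer and room checks (this example's model)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("token is not three dot-separated segments") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' and any other algorithm
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(app_secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != app_id:
        raise TokenError("issuer does not match app_id")
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    if claims.get("room") not in ("*", requested_room):
        raise TokenError("token not valid for this room")
    return claims


def authenticate_bosh_request(url, app_id, app_secret, requested_room, now=None):
    """What a server must do on the BOSH request: parse the param, then verify the token."""
    return verify_token(token_from_bosh_url(url), app_id, app_secret, requested_room, now)


if __name__ == "__main__":
    # Constructed values: app id, secret, host and room are made up for this example.
    APP_ID, APP_SECRET, HOST = "example_app", "example_secret_change_me", "meet.example.org"
    tok = make_token(APP_ID, APP_SECRET, HOST, "myroom")
    print(meet_url(HOST, "myroom", tok))
    print(authenticate_bosh_request(bosh_url(HOST, tok), APP_ID, APP_SECRET, "myroom"))
    try:
        authenticate_bosh_request(f"https://{HOST}/http-bind", APP_ID, APP_SECRET, "myroom")
    except TokenError as err:
        print("rejected:", err)
```

Running it prints the meeting link, the verified claims, and then the rejection reason for a BOSH request that carries no `token` param, which is the situation post #11 describes: when the parse step finds nothing, the signature is never even checked, and the only symptom the user sees is “authentication failed”.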