JWT token verification group attribute not working

Hello, I followed the token verification doc, where it mentions that the group attribute can be enabled by simply including the group name, but the group attribute has no effect.

{
  "context": {
    "user": {
      "id": 123,
      "name": "John Doe",
      "role": "mod",
      "avatar": "http://...",
      "email": "mail@example.com"
    },
    "group": "dev"
  },
  "room": "room_name",
  "moderator": true,
  "app_id": "name",
  "iat": 1653453850,
  "exp": 1653504299,
  "aud": "aud",
  "iss": "iss",
  "sub": "sub",
  "jti": "123"
}

I am getting the “You are not allowed here” page when I visit dev/room_name, but excluding the group name, room_name works fine.

I’m using the latest docker image; all other configuration looks fine, as I am able to use Jitsi Meet normally without the group name.

AFAIK, the “group” field has no functional purpose and is there mainly to allow you to inject metadata for tracking/analytics/etc. From the docs:

‘group’ is a string which specifies the group the user belongs to. Intended for use in reporting/analytics, not used for token validation.

If you’re visiting /dev/room_name, then that is logically a different room from /room_name. In your token, try:

{
  "sub": "dev",
  "room": "room_name",
}

or

{
  "room": "[dev]room_name",
}

IIRC the tenant (“dev” in your case) is checked differently depending on whether the enable_domain_verification flag is set, but I don’t recall the details.

If that fails too, check prosody logs for hints on why the token is being rejected.

Thanks.

But coming from this, it says otherwise, or I misunderstood.

That PR was not merged as it detracts from the intention that “group” be just informational. See this comment.

This method works. Not sure how sub is supposed to work.

Prosody was checking like this in the logs: [dev]room_name


As described here: lib-jitsi-meet/tokens.md at master · jitsi/lib-jitsi-meet · GitHub

‘sub’ contains EITHER the lowercase name of the tenant (for a conference like TENANT1/ROOM
which would be ‘tenant1’) OR the lowercase name of the domain used when authenticating with this
token (for a conference like /ROOM).
By default assuming that we have full MUC ‘conference1@muc.server.net’ then ‘server.net’ should be used here. Alternately,
a ‘*’ may be provided, allowing access to rooms in all tenants within the domain or all domains within the server.

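To make the two points in this thread concrete (the reply suggesting "sub": "dev" / "room": "[dev]room_name", and the tokens.md rule quoted above), here is an added example that mints an HS256 Jitsi-style JWT with the standard library and models how the sub and room claims are matched against a tenant room URL. It is not code from the thread, from lib-jitsi-meet or from prosody's token plugin; the matching function is an assumption about the documented rule, written to reproduce what the thread reports (group is never consulted, the tenant has to come from sub or from a "[tenant]room" room claim, and the domain check for untenanted rooms is modelled as an optional domain_verification flag). The app_id, secret and domain name are constructed demo values.

```python
"""Added example (not the thread's or Jitsi's code): mint an HS256 Jitsi-style JWT and
model how 'sub'/'room' are matched against a tenant room URL such as /dev/room_name."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real deployment uses the app_id/app_secret configured for prosody.
APP_ID = "name"
APP_SECRET = b"demo-app-secret-not-for-production"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes = APP_SECRET) -> str:
    """HS256 compact-serialisation JWT over the given claims (stdlib only, no PyJWT needed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def mint_token(sub: str, room: str, lifetime: int = 3600, now=None, **extra) -> str:
    """Build the claim set this thread is about: tenant/domain in 'sub', room in 'room'."""
    now = int(time.time()) if now is None else int(now)
    claims = {"iss": APP_ID, "aud": APP_ID, "sub": sub, "room": room,
              "iat": now, "exp": now + lifetime, **extra}
    return sign_jwt(claims)


def verify_jwt(token: str, secret: bytes = APP_SECRET, now=None) -> dict:
    """Verify alg pin, signature, issuer and expiry; return the claims or raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse 'none' and RS/HS algorithm confusion
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != APP_ID:
        raise ValueError("unknown issuer")
    # A token without 'exp' is treated as already expired rather than as valid forever.
    if (time.time() if now is None else now) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def split_conference_path(path: str) -> tuple:
    """'/dev/room_name' -> ('dev', 'room_name'); '/room_name' -> ('', 'room_name')."""
    segments = [s.lower() for s in path.split("/") if s]
    if len(segments) == 1:
        return "", segments[0]
    if len(segments) == 2:
        return segments[0], segments[1]
    raise ValueError(f"unsupported conference path: {path}")


def room_allowed(claims: dict, path: str, domain: str, domain_verification: bool = False) -> bool:
    """Illustrative model of the rule quoted from tokens.md (an assumption about the
    behaviour, NOT prosody's own code). Note that 'group' is never consulted."""
    tenant, room = split_conference_path(path)
    sub = str(claims.get("sub", "")).lower()
    claimed_room = str(claims.get("room", "")).lower()
    # Form 2 from the thread: the tenant carried inside the room claim as "[tenant]room".
    if claimed_room.startswith("[") and "]" in claimed_room:
        claimed_tenant, claimed_name = claimed_room[1:].split("]", 1)
        return claimed_tenant == tenant and claimed_name == room
    # Form 1 from tokens.md: 'room' names the room (or '*'); 'sub' names the tenant for
    # /TENANT/ROOM, or the domain for /ROOM (assumed enforced only with domain verification on).
    if claimed_room not in ("*", room):
        return False
    if tenant:
        return sub in ("*", tenant)
    if domain_verification:
        return sub in ("*", domain.lower())
    return True


if __name__ == "__main__":
    domain = "meet.example.com"
    poster = mint_token(sub="sub", room="room_name", group="dev")  # shape of the token in the question
    fixed = mint_token(sub="dev", room="room_name")                 # tenant moved into 'sub'
    for label, tok in (("poster", poster), ("fixed", fixed)):
        print(label, "/dev/room_name ->", room_allowed(verify_jwt(tok), "/dev/room_name", domain))
```

Running it shows the poster's token being rejected for /dev/room_name while the token with "sub": "dev" is accepted; the "[dev]room_name" form passes through the same function. The verifier pins the algorithm and uses a constant-time comparison so the example is safe to adapt, but for a real deployment the check that matters is the one prosody performs with the app_secret from its config, so the prosody log remains the place to confirm why a token was rejected.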