JWT tokens and guest access

Hi everyone,

We have a dedicated server for Jitsi that uses tokens for authentication; we have users who are moderators and create rooms, and normal users who join those rooms.

Everything is working perfectly, but we need to make it easier for the normal users and only send them a link that does not include a token, so we need them to be treated as guests.

So, is it possible for normal users to log in without a token into a room that has already been created by a moderator who logged in earlier with a valid token?

There is an option, allow_empty_token I think was the name. But this one just allows guests to enter and there is no notion of creating rooms, so if there is no such room it will be created by the guest.

As we are logging in using JWT authentication, how is a system to be set up so that the ADMIN or first-time user is the only moderator and the rest are not?

There are 3 groups: 1. group - Admins, 2. group - Intermediates, 3. group - GUEST/CLIENT. So either 1 or 2 will be the first-time user with moderator access only.

How we handle that is that we enable the all_owners module so everyone in the room is a moderator, enable jwt and enable enableUserRolesBasedOnToken. The latter makes sure that guests (those with no token) cannot do stuff like calling, recording etc.

And how can this be possible? This was the part I wanted to know actually :thinking:

Enable enableUserRolesBasedOnToken in config.js

But how will we assign that group 1 and group 2 are not guests?

There is no such thing as group 1 or group 2. There are guests and non-guests. Those using a token are not guests.

OK… that will not work on my system because we want guests to enter with a token.

Thanks, @damencho, I tried setting allow_empty_token = true; under /etc/prosody/conf.avail/my_domain.com.cfg.lua

Now when I use a URL that has a token: https://my_domain.com/woohoo?jwt=legit-token, then the room 'woohoo' is created. But my guests cannot use the link https://my_domain.com/woohoo to join the room, as they are now given a popup for username and password!

Anything else I need to change before they can join directly?


Have you added it under your main virtualhost?

Yes, here is my config for the main virtualhost:

VirtualHost "my_domain.com"
    authentication = "token";
    allow_empty_token = true;
    ssl = {
        key = "/etc/prosody/certs/my_domain.com.key";
        certificate = "/etc/prosody/certs/my_domain.com.crt";
    }
    modules_enabled = {
        "ping"; -- Enable mod_ping
    }
    c2s_require_encryption = false;
    consider_bosh_secure = true;

Have you restarted prosody?
This is exactly how meet.jit.si is configured at the moment and you can enter without token.

I just restarted the server (just to make sure :)).

I am getting a pop-up asking for a username and password:
Maybe I forgot to say that this server is also configured as a secured domain, so maybe that is why it is throwing the username and password to the guests!?

But in the configuration, I also have the guest.my_domain.com virtual host, which is configured with anonymous authentication!

So, how does Jitsi choose between my_domain.com (tokens), auth.my_domain.com (internal_plain) and guest.my_domain.com (anonymous)?

You can't have both; choose either token or secure domain.

@Tanvir I think I currently have both, when there is no token specified, I get the username and password popup, and that does work for users without tokens.

So, I guess I need to disable the secured domain to enable anonymous access with tokens.

A final update on this post.

The only way I was able to get anonymous users to work was to update the guest virtual host in '/etc/prosody/conf.avail/vc.my_domain.com.cfg.lua' with the following config:

VirtualHost "guest.my_domain.com"
    --authentication = "anonymous";
    authentication = "token"
    c2s_require_encryption = false
    allow_empty_token = true;

In the end, I have users authenticating through JWT tokens, and the guests wait until the room is created by the actual authenticated users.


This is almost perfect, there is only one detail that does not work: if the user that has been authenticated with the JWT tries to create another room, even if the token has a restriction to only create a single room, it will let the user create as many rooms as he wants, without restriction. It seems that it authenticates via the guest host together with his sessionId stored in the local storage. Cleaning it makes the user unable to create more rooms. Is there any explanation for this?
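To make concrete what the "room" restriction in the last post is supposed to enforce, here is an added example (not code from the thread, Jitsi or Prosody): a stand-library-only HS256 issuer and verifier for Jitsi-style tokens. The claim names iss, aud, sub, room, exp and context.user.moderator are the ones Jitsi tokens use; the verification steps approximate what the Prosody token module does and are not its source. APP_ID, APP_SECRET, DOMAIN, the audience string "jitsi" and the user name are constructed values.

```python
# Added example: Jitsi-style JWT issue/verify with the "room" claim enforced.
# Standard library only; secrets and identifiers below are constructed.
import base64
import hashlib
import hmac
import json
import time

APP_ID = "my_app_id"                      # "iss" claim (prosody app_id), constructed
APP_SECRET = "constructed-shared-secret"  # prosody app_secret, constructed
DOMAIN = "my_domain.com"                  # "sub" claim: the main VirtualHost
AUDIENCE = "jitsi"                        # "aud" claim, constructed


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(room: str, moderator: bool, ttl: int = 3600, now=None) -> str:
    """Create an HS256 token valid for one room ("*" allows any room)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": APP_ID,
        "aud": AUDIENCE,
        "sub": DOMAIN,
        "room": room,
        "exp": now + ttl,
        "context": {"user": {"name": "alice", "moderator": moderator}},
    }
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url(compact(header)) + "." + _b64url(compact(payload))
    sig = hmac.new(APP_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, room: str, now=None) -> tuple:
    """Return (ok, reason). Checks signature, expiry, issuer, audience,
    subject domain and finally whether the token allows the requested room."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(APP_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    try:
        # Constant-time compare; check the signature before trusting any claim.
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            return False, "bad signature"
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "malformed"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if payload.get("iss") != APP_ID:
        return False, "wrong issuer"
    if payload.get("aud") != AUDIENCE:
        return False, "wrong audience"
    if payload.get("sub") != DOMAIN:
        return False, "wrong domain"
    allowed = payload.get("room")
    if allowed != "*" and allowed != room:
        return False, "room not allowed"
    return True, "ok"


def is_moderator(token: str) -> bool:
    """Read the moderator flag from the context claim (what
    enableUserRolesBasedOnToken keys roles on); False for guests with no token."""
    if not token:
        return False
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return False
    return bool(payload.get("context", {}).get("user", {}).get("moderator"))


if __name__ == "__main__":
    tok = issue_token("woohoo", moderator=True)
    print(verify_token(tok, "woohoo"))   # accepted
    print(verify_token(tok, "another"))  # rejected: room not allowed
    print(is_moderator(tok), is_moderator(""))
```

The point for the last post is the order of checks: a token scoped to "woohoo" must be rejected for any other room before any session state is consulted, so a join that succeeds for a second room means the request never reached this check (here, because the guest host with allow_empty_token accepted an empty token and the stored session carried the identity).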