JWT Tokens Install Guide

"enable JWT auth" seems like disabled

Yes, you are correct. I briefly turned it off during testing last night, but it was enabled when not authenticating.

You are using HS256 jwt, I need to check the code but I think asap_accepted_audiences is not used with these tokens, you need to use your app_id from the config when signing the token. Or change the app_id to match the token aud, value.

Nope, that is not correct.

Is your APP_ID RocketChat? As this claims to allow only "MY_APP_ID" and "smash", while the token has "aud": "RocketChat" in it.
Add "RocketChat" to that config and it should work.

No. My actual APP ID is 7CB62DC4. I ran the command to generate a few strings. I grabbed 8 characters from one string for the ID, and used the entire other string for the SECRET.

If you use asap_accepted_audiences = { "MY_APP_ID", "smash", "RocketChat" } does it work?

Interestingly, now, it briefly loads my camera, then goes to a black screen that says

Sorry! You are not allowed to be here : (

Response to below question due to community restrictions on new member replies:

Not exactly. Now, it appears to authenticate, because it’s not displaying the authentication failed banner. Instead, it’s now briefly loading my camera, then goes to the screen I posted an image of above.

And yes, I ran systemctl restart prosody jicofo jitsi-videobridge2 after making the change.

And you still see the same error about audience?
Did you restart prosody after the change?

Sorry for the delay. As discussed privately, I built a test VPS, deployed a Jitsi Docker image, enabled JWT, and it’s working perfectly!

Now, I have another question. With JWT authentication enabled, is it still possible to use the internal_plain authentication method?

Ideally, I would like to be able to launch chats via Nextcloud and RocketChat using JWT, but also have the ability of going to my Jitsi server directly and launching meetings as a regular host.

I’m stuck exactly where you are here. Did you find a solution?

Hey Edward,

I wound up building out a Matrix/Element server and incorporated Jitsi without JWT.

Here is a link to the guide I followed for the initial setup. It’s from the Matrix team.

Once that was setup and working, I followed this guide to enable Prosody Auth Matrix User Verification:

Just got Jibri running so recording is enabled. My next feat will be setting up a PBX with SIP trunking to enable dial-in functionality. So far, it’s very impressive!

I tried different info to get Jitsi installed on Ubuntu 22.04 LTS with JWT but always got some errors/problems.
Below is what I did to get it working. It is NOT perfect and contains steps that might be unnecessary etc.
The reason I post it here is so others might find solutions to some of the problems I had.
I got this info from multiple sources but mostly from Here and Here.

//install Jitsi on Ubuntu 22.04 with JWT

sudo apt-get update
sudo apt-get dist-upgrade
sudo shutdown -r now

//change ssh port and some security
sudo nano /etc/ssh/sshd_config
  Protocol 2 #add line
  Port 2222
  PermitRootLogin no
  MaxAuthTries 5
sudo service ssh restart


//#firewall
sudo ufw deny ssh
sudo ufw allow 2222
sudo ufw allow http
sudo ufw allow https
sudo ufw allow 3478/udp
sudo ufw allow 5349/tcp
sudo ufw allow 10000/udp
sudo ufw enable

//set correct timezone and locale for 24h
sudo timedatectl set-timezone Europe/Stockholm
sudo localectl set-locale LC_TIME=en_GB.UTF-8

sudo hostnamectl set-hostname jitsi.example.com

//add server ip to domain name
sudo nano /etc/hosts
  123.123.12.123 jitsi.example.com
  
curl https://download.jitsi.org/jitsi-key.gpg.key -o jitsi-key.gpg.key
sudo gpg --output /usr/share/keyrings/jitsi-key.gpg --dearmor jitsi-key.gpg.key
sudo nano /etc/apt/sources.list.d/jitsi-stable.list
  deb [signed-by=/usr/share/keyrings/jitsi-key.gpg] https://download.jitsi.org stable/
  
curl https://prosody.im/files/prosody-debian-packages.key -o prosody-debian-packages.key
sudo gpg --output /usr/share/keyrings/prosody-keyring.gpg --dearmor prosody-debian-packages.key
sudo nano /etc/apt/sources.list.d/prosody.list
  deb [signed-by=/usr/share/keyrings/prosody-keyring.gpg] http://packages.prosody.im/debian jammy main
  
rm jitsi-key.gpg.key prosody-debian-packages.key

sudo nano /etc/apt/sources.list
  deb http://security.ubuntu.com/ubuntu bionic-security main

//note: this should be done better with gpg somehow
sudo apt update && apt-cache policy libssl1.0-dev
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
sudo apt update && apt-cache policy libssl1.0-dev

//install stuff, line by line to check for errors etc
sudo su
cd
apt-get update
apt-get install gcc
apt-get install unzip
apt-get install lua5.2
apt-get install liblua5.2
apt-get install luarocks
luarocks install basexx
apt-get install libssl1.0-dev
luarocks install luacrypto
mkdir src
cd src
luarocks download lua-cjson
luarocks unpack lua-cjson-2.1.0.6-1.src.rock
cd lua-cjson-2.1.0.6-1/lua-cjson
sed -i 's/lua_objlen/lua_rawlen/g' lua_cjson.c
sed -i 's|$(PREFIX)/include|/usr/include/lua5.2|g' Makefile
luarocks make
luarocks install luajwtjitsi //Gives error: fpconv.h:15:20: warning: inline function ‘fpconv_init’ declared but never defined. Still works
cd 
apt-get install prosody
chown root:prosody /etc/prosody/certs/localhost.key //already the correct permissions?
chmod 644 /etc/prosody/certs/localhost.key
shutdown -r now

sudo apt-get install jitsi-meet
  //hostname of current installation: jitsi.example.com
  //generate a new self signed cert

//generate letsencrypt cert
sudo apt install certbot
sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

//test server:
https://jitsi.example.com/

sudo apt-get install jitsi-meet-tokens
 //set App ID and Application Secret and domain (jitsi.example.com)
 
sudo nano /etc/prosody/conf.avail/jitsi.example.com.cfg.lua
//find: VirtualHost "jitsi.example.com"
change 'authentication = "anonymous"' to 'authentication = "token"'
Uncomment and add info for 'app_id' and 'app_secret'
Uncomment line '"token_verification";' under: Component "conference.jitsi.example.com" "muc"
Add to end of file:
  VirtualHost "guest.jitsi.example.com"
    authentication = "anonymous"
    c2s_require_encryption = false
    modules_enabled = {
            "bosh";
            "ping";
            "pubsub";
            "speakerstats";
            "turncredentials";
            "conference_duration";
    }

sudo shutdown -r now

//check log file for any big blocks of Java exceptions
sudo tail -n100 /var/log/prosody/prosody.log

//Go to https://jwt.io, and paste this JSON into the Header field:
{
  "alg": "HS256",
  "typ": "JWT"
}
//...and this into Payload:data (change app id and domain):
{
  "aud": "jitsi",
  "iss": "<your app id>",
  "sub": "jitsi.example.com",
  "room": "*"
}

//copy the encoded string and use it in urls to meetings:
https://jitsi.example.com/TestMeeting?jwt=the-long-encoded-string-here

//disable root (sudo su)
sudo passwd -l root
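The header and payload above are what jwt.io signs with your app secret. The following is an added example, not part of the post or of the Jitsi project, that builds the same HS256 token with only the Python standard library and then verifies it the way the thread's earlier exchange describes: the signature must check out under app_secret, "iss" must equal the configured app_id, and "aud" must be in an accepted-audience list (a simplified model of the asap_accepted_audiences / app_id discussion, not the real Prosody module's logic). The "exp" claim is an assumption added here to bound the token's lifetime; the post's payload omits it.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jitsi_token(app_id, app_secret, domain, room="*", aud="jitsi", ttl=3600, now=None):
    """Sign the Jitsi-style payload from the post (aud/iss/sub/room) with HS256."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"aud": aud, "iss": app_id, "sub": domain, "room": room, "exp": now + ttl}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_jitsi_token(token, app_id, app_secret, accepted_audiences=("jitsi",), now=None):
    """Return (payload, "ok") when the token is acceptable, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None, "malformed token"
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(app_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    # This is the mismatch the thread hit: iss must be the app_id in the Prosody config.
    if payload.get("iss") != app_id:
        return None, "issuer does not match app_id"
    if payload.get("aud") not in accepted_audiences:
        return None, "audience not accepted"
    now = int(time.time()) if now is None else now
    if "exp" in payload and payload["exp"] < now:
        return None, "token expired"
    return payload, "ok"
```

Append the result of make_jitsi_token as ?jwt=... to the meeting URL exactly as the post shows; the app_id, secret and domain used are placeholders.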

I think Ubuntu 22.04 LTS is not a good choice to install Jitsi because of Nginx's Lua module and coturn issues.

I don’t know anything about that. I just wanted to use Ubuntu 22.04 since I use it on all other servers.
Jitsi seems to be working great on 22.04, so far.

I’m trying to set up Jitsi with JWT on Ubuntu 22.04 at the moment. Does anyone know if these issues have been resolved? Or should I just use 20.04 instead?

I’m following this guide for setting up Jitsi with JWT on 20.04 but am having problems. The guide makes reference to the setting c2s_require_encryption in prosody.cfg.lua but the file I’ve got with the latest version of Prosody doesn’t include this setting. Should I add it?

Actually, looks like that setting has moved to conf.avail/<app_id>.cfg.lua, is that correct?

This guide doesn't match the current release