Jwt tokens not respecting the exp field

I missed a comma. I mean, show us your token and mask any private information in it.

Sorry @damencho, the token is shown below:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsibmFtZSI6IlhYWCIsImVtYWlsIjoiWFhAWFhYLmNvbSJ9fSwic3ViIjoidmMuWFhYWC5jYSIsImlzcyI6ImhhbW1vZCIsInJvb20iOiJCUkhBTUVMSU5GOUtSIiwiYXVkIjoiT3NhbWEiLCJleHAiOjE1ODQ1OTA0MDB9.u46w_7O7UV_2TPUYTyeXRrxTcuBb8aPzT5evoiy9SB0

By the way, I noticed that any token works, even if it invalid!!

How do you pass it?

https://vc.mydomain.com/room?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjb250ZXh0Ijp7InVzZXIiOnsibmFtZSI6IlhYWCIsImVtYWlsIjoiWFhAWFhYLmNvbSJ9fSwic3ViIjoidmMuWFhYWC5jYSIsImlzcyI6ImhhbW1vZCIsInJvb20iOiJCUkhBTUVMSU5GOUtSIiwiYXVkIjoiT3NhbWEiLCJleHAiOjE1ODQ1OTA0MDB9.u46w_7O7UV_2TPUYTyeXRrxTcuBb8aPzT5evoiy9SB0

I tried many possibilities but I couldn’t reproduce the same error for the stable packages. The authentication is always failed when the exp is outdated.

I am suspecting that the ‘allow_empty_token=True’ is forcing the token verification to be disabled!

I will try it after hours and see how that goes.

I tried this too but it works as expected. Do you allow guest login?

Yes, and this is the config for the guest config:

VirtualHost “guest.mydomain.com
authentication = “token”
app_id=“XXXXX”;
app_secret=“XXXXXXXXXXXXXXXXXXXXXX”;
allow_empty_token = true;
c2s_require_encryption = false

Wait guest is supposed to be used with username/password authentication, there is no point of having it with token. Every auth mechanism has its own path and by mixing them that breaks stuff, this is what I guess is going on … but not sure.

Thanks again for your help @damencho.

So, should I change the guest configuration from:

authentication = “token”
app_id=“XXXXX”;
app_secret=“XXXXXXXXXXXXXXXXXXXXXX”;
allow_empty_token = true;

to:

authentication = “anonymous”

No need a virtualhost for guest when JWT is enabled.

Should I remove the

guest virtual host from the /etc/prosody/conf.d/mydomain.com.cfg.lua

and the

anonymousdomain: ‘guest.mydomain.com’, from my /etc/jitsi/meet/mydomain.com-config.js also?

When JWT is enabled and “allow_empty_token = true” then the participants which have no token, become guest.

Therefore no need to anonymousdomain too. But if there are not removed I don’t know this will cause any problem or not…

Thanks @emrah, I will try this today after hours and report back tomorrow morning.

Thanks for you help and for @damencho help.

Good morning @emrah

I went through the suggested changes, but unfortunately non of them worked.

I am planning to reinstall everythig from scratch and I am looking for a Jitsi tokens guide, and I did find so many guides out there.

Should I follow this one:

or this one:

The second guide has so much details which is good, while the first one from Jitsi had like 4 steps only.

The installation steps vary depending on the choosen distro.

There is the lua and prosody version issue for the old distro (like Ubuntu 18.04)
And there is the libssl issue for the newer distro…

It’s better to use a newer distro like Ubuntu 20.04 or Debian 10.x

I will go with the latest Ubuntu, but which guide would you suggest?

I always use Debian, therefore not much experience with Ubuntu.

But the first guide seems to not cover the libssl-dev issue. The second forces to add the prosody repo ( I don’t understand why not use the prosody from the official Ubuntu repo) and there are many suspicious steps (for me). For examples

  • no need to TCP/4443, TCP/5347 and UDP range
  • no need anonymousdomain while allow_empty_token is active
  • IIRC org.jitsi.jicofo.auth.URL=XMPP: causes problems when JWT is active

If you mean “Ubuntu 20.04” when you say “latest Ubuntu” and you have an already working Jitsi system, I know that the steps on the following post work except one missing step. These steps for Debian Buster. They work for Ubuntu 20.04 but it’s needed to add Debian repo key first.

How I’m installing jitsi-meet-tokens now

I will go with Debian in this case, so I would need to install Jitsi (default), then follow this guide:

Sounds good, I will do the installation and report back with my findings.

Thanks again @emrah

If you are familiar with Ubuntu, no need to change the distro. The adding repo key is very simple step