"moderator" = false attribut in JWT not being read

keda82 · October 6, 2022, 1:56pm

Want the ability to disable moderator features via the moderator flag in the jwt. Authentication works and the user becomes moderator. Unfortunately the user becomes moderator even if “moderator” = false is set in the JWT

Are we missing something?

{
“context”: {
“user”: {
“name”: “User Name”,
“moderator”: “false”
}

},
“aud”: “jitsi”,
“iss”: “issID”,
“sub”: “meet.jitsi”,
“room”: “*”
}

shawn · October 6, 2022, 2:01pm

Did you install additional prosody plugins to control moderator role using JWT?

In a default Jitsi install, the context in JWT token does not control user role so you cannot just add a field to promote or demote users to moderators. This is instead controlled by Jicofo which will promote the first user in the meeting to moderator.

You can change this behaviour by disabling that feature in Jicofo and adding custom prosody plugins to implement the behaviour you want.

If you elaborate further on what you are trying to achieve, someone might be able to point you to the right direction.

emrah · October 6, 2022, 3:12pm

If you enable the externel authentication in jicofo config file, everybody becomes moderator if she has a valid token.

keda82 · October 6, 2022, 3:35pm

@emrah This could be of interest for certain use cases for us. Which settings is this? Does it have a docker yaml value?

@Shawn No additional plugins enabled for this, which ones should be go for? Our end goal is:

Usergroup A - if "moderator" = true in jwt then they become moderator. Maybe in combination with the jicofo config emrah mentions

Usergroup B - if "moderator" = false in jwt then they join as guests

emrah · October 6, 2022, 3:38pm

jicofo.authentication.enabled

No idea what is the Docker equivalent.

shawn · October 6, 2022, 4:04pm

In a non-docker setup, I would set both jicofo.authentication.enabled and jicofo.conference.enable-auto-owner to false so jicofo does not promote anyone to moderator.

I would then use something like this to promote users based on a value in their JWT:

That plugins looks at context.user.affiliation field to determine if a user should be moderator, but it should be relatively trivial to change that to context.user.moderator.

For docker, there is the ENABLE_AUTO_OWNER to disable Jicofo owner, but looks like jicofo.authentication.enabled is hardcoded to true if you enable auth.

github.com

jitsi/docker-jitsi-meet/blob/957a225d3cdcde5496973da10d7b19680b3fadd2/jicofo/rootfs/defaults/jicofo.conf#L23


      
          {{ $XMPP_MUC_DOMAIN := .Env.XMPP_MUC_DOMAIN | default "muc.meet.jitsi" -}}
          {{ $XMPP_INTERNAL_MUC_DOMAIN := .Env.XMPP_INTERNAL_MUC_DOMAIN | default "internal-muc.meet.jitsi" -}}
          {{ $XMPP_DOMAIN := .Env.XMPP_DOMAIN | default "meet.jitsi" -}}
          {{ $XMPP_RECORDER_DOMAIN := .Env.XMPP_RECORDER_DOMAIN | default "recorder.meet.jitsi" -}}
          {{ $XMPP_PORT := .Env.XMPP_PORT | default "5222" -}}
          {{ $XMPP_SERVER := .Env.XMPP_SERVER | default "xmpp.meet.jitsi" -}}
          
          
jicofo {
              {{ if $ENABLE_AUTH }}
              authentication {
                enabled = true
                // The type of authentication. Supported values are XMPP, JWT or SHIBBOLETH (default).
                {{ if eq $AUTH_TYPE "jwt" }}
                type = JWT
                {{ else if eq $AUTH_TYPE "shibboleth" }}
                type = SHIBBOLETH
                {{ else }}
                type = XMPP
                {{ end }}
                {{ if eq $AUTH_TYPE "shibboleth" }}
                login-url = "shibboleth:default"

I’m afraid I don’t use docker so I have no idea how best to deal with this. My guess is you either customise the config further to disable auth in Jicofo, or you leave it be and extend the plugin further to block Jicofo from promoting or actively demote users that do not have the correct flag.

keda82 · October 6, 2022, 4:24pm

Thanks! Looking at mod_token_affiliation.lua it appears to be accepting both “moderator” and “teacher” == owner

Set affiliation in token. The value may be owner or member

Is ‘member’ equivalent to a guest/non-moderator?

shawn · October 6, 2022, 4:31pm

Yup. An “owner” affiliation means moderator, and “member” is non-moderator.

keda82 · October 14, 2022, 2:35pm

@shawn we fail to get both mod_token_affiliation.lua and mod_frozen_nick.lua to work in our environment with the Jitsi 7648 release. The modules are loading but we do not get the expected outcome.

Are they compatible with prosody 0.12.x?

shawn · October 14, 2022, 2:46pm

Yes they are.

How are they not working? Do you see errors in prosody logs?

keda82 · October 19, 2022, 2:22pm

So this was also solved by updating the Jitsi images. However we noticed something strange

Moderator get their name set via jwt and they are allowed to change their displayname in the gui. The display name is changed for the moderator but it remains the jwt display name for guest in the meeting

Moderator → “JWT name” → Change name manually → “New name”
Guest → sets its own displayname → sees the “JWT name” of moderator

One solution could be to disable the ability to set displayname, but that would not be wanted behavior as we want guests to be able to set their displayname

Suggestions?

shawn · October 19, 2022, 2:32pm

This is expected. At present, there is nothing stopping JWT users from updating their display name.

If you want to enforce that, see this module – prosody-plugins/frozen_nick at main · jitsi-contrib/prosody-plugins · GitHub.

It’s not perfect, since when a JWT user updates their name in the UI they will still see the name change locally, but others will still see the original name. Which is why we use it in conjunction with readOnlyName config option, but this is only viable if all users use JWT.

That really should not happen. No idea why that’s happening in your case

keda82 · October 19, 2022, 4:29pm

@shawn you are a champ

Sorry for being unclear, what I meant was that guest sees the JWT displayname of the moderator, not the name moderator wrote manually after logging in. Reading from above explains this behavior

Display name of the guest account works OK