Multitenant deployment of Jitsi

swathikrishna_guru · February 24, 2021, 3:43pm

Thanks for explaining it.

So if I have have multiple pub keys in my asap server, how do I add all of them in configmap? Do I need to add multiple lines as below?

JWT_ASAP_KEYSERVER1
JWT_ASAP_KEYSERVER2
JWT_ASAP_KEYSERVER3

or this will be the folder where all pub keys resides.

regards
Swathi Ambujakshan

Aaron_K_van_Meerten · February 24, 2021, 3:56pm

It’s the latter: a single folder where all accepted public keys reside

swathikrishna_guru · February 25, 2021, 11:45am

@Aaron_K_van_Meerten @damencho

After some effort I could bring up the key server , prosody with required modules but I get the error below while accessing meeting with the token.

muc.test.mydomain.com:muc_domain_mapper warn Session filters applied
mod_bosh info New BOSH session, assigned it sid ‘5f7ea9d7-135c-4421-a26b-98cc5a3989a1’
test.mydomain.com:auth_token warn Error on public key request: Code 0, Content certificate-chain-invalid
general warn Error verifying token err:not-allowed, reason:could not obtain public key
jcp564a103d3be0 info Incoming Jabber component connection

Header

{
“kid”: “test.pub”,
“typ”: “JWT”,
“alg”: “RS256”
}

Payload

{
“context”: {
“user”: {
“avatar”: “https:/gravatar.com/avatar/abc123”,
“name”: “John Doe”,
“email”: “jdoe@example.com”
}
},
“aud”: “jitsi”,
“iss”: “my_app_id”,
“sub”: “https://test.mydomain.com/”,
“room”: “*”,
“moderator”: true
}

Verify signature

RSASHA256(
base64UrlEncode(header) + “.” +
base64UrlEncode(payload),
added my private key here
added my public key here

I can access the key using the website URL path added in the configmap as below.

AUTH_TYPE: jwt
JWT_APP_ID: my_app_id
JWT_ASAP_KEYSERVER: https://url.xxxx/keys

Any help would be highly appreciated.

swathikrishna_guru · February 25, 2021, 11:51am

@Aaron_K_van_Meerten

Also , I have created key pairs using ssh-key and the pub key ( test.pub) is copied under the nginx webserver where it severs key files.

so my url is https://keyserver/keys/test.pub
Is that correct way of doing it?

damencho · February 25, 2021, 12:48pm

Nope the name should be jitsi-meet/util.lib.lua at dd1f8339b18130627f441c36963e390acee66f09 · jitsi/jitsi-meet · GitHub
There is a simpler example I need to find

damencho · February 25, 2021, 12:53pm

Nope, cannot find it, but there are multiple posts in the forum if you search for kid and jwt

swathikrishna_guru · February 25, 2021, 1:20pm

@damencho That make sense , I have converted my kid to SHA256 using
below URL

SHA-256 Cryptographic Hash Algorithm implemented in JavaScript | Movable Type Scripts.

and renamed my pub key to sha256 name .pem ( something like ba7816bf8f01cfea414140de5dae2223b00361a39617.pem)

Now the error is as below.

warn Error on public key request: Code 0, Content certificate-chain-invalid
general warn Error verifying token err:not-allowed, reason:could not obtain public key

swathikrishna_guru · February 27, 2021, 5:22pm

@Aaron_K_van_Meerten will ssh RSA keys work here?

Aaron_K_van_Meerten · February 27, 2021, 6:24pm

No only rsa keys generated like via openssl

swathikrishna_guru · March 1, 2021, 4:56pm

@Aaron_K_van_Meerten Tried all the possible ways still not working.

Aaron_K_van_Meerten · March 1, 2021, 7:34pm

OK so here’s a breakdown of the process:
Decide on a new kid, like:
my-new-kid-2021-03-01

Calculate the sha256 of this string, like: a321cebb1ff30c9dd8f1f775c7fbcb16784bbee6403e42e1d069ce58062468db

Generate a new RSA private key via:

openssl genrsa -out my-new-kid-2021-03-1.pem 2048

Next, generate the public side:

openssl rsa -in my-new-kid-2021-03-1.pem -outform PEM -pubout -out a321cebb1ff30c9dd8f1f775c7fbcb16784bbee6403e42e1d069ce58062468db.pem

Copy the public side to a web-accessible URL like:
https://keyserver.example.com/keys/a321cebb1ff30c9dd8f1f775c7fbcb16784bbee6403e42e1d069ce58062468db.pem

Configure prosody to look for keys in this location via prosody.cfg.lua or other files (with indentation fixes I cannot seem to get right here, replace the periods with spaces in the asap_keyserver line):

asap_accepted_issuers = {“your_issuer”}
asap_accepted_audiences = {“your_audiences”}

VirtualHost “meet.example.com”
… asap_key_server = https://keyserver.example.com/keys

Finally, submit a JWT with the ‘kid’ in the header, and a payload that has aud, iss, exp, room and sub set as described here:

github.com

jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

JWT token authentication Prosody plugin
==================

This plugin implements Prosody authentication provider that verifies client connection based on JWT token described in [RFC7519].
It allows to use any external form of authentication with lib-jitsi-meet. Once your user authenticates you need to
generate the JWT token as described in the RFC and pass it to your client app. Once it connects with valid token is considered authenticated by jitsi-meet system.

During configuration you will need to provide the *application ID* that identifies the client and a *secret* shared by both server and JWT token generator. Like described in the RFC, secret is used to compute HMAC hash value which allows to authenticate generated token. There are many existing libraries which can be used to implement token generator. More info can be found here: [http://jwt.io/#libraries-io]

JWT token authentication currently works only with BOSH connections.

[RFC7519]: https://tools.ietf.org/html/rfc7519
[http://jwt.io/#libraries-io]: http://jwt.io/#libraries-io

### Token structure

The following JWT claims are used in authentication token:
- 'iss' specifies *application ID* which identifies the client app connecting to the server. It should be negotiated with the service provider before generating the token.
- 'room' contains the name of the room for which the token has been allocated. This is *NOT* full MUC room address. Example assuming that we have full MUC 'conference1@muc.server.net' then 'conference1' should be used here.  Alternately, a '*' may be provided, allowing access to all rooms within the domain.
- 'exp' token expiration timestamp as defined in the RFC

This file has been truncated. show original

An example payload looks like the following for access to https://meet.example.com/sometenant/MyRoomName:
Header:

{
“alg”: “RS256”,
“kid”: “my-new-kid-2021-03-01”,
“typ”: “JWT”
}

Payload:

{
“aud”: “jitsi”,
“context”: {
“user”: {
“id”: “WTFBBQ12345”,
“name”: “some guy”,
“avatar”: “https://avatars.example.com/someguy.jpg”
},
“group”: “sometenantgroupid”
},
“exp”: 1614702388,
“iss”: “chat”,
“nbf”: 1614615988,
“room”: “MyRoomName”,
“sub”: “sometenant”
}

swathikrishna_guru · March 2, 2021, 5:25pm

@Aaron_K_van_Meerten I have exactly followed the same steps you have mentioned in the previous reply.

The only difference is in the payload. My payload as follows.

{
“context”: {
“user”: {
“avatar”: “https:/gravatar.com/avatar/abc123”,
“name”: “somthing”,
“email”: “some@example.com”
}
},
“aud”: “xxxx”,
“iss”: “app_id_custom_id”,
“sub”: “https://mydomain.com/mutipath”,
“room”: “*”,
“moderator”: true
}

Also I generated the payload from https://jwt.io/ where it also ask to add private key to generate the JWT.

Do you think this would cause some issues.

Regards
Swathi Krishna

Aaron_K_van_Meerten · March 2, 2021, 5:38pm

The problem is your sub. You’ll need it to just be ‘mutipath’

swathikrishna_guru · March 3, 2021, 8:06pm

@Aaron_K_van_Meerten

Tried that as well but no luck.

I dont have below config added. Do you think think that would cause some issues?

asap_accepted_issuers = {“your_issuer”}
asap_accepted_audiences = {“your_audiences”}

if so what would be the values here?

Regards
Swathikrishna

swathikrishna_guru · March 3, 2021, 8:16pm

@Aaron_K_van_Meerten Still gives me the error below.

warn Error on public key request: Code 0, Content certificate-chain-invalid
general warn Error verifying token err:not-allowed, reason:could not obtain public key
^C

Aaron_K_van_Meerten · March 3, 2021, 8:21pm

If the error is that you could not obtain the public key, then I would study the ‘kid’ field and ensure that you have the SHA256 correct. Ensure you have no newlines or any other whitespace when calculating this value, it should be just the SHA256 of the ‘kid’ field. Then ensure you can fetch this key from the URL you specify with no other configuration. Be sure the server doesn’t require SNI for its SSL access, as the lua http code currently doesn’t support this.

swathikrishna_guru · March 3, 2021, 8:27pm

@Aaron_K_van_Meerten I have validated that already my kid is testing and pem is cf80cd8aed482d5d1527d7dc72fceff84e6326592848447d2dc0b0e87dfc9a90.pem.

Aaron_K_van_Meerten · March 3, 2021, 8:46pm

Then the next step is to ensure you can actually fetch the key from your URL without using SNI. If you have the ability to temporarily use http instead of https, I suggest trying that and seeing if it fixes the issue. If so, then your host may require SNI for SSL (sites such as custom hostnames for AWS cloudfront require SNI, some shared hosts do too). If that’s the case, you may need to set up a proxy on nginx on the same host and then fetch keys through that proxy. This isn’t by default supported in the container setup, so it’s going a little far afield for this feature.

swathikrishna_guru · March 3, 2021, 9:19pm

Great, It worked with http. I will check on SNI part, Thank you very much.

I have another issue also, The JWT I generated for https://mydomain.com/tenant1/meeting1 is working for https://mydomain.com/tenant2/meeting as well. Is that expected behaviour?

swathikrishna_guru · March 3, 2021, 9:24pm

@Aaron_K_van_Meerten is this are you aware of?