Multitenant deployment of Jitsi

@Aaron_K_van_Meerten

Thanks for explaining it.

So if I have multiple pub keys in my ASAP key server, how do I add all of them in the configmap? Do I need to add multiple lines as below?

JWT_ASAP_KEYSERVER1
JWT_ASAP_KEYSERVER2
JWT_ASAP_KEYSERVER3

Or will this be the folder where all the pub keys reside?

regards
Swathi Ambujakshan

It’s the latter: a single folder where all accepted public keys reside

1 Like

@Aaron_K_van_Meerten @damencho

After some effort I could bring up the key server and prosody with the required modules, but I get the error below while accessing a meeting with the token.

muc.test.mydomain.com:muc_domain_mapper warn Session filters applied
mod_bosh info New BOSH session, assigned it sid '5f7ea9d7-135c-4421-a26b-98cc5a3989a1'
test.mydomain.com:auth_token warn Error on public key request: Code 0, Content certificate-chain-invalid
general warn Error verifying token err:not-allowed, reason:could not obtain public key
jcp564a103d3be0 info Incoming Jabber component connection

Header

{
  "kid": "test.pub",
  "typ": "JWT",
  "alg": "RS256"
}

Payload

{
  "context": {
    "user": {
      "avatar": "https://gravatar.com/avatar/abc123",
      "name": "John Doe",
      "email": "jdoe@example.com"
    }
  },
  "aud": "jitsi",
  "iss": "my_app_id",
  "sub": "https://test.mydomain.com/",
  "room": "*",
  "moderator": true
}

Verify signature

RSASHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  <my private key added here>,
  <my public key added here>
)

I can access the key using the website URL path added in the configmap as below.

AUTH_TYPE: jwt
JWT_APP_ID: my_app_id
JWT_ASAP_KEYSERVER: https://url.xxxx/keys

Any help would be highly appreciated.

@Aaron_K_van_Meerten

Also, I have created key pairs using ssh-keygen and the pub key (test.pub) is copied under the nginx webserver where it serves key files.

so my url is https://keyserver/keys/test.pub
Is that the correct way of doing it?

Nope, the name should be as in jitsi-meet/util.lib.lua at dd1f8339b18130627f441c36963e390acee66f09 · jitsi/jitsi-meet · GitHub
There is a simpler example I need to find

Nope, cannot find it, but there are multiple posts in the forum if you search for kid and jwt

@damencho That makes sense, I have converted my kid to SHA256 using the URL below

SHA-256 Cryptographic Hash Algorithm implemented in JavaScript | Movable Type Scripts.

and renamed my pub key to the sha256 name + .pem (something like ba7816bf8f01cfea414140de5dae2223b00361a39617.pem)

Now the error is as below.

warn Error on public key request: Code 0, Content certificate-chain-invalid
general warn Error verifying token err:not-allowed, reason:could not obtain public key

@Aaron_K_van_Meerten will ssh RSA keys work here?

No, only RSA keys generated e.g. via openssl

@Aaron_K_van_Meerten Tried all the possible ways, still not working.

OK so here’s a breakdown of the process:
Decide on a new kid, like:
my-new-kid-2021-03-01

Calculate the sha256 of this string, like: a321cebb1ff30c9dd8f1f775c7fbcb16784bbee6403e42e1d069ce58062468db

Generate a new RSA private key via:

openssl genrsa -out my-new-kid-2021-03-01.pem 2048

Next, generate the public side:

openssl rsa -in my-new-kid-2021-03-01.pem -outform PEM -pubout -out a321cebb1ff30c9dd8f1f775c7fbcb16784bbee6403e42e1d069ce58062468db.pem

Copy the public side to a web-accessible URL like:
https://keyserver.example.com/keys/a321cebb1ff30c9dd8f1f775c7fbcb16784bbee6403e42e1d069ce58062468db.pem

Configure prosody to look for keys in this location via prosody.cfg.lua or other files:

asap_accepted_issuers = {"your_issuer"}
asap_accepted_audiences = {"your_audiences"}

VirtualHost "meet.example.com"
    asap_key_server = "https://keyserver.example.com/keys"

Finally, submit a JWT with the ‘kid’ in the header, and a payload that has aud, iss, exp, room and sub set as described here:

An example payload looks like the following for access to https://meet.example.com/sometenant/MyRoomName:
Header:

{
  "alg": "RS256",
  "kid": "my-new-kid-2021-03-01",
  "typ": "JWT"
}

Payload:

{
  "aud": "jitsi",
  "context": {
    "user": {
      "id": "WTFBBQ12345",
      "name": "some guy",
      "avatar": "https://avatars.example.com/someguy.jpg"
    },
    "group": "sometenantgroupid"
  },
  "exp": 1614702388,
  "iss": "chat",
  "nbf": 1614615988,
  "room": "MyRoomName",
  "sub": "sometenant"
}

3 Likes

@Aaron_K_van_Meerten I have exactly followed the same steps you have mentioned in the previous reply.

The only difference is in the payload. My payload as follows.

{
  "context": {
    "user": {
      "avatar": "https://gravatar.com/avatar/abc123",
      "name": "somthing",
      "email": "some@example.com"
    }
  },
  "aud": "xxxx",
  "iss": "app_id_custom_id",
  "sub": "https://mydomain.com/mutipath",
  "room": "*",
  "moderator": true
}

Also I generated the payload from https://jwt.io/ where it also asks to add the private key to generate the JWT.

Do you think this would cause some issues?

Regards
Swathi Krishna

The problem is your sub. You’ll need it to just be ‘mutipath’

@Aaron_K_van_Meerten

Tried that as well but no luck.

I don't have the below config added. Do you think that would cause some issues?

asap_accepted_issuers = {"your_issuer"}
asap_accepted_audiences = {"your_audiences"}

if so what would be the values here?

Regards
Swathikrishna

@Aaron_K_van_Meerten Still gives me the error below.

warn Error on public key request: Code 0, Content certificate-chain-invalid
general warn Error verifying token err:not-allowed, reason:could not obtain public key

If the error is that you could not obtain the public key, then I would study the ‘kid’ field and ensure that you have the SHA256 correct. Ensure you have no newlines or any other whitespace when calculating this value, it should be just the SHA256 of the ‘kid’ field. Then ensure you can fetch this key from the URL you specify with no other configuration. Be sure the server doesn’t require SNI for its SSL access, as the lua http code currently doesn’t support this.
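A worked version of the breakdown posted earlier in this thread (decide a kid, hash it, name the public key sha256(kid).pem, sign with the kid in the header) together with the whitespace advice just above, added here as an example; it is not code from jitsi-meet, the Docker setup, or either poster. It assumes openssl on PATH and uses a local temporary directory in place of the asap_key_server URL; the kid, payload fields and file names are constructed sample values. The sha256 helper uses printf '%s' so that no newline is hashed, and verify_token mirrors the lookup Prosody performs (read kid from the header, fetch sha256(kid).pem, check the RS256 signature), reporting "could not obtain public key" when no file of that name exists.

```shell
#!/bin/sh
# Added example, not code from jitsi-meet or from the posts above.
# Public key file name = sha256(kid) + ".pem"; JWT header carries that kid;
# the verifier looks the key up by that name and checks the RS256 signature.
# Assumes: openssl on PATH; a local directory stands in for the key server.
set -e

# sha256 of the kid with NO trailing newline: printf '%s', never echo.
kid_to_keyfile() {
  printf '%s' "$1" | openssl dgst -sha256 | awk '{printf "%s.pem\n", $NF}'
}

# base64url (RFC 7515): standard base64 with '+/' -> '-_' and no '=' padding.
b64url() {
  openssl base64 -A | tr '/+' '_-' | tr -d '='
}

b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# make_token KID PRIVATE_KEY_PEM PAYLOAD_JSON -> compact JWS (header.payload.sig)
make_token() {
  header=$(printf '{"alg":"RS256","kid":"%s","typ":"JWT"}' "$1" | b64url)
  payload=$(printf '%s' "$3" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" \
        | openssl dgst -sha256 -sign "$2" -binary | b64url)
  printf '%s.%s.%s\n' "$header" "$payload" "$sig"
}

# verify_token TOKEN KEY_DIR: the steps the ASAP path takes, with KEY_DIR
# standing in for the HTTP fetch from asap_key_server.
verify_token() {
  header=${1%%.*}; rest=${1#*.}
  payload=${rest%%.*}; sig=${rest#*.}
  kid=$(printf '%s' "$header" | b64url_decode | sed 's/.*"kid":"\([^"]*\)".*/\1/')
  keyfile="$2/$(kid_to_keyfile "$kid")"
  if [ ! -f "$keyfile" ]; then
    echo "could not obtain public key for kid '$kid' (wanted $keyfile)" >&2
    return 1
  fi
  sigfile=$(mktemp)
  printf '%s' "$sig" | b64url_decode > "$sigfile"
  if printf '%s.%s' "$header" "$payload" \
     | openssl dgst -sha256 -verify "$keyfile" -signature "$sigfile" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$sigfile"
  return $rc
}

# Demo with constructed values: generate a key pair, publish the public half
# under the sha256(kid) name, mint a token and verify it.
demo() {
  dir=$(mktemp -d)
  kid="my-new-kid-2021-03-01"
  openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null
  openssl rsa -in "$dir/private.pem" -pubout -out "$dir/$(kid_to_keyfile "$kid")" 2>/dev/null
  now=$(date +%s)
  payload=$(printf '{"aud":"jitsi","iss":"chat","sub":"sometenant","room":"MyRoomName","exp":%d,"nbf":%d}' \
            $((now + 3600)) $((now - 60)))
  token=$(make_token "$kid" "$dir/private.pem" "$payload")
  verify_token "$token" "$dir"
  echo "token for kid '$kid' verified against $(kid_to_keyfile "$kid")"
  # same signing key but a kid with no sha256(kid).pem on the server: rejected
  ! verify_token "$(make_token "some-other-kid" "$dir/private.pem" "$payload")" "$dir"
  rm -rf "$dir"
}
demo
```

Swap the temporary directory for the directory nginx serves at asap_key_server and the same file names apply; if the fetch in Prosody still fails after the name checks out, the transport (SNI, as discussed below) is the next thing to test, not the key.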

@Aaron_K_van_Meerten I have validated that already: my kid is testing and the pem is cf80cd8aed482d5d1527d7dc72fceff84e6326592848447d2dc0b0e87dfc9a90.pem.

Then the next step is to ensure you can actually fetch the key from your URL without using SNI. If you have the ability to temporarily use http instead of https, I suggest trying that and seeing if it fixes the issue. If so, then your host may require SNI for SSL (sites such as custom hostnames for AWS cloudfront require SNI, some shared hosts do too). If that’s the case, you may need to set up a proxy on nginx on the same host and then fetch keys through that proxy. This isn’t by default supported in the container setup, so it’s going a little far afield for this feature.

1 Like

Great, it worked with http. I will check on the SNI part, thank you very much.

I have another issue also: the JWT I generated for https://mydomain.com/tenant1/meeting1 is working for https://mydomain.com/tenant2/meeting as well. Is that expected behaviour?

@Aaron_K_van_Meerten are you aware of this?