New to Jitsi - this is what I try to achieve

Hi all and thank you for a wonderful and living community!

I am rather new to Jitsi and I am struggling with a very specific requirement.

First a little bit about my setup:
I do not run the docker appliance. Instead Jitsi runs in an Ubuntu 22.04 LTS LXC with snapshotting enabled. All works and I can reach my Jitsi instance and start conferences as well as join them, so all port forwardings and reverse proxy rules using TCP SSL passthrough are working flawlessly. The current snapshot running is the result of following the official Jitsi setup guide - without secure domain.

Now to what I have been struggling with.

I am running Nextcloud as well. Nextcloud has an app which is essentially just a bot and an iFrame. The bot generates a URL that will create a room, and joining the conference is also a button in the Nextcloud interface. It is optional to add a JWT token for authentication. When joining using the button, the bot ensures that you join the meeting with your name and avatar taken from Nextcloud. It is rather simple and works very well.

However, I would like to allow only the specific JWT token to be able to create rooms, and only if joining the meeting with that token are you a moderator. Guests can join without any need for authentication, but will have to wait in the lobby until accepted by a moderator.

I have followed many threads here in the community and other articles using the token plugin, but so far nothing has worked as expected.

Please help.

Hi there and welcome to our community!

You probably want to use this plugin: prosody-plugins/token_affiliation at main · jitsi-contrib/prosody-plugins · GitHub

Yes, I tried that one. However I followed the guides in that one, and everyone could still join the room and be moderators. So I am very confident I know which plugins to use, but so far the guides did not work for me.
However, in truth I do not need to define specific tokens, only whether authenticated BY token.

I will only have one token, which will be the same one used by all my users of Nextcloud (who will have access to use this bot). This bot has room for ONE token. EVERYONE else is a guest. So I am pretty sure I could solve this with one domain for moderators which requires auth (that one token) and another which allows anonymous, but where I simply have removed/commented out the moderator features, including creating rooms. However, this is just an assumption based on nothing but logic and not on anything Jitsi.

After the standard installation:

  • Install jitsi-meet-tokens package
apt-get install jitsi-meet-tokens
  • Create guest domain (exactly with the same content below)

/etc/prosody/conf.avail/guest.cfg.lua

VirtualHost "guest.domain.loc"
    authentication = "anonymous"
    c2s_require_encryption = false
  • Create symbolic link for this domain
ln -s ../conf.avail/guest.cfg.lua /etc/prosody/conf.d/
  • Comment out token_verification in your /etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua (no, this is not a security issue)
--"token_verification";
  • Restart prosody
systemctl restart prosody.service
  • Enable external XMPP authentication for jicofo
DOMAIN=$(hocon -f /etc/jitsi/jicofo/jicofo.conf get jicofo.xmpp.client.xmpp-domain)

hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.enabled true
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.type XMPP
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.login-url $DOMAIN
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.authentication-lifetime "3600 seconds"
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.conference.enable-auto-owner false

systemctl restart jicofo.service
  • Set anonymousdomain in config.js
echo "config.hosts.anonymousdomain = 'guest.domain.loc';" >> /etc/jitsi/meet/*-config.js
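
A read-only check of the state the steps above should leave behind, as an added example that is not part of the original post. The function name `check_setup`, the root-prefix argument (for running against a copy of `/etc`) and the expectation that `jitsi-meet-tokens` leaves `authentication = "token"` on the main domain are assumptions; paths are the default package paths used in the steps.

```shell
#!/bin/sh
# Added example: read-only audit of the setup steps above (not from the thread).
# Assumptions: default Debian/Ubuntu paths; the root prefix is for testing on a copy.

note() { echo "FAIL: $1"; fail=1; }

check_setup() {
    root=$1; domain=$2; fail=0
    guest="$root/etc/prosody/conf.avail/guest.cfg.lua"
    main="$root/etc/prosody/conf.d/$domain.cfg.lua"
    jicofo="$root/etc/jitsi/jicofo/jicofo.conf"
    webcfg="$root/etc/jitsi/meet/$domain-config.js"

    for f in "$guest" "$main" "$jicofo" "$webcfg"; do
        [ -r "$f" ] || { note "cannot read $f"; return 1; }
    done

    # Guest VirtualHost: anonymous and linked into conf.d.
    grep -Eq '^[[:space:]]*VirtualHost[[:space:]]+"guest\.domain\.loc"' "$guest" \
        || note "guest VirtualHost not defined"
    grep -Eq '^[[:space:]]*authentication[[:space:]]*=[[:space:]]*"anonymous"' "$guest" \
        || note "guest domain is not anonymous"
    [ -e "$root/etc/prosody/conf.d/guest.cfg.lua" ] \
        || note "guest.cfg.lua is not linked into conf.d"

    # Main domain: token auth (assumed to be what jitsi-meet-tokens configures),
    # with token_verification commented out as the steps instruct.
    grep -Eq '^[[:space:]]*authentication[[:space:]]*=[[:space:]]*"token"' "$main" \
        || note "main domain does not use token authentication"
    if grep -Eq '^[[:space:]]*"token_verification"' "$main"; then
        note "token_verification is still enabled"
    fi

    # Jicofo: XMPP authentication on, first joiner must not become owner.
    grep -Eq 'type"?[[:space:]]*[=:][[:space:]]*"?XMPP' "$jicofo" \
        || note "jicofo authentication type is not XMPP"
    grep -Eq 'enable-auto-owner"?[[:space:]]*[=:][[:space:]]*"?false' "$jicofo" \
        || note "enable-auto-owner is not false: any first joiner becomes moderator"

    # Web client: unauthenticated users are sent to the guest domain.
    grep -Eq "^[[:space:]]*(config\.hosts\.)?anonymousdomain[[:space:]]*[:=][[:space:]]*['\"]guest\.domain\.loc['\"]" "$webcfg" \
        || note "anonymousdomain is not set in config.js"

    return "$fail"
}

# On the server: sh audit.sh <your-domain>
if [ "$#" -eq 1 ]; then check_setup "" "$1"; fi
```
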

Thank you! I will try this. :slight_smile:

The guest domain as described in documentation? : guest.<domain as defined during install>
Or as a true separate domain,
e.g.:
meet.mydomain.dom → Set during installation
guest.meet.mydomain.dom → In the guest.cfg.lua ?

This is a virtualhost, so use exactly the same content and filename. Don't set your real domain name.

Thank you. Authentication is there when entering the room, but the room is created. But I guess it is destroyed again when leaving it?

Yes, rooms are ephemeral. A room is created when a moderator joins and destroyed when the last person leaves.

Well, I'll be damned. It works. Thank you!

Snap, it seems I have to use that specified tokens approach after all. :frowning:

Hmm. Using the link without logging in to Nextcloud, I am still logged in as moderator, but at least I have to manually provide a profile (name, optional avatar etc). I cannot create rooms, but I still come in as moderator. :frowning:

If you are logged in, it keeps your session for 3600 seconds.

See

hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.authentication-lifetime "3600 seconds"

Use an incognito window while testing.

I found the solution. It DOES work. It is just not so user friendly to invite participants. :slight_smile: It just needs the right URL to the right room and all is fine. Thank you.

Because it goes through the Nextcloud server, basically being an iframe, I just need to set up some cross-domain policies.