New to Jitsi - this is what I try to achieve

Hi all and thank you for a wonderfull and living community!

I am rather new to Jitsi and I am struggling with a very specific requirement.

First a little bit about my setup:
I do not run the docker appliance. Instead jitsi runs in an Ubuntu 22.04 LTS LXC with snapshotting enabled. All works and I can reach my jitsi instance and start conferences as well as join them so all port forwardings, and reverse proxy rules using TCP ssl passthrough is working flawlessly. The current snapshot running is the result of following the official Jitsi setup guide - without secure domain.

Now to what I have been struggling with.

I am running Nextcloud aswell. Nextcloud has an app which is essentially just a bot and an iFrame. The bot is generating an URL that will create a room, and joining the conference, is also a button in the Nextcloud interface. It is optional to add a JWT token for authentication. When joining using the button, the bot ensures that you joins the meeting with your name and avatar taken from Nextcloud. It is rather simple and works very well.

However. I would like to allow only the specific JWT token to be able create rooms, and only if joining the meeting with that token, are you a moderator. Guests can join without any need for authentication, but will have to wait in the lobby until accepted by a moderator.

I have followed many threads here in community and other articles using the token plugin but so far nothing has worked as expected.

Please help.

Hi there and welcome to our community!

You probably want to use this plugin: prosody-plugins/token_affiliation at main · jitsi-contrib/prosody-plugins · GitHub

Yes, I tried that one. However I followed the guides in that one, and everyone could still join the room and be moderators. So I am very confident I knows which plugins to use, but so far the guides did not work for me.
However in truth I do not need to define specific tokens, only if authenticated BY token.

I will only have one token, which will be the same used by all my users of nextcloud (who will have access to use this bot). This bot has room for ONE token. EVERYONE else is guests. So I am pretty sure I could solve this with one domain for moderators which requires auth (that one token) and another which allows anonymous, but where I simply just have removed the features/comment blocked the moderator features including creating rooms. However this just an assumption based on nothing but logic and not on anything Jitsi.

After the standard installation:

  • Install jitsi-meet-tokens package
apt-get install jitsi-meet-tokens
  • Create guest domain (exactly with the same content below)


VirtualHost "guest.domain.loc"
    authentication = "anonymous"
    c2s_require_encryption = false
  • Create symbolic link for this domain
ln -s ../conf.avail/guest.cfg.lua /etc/prosody/conf.d/
  • Comment token_verification in your /etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua (no, this is not a security issue)
  • Restart prosody
systemctl restart prosody.service
  • Enable external XMPP authentication for jicofo
DOMAIN=$(hocon -f /etc/jitsi/jicofo/jicofo.conf get jicofo.xmpp.client.xmpp-domain)

hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.enabled true
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.type XMPP
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.login-url $DOMAIN
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.authentication-lifetime "3600 seconds"
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.conference.enable-auto-owner false

systemctl restart jicofo.service
  • Set anonymousdomain in config.js
echo "config.hosts.anonymousdomain = 'guest.domain.loc';" >> /etc/jitsi/meet/*-config.js

Thank you! I will try this. :slight_smile:

The guest domain as described in documentation? : guest.<domain as defined during install>
Or as a true seperate domain
meet.mydomain.dom → Set during installation → In the guest.cfg.lua ?

This is a virtualhost, so use exactly the same content and filename. Dont set your real domain name

Thank you. Authentication is there. when entering the room, but the room is created. But I guess it is destroyed again when leaving it?

Yes, rooms are ephemeral. It is created when moderator joins and destroyed when the last person leaves

Well I be damned. It works. Thank you!

Snap it seems I have to use that specified tokens approach after all. :frowning:

Hmm. Using the link without logging in to nextcloud, I am still loggedin as moderator, but at least I has to manually provide profile (name, optional avatar etc). I cannot create rooms, but I still comes in as moderator. :frowning:

If you are logged in, it keeps your session for 3600 seconds


hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.authentication-lifetime "3600 seconds"

Use incognito window while testing

I found the solution. It DOES work. It is just not so user friendly to invite participants. :slight_smile: Just needs the right url to the right room and all is fine. Thank you.

Because it goes through the nextcloud server basically being an iframe, I just needs to setup some crossdomain policies.