Prosody JWT Auth, Specific Error

Hello,

Thanks for making Jitsi, it seems like a great project and the Docker images have been really good for helping me get a development version of an app to an MVP state.

We are now adding room authentication from our site to our custom Jitsi Meet server with JWT authentication.

I am getting the following error in the Prosody logs:

prosody_1 | general warn Error verifying token err:not-allowed, reason:Invalid typ

I read elsewhere in the forums that I could go stick some logs into the Lua scripts that power this, so I did that. Here’s my own log of the token and a traceback to where the error is occurring:

prosody_1 | mod_bosh info New BOSH session, assigned it sid ‘fa7f1b49-75c2-46ad-8452-3f34b0322f2b’
prosody_1 | general info My token:eyJhbGciOiJIUzUxMiJ9.eyJhdWQiOiJ0b2dldGhyLmFwcCIsImlzcyI6InRvZ2V0aHIuYXBwIiwiZXhwIjoxNTg2MjIxNTQ1LCJyb29tIjoidGVzdGVyd2l0aGp3dGFlZWEyY2M1NmFmMjIwZGZmMTY4In0.iGoCbsj-bvSe8tbmg7Qyea0k8N7ajvYqyULMnpawx9s0_zMlL_A9MLjbgN3R16BnIputtKpGE1K9FGRzhSDeIQ
web_1 | 172.24.0.1 - - [06/Apr/2020:21:00:47 -0400] “POST /http-bind?room=testerwithjwtaeea2cc56af220dff168&token=eyJhbGciOiJIUzUxMiJ9.eyJhdWQiOiJ0b2dldGhyLmFwcCIsImlzcyI6InRvZ2V0aHIuYXBwIiwiZXhwIjoxNTg2MjIxNTQ1LCJyb29tIjoidGVzdGVyd2l0aGp3dGFlZWEyY2M1NmFmMjIwZGZmMTY4In0.iGoCbsj-bvSe8tbmg7Qyea0k8N7ajvYqyULMnpawx9s0_zMlL_A9MLjbgN3R16BnIputtKpGE1K9FGRzhSDeIQ HTTP/1.1” 200 549 “https://localhost:8443/testerwithjwtaeea2cc56af220dff168?jwt=eyJhbGciOiJIUzUxMiJ9.eyJhdWQiOiJ0b2dldGhyLmFwcCIsImlzcyI6InRvZ2V0aHIuYXBwIiwiZXhwIjoxNTg2MjIxNTQ1LCJyb29tIjoidGVzdGVyd2l0aGp3dGFlZWEyY2M1NmFmMjIwZGZmMTY4In0.iGoCbsj-bvSe8tbmg7Qyea0k8N7ajvYqyULMnpawx9s0_zMlL_A9MLjbgN3R16BnIputtKpGE1K9FGRzhSDeIQ” “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0”
prosody_1 | general info TRACEBACK: [stack traceback:
prosody_1 | /prosody-plugins/token/util.lib.lua:199: in function ‘verify_token’
prosody_1 | /prosody-plugins/token/util.lib.lua:276: in function ‘process_and_verify_token’
prosody_1 | /prosody-plugins/mod_auth_token.lua:71: in function ‘anonymous’
prosody_1 | /prosody-plugins/mod_auth_token.lua:108: in function </prosody-plugins/mod_auth_token.lua:103>
prosody_1 | (…tail calls…)
prosody_1 | /usr/lib/prosody/modules/mod_saslauth.lua:77: in function </usr/lib/prosody/modules/mod_saslauth.lua:66>
prosody_1 | (…tail calls…)
prosody_1 | /usr/lib/prosody/util/events.lua:79: in function </usr/lib/prosody/util/events.lua:75>
prosody_1 | (…tail calls…)
prosody_1 | /usr/lib/prosody/core/stanza_router.lua:142: in function ‘dispatch_stanza’
prosody_1 | /usr/lib/prosody/modules/mod_bosh.lua:305: in function ‘func’
prosody_1 | /usr/lib/prosody/util/async.lua:127: in function </usr/lib/prosody/util/async.lua:125>]
prosody_1 | general info ERROR: [Invalid typ]
prosody_1 | general warn Error verifying token err:not-allowed, reason:Invalid typ

Here’s my JWT:

eyJhbGciOiJIUzUxMiJ9.eyJhdWQiOiJ0b2dldGhyLmFwcCIsImlzcyI6InRvZ2V0aHIuYXBwIiwiZXhwIjoxNTg2MjIxNTQ1LCJyb29tIjoidGVzdGVyd2l0aGp3dGFlZWEyY2M1NmFmMjIwZGZmMTY4In0.iGoCbsj-bvSe8tbmg7Qyea0k8N7ajvYqyULMnpawx9s0_zMlL_A9MLjbgN3R16BnIputtKpGE1K9FGRzhSDeIQ

The secret is: 51f1b46bda93ae5919785633437b2063xx

JWT.io confirms that the JWT is valid.

I have my Prosody config app_id set to togethr.app and the room name is correct.

What am I missing?
Thanks!

Note: I’ve included “secrets” in this post, but they are just dev data. Nothing private is being leaked.

According to JWT.io it’s an HS512 token. I think it needs to be HS256.

Hi DrMatt, thanks for the very quick reply!

Unfortunately, I get the same error with that algorithm selected.
Here’s the new JWT I tried:

eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJ0b2dldGhyLmFwcCIsImlzcyI6InRvZ2V0aHIuYXBwIiwiZXhwIjoxNTg2MjIyNDUwLCJyb29tIjoidGVzdGVyd2l0aGp3dGFlZWEyY2M1NmFmMjIwZGZmMTY4In0.oYYNKSXIj4uX7o4pRRqYmb0Spfc7UlAxXlHV9wNTxyA

Are there any docs that specify more about the parameters necessary when generating the JWT for Jitsi Meet?

Cheers,
Georges

Here’s the docs I used:


Looks like there’s a few parameters you’re missing. It also says something about needing valid values for all parameters, i.e. no null values.


DrMatt, you’ve cracked it. Thanks for the link to those docs.

I was missing the “typ” key in the header of the token. I’ve never seen that as required before, but adding it works.

There are so many Jitsi projects with so many docs spread around… it’s really incredibly hard to figure out the path forward sometimes.

Thanks a lot!

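The failure resolved in this thread, as an added Python example (not code from the posters or from Jitsi): a token can carry a valid HMAC signature and still be rejected for a missing typ header, so the header is checked separately from the signature. The claims, secret and function names are constructed for illustration, and the expected value "JWT" is an assumption taken from RFC 7519, not something stated in the thread.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """Build header.claims.signature with an HMAC-SHA256 signature."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256)
    return signing_input + "." + b64url_encode(mac.digest())


def signature_valid(token: str, secret: bytes) -> bool:
    """Check only the HMAC, which is all a signature validator confirms."""
    signing_input, _, sig = token.rpartition(".")
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256)
    return hmac.compare_digest(b64url_encode(mac.digest()).encode(), sig.encode())


def header_problems(token: str, expected_typ: str = "JWT") -> list:
    """List header defects that a typ-checking verifier would reject."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWT"]
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:
        return ["header is not base64url-encoded JSON"]
    if not isinstance(header, dict) or "typ" not in header:
        return ["header has no typ"]
    if header["typ"] != expected_typ:
        return ["typ is %r, expected %r" % (header["typ"], expected_typ)]
    return []


# Constructed sample data (not the thread's secret or claims).
SECRET = b"constructed-dev-secret"
CLAIMS = {"aud": "example.app", "iss": "example.app",
          "exp": 4102444800, "room": "demo-room"}
WITHOUT_TYP = sign_hs256({"alg": "HS256"}, CLAIMS, SECRET)
WITH_TYP = sign_hs256({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
```

Both constructed tokens pass `signature_valid`, but only `WITH_TYP` returns an empty list from `header_problems`.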