Rocket + Jitsi - How setup authenticated and anonymous access together

Hi guys!

I’ve successfully implemented the JWT Authentication from RocketChat to Jitsi, allowing only users coming from Rocket to successfully create rooms.
Now I would like to let anonymous users who don’t have the token (e.g. they have received the room link from an authenticated user) join already existing rooms while still preventing them from creating new ones.
Is it possible to do so? How?

I’m currently using prosody trunk 1186.

Thanks very much to anyone willing to help me.

No, sorry, there is no such option.

Not even by using the guest domain and the authenticated domain features?

This is possible, but you need to disable jwt.


If I disable JWT, which other method of authentication is it possible to use? LDAP? CAS?

Whatever is supported by prosody and the following: https://github.com/jitsi/jicofo#secure-domain
There are people from the community using LDAP. There are problems during setup I had seen, but I know some are using it; I have no experience with those, though.

Thanks for your reply and help. What if I do some scripting to allow that function of guests accessing only already-created rooms? I think you stated something about that in this other thread:

So, at the moment, it is not possible to have JWT authorization enabled and allow anonymous joining of video calls at the same time?

Hi pjsft,

Actually, I’ve managed to do it just by customizing the lua of the virtualhost, no module modification involved. Don’t ask me how, but it works. This way, only moderators with a JWT token can create rooms. Guest users can only join rooms that have already been created by moderators, by using the link to the room.
Here’s the config (with secrets and host anonymized):

-- Plugins path gets uncommented during jitsi-meet-tokens package install - that's where token plugin is located
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }
allow_registration = true
VirtualHost "test.myhost.it"
        allow_registration = true
        -- enabled = false -- Remove this line to enable this host
        authentication = "token"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        app_id="******"
        app_secret="******"
        allow_empty_token=false
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/test.myhost.it.key";
                certificate = "/etc/prosody/certs/test.myhost.it.crt";
        }
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
        }

        c2s_require_encryption = false

VirtualHost "guest.test.myhost.it"
    authentication = "token"
    app_id = "******"
    app_secret = "*******"
    allow_empty_token = true
    c2s_require_encryption = false

Component "conference.test.myhost.it" "muc"
    storage = "internal"
    muc_room_cache_size = 100
    modules_enabled = { "token_verification" }
    restrict_room_creation = true
admins = { "focus@auth.test.myhost.it" }

Component "jitsi-videobridge.test.myhost.it"
    component_secret = "******"

VirtualHost "auth.test.myhost.it"
    ssl = {
        key = "/etc/prosody/certs/auth.test.myhost.it.key";
        certificate = "/etc/prosody/certs/auth.test.myhost.it.crt";
    }
    authentication = "internal_plain"

Component "focus.test.myhost.it"
    component_secret = "*******"

Have been wrestling with this for a while, and this seems to work for me as well.

I think the key here is that both the primary domain and the guest domain are token authenticated; it's just that the primary domain has allow_empty_token = false and the guest domain has allow_empty_token = true in /etc/prosody/conf.avail/jitsi.example.com.cfg.lua.

VirtualHost "jitsi.example.com"
    authentication = "token"
    app_id = 'jitsi.example.com'
    app_secret = 'supersecret'
    ssl = {
        key = "/var/lib/prosody/jitsi.example.com.key";
        certificate = "/var/lib/prosody/jitsi.example.com.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "presence_identity";
    }
    allow_empty_token = false
    c2s_require_encryption = false

VirtualHost "guest.jitsi.example.com"
    authentication = "token"
    app_id = 'jitsi.example.com'
    app_secret = 'supersecret'
    allow_empty_token = true
    c2s_require_encryption = false

and later on…

Component "conference.jitsi.example.com" "muc"
    modules_enabled = { "token_verification" }

When set up this way, JWT authenticated users can create a room, but anonymous users see a “waiting for host” dialog rather than a username/password prompt.


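To make the two-VirtualHost setup from the posts above concrete, here is an added example (not code from the thread, prosody or Jitsi) that mints and verifies a Jitsi-style HS256 JWT with only the Python standard library and then applies the admission rule the posts describe: the main host rejects an empty token, the guest host accepts one but can only join rooms that already exist. The claim layout (iss = app_id, room claim with "*" wildcard, exp) and the host table are assumptions modelled on the configs shown, and the "wait-for-host" outcome models the dialog reported rather than prosody's own code.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

APP_ID = "jitsi.example.com"   # mirrors app_id in the posted prosody config
APP_SECRET = "supersecret"     # constructed sample value, mirrors app_secret

# Assumed model of the two VirtualHosts from the thread: same secret, different allow_empty_token.
VIRTUAL_HOSTS = {
    "jitsi.example.com": {"allow_empty_token": False},
    "guest.jitsi.example.com": {"allow_empty_token": True},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(room: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Build the HS256 JWT the chat side would hand to a user (assumed claim layout)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": APP_ID, "aud": "jitsi", "sub": APP_ID, "room": room, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(APP_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, room: str, now: Optional[int] = None) -> bool:
    """Check signature (constant-time), issuer, expiry and room claim ("*" matches any room)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        expected = hmac.new(APP_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return False
    if claims.get("iss") != APP_ID or int(claims.get("exp", 0)) <= now:
        return False
    token_room = str(claims.get("room", ""))
    return token_room == "*" or token_room.lower() == room.lower()

def admit(host: str, token: Optional[str], room: str, room_exists: bool, now: Optional[int] = None) -> str:
    """Admission decision for a user arriving on one of the modelled VirtualHosts."""
    if token is None:
        if not VIRTUAL_HOSTS.get(host, {}).get("allow_empty_token", False):
            return "reject"                       # main host: no token, no access
        return "join" if room_exists else "wait-for-host"  # guest host: join only existing rooms
    return "create-or-join" if verify_token(token, room, now) else "reject"
```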

Can I run a multiple domain Jicofo in a mixed authentication mode? We want to offer a “bulk” service, which is open and anonymous with lower quality (bandwidth, …) and a “pro.meeting.tld” domain, where only authenticated users can start a conference.

I already tried to set up a second prosody domain. But it seems that jicofo/config only allows setting exactly one JICOFO_HOSTNAME. When not setting this, jicofo says that focus.localhost is not found, but renaming that component in the prosody lua to focus.localhost does not work either. Any ideas?

Hi @JohnLukeP and @jeffwigal ,

I’m very interested in your solution.
What are your configurations? Debian, Ubuntu, Docker, other?
And what is the configuration of your files?

  • /etc/jitsi/meet/jitsi.example.com-config.js
  • /etc/jitsi/jicofo/sip-communicator.properties