Self-hosted jitsi meet - implementing jwt auth when using the iFrame API

Mehran_Aghazadeh · February 18, 2021, 8:18pm

I’m setting a self-hosting jitsi meet, looking for a solution for implementing jwt auth when using the iFrame API.

shawn · February 18, 2021, 8:41pm

You can enable JWT auth in your jitsi setup but installing and configuring the token plugin:

jitsi/lib-jitsi-meet/blob/master/doc/tokens.md#installing-token-plugin

JWT token authentication Prosody plugin
==================

This plugin implements Prosody authentication provider that verifies client connection based on JWT token described in [RFC7519].
It allows to use any external form of authentication with lib-jitsi-meet. Once your user authenticates you need to
generate the JWT token as described in the RFC and pass it to your client app. Once it connects with valid token is considered authenticated by jitsi-meet system.

During configuration you will need to provide the *application ID* that identifies the client and a *secret* shared by both server and JWT token generator. Like described in the RFC, secret is used to compute HMAC hash value which allows to authenticate generated token. There are many existing libraries which can be used to implement token generator. More info can be found here: [http://jwt.io/#libraries-io]

JWT token authentication currently works only with BOSH connections.

[RFC7519]: https://tools.ietf.org/html/rfc7519
[http://jwt.io/#libraries-io]: http://jwt.io/#libraries-io

### Token structure

The following JWT claims are used in authentication token:
- 'iss' specifies *application ID* which identifies the client app connecting to the server. It should be negotiated with the service provider before generating the token.
- 'room' contains the name of the room for which the token has been allocated. This is *NOT* full MUC room address. Example assuming that we have full MUC 'conference1@muc.server.net' then 'conference1' should be used here.  Alternately, a '*' may be provided, allowing access to all rooms within the domain.
- 'exp' token expiration timestamp as defined in the RFC

This file has been truncated. show original

There are also links to a few installation guides in this post that sets up Jitsi with JWT auth support - JWT Tokens Install Guide - #11 by umitdogan

As for the iFrame API, you should be able to pass in the token when initialising the API, i.e.

const options = {
   ...
   jwt: '<jwt_token>',
   ...
};
const api = new JitsiMeetExternalAPI(domain, options);

Mehran_Aghazadeh · February 18, 2021, 9:15pm

Thanks for replying my post. We will follow your instructions and hopefully get it work.

Would you know how can we implement websocket events, also when self-hosting and using iFrame?