Several Token Auth issues

I’m trying to configure a setup such that only users on my site with the proper permissions can create a new room, or be moderators in an existing room, but anybody can join an existing room with an invite. Also, I want moderators to be able to stream or record meetings.

Anyway, I’m running into a few problems using token authorization… a couple of them are probably config issues, but I think a couple of them might either be bugs or a complete misunderstanding on my part.

I’m using these values in my config.js:

  // If true all users without a token will be considered guests and all users
  // with token will be considered non-guests. Only guests will be allowed to
  // edit their profile.
  enableUserRolesBasedOnToken: true,

  // Whether or not some features are checked based on token.
  enableFeaturesBasedOnToken: true,

  // Custom page on my site that authenticates users, builds a jwt and redirects back to {REFERER_URL}?jwt=x.y.z
  tokenAuthUrl: 'https://myserver.mydomain.us/api/jitsi_token?room={room}&roleUpgrade={roleUpgrade}',

  1. If I create a new room, I’m blocked waiting for the host. I click “I am the host”, and it forwards me to my tokenAuthUrl. After authenticating on my server, it redirects me back to the room with the jwt. My display name shows up as the name in the token, and my profile is not available from the menu. I know the comment in the config says non-guests can’t edit their profile, but it would be nice to be able to view it… the profile is also the only way I know to log out. This is workable for now, but it doesn’t feel right. Not sure if this is a bug report or feature request, but it flows nicely into the next issue.

  2. If I’m logged in with a token and I refresh the page, it seems to lose the token. My profile is visible in the menu again and my display name changes to my profile name… I’m a guest now. Lobby option is gone. Oddly enough, though, I’m still a moderator. What’s more, I can create new rooms or join other rooms and I’m still a moderator. It never tries to fetch a new token, so now I’m always a moderator but also, always a “guest”. This behavior continues until I log out from my profile. It seems the moderator permission from the token gets permanently attached to my session, but none of the other token info persists beyond a page refresh. I don’t know if it’s using the same jid as before with the token, because I can’t view the profile/login info when the token is in use. Bug?

  3. If I create a room, authorize with a token and turn on lobby it seems to work ok at first. I’m prompted to approve when others try to join the room. But if I refresh the page and lose the token, I’m stuck in the lobby. Actually, even if I try to join the room with a jwt included in the URL, I’m still stuck in the lobby. Nobody left in the room gets prompts for lobby approval. Basically the room continues running for the people still in it, but it has become unjoinable. Seems like a bug.

  4. I’m not sure how to use enableFeaturesBasedOnToken. If I turn it on, then both the Live Streaming and Recording menu options are disabled with tooltip: “Guests can’t start live streaming.”, which is what I want. But if I do log in with a token, the buttons are still disabled, but with a different message: e.g. “Start Live Stream disabled”. It seems I need to somehow specifically enable streaming and recording when this config option is on, but I don’t know how to do that.

  5. If I connect to an existing room anonymously, I can open my profile and click the Login button. This opens a new window to my tokenAuthUrl page, which is great. The problem is that if I successfully authenticate, it starts a new session in that popup window and the original window remains connected anonymously. I assume my tokenAuthUrl page is doing the wrong thing here and instead of redirecting on completion, it should be returning the token data to the original page somehow… Just occurred to me: is this what the {roleUpgrade} parameter means? If this is so, what is the data format expected? e.g. http form data (jwt=x.y.z), json ({"jwt":"x.y.z"}), plain text (x.y.z), etc?

@damencho can you help me out?

Thanks!

re: roleUpgrade auth url

I looked back at the code and it seems like maybe the token is supposed to be sent in an SSE message?
I’ve never used these before, but it seems pretty straightforward… tried making my token endpoint send something like:

...
Cache-Control: no-cache
Content-type: text/event-stream

event: message
data: {"jwtToken":"..."}

But no dice… Firefox just wants to save the text/event-stream MIME type as a file. Maybe I misunderstood the intent of the code in AuthHandler.js