[SOLVED] Token Authorization not working when room is specified

Jitsi Meet is set up to use Token authentication. It is working when the room is set to “*”, but not to any specific room.

Working

Header:
{
	"typ":"JWT",
	"alg":"HS256"
}
Payload:
{
	"context":
	{
		"user":
		{
			"avatar":"a080d4168333c9d21a98be2d05a4a27f",
			"name":"someuser",
			"email":"someuser@gmail.com",
			"id":"1"
		},
		"group":"beerfarts"
	},
	"aud":"jitsi",
	"iss":"somehost.com",
	"sub":"beerfarts.somehost.com",
	"room":"*",
	"exp":1622042066
}

URL

https://somehost.com/beerfarts/curious?jwt=mytoken

Not Working

Header:

{
	"typ":"JWT",
	"alg":"HS256"
}

Payload:

{
	"context":
	{
		"user":
		{
			"avatar":"a080d4168333c9d21a98be2d05a4a27f",
			"name":"someuser",
			"email":"someuser@gmail.com",
			"id":"1"
		},
		"group":"beerfarts"
	},
	"aud":"jitsi",
	"iss":"somehost.com",
	"sub":"beerfarts.somehost.com",
	"room":"curious",
	"exp":1622046389
}

URL

https://somehost.com/beerfarts/curious?jwt=someothertoken

The error message is: token_verification error Token someothertoken not allowed to join: [beerfarts]curious@conference.somehost.com/ac0c2162

Can’t figure it out. Please help. @damencho

That should be somehost.com if the link is

At least this is what the doc says: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

Thank you for your reply. I looked at the existing code and I’m not sure this scenario is supported. So, I hacked up a new version of util.lib.lua that seems to work.

For the adventurous, here is a short howto…

This has been tested for token authentication only, no guest login.

Edit your /etc/prosody/conf.avail/[yourhost].cfg.lua.

Find app_secret = “xxxxx” and add these 2 lines:

allow_empty_token = false
enable_domain_verification = true

Make a backup of /usr/share/jitsi-meet/prosody-plugins/token/util.lib.lua

Download util.lib.lua and replace the existing version.

Restart everything (jicofo, jitsi-meet, prosody)

Generate tokens that look like this:

For wildcard rooms (any room):

Header:

{
    "typ":"JWT",
    "alg":"HS256"
}

Payload:

{
    "context":
    {
        "user":
        {
            "avatar":"a080d4168333c9d21a98be2d05a4a27f",
            "name":"someuser",
            "email":"someuser@gmail.com",
            "id":"1"
        },
        "group":"beerfarts"
    },
    "aud":"jitsi",
    "iss":"somehost.com",
    "sub":"somehost.com",
    "room":"*",
    "exp":1622042066
}

This works:

https://somehost.com/beerfarts/curious?jwt=yourtoken

So does this:

https://somehost.com/beerfarts/bobo?jwt=yourtoken

For a room-specific token:

Header:

{
    "typ":"JWT",
    "alg":"HS256"
}

Payload:

{
    "context":
    {
        "user":
        {
            "avatar":"a080d4168333c9d21a98be2d05a4a27f",
            "name":"someuser",
            "email":"someuser@gmail.com",
            "id":"1"
        },
        "group":"beerfarts"
    },
    "aud":"jitsi",
    "iss":"somehost.com",
    "sub":"somehost.com",
    "room":"curious",
    "exp":1622046389
}

This works:

https://somehost.com/beerfarts/curious?jwt=yourNewtoken

This does not:

https://somehost.com/beerfarts/bobo?jwt=yourNewtoken

All the best…

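A way to mint and sanity-check tokens shaped like the ones in the howto above before putting them in a URL. This is an added example, not part of the original posts and not the code of util.lib.lua: the claim checks (sub equals the domain, room equals the requested room or "*") are a simplified model of the behaviour described, and the function names and the secret are placeholders.

```python
import base64, hashlib, hmac, json, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: str, signing_input: str) -> bytes:
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_token(secret, domain, room, group="beerfarts", ttl=3600, now=None):
    """Mint an HS256 token shaped like the payloads in the howto (hypothetical helper)."""
    now = int(time.time() if now is None else now)
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "context": {"user": {"name": "someuser", "id": "1"}, "group": group},
        "aud": "jitsi", "iss": domain, "sub": domain,
        "room": room,            # "*" for any room, or one room name
        "exp": now + ttl,
    }
    signing_input = ".".join(
        _b64(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    return signing_input + "." + _b64(_sign(secret, signing_input))

def check_token(token, secret, domain, room, now=None):
    """Simplified model of the checks described above; returns (allowed, reason)."""
    now = int(time.time() if now is None else now)
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        signature = _unb64(sig)
    except ValueError:           # wrong part count, bad base64 or bad JSON
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":   # never trust the token's own alg choice
        return False, "alg"
    if not hmac.compare_digest(signature, _sign(secret, head + "." + body)):
        return False, "signature"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "expired"
    if claims.get("sub") != domain:
        return False, "sub"
    if claims.get("room") not in ("*", room):
        return False, "room"
    return True, "ok"
```

Pass the same value as app_secret for `secret`; the reason string tells you which claim to fix when a token is rejected.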