Sorry! You are not allowed to be here :( using JWT after new update (06-oct-2022)

Hello, thank you for this amazing project.
I'm a web developer and have been using it for the last 3 years. It was working well (minor bugs were fixed after checking the forum).
I used multiple scripts for auto installation and configuration.
Right now I'm using this one from @emrah

It worked well.
After that, I installed JWT tokens using the normal token installation.
Then it stopped working.
It's not working like before.
For guests: waiting for host.
For host: start meeting using token.
Even though I used the same configuration that I was using earlier with the previous version.
When the host joins the meeting using a token, after authenticating it redirects them to the authError.html page. If there is an invalid token it says invalid token (correct behaviour), and if there is no token at all it asks for username and password (guest), whereas in earlier versions guests saw the message "Waiting for hosts…".

PS: I tried all solutions available on this forum.

Can anyone confirm whether anything has changed? Why is it breaking?

Thank you.

@emrah I tried to use your token installation too, but that's not for cluster-based Jitsi. Do you have any solution for that? Token-based meetings using a cluster Jitsi installation.
Thank you.

See this topic:

Normally the only thing needed is to install the jitsi-meet-tokens package in the eb-jitsi container. I have many servers with token authentication based on this cluster installation. But there are some changes on the Jitsi side. You shouldn't use a guest virtualhost with token authentication.

I'm not using a guest virtualhost. In a fresh installation, I installed the jitsi-meet-tokens package in the eb-jitsi container. After that I used the jitok token generator to test it (it didn't work though); I used my own backend and it was not working (the above-mentioned issue comes up).

I didn't understand it. Do they have updated docs for it? Because even in the original doc it's the same as it was before, no changes.

Can you share your prosody config file?
Don’t forget to mask the private data.

Which prosody file should I share? /etc/prosody/prosody.cfg.lua or /etc/prosody/config.avail/domain.cfg.lua?

Thank you :slight_smile:

Here is my /etc/prosody/config.avail/testing.jitsi.com.cfg.lua

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "testing.jitsi.com";

external_service_secret = "LN6ySngQAppR5G28";
external_services = {
    { type = "stun", host = "testing.jitsi.com", port = 3478 },
    { type = "turn", host = "testing.jitsi.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
    { type = "turns", host = "turning.jitsi.com", port = 443, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
https_ports = { }; -- Remove this line to prevent listening on port 5284

-- by default prosody 0.12 sends cors headers, if you want to disable it uncomment the following (the config is available on 0.12.1)
--http_cors_override = {
--    bosh = {
--        enabled = false;
--    };
--    websocket = {
--        enabled = false;
--    };
--}

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

unlimited_jids = {
    "focus@auth.testing.jitsi.com",
    "jvb@auth.testing.jitsi.com"
}

VirtualHost "testing.jitsi.com"
    authentication = "token" -- do not delete me
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    app_id="app_id_string"
    app_secret="app_secret_string"
    allow_empty_token = false
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/testing.jitsi.com.key";
        certificate = "/etc/prosody/certs/testing.jitsi.com.crt";
    }
    av_moderation_component = "avmoderation.testing.jitsi.com"
    speakerstats_component = "speakerstats.testing.jitsi.com"
    conference_duration_component = "conferenceduration.testing.jitsi.com"
    end_conference_component = "endconference.testing.jitsi.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "end_conference";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
        "room_metadata";
        "presence_identity";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.testing.jitsi.com"
    breakout_rooms_muc = "breakout.testing.jitsi.com"
    room_metadata_component = "metadata.testing.jitsi.com"
    main_muc = "conference.testing.jitsi.com"
    -- muc_lobby_whitelist = { "recorder.testing.jitsi.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.testing.jitsi.com" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "polls";
        "token_verification";
        "muc_rate_limit";
    }
    admins = { "focus@auth.testing.jitsi.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

Component "breakout.testing.jitsi.com" "muc"
    restrict_room_creation = true
    storage = "memory"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        "muc_rate_limit";
        "polls";
    }
    admins = { "focus@auth.testing.jitsi.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.testing.jitsi.com" "muc"
    storage = "memory"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.testing.jitsi.com", "jvb@auth.testing.jitsi.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.testing.jitsi.com"
    ssl = {
        key = "/etc/prosody/certs/auth.testing.jitsi.com.key";
        certificate = "/etc/prosody/certs/auth.testing.jitsi.com.crt";
    }
    modules_enabled = {
        "limits_exception";
    }
    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.
Component "focus.testing.jitsi.com" "client_proxy"
    target_address = "focus@auth.testing.jitsi.com"

Component "speakerstats.testing.jitsi.com" "speakerstats_component"
    muc_component = "conference.testing.jitsi.com"

Component "conferenceduration.testing.jitsi.com" "conference_duration_component"
    muc_component = "conference.testing.jitsi.com"

Component "endconference.testing.jitsi.com" "end_conference"
    muc_component = "conference.testing.jitsi.com"

Component "avmoderation.testing.jitsi.com" "av_moderation_component"
    muc_component = "conference.testing.jitsi.com"

Component "lobby.testing.jitsi.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
    modules_enabled = {
        "muc_rate_limit";
        "polls";
    }

Component "metadata.testing.jitsi.com" "room_metadata_component"
    muc_component = "conference.testing.jitsi.com"
    breakout_rooms_component = "breakout.testing.jitsi.com"

    asap_accepted_issuers = { "*" }
    asap_accepted_audiences = { "*" }

*testing.jitsi.com is a fake domain
Thank you.

I'm using the local recorder only (not Jibri for now)

I had a similar issue.
In your JWT token, check the value of sub.
In previous versions it could work with https://myjtsidomain but I think now you have to remove the https protocol.
Or use sub as *

Don’t you have app_id in your config?

And where are the enabled modules?

It's still there in the above file; it looks like the indentation is not good. You might need to scroll to the right side.
Thank you.

Thank you for your response.
I tried that as well. But it didn't work. Same issue. After authentication the user is redirected to the authError.html page.

@emrah I figured it out somehow. But what's the difference between the affiliation parameters?
It says
member,
owner,
without that affiliation.
I don't see any major difference.
Last thing, how to handle guests? If the host has not started the meeting, guests can directly join the meeting (if a token is attached); otherwise it asks for username/password.

How to handle all this?

Thank you in advance.

It's used when token_affiliation is enabled to set the moderator.

If someone has a token then she is not a guest user. allow_empty_token should be true to allow guests (users who have no token) to join.

token_owner_party may be helpful for some use-cases.
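To tie together the sub advice earlier in the thread and the affiliation/allow_empty_token discussion above, here is an added example (not Jitsi, Prosody or emrah's code): a standard-library Python script that mints an HS256 token with the claims jitsi-meet-tokens reads and checks it the way the thread says the current version behaves (iss equal to app_id, sub as the bare domain or *, matching room, validity window). app_id_string, app_secret_string and testing.jitsi.com are the placeholders from the posted config, and the owner/moderator-to-owner mapping is a model of the behaviour described in the thread, not the module's code.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Placeholders taken from the posted config; real deployments use their own values.
APP_ID = "app_id_string"
APP_SECRET = "app_secret_string"
DOMAIN = "testing.jitsi.com"  # the thread's fake domain


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(room: str, sub: str, affiliation: Optional[str],
               ttl: int = 3600, now: Optional[int] = None) -> str:
    """HS256 JWT shaped like the ones jitsi-meet-tokens consumes; affiliation=None
    omits context.user.affiliation, i.e. a plain participant."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": APP_ID, "aud": "jitsi", "sub": sub, "room": room,
        "iat": now, "nbf": now, "exp": now + ttl,
        "context": {"user": {"name": "Example User"}},
    }
    if affiliation is not None:
        payload["context"]["user"]["affiliation"] = affiliation
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(APP_SECRET.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, room: str, now: Optional[int] = None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    expected = hmac.new(APP_SECRET.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != APP_ID:
        raise ValueError("iss does not match app_id")
    if "aud" not in claims:  # posted config has asap_accepted_audiences = { "*" }
        raise ValueError("aud missing")
    # The point raised in the thread: "https://testing.jitsi.com" fails here,
    # the bare domain or "*" passes.
    if claims.get("sub") not in ("*", DOMAIN):
        raise ValueError("sub must be the bare domain or *")
    if claims.get("room") not in ("*", room):
        raise ValueError("room does not match")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise ValueError("token not yet valid or expired")
    return claims


def rejection_reason(token: str, room: str, now: Optional[int] = None) -> Optional[str]:
    """None if the token verifies, else the reason it was refused."""
    try:
        verify_token(token, room, now)
        return None
    except ValueError as exc:
        return str(exc)


def affiliation_of(claims: dict) -> str:
    """Model of what token_affiliation applies: owner/moderator -> owner, else member."""
    aff = claims.get("context", {}).get("user", {}).get("affiliation")
    return "owner" if aff in ("owner", "moderator") else "member"
```

Running rejection_reason() on a token produced by your own backend is a quick way to see whether it is the sub claim, the room or the validity window that the verifier is refusing.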

For token_affiliation I tested it and it works somehow. I tried moderator and owner and they are the same: both token users get moderator rights.
But for member or not set (affiliation removed from the token) the user acts as a normal user.
But he has access to the recording and streaming features, whereas it should be for owner/moderator only in a normal scenario.
Kindly suggest.

As for token_owner_party, I think we don't need that because we already have everything that this mod provides: only the owner/moderator can start the meeting using affiliation, and now we have an end meeting for all button too for owners/moderators.

I set allow_empty_token to true but it's still not working for guests.
Guests are asked to enter username/password in a popup whether or not the meeting has already been started by the host.

This is not working in the normal scenario, like:
Only owner/moderator can start the meeting using a token. :white_check_mark:
Guests without a token should be able to join the meeting? :interrobang:

If we use tokens for guests too, without affiliation (owner/moderator), they are able to join the meeting, but we have two problems here.
:one: They have access to start recording and streaming too (it should be only moderator/owner).
:two: If during the meeting they are disconnected or reload the page, they don't have access to the token anymore and can't join the meeting now.
:three: If the meeting is not started yet by the host/moderator, they can still join the meeting; maybe we have to use the reservation system to block guests until the meeting has started (not sure, the old way was simple: waiting for host).

Kindly suggest if possible.

Thank you. :slight_smile:

I didn't try the old way with the current stable. Maybe it's still working…
You may try to add the guest virtualhost to prosody and to enable external JWT authentication in jicofo.conf

It worked, wow!
But after going with external JWT auth in jicofo.conf, token_affiliation is not working.
Whatever value the affiliation parameter has is ignored and that person is granted moderator rights.

What we want for guests is:
Either they should join the meeting as a guest, which is working now.
Or maybe some users might join the meeting using a token (but not as moderators).

How can I achieve that, as token_affiliation with value member/none is not working?

That's the last thing I am stuck with.

Thank you again.

When external JWT is enabled, everyone who has a token becomes a moderator.

There is a hacky way to set affiliation although external JWT is enabled. It's to add some delay before the room:set_affiliation command.

You may change

room:set_affiliation(true, occupant.bare_jid, affiliation)

as

-- assumes `timer` is Prosody's util.timer (local timer = require "util.timer") in the module's scope;
-- the delay (here 3 s) lets the external JWT handling finish before the affiliation is applied
timer.add_task(3, function()
    room:set_affiliation(true, occupant.bare_jid, affiliation)
end)

in /usr/share/jitsi-meet/prosody-plugins/mod_token_affiliation.lua
