Token Setup


#1

I have followed: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

I’m using https://jwt.io/ to create tokens and test. I have some questions:

  1. In the header
    "kid": "jitsi/custom_key_name"
    What should I use for custom_key_name?

  2. In the example payload:

{
  "context": {
    "user": {
      "avatar": "https://gravatar.com/avatar/abc123",
      "name": "John Doe",
      "email": "jdoe@example.com",
      "id": "abcd:a1b2c3-d4e5f6-0abc1-23de-abcdef01fedcba"
    },
    "group": "a123-123-456-789"
  },
  "aud": "jitsi",
  "iss": "my_client",
  "sub": "meet.jit.si",
  "room": "*",
  "exp": 1500006923
}

Should “aud” still be set as “jitsi”?


#2

There are a few things here:

  • kid is used when you configure your prosody to verify the token using a certificate stored on a server and custom_key_name is the name of the certificate file. From the doc: In this mode, the 'kid' header of the JWT must be set to the name of the public key.
  • sub value should be the name of your deployment
  • aud must be the same as the one configured in app_id or if using asap_accepted_audiences should be one of the values from there.
  • iss should be again same as your app_id or one of the asap_accepted_issuers
  • group, do not use group if your deployment is not configured for multi-tenant use (is not able to serve https://meet.jit.si/testroom, https://meet.jit.si/companyA/testroom and https://meet.jit.si/companyB/testroom).

#3

Hi @damencho,
Is the public key you mentioned in first paragraph in the prosody config file’s ssl section?
For example next section:

VirtualHost "47.106.212.100"
    authentication = "token"
    app_id = "example_app_id"
    app_secret = "example_app_secret"
    allow_empty_token = false
    ssl = {
        key = "/var/lib/prosody/live.example.com.key";
        certificate = "/var/lib/prosody/live.example.com.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
    }
    c2s_require_encryption = false


#4

There are two kinds of jwt configurations:

  • One where you have public/private key, you sign the token with a private key and you put the public key on some web server which is accessible by prosody asap_key_server = "https://keyserver.example.com/asap";. When prosody receives a token it will download the public key from https://keyserver.example.com/asap and will cache it and verify the token.
  • You can use a common secret used to sign the token and prosody will use the same secret to verify it: app_secret = "example_app_secret";

It has nothing to do with the certificates used for the virtual hosts. Looking at your prosody config seems you are using the second one with the common secret.

#5

Thank you!

So I’m using the common secret, what do I put in the kid property? Or do I not include that property in the file?

I’ve got a weird behavior where I connect with the token but it then disconnects and reloads. Would this be due to a token issue or something else?


#6

No, you don’t put kid.
About the reloads, open the js console and check the error you see.


#7

Thanks @damencho for your help! I think my token setup is working, but I need to fix the disconnecting issue - I’ll create a separate post for that.


#8

Can the avatar value be set to base64 encoded data? Will jitsi display such an image properly?


#9

It is setting an image src so I suppose it will work if the value is data:image/png;base64, ....


#10

Thank you. Turns out what I thought were private avatars are publicly available, so I won’t need to implement this - but in theory it should work.

On a side note, found this blog article that I thought relevant to tokens: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen

What’s the recommended expiry to place on a token? Is it just the time to connect to the jitsi app? E.g., if I put it to 1 or 2 minutes it should be safe. Or should I have token expiry set for the max duration of a meeting?


#11

Token is checked in the beginning, but there may be actions later that can check the token, like recording for example … So I would say that it needs to be valid during the time of the meeting.
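The shared-secret mode described in #2, #4 and #11 (aud and iss equal to app_id, sub set to the deployment name, no kid header, exp covering the whole meeting), as an added example that is not part of this thread or of the Jitsi/Prosody code. It signs a token with the same HS256 primitive jwt.io uses and then checks it the way the replies above say Prosody does; the app_id, secret, deployment name and user are constructed values, and the verifier is an illustration of the claim rules, not Prosody's own implementation.

```python
import base64, hashlib, hmac, json, time

APP_ID = "example_app_id"          # constructed; must match app_id in the Prosody VirtualHost
APP_SECRET = "example_app_secret"  # constructed; must match app_secret (shared-secret mode)
DEPLOYMENT = "meet.example.com"    # constructed deployment name used for "sub"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(room, name, email, meeting_seconds, now=None):
    """Build an HS256 JWT; exp spans the meeting because later actions (e.g. recording) re-check it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}   # no "kid": that header is only for the key-server mode
    payload = {
        "context": {"user": {"name": name, "email": email}},
        "aud": APP_ID, "iss": APP_ID, "sub": DEPLOYMENT,
        "room": room,                          # "*" allows any room on the deployment
        "exp": now + meeting_seconds,
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(APP_SECRET.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token, room, now=None):
    """Return (payload, "ok") or (None, reason). Signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    h64, p64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        return None, "unexpected alg"          # refuse "none" or an algorithm we did not configure
    expected = hmac.new(APP_SECRET.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None, "bad signature"
    payload = json.loads(_b64url_decode(p64))
    if payload.get("iss") != APP_ID:
        return None, "iss mismatch"
    if payload.get("aud") != APP_ID:
        return None, "aud mismatch"
    if payload.get("sub") != DEPLOYMENT:
        return None, "sub mismatch"
    if payload.get("room") not in ("*", room):
        return None, "room mismatch"
    if now >= payload.get("exp", 0):
        return None, "expired"
    return payload, "ok"
```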