Token Setup

I have followed: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

I’m using https://jwt.io/ to create tokens and test. I have some questions:

  1. In the header
    "kid": "jitsi/custom_key_name"
    What should I use for custom_key_name?

  2. In the example payload:

{
  "context": {
    "user": {
      "avatar": "https:/gravatar.com/avatar/abc123",
      "name": "John Doe",
      "email": "jdoe@example.com",
      "id": "abcd:a1b2c3-d4e5f6-0abc1-23de-abcdef01fedcba"
    },
    "group": "a123-123-456-789"
  },
  "aud": "jitsi",
  "iss": "my_client",
  "sub": "meet.jit.si",
  "room": "*",
  "exp": 1500006923
}

Should “aud” still be set as “jitsi”?

There are a few things here:

  • kid is used when you configure your prosody to verify the token using a certificate stored on a server and custom_key_name is the name of the certificate file. From the doc: In this mode, the 'kid' header of the JWT must be set to the name of the public key.
  • sub value should be the name of your deployment
  • aud must be the same as the one configured in app_id or if using asap_accepted_audiences should be one of the values from there.
  • iss should be again same as your app_id or one of the asap_accepted_issuers
  • group, do not use group if your deployment is not configured for multi-tenant use (is not able to serve https://meet.jit.si/tesroom, https://meet.jit.si/companyA/testroom and https://meet.jit.si/companyB/testroom).

Hi @damencho,
Is the public key you mentioned in the first paragraph in the prosody config file’s ssl section?
For example next section:

VirtualHost "47.106.212.100"
    authentication = "token"
    app_id = "example_app_id"
    app_secret = "example_app_secret"
    allow_empty_token = false
    ssl = {
        key = "/var/lib/prosody/live.example.com.key";
        certificate = "/var/lib/prosody/live.example.com.crt";
    }
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping";
    }
    c2s_require_encryption = false

There are two kinds of jwt configurations:

  • One where you have public/private key, you sign the token with a private key and you put the public key on some web server which is accessible by prosody asap_key_server = "https://keyserver.example.com/asap";. When prosody receives a token it will download the public key from https://keyserver.example.com/asap and will cache it and verify the token.
  • You can use a common secret used to sign the token and prosody will use the same secret to verify it: app_secret = "example_app_secret";
    It has nothing to do with the certificates used for the virtual hosts. Looking at your prosody config, it seems you are using the second one with the common secret.

Thank you!

So I’m using the common secret, what do I put in the kid property? Or do I not include that property in the file?

I’ve got a weird behavior where I connect with the token but it then disconnects and reloads. Would this be due to a token issue or something else?

No, you don’t put kid.
About the reloads, open the js console and check the error you see.

Thanks @damencho for your help! I think my token setup is working, but I need to fix the disconnecting issue - I’ll create a separate post for that.

Can the avatar value be set to base64 encoded data? Will jitsi display such an image properly?

It is setting an image src so I suppose it will work if the value is data:image/png;base64, ....

Thank you. Turns out what I thought were private avatars are publicly available, so I won’t need to implement this - but in theory it should work.

On a side note, found this blog article that I thought relevant to tokens: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen

What’s the recommended expiry to place on a token? Is it just the time to connect to the jitsi app? Eg, if I put it to 1 or 2 minutes it should be safe. Or should I have token expiry set for the max duration of a meeting?

Token is checked in the beginning, but there may be actions later that can check the token, like recording for example … So I would say that it needs to be valid during the time of the meeting.

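The answers above (no kid with a common secret, aud and iss matching app_id, exp covering the meeting) put together as an added example; it is not part of the original thread and not Jitsi's own code. It builds an HS256 token with the Python standard library and runs a local pre-flight check on it; the function names, meet.example.com and the room name are assumptions, while app_id and app_secret are the placeholder values from the config posted above.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: str, signing_input: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())

def make_token(app_id, app_secret, deployment, room, user, valid_seconds, now=None):
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}  # common-secret mode: no "kid"
    payload = {
        "context": {"user": user},  # no "group": deployment assumed single-tenant
        "aud": app_id,              # per the thread: same as app_id
        "iss": app_id,              # per the thread: same as app_id
        "sub": deployment,          # name of the deployment
        "room": room,
        "exp": now + valid_seconds, # should cover the whole meeting
    }
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    return signing_input + "." + _sign(app_secret, signing_input)

def check_token(token, app_id, app_secret, now=None):
    """Local pre-flight check (not prosody's verifier); returns a list of problems."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
    except ValueError:
        return ["malformed token"]
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return ["malformed token"]
    problems = []
    if header.get("alg") != "HS256":
        problems.append("alg is not HS256")
    if "kid" in header:
        problems.append("kid present in common-secret mode")
    expected = _sign(app_secret, head_b64 + "." + body_b64)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        problems.append("bad signature")
    problems += [f"{c} does not match app_id" for c in ("aud", "iss") if payload.get(c) != app_id]
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("expired or missing exp")
    return problems
```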


I have set up the token, but after setup audio and video are not showing. Can you please help me find out why? I am very close to success, please help.

Were you able to find any solution for this? I am also getting the same error.