Tokens or other auth method configurations

Hi,
I’m testing jitsi, and I’m confused on authentication and roles.

I installed it following https://github.com/jitsi/jitsi-meet/blob/master/doc/quick-install.md

What I would like to achieve is that users can join conferences from my website using a link like “https://example.com/room1?jwt_or_other_auth=somevalue” and they are always admins.
Other people instead join using “https://example.com/room1” and they are never granted admin permissions.

Am I correct about using jwt tokens? Or is this configurable in other ways?

Also, I tried to change enableUserRolesBasedOnToken to true, but when I do that dialout breaks.


Here’s the log from the developer console in Chrome:

app.bundle.min.js?v=2942:sourcemap:2 [react/features/invite/functions.js] <>: Error searching directory: SyntaxError: Unexpected token < in JSON at position 0
app.bundle.min.js?v=2942:sourcemap:2 [react/features/base/react/components/web/MultiSelectAutocomplete.js] <>: MultiSelectAutocomplete error in query SyntaxError: Unexpected token < in JSON at position 0

Thanks all…

Currently jwt cannot control moderator role. You can have the first to join be moderator or, by enabling a module, have all participants be moderators, the same way meet.jit.si is configured.
If you enable secure domain https://github.com/jitsi/jicofo#secure-domain, the first to join a conference will be asked for username and password, and after the authenticated user joins, guests can enter the room without authentication. If a guest tries entering before the authenticated user, the guest will need to wait until the authenticated user enters and will then be automatically connected.

Thanks, but I have a further question now:
secure domain:
It is possible to allow only authenticated users for creating new conference rooms
this is done by setting authentication = “internal_plain”

If I enable secure domain and have this scenario:
authenticated user creates a room, he is the moderator
guests join
authenticated user leaves
who is the moderator now?

Also, can I use secure domain with authentication = “token”?

If this was the only moderator in the room, there will no longer be a moderator, only guests.

No.

Thanks,
Maybe I’m starting to understand.
Between these options I would like to enable moderator rights for all users (if everyone is a moderator, no one is a moderator).
How do I install https://github.com/jitsi/jitsi-meet/blob/master/resources/prosody-plugins/mod_muc_allowners.lua?

This file is included in jitsi-meet-tokens, but if I enable the official repo for prosody and install jitsi-meet-tokens I get a whole new set of issues.
Is there a more straightforward documentation to install muc_allowners on top of the basic installation described in the quick-install document?
Thanks

You need to put that file in a folder and uncomment and add that folder like this:


Make sure the prosody user can read it.

Then under you need to enable it like:

Component "conference.your.domain.com" "muc"
....
modules_enabled = { "muc_allowners" }

Hey, I made a lua module that sets user’s moderator status based on a boolean in the jwt token, it might help you out (only a few months too late :slight_smile: ).


Hi Damencho
I would like to do what you explain here,
if you can explain where I need to change.

Thank you so much for this. Just what I needed!

@Niclas_von_Ahsen can you put in the documentation how to proceed with the docker install? I am not sure in what folder to place your module and what other configurations I may need. So far I could not enable it on docker install.

For anyone else who comes across this, I believe the statement “Currently jwt cannot control moderator role” is now false on account of Damian’s post in another forum.

I’m not so convinced :slight_smile:

Is my comment misleading? I can delete it if so! I’ve been on quite the adventure trying to get JWTs to work with guests going to the waiting room by default today, so I thought I would try to leave a trail where possible… :stuck_out_tongue:

Haha, well no, don’t worry.
You can validate the jwt token so you can make sure someone authenticated that participant. In the open-source repo we have validation for accessing rooms (mod_token_verification.lua).
But other than the allowners module there is nothing that sets the affiliation (moderator) based on token; the allowners module does it for certain room names and tenants that are pre-configured in prosody (moderated tenant on meet.jit.si).

But there are custom modules that can do that for you, assign moderator based on token.

For 8x8.vc, for example, that is the case - we have a module that assigns the role based on some conditions.


I was able to get everything working! Thank you much for your help, @damencho! I also replicated my steps in a clean instance to ensure that they would be roughly repeatable in the future without all of the unnecessary garbage that I had done while figuring this out.

If it would be helpful for the community, I would be happy to share my steps and config files. Do you think that would be helpful? Is there a good place/way for me to do that?

Our requirements are thus:

  1. Authenticate all users with JWTs issued by our own HTTP server
  2. Designate some users as moderators, others as non-moderators. These roles are governed by claims in the JWT using token_affiliation
  3. Automatically initialize the lobby feature when a moderator joins, and allow other moderators (or the first) to bypass the lobby when they join/rejoin
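
Added example (not part of any post in this thread, and not the code of the modules or tutorial mentioned here): a minimal sketch of requirements 1 and 2, showing an issuer minting a room-bound HS256 token with a role claim and the checks a verifier must pass before that claim is trusted. The app id, secret, domain and the `context.user.affiliation` claim path with its `owner`/`member` values are assumptions; use the names your own Prosody module reads.

```python
import base64, hashlib, hmac, json, time

APP_ID = "example_app_id"            # constructed; the app id Prosody is configured with
APP_SECRET = b"constructed-secret"   # constructed; load the real one from a secret store

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(APP_SECRET, signing_input.encode(), hashlib.sha256).digest()

def mint(room, name, moderator, ttl=300, now=None):
    """Issue a short-lived token bound to one room, with the role in a claim."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": APP_ID, "aud": "jitsi", "sub": "example.com",
        "room": room, "exp": now + ttl,
        # Assumed claim path and values; use whatever your Prosody module reads.
        "context": {"user": {"name": name,
                             "affiliation": "owner" if moderator else "member"}},
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64e(json.dumps(header).encode()) + "." + b64e(json.dumps(claims).encode())
    return signing_input + "." + b64e(sign(signing_input))

def role_for(token, room, now=None):
    """Return 'owner' or 'member'; raise ValueError for any token we did not issue."""
    now = int(time.time()) if now is None else now
    head, body, sig = token.split(".")           # ValueError if not three parts
    # Check the signature before trusting anything inside the token.
    if not hmac.compare_digest(sign(f"{head}.{body}"), b64d(sig)):
        raise ValueError("bad signature")
    header, claims = json.loads(b64d(head)), json.loads(b64d(body))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if claims.get("iss") != APP_ID or claims.get("exp", 0) <= now:
        raise ValueError("wrong issuer or expired")
    if claims.get("room") != room:
        raise ValueError("token not valid for this room")
    affiliation = claims.get("context", {}).get("user", {}).get("affiliation")
    # Anything other than an explicit 'owner' is treated as a plain member.
    return "owner" if affiliation == "owner" else "member"
```

A guest who edits the payload to say `owner` fails the signature check, and a moderator token for one room is rejected in another, which is why the role claim is only read after all four checks pass.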

I think the community would appreciate that. People often come in here looking for solutions, I’m sure this would be useful. You can create it right here as a new thread.

You may create a new topic to share the solution, something like this

@emrah @Freddie @damencho I posted a tutorial here. Please let me know if you think I should make any edits. Thanks for all your hard work!
