User creation on Jitsi

Alejandro_Biondo · May 11, 2020, 3:34pm

Hi.
I have installed and running Jitsi-meet on my server.
It’s working perfect, and I can create users for using it… The issue is that I create users like this:

prosodyctl register

So there are 2 things I need.

I need to create the user inside my java code with an API,
I need to open the my Jitsi conference with the user logged (because it’s already logged in my platform)

How can I do both?

Regards

reset · May 11, 2020, 3:36pm

This might work better in your use case

github.com

jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

JWT token authentication Prosody plugin
==================

This plugin implements Prosody authentication provider that verifies client connection based on JWT token described in [RFC7519].
It allows to use any external form of authentication with lib-jitsi-meet. Once your user authenticates you need to
generate the JWT token as described in the RFC and pass it to your client app. Once it connects with valid token is considered authenticated by jitsi-meet system.

During configuration you will need to provide the *application ID* that identifies the client and a *secret* shared by both server and JWT token generator. Like described in the RFC, secret is used to compute HMAC hash value which allows to authenticate generated token. There are many existing libraries which can be used to implement token generator. More info can be found here: [http://jwt.io/#libraries-io]

JWT token authentication currently works only with BOSH connections.

[RFC7519]: https://tools.ietf.org/html/rfc7519
[http://jwt.io/#libraries-io]: http://jwt.io/#libraries-io

### Token structure

The following JWT claims are used in authentication token:
- 'iss' specifies *application ID* which identifies the client app connecting to the server. It should be negotiated with the service provider before generating the token.
- 'room' contains the name of the room for which the token has been allocated. This is *NOT* full MUC room address. Example assuming that we have full MUC 'conference1@muc.server.net' then 'conference1' should be used here.  Alternately, a '*' may be provided, allowing access to all rooms within the domain.
- 'exp' token expiration timestamp as defined in the RFC

This file has been truncated. show original

mlynchdev · May 11, 2020, 5:17pm

I’m seeing an issue with JWT tokens that a valid token can open many instances in the same room, the auth only checks that the JWT token is valid and doesn’t block same user from multiple entries. Could be exploited to sign in a non trivial amount of users into a meeting and cause some chaos on the server. Is there a way to make it so one JWT token is valid only once in an instance, i.e. no duplicate users allowed entry?

Alejandro_Biondo · May 19, 2020, 10:05pm

Hi.

I take some days testing and testing and I couldn’t get it done…

I think that I’m writing wrong the token.

Once I broke a server, I create a brand new server and installed it 2 days ago jitsi again.
The server is: Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-101-generic x86_64)

If I use the server without tokens (in anonymous mode), it works just fine and also in that mode, if I send the jwt parameter, it uses the avatar and the name…

However I need to be used in token mode (or any other user mode…)…

----I’m not sure if I create the token ok

So I configured my https://jitsi4.inxpirius.com server (this is my test server)

I modify the /etc/prosody/conf.d/jitsi4.inxpirius.com.cfg.lua file with the following:

On the VirtualHost “jitsi4.inxpirius.com”
I replaced authentication with “token”
Add:
app_id=“MYAPP_ID_TEST”
app_secret=“MySecretPassword123”
(I know this is senstivite information, but this is a test server, and I want this to work)
I verified that c2s_require_encryption = false (it was like this previously)
And added to the muc the token_verification:
Component “conference.jitsi4.inxpirius.com” “muc”
storage = “none”
modules_enabled = {
“muc_meeting_id”;
“muc_domain_mapper”;
“token_verification”;
}
admins = { “focus@auth.jitsi4.inxpirius.com” }
muc_room_locking = false
muc_room_default_public_jids = true

Restarted everything:
service jicofo stop && service jitsi-videobridge2 stop && service prosody restart && service jicofo start && service jitsi-videobridge2 start

And then I create a jwt to test it with “https://jwt.io/”
Header
{
“alg”: “HS256”,
“typ”: “JWT”
}
Payload
{
“context”: {
“user”: {
“avatar”: “http://www.gym-gy.com/images/playstore.png”,
“name”: “Nombre Ejemplo”,
“email”: “nombre@ejemplo.com”,
“id”: “1”
},
“group”: “grupo_1”
},
“aud”: “jitsi4”,
“iss”: “MYAPP_ID_TEST”,
“sub”: “inxpirius.com”,
“room”: “ReunionTest”
}

The iss is the same as the configuration, the Room is the same as the URL, the groups does not exists (I understand that is something that is not used by JITSI…
And in the signature I haven’t choose the “secret base 64 encode”

Later I entered:

That is what the web page https://jwt.io/ created…

What am I doing wrong? I think I’m doing something wrong with the token… ON the jicofo.log There is nothing strange…

On the jvb.log it keep saying something like this:
2020-05-20 00:04:23.743 INFO: [21] Videobridge.createConference#320: create_conf, id=f5208d86a9f097fc gid=null logging=false
2020-05-20 00:04:23.751 INFO: [21] AbstractHealthCheckService.run#171: Performed a successful health check in PT0.009226S. Sticky failure: false

But it doesn’t seem to be the problem…

Can you help me on this?

reset · May 20, 2020, 1:41pm

It doesn’t look like you test server is working without token. Although the meeting start, the mic and camera are disabled.

Check the console log in the browser. What is your prosody version? It needs to be 0.11 or higher for JWT.

Alejandro_Biondo · May 20, 2020, 5:58pm

I meant that it Works in annonymous mode just fine (if I put authetication=“anonymous” on the .com.cfg.lua file), but once I turn into “token” mode, it seems that nothing Works.

Your are right I’m using:

prosody/bionic,now 0.10.0-1build1 amd64 [installed,automatic]

How can I change it without breaking anything? I tried to put apt install jitsi-meet-token in another server and I broke everything. Is there any sources I can add to install 0.11? Or I have to go to the unstable versión?

Alejandro_Biondo · May 20, 2020, 11:30pm

I have update it to 0.11
prosody/unknown,now 0.11.5-1~bionic6 amd64 [installed]

However, now it doesn’t work at all, not even putting it into anonymous mode

I’m really loose here: https://jitsi4.inxpirius.com/MyMeting it does not work and the only change was the prosody.

I really don’t know where to look. If I look at the logs:

PROSODY.ERR

May 21 01:26:42 certmanager error SSL/TLS: Failed to load ‘/etc/prosody/certs/localhost.key’: Check that the permissions allow Prosody to read this file. (for localhost)
May 21 01:26:42 localhost:tls error Error creating context for c2s: error loading private key (Permission denied)
May 21 01:26:42 certmanager error SSL/TLS: Failed to load ‘/etc/prosody/certs/localhost.key’: Previous error (see logs), or other system error. (for localhost)
May 21 01:26:42 localhost:tls error Error creating contexts for s2sout: error loading private key (system lib)
May 21 01:26:42 certmanager error SSL/TLS: Failed to load ‘/etc/prosody/certs/localhost.key’: Previous error (see logs), or other system error. (for localhost)
May 21 01:26:42 localhost:tls error Error creating contexts for s2sin: error loading private key (system lib)

PROSODY.LOG

May 21 01:26:42 startup info Hello and welcome to Prosody version 0.11.5
May 21 01:26:42 startup info Prosody is using the select backend for connection handling
May 21 01:26:42 certmanager error SSL/TLS: Failed to load ‘/etc/prosody/certs/localhost.key’: Check that the permissions allow Prosody to read this file. (for localhost)
May 21 01:26:42 localhost:tls error Error creating context for c2s: error loading private key (Permission denied)
May 21 01:26:42 certmanager error SSL/TLS: Failed to load ‘/etc/prosody/certs/localhost.key’: Previous error (see logs), or other system error. (for localhost)
May 21 01:26:42 localhost:tls error Error creating contexts for s2sout: error loading private key (system lib)
May 21 01:26:42 certmanager error SSL/TLS: Failed to load ‘/etc/prosody/certs/localhost.key’: Previous error (see logs), or other system error. (for localhost)
May 21 01:26:42 localhost:tls error Error creating contexts for s2sin: error loading private key (system lib)
May 21 01:26:42 portmanager info Activated service ‘c2s’ on [::]:5222, []:5222
May 21 01:26:42 portmanager info Activated service ‘legacy_ssl’ on no ports
May 21 01:26:42 portmanager info Activated service ‘s2s’ on [::]:5269, []:5269
May 21 01:26:43 c2s55fdfd7b28f0 info Client connected
May 21 01:26:43 c2s55fdfd7b28f0 info Client disconnected: connection closed
May 21 01:26:43 c2s55fdfd7bc130 info Client connected
May 21 01:26:43 c2s55fdfd7bc130 info Client disconnected: connection closed
May 21 01:26:48 c2s55fdfd7c50d0 info Client connected

JICOFO.LOG

Jicofo 2020-05-21 01:26:43.670 SEVERE: [20] org.jitsi.impl.protocol.xmpp.XmppProtocolProvider.doConnect().303 Failed to connect/login: host-unknown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
stream:errorThis server does not serve auth.jitsi4.inxpirius.com</stream:error>
org.jivesoftware.smack.XMPPException$StreamErrorException: host-unknown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
stream:errorThis server does not serve auth.jitsi4.inxpirius.com</stream:error>
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1059)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:834)
Jicofo 2020-05-21 01:26:43.671 WARNING: [22] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener() Connection XMPPTCPConnection[not-authenticated] (0) closed with error
org.jivesoftware.smack.XMPPException$StreamErrorException: host-unknown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
stream:errorThis server does not serve auth.jitsi4.inxpirius.com</stream:error>
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1064)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:834)
Jicofo 2020-05-21 01:26:43.715 INFO: [14] org.eclipse.jetty.server.Server.doStart() jetty-9.4.15.v20190215; built: 2019-02-15T16:53:49.381Z; git: eb70b240169fcf1abbd86af36482d1c49826fa0b; jvm 11.0.7+10-post-Ubuntu-2ubuntu218.04
Jicofo 2020-05-21 01:26:44.081 INFO: [14] org.eclipse.jetty.server.handler.ContextHandler.doStart() Started o.e.j.s.ServletContextHandler@75af1637{/,null,AVAILABLE}
Jicofo 2020-05-21 01:26:44.089 INFO: [14] org.eclipse.jetty.server.AbstractConnector.doStart() Started ServerConnector@608bd564{HTTP/1.1,[http/1.1]}{0.0.0.0:8888}
Jicofo 2020-05-21 01:26:44.089 INFO: [14] org.eclipse.jetty.server.Server.doStart() Started @932ms
Jicofo 2020-05-21 01:26:44.092 INFO: [1] org.jitsi.impl.configuration.ConfigurationServiceImpl.log() org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.jitsi4.inxpirius.com
Jicofo 2020-05-21 01:26:44.099 INFO: [1] org.jitsi.xmpp.component.ComponentBase.log() Component org.jitsi.jicofo. config:
Jicofo 2020-05-21 01:26:44.100 INFO: [1] org.jitsi.xmpp.component.ComponentBase.log() ping interval: 10000 ms
Jicofo 2020-05-21 01:26:44.100 INFO: [1] org.jitsi.xmpp.component.ComponentBase.log() ping timeout: 5000 ms
Jicofo 2020-05-21 01:26:44.100 INFO: [1] org.jitsi.xmpp.component.ComponentBase.log() ping threshold: 3
Jicofo 2020-05-21 01:26:44.104 SEVERE: [36] org.jitsi.meet.ComponentMain.log() java.net.ConnectException: Connection refused (Connection refused), host:localhost, port:5347
org.xmpp.component.ComponentException: java.net.ConnectException: Connection refused (Connection refused)
at org.jivesoftware.whack.ExternalComponent.connect(ExternalComponent.java:296)
at org.jivesoftware.whack.ExternalComponentManager.addComponent(ExternalComponentManager.java:242)
at org.jivesoftware.whack.ExternalComponentManager.addComponent(ExternalComponentManager.java:222)
at org.jitsi.meet.ComponentMain.lambda$getConnectCallable$0(ComponentMain.java:285)
at org.jitsi.retry.RetryStrategy$TaskRunner.run(RetryStrategy.java:193)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.base/java.net.PlainSocketImpl.socketConnect(Native Method)
at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:399)
at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:242)
at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:224)
at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:403)
at java.base/java.net.Socket.connect(Socket.java:609)
at org.jivesoftware.whack.ExternalComponent.connect(ExternalComponent.java:174)
… 10 more
Jicofo 2020-05-21 01:26:44.118 INFO: [14] org.jitsi.jicofo.health.Health.log() Internal health checks are disabled. No checks will be performed, but the REST API will always return 200.
Jicofo 2020-05-21 01:26:44.118 INFO: [14] org.jitsi.jicofo.health.Health.log() Performed a successful health check in PT0.000002S. Sticky failure: false
Jicofo 2020-05-21 01:26:44.119 INFO: [14] org.jitsi.jicofo.health.Health.log() Started with interval=9223372036854775807, timeout=PT30S, maxDuration=PT20S, stickyFailures=false.

AND SO ON…
—.

JVB.LOG

2020-05-21 01:26:43.359 WARNING: [22] [hostname=localhost id=shard] MucClient.lambda$getConnectAndLoginCallable$7#643: [MucClient id=shard hostname=localhost] error connecting
org.jivesoftware.smack.XMPPException$StreamErrorException: host-unknown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
stream:errorThis server does not serve auth.jitsi4.inxpirius.com</stream:error>
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1059)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:834)
2020-05-21 01:26:43.363 WARNING: [28] org.jivesoftware.smack.AbstractXMPPConnection.callConnectionClosedOnErrorListener: Connection XMPPTCPConnection[not-authenticated] (0) closed with error
org.jivesoftware.smack.XMPPException$StreamErrorException: host-unknown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
stream:errorThis server does not serve auth.jitsi4.inxpirius.com</stream:error>
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1064)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:834)
2020-05-21 01:26:43.365 WARNING: [28] [hostname=localhost id=shard] MucClient$1.connectionClosedOnError#295: Closed on error:
org.jivesoftware.smack.XMPPException$StreamErrorException: host-unknown You can read more about the meaning of this stream error at http://xmpp.org/rfcs/rfc6120.html#streams-error-conditions
stream:errorThis server does not serve auth.jitsi4.inxpirius.com</stream:error>
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1064)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1000)
at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1016)
at java.base/java.lang.Thread.run(Thread.java:834)
2020-05-21 01:26:43.386 INFO: [24] org.ice4j.ice.harvest.StunMappingCandidateHarvester.discover: Discovered public address 82.223.49.110:56284/udp from STUN server 15.236.83.15:443/udp using local address 82.223.49.110:0/udp
2020-05-21 01:26:43.386 INFO: [20] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Using org.ice4j.ice.harvest.StunMappingCandidateHarvester, face=/82.223.49.110, mask=/82.223.49.110
2020-05-21 01:26:43.386 INFO: [20] org.ice4j.ice.harvest.MappingCandidateHarvesters.initialize: Initialized mapping harvesters (delay=122ms). stunDiscoveryFailed=false
2020-05-21 01:26:48.366 WARNING: [22] [hostname=localhost id=shard] MucClient.lambda$getConnectAndLoginCallable$7#643: [MucClient id=shard hostname=localhost] error connecting

AND CONTINUES

Do you have a clue about what may be going on?

Alejandro_Biondo · May 21, 2020, 9:20pm

Now it’s working.

I found the issue. When upgrading the prosody from 0.10 to 0.11, it changes my prosody.cfg.lua and deleted the line (the last one) that says: <<<include “conf.d/*.cfg.lua”>>>

It was very simple at least.