What is Token and how to use it?

I installed Jitsi using the school-script of @emrah.
I have read several guides, including this one, but these are guides aimed at those who have understood the concept of tokens in Jitsi. I am at the beginning and I didn’t understand how the token system works.
Neither how to create it, nor how to use it.
What is the Token? Where is it?
When the user types jists.mydomain.tld from his browser or smartphone must he already have something installed on his PC or smartphone?
Is there a guide for beginners like me?

There are many docs and videos which explain the concept. Search for “JWT

Jitsi tokens are basically JSON Web Tokens (JWT). See JSON Web Token Introduction - jwt.io

When the user types jists.mydomain.tld from his browser or smartphone must he already have something installed on his PC or smartphone?

They won’t need anything installed but neither is it something users can/should enter themselves.

One way token auth is used is when your users already authenticate with your own application and you want them to be able to access Jitsi without re-authenticating. In this case, your application would generate the token for the verified user and redirect/load Jitsi with the token supplied. The token would have been generated using a shared secret or cert, which allows Jitsi to validate the authenticity of the token without direct API calls to your app.

If you’re instead looking at users authenticating directly with Jitsi, you might want to use Secure Domains instead. See Secure Domain setup · Jitsi Meet Handbook

Forgive me, but I’m new to Jitsi and even with all my good will I can’t quite understand what you are saying to me.
I have read at least twenty guides and I found some clarifications on how the token works.
It is about the configuration of Jitsi and its use that I did not understand.

  1. in which file should I write the Payloads?
  2. Does each teacher / students need to have their own payload?
  3. In “Student token (payload) sample” there is the “room” parameter: “classroom-name”. This appears to be related to the classroom, not the Meet room. Is that right?
  4. How can I create a meeting? Before I was creating the room on the Home Page. How do I create it now?
  5. Before, it was enough to type https://meet.mydomain.com/room-name. Today I have to type https://meet.mydomain.com/room-name?jwt=very-long-jwt-value. However, I did not understand where and when this “very-long-jwt-value” should be defined. I also create 10 or 20 room-names a day.
  6. In another thread I was suggested to use LDAP. Can I use it together with Tokens? How?

Before we dive further into how to use JWT with Jitsi, mind if I ask what your end goal is here? As in, how do you envision your users joining a meeting?

  1. Going directly to the meeting URL
  2. Going directly to the meeting URL (but require username/password to join)
  3. Logging into a different application that you have built, then being directed to the meeting from the app?
  4. (something else)

Reason I’m asking is because if your answer is 1 or 2, then tokens are probably not what you need right now. If 3, then we’re on the right track. (and if 4, then it depends :slight_smile: )

@shawn
Having to manage a school I used the school-script of @emrah.
I believe the tokens are expected from his script. I don’t know if it’s possible to integrate it with other authentication systems or how to remove the option if it’s not needed.
Teachers have to organize online lessons, but these are simple video conferences so I don’t need additional applications like Moodle.
Each teacher creates her own “meeting” and only his/her students participate in it, plus other people that the teacher can invite. For example, the teacher might invite another teacher or an external speaker.
So some people know them because they are teachers and students. We do not know the others because they are occasionally invited.
In another thread I posed the problem of not having to create individual invitations for each meeting because these are often repetitive activities.
I was thinking of something that allows a teacher to quickly create his/her “meeting” and send the link to the people I have to attend: students and guests.
No one else can participate in this particular meeting, while they can participate in other meetings as long as they are authorized to do so.

I was advised to use LDAP which I only know by name as I was studying how to use it.

My problem is with a school but it can be generalized for a company.
The sales manager can arrange a meeting with his salespeople, inviting an external partner or marketing officers.

As for point 3, as I said I am not thinking about an application, but I accept suggestions.
For example on how to use LDAP or different web pages, as long as these are also accessible to individual groups of people.
In my study case, teachers, students and other people are NOT users of the Linux server because only a few technicians work on the server.

Thank you for indulging my curiosity.

I’m afraid I have never explored school-script so cannot comment on that.

Based on my (limited) experience with Jitsi, my impression is that if all you need is simple video conference and no need to integrate with anything else, then implementing tokens is not going to help.

Assuming I understood your requirements correctly, I personally would have gone for a simpler setup:

  1. Set up Secure Domain so only users authenticated with username+password can create rooms. (see Secure Domain setup · Jitsi Meet Handbook). Then create an account in Prosody for teachers and sales managers so they can create rooms and invite others.
  2. Anyone (students, guests, etc) will be able to join if they have the link to a room. If you wish to tighten this a little without creating accounts for all attendees, you could:
    a. Make sure the teachers use a new hard-to-guess room name for each session so only those that have been sent the link can access the room
    b. and/or enable the lobby feature so the room creator can manually vet and let in participants

I should clarify I am just a nosy lurker and not an expert in Jitsi, so do take my pondering with a pinch of salt.

But to answer your specific questions:

The payload is embedded within the JWT token. So the very long string that gets passed as the token is actually an encoded version of the full payload, plus some header and footer details to allow the consuming server (Jitsi in this case) to validate the authenticity of the token.

For example:

That’s a screenshot from the interactive debugger here: https://jwt.io/

Practically yes, since the token identifies a specific user and could be used to set the user’s role or bestow specific privileges or features to the user of the token.

The “room” parameter will have to match the jitsi room name for the token to be accepted. So for https://meet.mydomain.com/room-name?jwt=very-long-jwt-value, the “room” parameter will need to be “room-name”.

You can also use “*” in the token to indicate any room.

In Jitsi, a room is created when a user joins. So you could just enter any arbitrary page e.g. https://meet.jit.si/SomethingRandom17892 and room “SomethingRandom17892” will be created. The home page just presents you with a nice form to do it.

As I alluded to previously, the token is usually generated by an application you integrate with. It is possible to generate them using scripts per attendee, then send them links to the meeting with the long ugly jwt token appended. But this is really not how it’s meant to be used.

Hence my comments on tokens possibly not being the right solution if you’re not integrating with something else that does this for you.

No idea. I don’t think so.

1 Like
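Added example, not part of any post in this thread and not Jitsi's or the school-script's own code: a standard-library Python sketch of what the replies above describe, an application signing a per-user payload with a shared secret, and the receiving side checking the signature, expiry and the "room" claim (exact name or "*") without calling the application. HS256 signing, the claim names other than "room", the secret and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # placeholder; the real secret is shared by your app and Jitsi

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(room, name, ttl=3600, now=None):
    """Issuer side: run by your application after it has authenticated the user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"room": room, "exp": now + ttl, "context": {"user": {"name": name}}}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)  # header.payload.signature

def check_token(token, requested_room, now=None):
    """Receiving side (hypothetical sketch): returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        payload = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    # Pin the algorithm instead of trusting whatever the token header claims.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected algorithm"
    expected = hmac.new(SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    # Only now is the payload trusted.
    if payload.get("exp", 0) <= now:
        return False, "expired"
    if payload.get("room") not in ("*", requested_room):
        return False, "room mismatch"
    return True, "ok"

def meeting_url(base, room, token):
    return f"{base}/{room}?jwt={token}"
```

The payload is only base64url-encoded, not encrypted, so anyone holding the link can read it and use it until "exp" passes; a short lifetime and a specific "room" instead of "*" limit what a leaked link is good for.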

@shawn
I try to summarize to see if I have understood correctly.
Solution 1) for each user I manually generate the Token with room = “*” with https://jwt.io/ and then I send several long links to all invited users.
Solution 2) is an application to manage tokens and send them to users; but what applications are we talking about? Doing some research on the net I have not found even one. In other words, are there any examples of how to use tokens in practice?

Tokens are used from within other applications when doing integration, applications where there is already authentication implemented.

^ what he said :slight_smile:

Solution 1) for each user I manually generate the Token with room = “*” with https://jwt.io/ and then I send several long links to all invited users.

Not really. This is not a scalable solution (time wise), and sending people links with JWT attached “works” but defeats the purpose of the token. Anyone that intercepts that link would be able to get into the room, so you might as well just send links to room without auth enabled.

I will reiterate that tokens are good if you already have an app that does auth and you want to be able to hand-off authenticated users to Jitsi.

If that is not the case, tokens may not be the solution for you.

P.S. Just noticed I made a horrific typo in my post above. I meant to say “not going to help”. Sorry :bowing_man:t4:

Jitsi only needs the link which contains the JWT token. Creating the token is not in the scope of Jitsi. You need another system/software which will create the token. The payload is related with this part.

The payload contains some data specific to the user: username, email, expire time, allowed room etc. Therefore a suitable payload is needed for each user and for each session in most use cases.

This is the meeting room. They are the same.

The room will be created when the first user comes in.

This is the token value and it should be created using another system/software. It’s not in the scope of Jitsi. jitsi-school-installer has a folder /root/jwt which contains some sample PHP scripts. Check them.

1 Like

OK. I understood, but can you give me some examples of applications where to integrate Jitsi?
At least I know what to look for.

The only thing that comes to mind is to integrate it into a website with Joomla or Wordpress, but I’m missing the purpose, because I do not think it makes much sense to install Joomla only to manage Jitsi tokens.
How are you using Jitsi? In what context and for what?
Can I manage tokens with LDAP?

Apparently you don’t have anything in place to integrate with, so explore the secure domain instructions … users will authenticate with username and password, this can be integrated with LDAP.

OK. No Token. Many thanks.