JWT service for Jitsi

At fairkom we have developed our own token service for Keycloak https://git.fairkom.net/armin.felder/jitsi-token-service

For the record, there is also one from Jitsi. Here is a guide by an AI bot:

Generic Jitsi Token Service for HumHub

To enable JWT token authentication for Jitsi in HumHub, you'll need to configure both Jitsi and HumHub accordingly. This setup allows users to authenticate using JSON Web Tokens (JWTs) when accessing Jitsi meetings within HumHub. Here’s a step-by-step guide:

1. Set Up Jitsi Server with JWT Authentication

  1. Install Prosody and Jitsi Meet: Make sure your Jitsi instance is running with the Prosody XMPP server, which handles user authentication.

  2. Install the jitsi-meet-tokens package:

    • This package allows Jitsi to support JWT token-based authentication. You can install it by running:
      sudo apt install jitsi-meet-tokens
  3. Configure Prosody for JWT Authentication:

    • Open your Jitsi Prosody configuration file (usually located at /etc/prosody/conf.avail/YOUR-DOMAIN.cfg.lua).
    • Add or modify the following sections to enable JWT authentication:
      VirtualHost "YOUR-DOMAIN"
          authentication = "token"
          app_id = "YOUR_APP_ID"  -- Replace with your app_id
          app_secret = "YOUR_APP_SECRET"  -- Replace with your app_secret
          allow_empty_token = false
  4. Configure Jitsi Meet:

    • In your Jitsi Meet configuration file (/etc/jitsi/meet/YOUR-DOMAIN-config.js), set the JWT token authentication configuration to enable secure access:
      config.jwt = {
          enable: true,
          aud: 'YOUR_APP_ID' // Replace with your app_id
      };
  5. Restart Jitsi Services:

    • After configuring Prosody and Jitsi Meet, restart the services for the changes to take effect:
      sudo systemctl restart prosody
      sudo systemctl restart jicofo
      sudo systemctl restart jitsi-videobridge2

2. Integrate JWT Authentication in HumHub

  1. Install a Jitsi Module for HumHub (Optional):

    • If you're using a specific HumHub module for Jitsi, check if it has built-in support for JWT tokens.
    • You may find it in the HumHub Marketplace or GitHub.
  2. Generate JWT Tokens in HumHub:

    • In HumHub, you’ll need to generate a JWT token when users initiate or join a Jitsi meeting.
    • Use the app_id and app_secret configured on your Jitsi server to generate the JWT. An example in PHP:
      require 'vendor/autoload.php'; // Composer autoloader (firebase/php-jwt)
      
      use \Firebase\JWT\JWT;
      
      $appId = "YOUR_APP_ID";
      $appSecret = "YOUR_APP_SECRET";
      $room = "uniqueRoomIdentifier"; // Generate a unique identifier for each room
      
      $payload = [
          "aud" => $appId,
          "iss" => $appId,
          "sub" => "YOUR-DOMAIN",
          "room" => $room,
          "exp" => time() + (60 * 60), // Token expires in 1 hour
      ];
      
      // firebase/php-jwt v6 and later require the algorithm as the third argument
      $jwt = JWT::encode($payload, $appSecret, 'HS256');
  3. Embed JWT Token in Jitsi URL:

    • When redirecting users to a Jitsi room from HumHub, append the JWT token as a URL parameter:
      $jitsiUrl = "https://YOUR-DOMAIN/$room?jwt=$jwt";
  4. Test the Setup:

    • Log in to HumHub and start or join a Jitsi meeting. Verify that users are authenticated via JWT.

Troubleshooting

  • Incorrect Configuration: If you encounter errors, check both your Jitsi and Prosody configuration files for syntax or parameter issues.
  • JWT Errors: Ensure the app_id and app_secret used for encoding the JWT in HumHub match those on your Jitsi server.

This setup will enable JWT token-based authentication for your HumHub-Jitsi integration, securing access to meetings.

Jitsi Token Service in Docker for HumHub

To create a JWT token for Jitsi in HumHub using a Jitsi Docker image, follow these steps. This process typically involves configuring JWT in the Jitsi Docker setup, creating a token with the necessary payload and signing key, and then using it within HumHub.

Step 1: Configure Jitsi Docker for JWT Authentication

  1. Set up the environment variables for JWT in your Jitsi Docker configuration. Modify the .env file in your Jitsi Docker setup and add the following JWT-related settings:

    # Enable JWT auth
    ENABLE_AUTH=1
    ENABLE_GUESTS=1
    AUTH_TYPE=jwt
    
    # JWT specific configuration
    # Your app ID (any string you choose)
    JWT_APP_ID=your_app_id
    # A strong secret (random string)
    JWT_APP_SECRET=your_app_secret
    # Should match JWT_APP_ID
    JWT_ACCEPTED_ISSUERS=your_app_id
    # Optional, but useful if you have multiple apps
    JWT_ACCEPTED_AUDIENCES=your_audience

    Replace your_app_id, your_app_secret, and your_audience with your own values.

  2. Rebuild and restart the Jitsi containers for the changes to take effect:

    docker-compose down
    docker-compose up -d

Step 2: Generate a JWT Token for Jitsi

To create the JWT token, you'll use the JWT_APP_ID and JWT_APP_SECRET you configured earlier. The token must contain specific claims for Jitsi to recognize it as valid. Here’s how to create the token:

  1. Define the JWT payload in JSON format. For example:

    {
      "aud": "your_audience",         // Optional, must match JWT_ACCEPTED_AUDIENCES if set
      "iss": "your_app_id",           // Must match JWT_APP_ID
      "sub": "meet.jitsi",            // Fixed value for Jitsi
      "room": "*",                    // Or specify a room name if you want room-specific tokens
      "exp": 1735689600               // Expiration time in Unix format (1735689600 is 2025-01-01 00:00:00 UTC)
    }
  2. Generate the token using a JWT library or an online JWT generator, signing it with HS256 and using the JWT_APP_SECRET as the signing key.

    Here’s an example of generating it with Node.js:

    const jwt = require('jsonwebtoken');
    
    const payload = {
      aud: 'your_audience',          // Audience
      iss: 'your_app_id',            // Issuer
      sub: 'meet.jitsi',             // Subject, fixed for Jitsi
      room: '*',                     // Room name or * for all rooms
      exp: Math.floor(Date.now() / 1000) + (60 * 60) // Expires in 1 hour
    };
    
    const token = jwt.sign(payload, 'your_app_secret', { algorithm: 'HS256' });
    
    console.log(token);

    Replace 'your_audience', 'your_app_id', and 'your_app_secret' with your values.
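
The claim checks that both token snippets above depend on (the PHP one in the generic guide and the Node.js one in this step), as an added example that is not part of the original guide or of Jitsi's own code: it mints a room-scoped, short-lived HS256 token with Node's built-in crypto module and validates signature, issuer, audience, expiry and room as the payload comments describe. The function names, the `cfg` object and the sample secret are assumptions made for illustration.

```javascript
// Added example (not Jitsi's or the guide's code): HS256 JWT using Node's crypto only.
const crypto = require('crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Mint a token for one room with a short lifetime instead of room "*".
function mintToken({ appId, audience, secret, room, ttlSeconds = 300, now = Date.now() }) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const claims = b64url(JSON.stringify({
    aud: audience, iss: appId, sub: 'meet.jitsi', room,
    exp: Math.floor(now / 1000) + ttlSeconds,
  }));
  return `${header}.${claims}.${b64url(hmac(`${header}.${claims}`, secret))}`;
}

// Validate a token for a given room; returns 'ok' or the reason for rejection.
function checkToken(token, room, cfg, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'malformed';
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch { return 'malformed'; }
  if (!header || !claims) return 'malformed';
  // Pin the algorithm: never let the token header choose it.
  if (header.alg !== 'HS256') return 'bad alg';
  const expected = hmac(`${h}.${p}`, cfg.secret);
  const given = Buffer.from(s, 'base64url');
  // Constant-time comparison of the signature bytes.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return 'bad signature';
  if (!cfg.acceptedIssuers.includes(claims.iss)) return 'bad issuer';
  if (cfg.acceptedAudiences && !cfg.acceptedAudiences.includes(claims.aud)) return 'bad audience';
  if (typeof claims.exp !== 'number' || claims.exp <= Math.floor(now / 1000)) return 'expired';
  if (claims.room !== '*' && claims.room !== room) return 'wrong room';
  return 'ok';
}

// Constructed sample configuration (placeholder values, not real credentials).
const cfg = {
  secret: 'constructed-example-secret',
  acceptedIssuers: ['your_app_id'],
  acceptedAudiences: ['your_audience'],
};

const demo = mintToken({ appId: 'your_app_id', audience: 'your_audience', secret: cfg.secret, room: 'team-standup' });
console.log(checkToken(demo, 'team-standup', cfg), checkToken(demo, 'other-room', cfg));
```

A token minted with `room: '*'` passes the room check for every room name, so a per-room token with a short `exp` limits what a leaked URL can be used for.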

Step 3: Integrate JWT Token in HumHub

  1. In HumHub, locate the configuration where you add the Jitsi integration URL. Typically, the Jitsi URL with JWT is formatted like:

    https://your-jitsi-domain/room-name?jwt=your_jwt_token
  2. Replace your-jitsi-domain with your Jitsi server URL, and your_jwt_token with the token generated in Step 2.

  3. Embed this URL in the appropriate place within HumHub to allow users to join Jitsi rooms with JWT authentication.

Example URL with JWT Token

Assuming the token generated is eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..., and your Jitsi server is https://meet.example.com, the URL would look like:

https://meet.example.com/room-name?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...

Users who access this URL in HumHub should be able to join the specified Jitsi room with JWT-based authentication.

Edited by Roland Alton