JWT service for Jitsi
At fairkom we have developed our own token service for Keycloak https://git.fairkom.net/armin.felder/jitsi-token-service
For the record, there is also one from Jitsi. Here is a guide by an AI bot:
Generic Jitsi Token Service for HumHub
To enable JWT token authentication for Jitsi in HumHub, you'll need to configure both Jitsi and HumHub accordingly. This setup allows users to authenticate using JSON Web Tokens (JWTs) when accessing Jitsi meetings within HumHub. Here’s a step-by-step guide:
1. Set Up Jitsi Server with JWT Authentication
- Install Prosody and Jitsi Meet: Make sure your Jitsi instance is running with the Prosody XMPP server, which handles user authentication.
- Install the jitsi-meet-tokens package:
  - This package allows Jitsi to support JWT token-based authentication. You can install it by running:
        sudo apt install jitsi-meet-tokens
- Configure Prosody for JWT Authentication:
  - Open your Jitsi Prosody configuration file (usually located at /etc/prosody/conf.avail/YOUR-DOMAIN.cfg.lua).
  - Add or modify the following sections to enable JWT authentication:
        VirtualHost "YOUR-DOMAIN"
            authentication = "token"
            app_id = "YOUR_APP_ID"         -- Replace with your app_id
            app_secret = "YOUR_APP_SECRET" -- Replace with your app_secret
            allow_empty_token = false
- Configure Jitsi Meet:
  - In your Jitsi Meet configuration file (/etc/jitsi/meet/YOUR-DOMAIN-config.js), set the JWT token authentication configuration to enable secure access:
        config.jwt = {
            enable: true,
            aud: 'YOUR_APP_ID' // Replace with your app_id
        };
- Restart Jitsi Services:
  - After configuring Prosody and Jitsi Meet, restart the services for the changes to take effect:
        sudo systemctl restart prosody
        sudo systemctl restart jicofo
        sudo systemctl restart jitsi-videobridge2
2. Integrate JWT Authentication in HumHub
- Install a Jitsi Module for HumHub (Optional):
  - If you're using a specific HumHub module for Jitsi, check if it has built-in support for JWT tokens.
  - You may find it in the HumHub Marketplace or GitHub.
- Generate JWT Tokens in HumHub:
  - In HumHub, you’ll need to generate a JWT token when users initiate or join a Jitsi meeting.
  - Use the app_id and app_secret configured on your Jitsi server to generate the JWT. An example in PHP:
        use \Firebase\JWT\JWT;

        $appId = "YOUR_APP_ID";
        $appSecret = "YOUR_APP_SECRET";
        $room = "uniqueRoomIdentifier"; // Generate a unique identifier for each room

        $payload = [
            "aud" => $appId,
            "iss" => $appId,
            "sub" => "YOUR-DOMAIN",
            "room" => $room,
            "exp" => time() + (60 * 60), // Token expires in 1 hour
        ];

        // firebase/php-jwt v6 and later require the algorithm as the third argument
        $jwt = JWT::encode($payload, $appSecret, 'HS256');
- Embed JWT Token in Jitsi URL:
  - When redirecting users to a Jitsi room from HumHub, append the JWT token as a URL parameter:
        $jitsiUrl = "https://YOUR-DOMAIN/$room?jwt=$jwt";
- Test the Setup:
  - Log in to HumHub and start or join a Jitsi meeting. Verify that users are authenticated via JWT.
Troubleshooting
- Incorrect Configuration: If you encounter errors, check both your Jitsi and Prosody configuration files for syntax or parameter issues.
- JWT Errors: Ensure the app_id and app_secret used for encoding the JWT in HumHub match those on your Jitsi server.
This setup will enable JWT token-based authentication for your HumHub-Jitsi integration, securing access to meetings.
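A local check for the "JWT Errors" case under Troubleshooting, as an added example (not part of the original guide, and not Prosody's own validation code): it verifies an HS256 token against the configured app_id, app_secret and domain, following the payload of the PHP example above, and reports which check fails. The function names, the `cfg` object and the sample room name are assumptions.

```javascript
const crypto = require('crypto');
const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest();

// Mint an HS256 token; used here only to build the constructed samples.
function signToken(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmac(`${head}.${body}`, secret))}`;
}

// Return the findings for a token; an empty list means it passes every check.
function checkJitsiToken(token, cfg, room, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return ['not a three-part JWT'];
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString()) || {};
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString()) || {};
  } catch (e) { return ['header or payload is not valid JSON']; }
  const findings = [];
  // Pin the algorithm instead of trusting whatever the header announces.
  if (header.alg !== 'HS256') findings.push('alg is not HS256');
  const expected = hmac(`${parts[0]}.${parts[1]}`, cfg.appSecret);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    findings.push('signature mismatch (different app_secret?)');
  if (claims.iss !== cfg.appId) findings.push('iss does not match app_id');
  if (claims.aud !== cfg.appId) findings.push('aud does not match app_id');
  if (claims.sub !== cfg.domain) findings.push('sub does not match the domain');
  if (typeof claims.exp !== 'number' || claims.exp <= now)
    findings.push('exp missing or in the past');
  if (claims.room === '*') findings.push('wildcard room: token opens every room');
  else if (claims.room !== room) findings.push('room claim does not cover this room');
  return findings;
}

// Constructed sample values (placeholders from the guide, not real credentials).
const cfg = { appId: 'YOUR_APP_ID', appSecret: 'YOUR_APP_SECRET', domain: 'YOUR-DOMAIN' };
const NOW = 1700000000; // fixed clock so the sample is reproducible
const sampleClaims = { aud: cfg.appId, iss: cfg.appId, sub: cfg.domain,
                       room: 'team-standup', exp: NOW + 3600 };
const good = signToken(sampleClaims, cfg.appSecret);
const badSecret = signToken(sampleClaims, 'SOME_OTHER_SECRET');
console.log(checkJitsiToken(good, cfg, 'team-standup', NOW));      // no findings
console.log(checkJitsiToken(badSecret, cfg, 'team-standup', NOW)); // signature finding
```

Running it against a token copied from a failing meeting URL shows whether the fault lies in the secret, a claim, or the expiry before any server configuration is changed.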
Jitsi Token Service in Docker for HumHub
To create a JWT token for Jitsi in HumHub using a Jitsi Docker image, follow these steps. This process typically involves configuring JWT in the Jitsi Docker setup, creating a token with the necessary payload and signing key, and then using it within HumHub.
Step 1: Configure Jitsi Docker for JWT Authentication
- Set up the environment variables for JWT in your Jitsi Docker configuration. Modify the .env file in your Jitsi Docker setup and add the following JWT-related settings:
        # Enable JWT auth
        ENABLE_AUTH=1
        ENABLE_GUESTS=1
        AUTH_TYPE=jwt

        # JWT specific configuration
        # This should be your app ID (any string you choose)
        JWT_APP_ID=your_app_id
        # This should be a strong secret (random string)
        JWT_APP_SECRET=your_app_secret
        # Should match JWT_APP_ID
        JWT_ACCEPTED_ISSUERS=your_app_id
        # Optional, but useful if you have multiple apps
        JWT_ACCEPTED_AUDIENCES=your_audience
  Replace your_app_id, your_app_secret, and your_audience with your own values.
- Rebuild and restart the Jitsi containers for the changes to take effect:
        docker-compose down
        docker-compose up -d
Step 2: Generate a JWT Token for Jitsi
To create the JWT token, you'll use the JWT_APP_ID and JWT_APP_SECRET you configured earlier. The token must contain specific claims for Jitsi to recognize it as valid. Here’s how to create the token:
- Define the JWT payload in JSON format. For example:
        {
          "aud": "your_audience",
          "iss": "your_app_id",
          "sub": "meet.jitsi",
          "room": "*",
          "exp": 1735689600
        }
  The claims are:
  - aud: Optional, must match JWT_ACCEPTED_AUDIENCES if set
  - iss: Must match JWT_APP_ID
  - sub: Fixed value for Jitsi
  - room: "*", or specify a room name if you want room-specific tokens
  - exp: Expiration time in Unix format (1735689600 is 2025-01-01 00:00:00 UTC)
- Generate the token using a JWT library or an online JWT generator, signing it with HS256 and using the JWT_APP_SECRET as the signing key.
  Here’s an example of generating it with Node.js:
        const jwt = require('jsonwebtoken');

        const payload = {
          aud: 'your_audience', // Audience
          iss: 'your_app_id',   // Issuer
          sub: 'meet.jitsi',    // Subject, fixed for Jitsi
          room: '*',            // Room name or * for all rooms
          exp: Math.floor(Date.now() / 1000) + (60 * 60) // Expires in 1 hour
        };

        const token = jwt.sign(payload, 'your_app_secret', { algorithm: 'HS256' });
        console.log(token);
  Replace 'your_audience', 'your_app_id', and 'your_app_secret' with your values.
Step 3: Integrate JWT Token in HumHub
- In HumHub, locate the configuration where you add the Jitsi integration URL. Typically, the Jitsi URL with JWT is formatted like:
        https://your-jitsi-domain/room-name?jwt=your_jwt_token
- Replace your-jitsi-domain with your Jitsi server URL, and your_jwt_token with the token generated in Step 2.
- Embed this URL in the appropriate place within HumHub to allow users to join Jitsi rooms with JWT authentication.
Example URL with JWT Token
Assuming the token generated is eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..., and your Jitsi server is https://meet.example.com, the URL would look like:
        https://meet.example.com/room-name?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...
Users who access this URL in HumHub should be able to join the specified Jitsi room with JWT-based authentication.