H2-invent / jitsi-admin

Organize and fully control your jitsi meet meetings. Make your meeting secure and be sure that only you and your fellows can join your meeting.
https://meetling.de
GNU Affero General Public License v3.0

question about the jitsi-admin API #339

Closed dvision1979 closed 1 year ago

dvision1979 commented 2 years ago

Hi @holema,

Long time, no see. Everything ok?

I have a burning question: How can I obtain a JWT token from the API, or any other way, so that I can programmatically authenticate from another app against the Jitsi iframe?

I need to also have access to the Jitsi iframe API, that's why I need the above.

EDIT: And yes, of course I got a license, so that I can use the API. :)

holema commented 2 years ago

Hello @danionescu2007,

It's all good, we are working on some great new features of the jitsi-admin. I created your API key ;)

Up to now, there is no possibility to get the JWT from the API. This can be an interesting feature but there are some security questions. Should we create a separate API endpoint or should we add it to the normal room information? I'm not sure what the best solution is.

The second question: I'm not sure what the reason for this use case is: If you build your own jitsi-iframe application with the JWT we can provide via the API, you have full access to the Jitsi iframe API. In the jitsi-admin this is not possible, because we already consume the Jitsi iframe API.

holema commented 2 years ago

I just realized that it is not that easy to give you the JWT. The problem is that the JWT includes the name of the user who wants to join the meeting. This name is not known up to now. And I don't think we should provide a moderator JWT with the name of the organizer to almost everyone. This could lead to a security breach.

dvision1979 commented 2 years ago

Hi @holema and thanks for the answer.

There was only one question :)

Considering all these things together, IMHO there should be a special API against which one should authenticate with an API key along with the username and the password. This would ensure that some third party will never find out anything but what they already know ;). What do you think about this idea?

holema commented 2 years ago

Hello @danionescu2007,

The authentication with username is not that easy, because we use Keycloak. So the client has to authenticate against Keycloak and then against the jitsi-admin. This is only possible via a separate JWT.

What exactly do you need the JWT for? Is the user who will consume the meeting registered at the jitsi-admin too, or is the user an anonymous user?

dvision1979 commented 2 years ago

Hi @holema

The users are registered in jitsi-admin and need to authenticate to the Jitsi server from another app. I don't want to give the users access to jitsi-admin, only give them the JWT. This way I can administer time slots etc. and they can get authorized as moderators on the Jitsi server. Thanks.

holema commented 1 year ago

Closed because of inactivity.
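
The concern raised in the thread, that a moderator JWT carrying the organizer's name must not be handed to every caller, can be illustrated with an issuer that takes name and role from the requesting registered user and scopes the token to one room and a short lifetime. This is an added example, not jitsi-admin code and not written by either commenter; the claim layout, API key, secret, users and room names are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data; none of these values come from jitsi-admin.
API_KEY = "example-api-key"
JWT_SECRET = b"example-shared-secret"
USERS = {"alice": "Alice Example", "bob": "Bob Example"}
ROOM_MODERATORS = {"weekly-sync": {"alice"}}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(api_key, user_id, room, now=None, ttl=300):
    """Return a room-scoped, short-lived token for one registered user, or None."""
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(api_key.encode(), API_KEY.encode()) or user_id not in USERS:
        return None
    claims = {
        # Claim names are an assumed layout for a Jitsi-style token.
        "aud": "jitsi", "iss": "example-app", "sub": "meet.example.org",
        "room": room, "nbf": now, "exp": now + ttl,
        # Name and role come from the requesting user, never from the organizer.
        "context": {"user": {"name": USERS[user_id]}},
        "moderator": user_id in ROOM_MODERATORS.get(room, set()),
    }
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": "HS256", "typ": "JWT"}, claims)]
    signature = hmac.new(JWT_SECRET, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(signature)])

def verify_token(token, room, now=None):
    """Return the claims if algorithm, signature, room and validity window all check out."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        expected = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        ok = (header["alg"] == "HS256"
              and hmac.compare_digest(b64url_decode(sig), expected)
              and claims["room"] == room
              and claims["nbf"] <= now < claims["exp"])
    except (ValueError, TypeError, KeyError):
        return None
    return claims if ok else None
```
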