jitsi-keycloak does not issue scoped JWTs

[micolous]

Jitsi Meet uses two non-standard claims to scope a JWT:

• sub: which contains either a tenant identifier, domain, or * (allow all)
• room: which contains a room name or * (allow all)

jitsi-keycloak sets both of these to *:

https://github.com/d3473r/jitsi-keycloak/blob/5a895d88e735a89c8936a754c29545b676087aaf/server/src/app.js#L47-L48

https://github.com/d3473r/jitsi-keycloak/blob/5a895d88e735a89c8936a754c29545b676087aaf/server/src/app.js#L67

There does not appear to be any way to limit the scope of the issued tokens, so they will be valid for any Jitsi instance or room which accepts JWTs from the jitsi-keycloak instance.

[d3473r]

Hi, thank you for issue, with version v1.3.0 (commit https://github.com/d3473r/jitsi-keycloak/commit/1972e255b59808cfe1bb8bcb15f54e8ad6387556) it is now possible to use the ALLOWED_SUB and ALLOWED_ROOM environment variables to restrict the generated jwt