igniterealtime / openfire-pade-plugin

A plugin for Openfire that offers web-based unified communications - chat, groupchat, telephone, audio and video conferencing.
Apache License 2.0

JWT token is not working #312

Closed narayansikarwar closed 3 years ago

narayansikarwar commented 3 years ago

Please help me to achieve JWT token-based authorization.

deleolajide commented 3 years ago

Sorry. I have no intention of supporting JWT token-based authorization with Pade. The whole point of Pade is to use the user directory in Openfire which is very pluggable to authenticate users. JWT is for the standalone version of Jitsi Meet that needs a third party authority to authenticate users.

narayansikarwar commented 3 years ago

@deleolajide, thanks for your reply. Actually, I have developed the Android app using Smack and Openfire. Now I want to add a video calling feature in my Android app. Can I use the Smack Android client with this?

gjaekel commented 3 years ago

Because one may chain up to three, it might be possible to write an (additional) Authorization Provider class for OpenFire. This might expect the JSON WebToken as the "password" and maybe a fixed (configurable) user "jwt". It might be possible to continue here with another value for the user or at least for the display name which is extracted from the token.

Then, our custom scripts may take the JWT passed to the URL and pass it as Login data via the XMPP credentials override mechanism to OpenFire. It will get authorized (or not) and continue as this special user (or the "real" user, if possible)

@deleolajide Does that sound like a possible way?

deleolajide commented 3 years ago

> @deleolajide Does that sound like a possible way?

I still don't appreciate the purpose or the need of JWT token authentication with Pade. What problem are we solving?

deleolajide commented 3 years ago

> I want to add a video calling feature in my Android app. Can I use the Smack Android client with this?

Use the Jitsi Android SDK to embed a Jitsi Meet UI in your application. See https://github.com/igniterealtime/pademi

gjaekel commented 3 years ago

I may report a use case: Some weeks ago I had a discussion with a responsible person at a school. They are currently using a "vanilla" Jitsi setup and have a homemade schedule board (called Dashboard https://leute.tagesspiegel.de/steglitz-zehlendorf/unter-nachbarn/2021/01/14/155025/ - https://translate.google.com/translate?sl=de&tl=en&u=https://leute.tagesspiegel.de/steglitz-zehlendorf/unter-nachbarn/2021/01/14/155025/ - https://www.youtube.com/watch?v=1x57yEzvjgI).

Every pupil has a personal login and gets his personal schedule. If there is e.g. some class test, he gets his own "proved" link to the test suite. If there is an a/v conference, he gets a link to the "right" room with a proved identity. This integration works with JWTs.

Now, they really would like to test out and probably use some of our features like Breakout Rooms, Shared Mouse Pointer or even the Raised Hands Count. But user and access management via JWT is a must-have for their workflow.

deleolajide commented 3 years ago

> Now, they really would like to test out and probably use some of our features like Breakout Rooms, Shared Mouse Pointer or even the Raised Hands Count. But user and access management via JWT is a must-have for their workflow.

A very good use case 👍

However, in my humble opinion, it makes sense to add the Breakout Rooms, Shared Mouse Pointer or even the Raised Hands Count directly to their vanilla Jitsi instance via JavaScript by modifying their index.html and adding custom-ofmeet.js as we do, rather than trying to code an Openfire User Provider + SASL Mechanism + JWT Tokens server-side into Pade.

gjaekel commented 3 years ago

I may propose that. But will Breakout Rooms need something on the XMPP server?

narayansikarwar commented 3 years ago

> > I want to add a video calling feature in my Android app. Can I use the Smack Android client with this?
>
> Use the Jitsi Android SDK to embed a Jitsi Meet UI in your application. See https://github.com/igniterealtime/pademi

I tried this, but how do I log in to this? It requires authorization, and in this Android SDK there is no way to log in with username and password; the only way to log in is a JWT token. [image] I want to skip this step because the user is already logged in (connected to the Openfire XMPP server using Smack) in the mobile app. @deleolajide does it make sense?

deleolajide commented 3 years ago

I have not used the Jitsi Android SDK for a while, but in lib-jitsi-meet, to remove that screen, you call the XMPP connection's connect method with username and password.

https://jitsi.github.io/handbook/docs/dev-guide/dev-guide-ljm-api

```js
var connection = new JitsiMeetJS.JitsiConnection(null, null, options);
```

See code https://github.com/jitsi/lib-jitsi-meet/blob/baa78aca40541b87b44d5218bcdef2a7be5fee59/JitsiConnection.js#L60

deleolajide commented 3 years ago

> I may propose that. But will Breakout Rooms need something on the XMPP server?

No. It uses localStorage on the client. No server-side code required.

Check out my ipade project that runs the Pade version of Jitsi-Meet from GitHub Pages with static pages only. https://github.com/inspired-futures/ipade https://inspired-futures.github.io/ipade/index.html?room=AnyRoomNameYouLike

gjaekel commented 3 years ago

Then, they should be able to simply replace the upstream version of the Jitsi Web Client by our code tree, i.e. in fact just add a few files and the index.js that hooks them!

narayansikarwar commented 3 years ago

@deleolajide After spending time on your suggestion, I could not find anything helpful; the JitsiConnection still wants a JWT token for authentication. See the code below: [image]

So in your suggestion `var connection = new JitsiMeetJS.JitsiConnection(null, null, options);` the first argument is appID, and the second one is the JWT token. I hope you understand what I mean. Note: you can check it out at the link below: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

deleolajide commented 3 years ago

> I could not find anything helpful; the JitsiConnection still wants a JWT token for authentication.

```js
JitsiConnection.prototype.connect = function(options = {}) {
    this.xmpp.connect(options.id, options.password);
};
```

The JWT is optional. See the code of the link I posted. You set username and password in the options.

I would be very surprised if username/password authentication with the XMPP server is disabled, as Jicofo needs it and it is a core feature of XMPP.

gjaekel commented 3 years ago

To my understanding, a JWT is a stateless authorization: A receiver can trust the contents, if he is able to verify the integrity of the signature. The payload is public and typically includes the purpose, an expiration date and here probably items to identify the user the token is issued for.

The Jitsi Web Client might verify and read out the contents of the JWT, but the server side must either know and authorize "that" user. Or just trust the token to represent a complimentary ticket and map it to an anonymous pseudo user.
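
The two ideas raised in this thread, a token passed as the "password" of a fixed user "jwt" and a payload that is trusted only once its signature verifies, put together as an added example; it is not code from the thread, Pade, Openfire or Jitsi. HS256 with a shared secret, the `sub`/`name`/`exp` claim layout and the function names `signJwt` and `authenticate` are assumptions made for the illustration.

```javascript
// Added example (assumptions: HS256, shared secret, claims sub/name/exp).
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Issuer side, for the demo only (e.g. the dashboard that hands out room links).
function signJwt(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Receiver side: the token arrives as the password of the fixed user "jwt".
// Returns { ok, reason } on failure or { ok, user, displayName } on success.
function authenticate(username, password, secret, nowSec = Math.floor(Date.now() / 1000)) {
  if (username !== 'jwt') return { ok: false, reason: 'not a token login' };
  const parts = String(password).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed token' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed token' };
  }
  // Pin the algorithm; the token must not get to choose it ("none", other families).
  if (header?.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  // Claims are readable by anyone, but only trusted from this point on.
  if (typeof claims?.exp !== 'number' || claims.exp <= nowSec) {
    return { ok: false, reason: 'expired' };
  }
  if (typeof claims.sub !== 'string' || claims.sub === '') {
    return { ok: false, reason: 'no subject' };
  }
  return { ok: true, user: claims.sub, displayName: claims.name || claims.sub };
}
```

The returned `user` and `displayName` are what a server-side provider would map to a known account or to an anonymous pseudo user.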