Jitsi Meet Tokens¶
Presentation¶
Jitsi Meet is a WebRTC-based video conferencing application, powering the meet.jit.si online service.
Users may install their own instance of Jitsi Meet for private use, in which case, they may use authentication to control the creation of conference rooms.
Jitsi Meet uses a custom JWT-based protocol to authenticate users. Some technical details can be found in the documentation repo.
LemonLDAP::NG can act as a JWT issuer for Jitsi Meet.
As of 2.19.0, only a single Jitsi server per LemonLDAP::NG installation is supported.
Configuring LemonLDAP::NG¶
Jitsi Meet Tokens issuer¶
Go in General Parameters » Issuer modules » Jitsi Meet Tokens and configure:
Activation: set to On.
Path: keep ^/jitsi/ unless you want to change the prefix of endpoints
Use rule: a rule to select which users can use this module, set to 1 to allow all users
Tip
For example, to allow only members of the jitsi-meet group:
inGroup('jitsi-meet')
Options¶
Jitsi Meet server URL: The base URL of your Jitsi Meet server
Application ID: The application identifier
Shared secret: The application shared secret, only needed if you use HS* signature algorithms
Signature algorithm: The signature algorithm to use. By default HS256 is used, which requires a shared secret.
Signature algorithms¶
There are two ways for the Jitsi Meet server to validate the token authenticity:
Using HS* signature algorithms. In that case, LemonLDAP::NG and the Jitsi Meet server will use a shared secret. This is simpler to set up, but less secure than public keys.
Using a different signature algorithm. In that case, the Jitsi Meet server will use LemonLDAP::NG’s public key to validate the token. RS256 is recommended.
Important
LemonLDAP::NG will attempt to use the OpenID Connect private key to emit JWTs, which means you need to create a key in OpenID Connect Service > Security > Keys if you intend to use public-key signature.
Attribute mapping¶
Identifier attribute: Specify the LemonLDAP::NG session attribute to be used for the context.user.id field in the token. By default, the main LemonLDAP::NG identifier is used.
Name attribute: Specify the LemonLDAP::NG session attribute to be used for the context.user.name field in the token.
Mail attribute: Specify the LemonLDAP::NG session attribute to be used for the context.user.email field in the token.
Configuring Jitsi Meet¶
If you are using the Docker-based install, refer to the Jitsi Meet documentation on token authentication.
Here are the variables you need to adjust when using LemonLDAP::NG:
Variable | Value |
---|---|
ENABLE_AUTH | 1 |
AUTH_TYPE | jwt |
JWT_APP_ID | Same as Application ID |
JWT_APP_SECRET | If |
JWT_ACCEPTED_ISSUERS | |
JWT_ACCEPTED_AUDIENCES | Same as Application ID |
JWT_ASAP_KEYSERVER | If public-key signature is used: |
TOKEN_AUTH_URL | |
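The following Python sketch is an added example, not LemonLDAP::NG or Jitsi Meet code. It shows how the settings above fit together in the HS256 case: a token carrying the three mapped attributes is signed with the shared secret, then validated with a pinned algorithm and issuer, audience, expiry and room checks. The application ID, secret, issuer URL and session attribute names (uid, cn, mail) are constructed values, and the iss, aud, exp and room claims are assumed from Jitsi's general token format.

```python
import base64, hashlib, hmac, json, time

# Constructed values (assumptions); in practice they come from the settings above.
APP_ID = "my-jitsi-app"  # Application ID / JWT_APP_ID / JWT_ACCEPTED_AUDIENCES
SHARED_SECRET = b"constructed-demo-secret"  # Shared secret / JWT_APP_SECRET
ISSUER = "https://auth.example.com/"  # placeholder for JWT_ACCEPTED_ISSUERS

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(session: dict, room: str, ttl: int = 300) -> str:
    """Issuer side: HS256 token carrying the mapped session attributes."""
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {
        "iss": ISSUER, "aud": APP_ID, "room": room,
        "exp": int(time.time()) + ttl,
        "context": {"user": {"id": session["uid"], "name": session["cn"],
                             "email": session["mail"]}},
    }
    signing_input = f"{header}.{b64u(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64u(sign(signing_input))}"

def validate(token: str, room: str) -> dict:
    """Verifier side: returns context.user, raises ValueError on any failure."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(b64u_dec(head_b64)), json.loads(b64u_dec(body_b64))
        sig = b64u_dec(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("not a JSON object")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm, never follow the header
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sig, sign(f"{head_b64}.{body_b64}")):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("aud") != APP_ID:
        raise ValueError("issuer or audience not accepted")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    if claims.get("room") not in ("*", room):
        raise ValueError("token not valid for this room")
    return claims["context"]["user"]
```

With a public-key algorithm such as RS256, only the signature step changes: the verifier checks against the issuer's public key and no longer holds a secret that could mint tokens.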