Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mattermost generating a invalid JWT token #222

Open
arifulislamat opened this issue Sep 17, 2022 · 5 comments
Open

Mattermost generating a invalid JWT token #222

arifulislamat opened this issue Sep 17, 2022 · 5 comments

Comments

@arifulislamat
Copy link

arifulislamat commented Sep 17, 2022

Mattermost Version: 7.1.3 (Enterprise Edition)

Plugin Version:2.0.0

Describe the issue: JWT token isn't working. Jitsi is working fine with other software with JWT. The token generate from mattermost plugin has a Invalid Signature reported by jwt.io

Server Error Logs:
muc.meet.jitsi:token_verification error Token .... not allowed to join: [email protected]/04f87ad7

Google Chrome Error Logs: VM232 app.bundle.min.js:138 2022-09-17T11:24:37.358Z [conference.js] <Nce._onConferenceFailed>: CONFERENCE FAILED: conference.connectionError.notAllowed

Screenshots:
image

Additional context
So, I have Mattermost and Jitsi self-hosted instance. both are running as docker container behind Nginx proxy server. Everything is in order, and the Jitsi plugin for Mattermost also functions without JWT. However, it doesn't work when I activate JWT on the Jitsi server and set the app-id and secret appropriately on Mattermost.

@arifulislamat arifulislamat changed the title Mattermost generating invalid JWT token Mattermost generating a invalid JWT token Sep 17, 2022
@x1h0
Copy link

x1h0 commented Oct 5, 2022

I had the same error and was able to bypass it for now by adjusting the envars at docker-jitsi-meet with:

JWT_ENABLE_DOMAIN_VERIFICATION=0

@arifulislamat
Copy link
Author

Thanks for your reply. I tried to added it on my .env file, didn't workout for me.

# Enable authentication
ENABLE_AUTH=1

# Enable guest access
ENABLE_GUESTS=1

# Select authentication type: internal, jwt, ldap or matrix
AUTH_TYPE=jwt

# JWT authentication
#
JWT_ENABLE_DOMAIN_VERIFICATION=0

image

@domibarton
Copy link

We do have on-prem hosting of Mattermost & Jitsi as well. As @arifulislamat, we get the same error:

muc.meet.jitsi:token_verification                            error      Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJtZWV0IiwiaXNzIjoibWVldCIsInN1YiI6Im1lZXQuY29uZmlybS5jaCIsImV4cCI6MTY2NzgxOTI4NiwiY29udGV4dCI6eyJ1c2VyIjp7ImF2YXRhciI6IiIsIm5hbWUiOiIiLCJlbWFpbCI6IiIsImlkIjoiIn0sImdyb3VwIjoiIn0sInJvb20iOiJTdHJvbmdCcmlkZXNEZWxlZ2F0ZVNseWx5In0.00nhE10I9eqXoEDeojroqjdaZx4Z44DuZA3RSpgbXnw not allowed to join: [email protected]/92d7e3b9

I also tried setting JWT_ENABLE_DOMAIN_VERIFICATION as by @x1h0 suggested, but it didn't work:

I had the same error and was able to bypass it for now by adjusting the envars at docker-jitsi-meet with:

JWT_ENABLE_DOMAIN_VERIFICATION=0

Still the same error.

Environment:

  • Official Jitsi Docker images
  • Image version stable-7882
  • Plugin version 2.0.0

@domibarton
Copy link

domibarton commented Nov 7, 2022

Still the same error.

Stupid stupid me! I made a typo in the variable. Overriding JWT_ENABLE_DOMAIN_VERIFICATION worked!
Here are our .env overrides with stable-7882:

# System time zone
TZ=Europe/Zurich

# Public URL for the web service (required)
PUBLIC_URL=<URL>

# Control whether the lobby feature should be enabled or not
ENABLE_LOBBY=1

# Show a prejoin page before entering a conference
ENABLE_PREJOIN_PAGE=1

# Enable recording
ENABLE_RECORDING=1

# Enable authentication
ENABLE_AUTH=1

# Enable guest access
ENABLE_GUESTS=1

# Select authentication type: internal, jwt or ldap
AUTH_TYPE=jwt

# Application identifier
JWT_APP_ID=meet

# Disable JWT domain verification (see https://github.com/mattermost/mattermost-plugin-jitsi/issues/222).
JWT_ENABLE_DOMAIN_VERIFICATION=0

# Set etherpad-lite URL in docker local network
ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001

# Name your etherpad instance!
ETHERPAD_TITLE=Etherpad

# The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to the Etherpad of confirm IT solutions!\n\n"

# Name of the skin for etherpad
ETHERPAD_SKIN_NAME=colibris

# Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS="super-dark-toolbar super-dark-editor dark-background full-width-editor"

# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/recordings

# The finalizing script. Will run after recording is complete
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/finalise.sh

As well as these CI/CD variables:

image

Please note we're simply fetching the origin Docker Compose & .env file and overriding what's necessary:

VERSION=stable-7882
GIT_URL=https://raw.githubusercontent.com/jitsi/docker-jitsi-meet/${VERSION}

env:
	curl -sSfLo .env ${GIT_URL}/env.example
	cat .env.confirm >>.env

@arifulislamat
Copy link
Author

I gave it another try because it was working for you. It didn't work out for me, sadly. To match your version, I've also tried using an upgraded version of Jitsi.

However, this time I was able to discover exactly why it was giving me that error.

Mattermost generated token takes the Jitsi hostname and puts it on the subject, it looks like this:
https://github.com/mattermost/mattermost-plugin-jitsi/blob/f52f77ee59f80507809a6f472d68138c9dccad94/server/plugin.go#L281

{
  "aud": "meet",
  "iss": "meet",
  "sub": "meet.domain.tld",
  "room": "my_room",
  "exp": 1667895840
}

The same token operates if I replace an asterisk (*) for the subject string.

 "sub": "*"

I realized as I read more about this that what @x1h0 proposed ought to work. Nevertheless, perhaps I am still missing something.

@domibarton Thanks for sharing your workaround!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants