xmpp: add jwt authentication support

pull/50/head
Paul Tiedtke 6 years ago committed by Saúl Ibarra Corretgé
parent a235af06d0
commit df36d71542
  1. 11
      README.md
  2. 5
      docker-compose.yml
  3. 15
      env.example
  4. 16
      prosody/Dockerfile
  5. 21
      prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua
  6. 8
      prosody/rootfs/etc/cont-init.d/10-config

@ -140,6 +140,17 @@ Once in the container, run the following command to create a user:
``prosodyctl --config /config/prosody.cfg.lua register user meet.jitsi password``
#### Authentication using JWT tokens
You can also use JWT tokens to authenticate users. To enable it you have to enable authentication via both `ENABLE_AUTH` & `JWT_ENABLE_TOKEN_AUTH` environment variables and configure the settings you can see below.
Variable | Description | Example
--- | --- | ---
`JWT_ENABLE_TOKEN_AUTH` | Enable authentication via JWT tokens | 1
`JWT_APP_ID` | Application identifier | my_jitsi_app_id
`JWT_APP_SECRET` | Application secret known only to your token | my_jitsi_app_secret
`JWT_ACCEPTED_ISSUERS` | (Optional) Set asap_accepted_issuers as a comma separated list | my_web_client,my_app_client
`JWT_ACCEPTED_AUDIENCES` | (Optional) Set asap_accepted_audiences as a comma separated list | my_server1,my_server2
### Advanced configuration
These configuration options are already set and generally don't need to be changed.

@ -54,6 +54,11 @@ services:
- JVB_AUTH_PASSWORD
- JIGASI_XMPP_USER
- JIGASI_XMPP_PASSWORD
- JWT_ENABLE_TOKEN_AUTH
- JWT_APP_ID
- JWT_APP_SECRET
- JWT_ACCEPTED_ISSUERS
- JWT_ACCEPTED_AUDIENCES
- TZ
networks:
meet.jitsi:

@ -62,6 +62,21 @@ TZ=Europe/Amsterdam
# Enable guest access.
#ENABLE_GUESTS=1
# Enable authentication via JWT tokens.
#JWT_ENABLE_TOKEN_AUTH=1
# Application identifier.
#JWT_APP_ID=my_jitsi_app_id
# Application secret known only to your token.
#JWT_APP_SECRET=my_jitsi_app_secret
# (Optional) Set asap_accepted_issuers as a comma separated list.
#JWT_ACCEPTED_ISSUERS=my_web_client,my_app_client
# (Optional) Set asap_accepted_audiences as a comma separated list.
#JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
#
# Advanced configuration options (you generally don't need to change these)
#

@ -1,11 +1,25 @@
FROM jitsi/base
ADD https://raw.githubusercontent.com/jitsi/jitsi-meet/fc129d9849ca5e26245d54df6451931b6c179987/resources/prosody-plugins/token/util.lib.lua /prosody-plugins/token/util.lib.lua
ADD https://raw.githubusercontent.com/jitsi/jitsi-meet/fc129d9849ca5e26245d54df6451931b6c179987/resources/prosody-plugins/mod_token_verification.lua /prosody-plugins/mod_token_verification.lua
ADD https://raw.githubusercontent.com/jitsi/jitsi-meet/fc129d9849ca5e26245d54df6451931b6c179987/resources/prosody-plugins/mod_auth_token.lua /prosody-plugins/mod_auth_token.lua
RUN sed -i s/hook/hook_global/g /prosody-plugins/mod_auth_token.lua
RUN \
apt-dpkg-wrap apt-get update && \
apt-dpkg-wrap apt-get install -y lua5.2 liblua5.2-dev libssl1.0-dev lua-basexx luarocks gcc git && \
apt-dpkg-wrap apt-get install -t stretch-backports -y prosody && \
apt-cleanup && \
rm -rf /etc/prosody
RUN \
luarocks install lua-cjson 2.1.0-1 && \
luarocks install luajwtjitsi
RUN \
apt-dpkg-wrap apt-get remove -y liblua5.2-dev libssl1.0-dev gcc git && \
apt-cleanup
COPY rootfs/ /
EXPOSE 5222 5269 5347 5280

@ -1,10 +1,25 @@
admins = { "{{ .Env.JICOFO_AUTH_USER }}@{{ .Env.XMPP_AUTH_DOMAIN }}" }
plugin_paths = { "/prosody-plugins-custom" }
plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
http_default_host = "{{ .Env.XMPP_DOMAIN }}"
{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool) .Env.JWT_ACCEPTED_ISSUERS }}
asap_accepted_issuers = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_ISSUERS) }}" }
{{ end }}
{{ if and (.Env.ENABLE_AUTH | default "0" | toBool) (.Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool) .Env.JWT_ACCEPTED_AUDIENCES }}
asap_accepted_audiences = { "{{ join "\",\"" (splitList "," .Env.JWT_ACCEPTED_AUDIENCES) }}" }
{{ end }}
VirtualHost "{{ .Env.XMPP_DOMAIN }}"
{{ if .Env.ENABLE_AUTH | default "0" | toBool }}
{{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
authentication = "token"
app_id = "{{ .Env.JWT_APP_ID }}"
app_secret = "{{ .Env.JWT_APP_SECRET }}"
allow_empty_token = false
{{ else }}
authentication = "internal_plain"
{{ end }}
{{ else }}
authentication = "anonymous"
{{ end }}
@ -52,8 +67,10 @@ Component "{{ .Env.XMPP_MUC_DOMAIN }}" "muc"
{{ if .Env.XMPP_MUC_MODULES }}
"{{ join "\";\n\"" (splitList "," .Env.XMPP_MUC_MODULES) }}";
{{ end }}
{{ if .Env.JWT_ENABLE_TOKEN_AUTH | default "0" | toBool }}
"token_verification";
{{ end }}
}
Component "focus.{{ .Env.XMPP_DOMAIN }}"
component_secret = "{{ .Env.JICOFO_COMPONENT_SECRET }}"

@ -10,6 +10,14 @@ if [[ "$(stat -c %U /config)" != "prosody" ]]; then
chown -R prosody /config
fi
if [[ "$(stat -c %U /prosody-plugins)" != "prosody" ]]; then
chown -R prosody /prosody-plugins
fi
if [[ "$(stat -c %U /prosody-plugins-custom)" != "prosody" ]]; then
chown -R prosody /prosody-plugins-custom
fi
if [[ ! -f $PROSODY_CFG ]]; then
cp -r /defaults/* /config
tpl /defaults/conf.d/jitsi-meet.cfg.lua > /config/conf.d/jitsi-meet.cfg.lua

Loading…
Cancel
Save