JWT Auth - RS512 unsupported, because cannot possibly supply private key in the JWT_APP_SECRET variable

[DevelopingEntitiesWithFuntations]

In JWT Auth environment variables there's no alternative to provide a private key file or to add it directly to the JWT_APP_SECRET variable, because it will complain about the first "+" in the private key.

I wanted to implement RS512 JWT checking, but realized it's not possible to do that with Docker at least, because the Lua script will simply fail at one of those characters.

It would be nice to mention that in the documentation with the supported algs.

[DevelopingEntitiesWithFuntations]

Weird because here they mention RS256 for example: https://github.com/jitsi/lib-jitsi-meet/blob/master/doc/tokens.md

[saghul]

What images version are you using and how does your .env file look like?

[DevelopingEntitiesWithFuntations]

@saghul Thank you for your prompt reply. I am running stable-9364 and the .env looks like this (only the essential stuff so that I don't flood with unnecessary entries):

# Enable authentication
ENABLE_AUTH=1

# Enable guest access
ENABLE_GUESTS=1

# Select authentication type: internal, jwt, ldap or matrix
AUTH_TYPE=jwt

# JWT authentication
#

# Application identifier
JWT_APP_ID=myjitsiid

# Application secret known only to your token generator
JWT_APP_SECRET=-----BEGIN RSA PRIVATE KEY-----
keycontentshere
-----END RSA PRIVATE KEY-----

Perhaps I just need to dearmor it, but I haven't seen any functionality in the code to actually support RS512 like that as mentioned above

[damencho]

To use RS512 you need to setup: JWT_ASAP_KEYSERVER

docker-jitsi-meet/prosody/rootfs/defaults/conf.d/jitsi-meet.cfg.lua

Line 151 in 03b6ca2

asap_key_server = "{{ .Env.JWT_ASAP_KEYSERVER }}"

For the Public Key Validation a key server must be provided via asap_key_server .... 

[DevelopingEntitiesWithFuntations]

@damencho ahh the documentation states or looks as if the two variables JWT_APP_ID and JWT_APP_SECRET were required, but blog posts and similar seem to state that the latter one is optional in that case...

[damencho]

Yep it is secret or asap server.

[damencho]

https://github.com/jitsi/jitsi-meet/blob/5d84a4cc9055dca1d03150eb537cd78eea73c99a/resources/prosody-plugins/token/util.lib.lua#L96

[DevelopingEntitiesWithFuntations]

Yup, so that specific part of documentation is weirdly written, but the code is correct.

[DevelopingEntitiesWithFuntations]

Please reopen, since when I try using RS512 with a static kid and a static pubkey and privkey I get the following error:

2024-03-26 19:14:22 meet.jitsi:auth_token                                        warn   Error verifying token err:not-allowed, reason:Invalid or incorrect alg

[damencho]

What it is the jwt header?

[DevelopingEntitiesWithFuntations]

I've used static kid and pubkey to minimize the amount of variables at play here if you're wondering.. in an OIDC flow it would be hard to comprehend where is the error originating from

[saghul]

There is a parameter to co figure the key mode, did you set it?

[DevelopingEntitiesWithFuntations]

What it is the jwt header?

{
  "alg": "RS512",
  "typ": "JWT",
  "kid": "RS512.key.pub"
}

[DevelopingEntitiesWithFuntations]

There is a parameter to co figure the key mode, did you set it?

You mean JWT_AUTH_TYPE ?

[damencho]

And you have on the public key server file with the public key: 1e498e0c1d6dd521618c0da2fd301aa9f9a5e44986b52a617c078cfb5c554c1b.pem?

[DevelopingEntitiesWithFuntations]

And you have on the public key server file with the public key: 1e498e0c1d6dd521618c0da2fd301aa9f9a5e44986b52a617c078cfb5c554c1b.pem?

Yes, it doesn't get 404 anymore. I fixed it beforehand, initially I named it just the hash without the .pem file ending

[DevelopingEntitiesWithFuntations]

It fetches the cert for sure, that's what I wanted to say. I don't get it why I get the error. It seems to originate from luajwtjitsi.lib.lua

[DevelopingEntitiesWithFuntations]

I'm gonna post the contents of the payload for safety as well. For example, I didn't set nbf to 0...

[DevelopingEntitiesWithFuntations]

{
  "context": {
    "user": {
      "avatar": "https://assets1.cbsnewsstatic.com/hub/i/r/2016/03/11/6c23251d-8ace-457d-a99b-55b7b8141354/thumbnail/1240x1748/60fcbf89ce937196e5a5bfc9f5af3ab2/gettyimages-514174416.jpg",
      "name": "Dev",
      "email": "me@homeboy.home"
    }
  },
  "moderator": true,
  "iat": 1711474277,
  "nbf": 1711474297,
  "exp": 1719363545,
  "aud": "jitsi-app",
  "iss": "jitsi-app",
  "sub": "meet.jitsi",
  "room": "*"
}

[saghul]

https://github.com/jitsi/jitsi-meet/blob/bb49c92cc40f23d8203173b5b538d5dc789216c9/resources/prosody-plugins/token/util.lib.lua#L47

This needs to be configured to RS512. If there is an ASAP key server we default to RS256.

I don't think we expose a setting for it in Docker, we'd need to add one.

[DevelopingEntitiesWithFuntations]

https://github.com/jitsi/jitsi-meet/blob/bb49c92cc40f23d8203173b5b538d5dc789216c9/resources/prosody-plugins/token/util.lib.lua#L47

This needs to be configured to RS512. If there is an ASAP key server we default to RS256.

I don't think we expose a setting for it in Docker, we'd need to add one.

I tried manually setting the default to RS512, but I need to reload the config to test it. Is it possible somehow within the container? (only for testing purposes)

[saghul]

Alas i don't think so. You could volume mount a modified file.

[DevelopingEntitiesWithFuntations]

Managed to reload it with prosodyctl --config /config/prosody.cfg.lua restart, that's the fix, yeah, silly silly default :P

[damencho]

Not sure you can do that in docker, but:

prosodyctl reload
prosodyctl module reload auth_token

[DevelopingEntitiesWithFuntations]

What's the best approach to fix this? To detect the alg instead of relying on defaults?

[damencho]

To expose a setting to be able to change default in docker.

[DevelopingEntitiesWithFuntations]

To expose a setting to be able to change default in docker.

The problem is that it's not part of the prosody/rootfs folder...

I wanted to add it like this:

{{ $JWT_TOKEN_TYPE := .Env.PROSODY_JWT_TOKEN_TYPE | default "RS512" -}}

but it would not work :/

[saghul]

It can be because it's a Prosody module setting.

[DevelopingEntitiesWithFuntations]

How do I expose it then? With a static volume mount / bind mount?

[saghul]

An option with the name signature_algorithm needs to be exposed, akin to app_id.

[DevelopingEntitiesWithFuntations]

Didn't have any rights to make a new branch and/or make a PR so forked it and edited it accordingly: https://github.com/DevelopingEntitiesWithFuntations/docker-jitsi-meet/ (it's forked from master though...) This should solve the issue

[DevelopingEntitiesWithFuntations]

Nvm, managed to create a pull request, please look into it :)

[DevelopingEntitiesWithFuntations]

Please reopen..

In the .env I added the following: JWT_SIGN_TYPE=RS512

And yet in the prosody latest stable container I get the following error:
Error verifying token err:not-allowed, reason:Invalid or incorrect alg

[damencho]

And do you see in the result configuration the correct parameter signature_algorithm?

[damencho]

That param was added on the wrong place, just for jigasi virtual host.

[damencho]

That needs to go under the VirtualHost "{{ $XMPP_DOMAIN }}" and you should remove it from the jigasi.meet.jitsi host.

[DevelopingEntitiesWithFuntations]

Silly mistake from my side, sorry... Created new PR..