Mattermost generating a invalid JWT token #222

Open
arifulislamat opened this issue Sep 17, 2022 · 5 comments

arifulislamat commented Sep 17, 2022

Mattermost Version: 7.1.3 (Enterprise Edition)

Plugin Version: 2.0.0

Describe the issue: JWT token isn't working. Jitsi is working fine with other software with JWT. The token generated by the Mattermost plugin has an Invalid Signature, as reported by jwt.io.

Server Error Logs:
muc.meet.jitsi:token_verification error Token .... not allowed to join: admin-sqxnrreiqlejibpnrpyc@muc.meet.jitsi/04f87ad7

Google Chrome Error Logs: VM232 app.bundle.min.js:138 2022-09-17T11:24:37.358Z [conference.js] <Nce._onConferenceFailed>: CONFERENCE FAILED: conference.connectionError.notAllowed


Additional context
So, I have self-hosted Mattermost and Jitsi instances. Both are running as Docker containers behind an Nginx proxy server. Everything is in order, and the Jitsi plugin for Mattermost also functions without JWT. However, it doesn't work when I activate JWT on the Jitsi server and set the app-id and secret appropriately on Mattermost.

arifulislamat changed the title from "Mattermost generating invalid JWT token" to "Mattermost generating a invalid JWT token" on Sep 17, 2022

x1h0 commented Oct 5, 2022

I had the same error and was able to bypass it for now by adjusting the envars at docker-jitsi-meet with:

JWT_ENABLE_DOMAIN_VERIFICATION=0

arifulislamat (Author) commented

Thanks for your reply. I tried adding it to my .env file, but it didn't work out for me.

# Enable authentication
ENABLE_AUTH=1

# Enable guest access
ENABLE_GUESTS=1

# Select authentication type: internal, jwt, ldap or matrix
AUTH_TYPE=jwt

# JWT authentication
#
JWT_ENABLE_DOMAIN_VERIFICATION=0


domibarton commented

We do have on-prem hosting of Mattermost & Jitsi as well. Like @arifulislamat, we get the same error:

muc.meet.jitsi:token_verification                            error      Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJtZWV0IiwiaXNzIjoibWVldCIsInN1YiI6Im1lZXQuY29uZmlybS5jaCIsImV4cCI6MTY2NzgxOTI4NiwiY29udGV4dCI6eyJ1c2VyIjp7ImF2YXRhciI6IiIsIm5hbWUiOiIiLCJlbWFpbCI6IiIsImlkIjoiIn0sImdyb3VwIjoiIn0sInJvb20iOiJTdHJvbmdCcmlkZXNEZWxlZ2F0ZVNseWx5In0.00nhE10I9eqXoEDeojroqjdaZx4Z44DuZA3RSpgbXnw not allowed to join: strongbridesdelegateslyly@muc.meet.jitsi/92d7e3b9

I also tried setting JWT_ENABLE_DOMAIN_VERIFICATION as suggested by @x1h0, but it didn't work:

I had the same error and was able to bypass it for now by adjusting the envars at docker-jitsi-meet with:

JWT_ENABLE_DOMAIN_VERIFICATION=0

Still the same error.

Environment:

  • Official Jitsi Docker images
  • Image version stable-7882
  • Plugin version 2.0.0


domibarton commented Nov 7, 2022

Still the same error.

Stupid stupid me! I made a typo in the variable. Overriding JWT_ENABLE_DOMAIN_VERIFICATION worked!
Here are our .env overrides with stable-7882:

# System time zone
TZ=Europe/Zurich

# Public URL for the web service (required)
PUBLIC_URL=<URL>

# Control whether the lobby feature should be enabled or not
ENABLE_LOBBY=1

# Show a prejoin page before entering a conference
ENABLE_PREJOIN_PAGE=1

# Enable recording
ENABLE_RECORDING=1

# Enable authentication
ENABLE_AUTH=1

# Enable guest access
ENABLE_GUESTS=1

# Select authentication type: internal, jwt or ldap
AUTH_TYPE=jwt

# Application identifier
JWT_APP_ID=meet

# Disable JWT domain verification (see https://github.com/mattermost/mattermost-plugin-jitsi/issues/222).
JWT_ENABLE_DOMAIN_VERIFICATION=0

# Set etherpad-lite URL in docker local network
ETHERPAD_URL_BASE=http://etherpad.meet.jitsi:9001

# Name your etherpad instance!
ETHERPAD_TITLE=Etherpad

# The default text of a pad
ETHERPAD_DEFAULT_PAD_TEXT="Welcome to the Etherpad of confirm IT solutions!\n\n"

# Name of the skin for etherpad
ETHERPAD_SKIN_NAME=colibris

# Skin variants for etherpad
ETHERPAD_SKIN_VARIANTS="super-dark-toolbar super-dark-editor dark-background full-width-editor"

# Directory for recordings inside Jibri container
JIBRI_RECORDING_DIR=/recordings

# The finalizing script. Will run after recording is complete
JIBRI_FINALIZE_RECORDING_SCRIPT_PATH=/finalise.sh

As well as these CI/CD variables:

[image]

Please note we're simply fetching the origin Docker Compose & .env file and overriding what's necessary:

VERSION=stable-7882
GIT_URL=https://raw.githubusercontent.com/jitsi/docker-jitsi-meet/${VERSION}

env:
	curl -sSfLo .env ${GIT_URL}/env.example
	cat .env.confirm >>.env

arifulislamat (Author) commented

I gave it another try because it was working for you. It didn't work out for me, sadly. To match your version, I've also tried using an upgraded version of Jitsi.

However, this time I was able to discover exactly why it was giving me that error.

The Mattermost-generated token takes the Jitsi hostname and puts it in the subject; it looks like this:
https://github.com/mattermost/mattermost-plugin-jitsi/blob/f52f77ee59f80507809a6f472d68138c9dccad94/server/plugin.go#L281

{
  "aud": "meet",
  "iss": "meet",
  "sub": "meet.domain.tld",
  "room": "my_room",
  "exp": 1667895840
}

The same token operates if I substitute an asterisk (*) for the subject string.

 "sub": "*"

I realized as I read more about this that what @x1h0 proposed ought to work. Nevertheless, perhaps I am still missing something.

@domibarton Thanks for sharing your workaround!
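
An added diagnostic, not part of the thread and not the plugin's or Jitsi's own code, that separates the two failure causes discussed above: a bad HS256 signature versus a `sub` claim that does not match the domain. The helper names, the secret and the `meet.jitsi` XMPP domain (taken from the `muc.meet.jitsi` log lines) are assumptions, and the `sub` rule is a simplified model of the check that `JWT_ENABLE_DOMAIN_VERIFICATION` toggles.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _mac(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token so the example runs offline."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = head + "." + body
    return signing_input + "." + _b64url(_mac(signing_input, secret))

def diagnose(token, secret, xmpp_domain, domain_verification=True, now=None):
    """Return the names of the failed checks; an empty list means accepted."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        return ["alg"]  # never let the token choose its own algorithm
    claims = json.loads(_unb64url(body))
    failed = []
    if not hmac.compare_digest(_mac(head + "." + body, secret), _unb64url(sig)):
        failed.append("signature")  # wrong shared secret or altered token
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        failed.append("exp")
    # Simplified model (assumption): sub must equal the XMPP domain or be "*".
    if domain_verification and claims.get("sub") not in ("*", xmpp_domain):
        failed.append("sub")
    return failed

# Constructed inputs: the claims posted in the thread, a made-up secret, and
# a fixed clock so the sample token is not treated as expired.
SECRET = b"constructed-app-secret"
CLAIMS = {"aud": "meet", "iss": "meet", "sub": "meet.domain.tld",
          "room": "my_room", "exp": 1667895840}
NOW = 1667890000

if __name__ == "__main__":
    token = sign_hs256(CLAIMS, SECRET)
    print("verification on :", diagnose(token, SECRET, "meet.jitsi", now=NOW))
    print("wrong secret    :", diagnose(token, b"wrong", "meet.jitsi", now=NOW))
    print("verification off:", diagnose(token, SECRET, "meet.jitsi", False, now=NOW))
```

A result containing only `sub` while the signature passes points at a hostname versus XMPP-domain mismatch rather than a wrong app secret.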
