Authentication is an important aspect of software. Jitsi, an open source video conferencing platform, allows us to authenticate using different methods. This article assumes that you have a basic understanding of JWT tokens, Keycloak and Jitsi. The goal of this article is to show how to secure your Jitsi service using Keycloak.

Private Key-Public Key JWT Tokens

The figure below gives an overview of how the process works: the app first authenticates itself with Keycloak to retrieve the JWT token, after which it can use that token to access Jitsi.

[Figure: Basic Jitsi Keycloak Authentication Flow]

JWT tokens can use two methods to prove their authenticity. The first is a shared secret known by every system that needs to verify the tokens. This is the easier approach, but it is a bit tedious since we have to keep the secret synced across all the applications. The other approach for verifying JWT tokens is using private and public keys, which Keycloak also supports. For this, Keycloak signs the JWT using its private key: it takes the JWT header and JWT payload and signs them with the private key, as shown in the diagram below.

[Figure: Generating JWT Signature using Private Key]

To verify the authenticity of a JWT token we take the public key, the received JWT header and JWT payload, and verify them against the signature of the JWT.

[Figure: Verifying JWT Signature using Public Key]

Keycloak Configuration

Navigate to the client that you are using for the app in the Keycloak admin panel. Head over to the “Mappers” tab, which shows the different custom or built-in claims that have been set up. Click the “Create” button on the top right to create custom mappers, which is what we need to do.

Jitsi needs two claims inside the JWT: “room” and “bnf”. The “room” claim is checked to decide whether the user has access to a certain room. For the “room” claim you can either take it from the user properties, where it can be controlled using the admin APIs available to you. But for this example I’ll be using the hardcoded value “*”, which tells Jitsi that the token has access to every room. The “bnf” claim can be set to a constant 0 (zero).

After creating these mappers, your client should have its mappers section populated with the two created mappers. If you check the JWT token provided to your application using a JWT decoding tool, you can verify that the claims are actually there.

[Figure: Payload of the JWT token with new claims]

Jitsi Configuration

Edit the .env file and put the following configs into it:

# Select authentication type: internal, jwt or ldap
# JWT authentication
# Application identifier
# (Optional) Set asap_accepted_issuers as a comma separated list
JWT_ACCEPTED_ISSUERS=test
# (Optional) Set asap_accepted_audiences as a comma separated list
# JWT_ACCEPTED_AUDIENCES=my_server1,my_server2
JWT_ASAP_KEYSERVER=

JWT_ACCEPTED_ISSUERS is the field where you specify the iss (issuer) values of the JWT token, so that only tokens whose issuer is in the configured list are permitted to access the rooms. Likewise, JWT_ACCEPTED_AUDIENCES controls access using the aud property of the JWT. JWT_ASAP_KEYSERVER is the property that tells Jitsi where to get the public key with which to verify the JWT token.

For this you have to create a service that serves the public key. The Jitsi server requests the public key using the kid property in the JWT header. The kid of a JWT will remain the same as long as the same private/public key pair is used for signing the token. The Jitsi server takes the SHA-256 hash of the kid property and requests it from the key server configured in JWT_ASAP_KEYSERVER. In this case sha256("1DKOk8q4Dc9BSgDLmksFemg5lEGuoYQvYrHVOnXNj3k") is "e15452c2c03fc8afdb1d558953ab30ffd235a622fad1175de7f791a3c86eb08d".
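As an added example (my own code, not code from this article, from Keycloak or from Jitsi), the following Go program walks the whole flow end to end: an RSA key pair stands in for Keycloak's signing key, SignJWT produces an RS256 token whose header carries the kid quoted above and whose payload carries iss, aud, room and bnf, StartKeyServer is a minimal in-process version of the "service that serves the public key" that answers the hex(sha256(kid)) lookup, and VerifyJWT checks the token the way the Jitsi side does, enforcing the comma-separated JWT_ACCEPTED_ISSUERS and JWT_ACCEPTED_AUDIENCES lists. Assumptions beyond the article: the key server path ends in ".pem" (that suffix is how I understand the Jitsi token module to build the URL; the article only states the hash), the issuer and audience values are constructed, and aud is treated as a single string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SampleKid is the kid quoted in the article; all other values in this file are constructed for the example.
const SampleKid = "1DKOk8q4Dc9BSgDLmksFemg5lEGuoYQvYrHVOnXNj3k"

// SignJWT does what Keycloak does: SHA-256 over base64url(header).base64url(payload),
// signed with the private key (RS256); the kid travels in the header.
func SignJWT(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:]) // fails only for a malformed key
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// KeyPath is what Jitsi asks the key server for: hex(sha256(kid)). The ".pem" suffix is my assumption, not from the article.
func KeyPath(kid string) string {
	h := sha256.Sum256([]byte(kid))
	return "/" + hex.EncodeToString(h[:]) + ".pem"
}

// StartKeyServer is the "service that serves the public key": it answers KeyPath(kid) with the PEM public key.
func StartKeyServer(kid string, pub *rsa.PublicKey) *httptest.Server {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != KeyPath(kid) {
			http.NotFound(w, r) // unknown kid: the verifier gets no key and must reject the token
			return
		}
		w.Write(pemBytes)
	}))
}

// VerifyJWT mirrors the Jitsi side: read kid, fetch the key, check the RS256 signature,
// then enforce the comma-separated accepted issuer and audience lists from the .env file.
func VerifyJWT(token, keyServer, acceptedIss, acceptedAud string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	dec := func(s string) []byte { b, _ := base64.RawURLEncoding.DecodeString(s); return b } // bad base64 fails below
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(dec(parts[0]), &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header unreadable or alg is not RS256") // never let the token pick the algorithm
	}
	resp, err := http.Get(keyServer + KeyPath(hdr.Kid))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	block, _ := pem.Decode(body)
	if resp.StatusCode != http.StatusOK || block == nil {
		return nil, fmt.Errorf("no public key for kid %q (HTTP %d)", hdr.Kid, resp.StatusCode)
	}
	pubAny, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, fmt.Errorf("key server did not return an RSA public key")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], dec(parts[2])); err != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var claims map[string]any
	_ = json.Unmarshal(dec(parts[1]), &claims) // on failure claims stays nil and the iss/aud check below rejects
	iss, aud := fmt.Sprint(claims["iss"]), fmt.Sprint(claims["aud"]) // a missing claim prints as "<nil>" and is rejected
	if !strings.Contains(","+acceptedIss+",", ","+iss+",") || !strings.Contains(","+acceptedAud+",", ","+aud+",") {
		return nil, fmt.Errorf("issuer %q / audience %q not accepted", iss, aud)
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for Keycloak's realm signing key
	srv := StartKeyServer(SampleKid, &priv.PublicKey)
	defer srv.Close()
	token := SignJWT(priv, SampleKid, map[string]any{"iss": "test", "aud": "my_server1", "room": "*", "bnf": 0})
	fmt.Println(VerifyJWT(token, srv.URL, "test", "my_server1,my_server2"))
}
```

Run it with `go run` and the verified claims are printed; a token with a kid the key server does not know, a payload spliced onto another token's signature, or an issuer outside the accepted list all come back as errors. A real key server is just an HTTP endpoint that serves the PEM-encoded realm public key (exportable from the Keycloak admin console) at that hashed path; the Jitsi side also checks the room claim against the room being joined, which this example leaves to the caller, and Keycloak may emit aud as an array when a token has several audiences, which this string-only check would reject.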