You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In both cases, when $_REQUEST["tenant"] is unset, it falls back to jitsi_domain.
However, because the tenant query parameter is under client control, it could set it to tenant=*. jitsi-saml2jwt will then issue a JWT with wildcard sub which may be accepted by multiple Jitsi instances.
Jitsi Meet uses two non-standard claims to scope a JWT:
sub: which contains either a tenant identifier, domain, or*(allow all)room: which contains a room name or*(allow all)getToken.phpcan call two different implementations of the token generator. These both pass$_REQUESTinto the generator here:Jitsi-SAML2JWT/src/services/getToken.php
Line 15 in 5a38452
AdvancedTokenGeneratorconditionally setssubbased on$_REQUEST["tenant"]here:Jitsi-SAML2JWT/src/classes/AdvancedTokenGenerator.class.php
Lines 71 to 72 in 5a38452
TokenGeneratorconditionally setssubbased on$_REQUEST["tenant"]here:Jitsi-SAML2JWT/src/classes/TokenGenerator.class.php
Lines 50 to 51 in 5a38452
In both cases, when
$_REQUEST["tenant"]is unset, it falls back tojitsi_domain.However, because the
tenantquery parameter is under client control, it could set it totenant=*.jitsi-saml2jwtwill then issue a JWT with wildcardsubwhich may be accepted by multiple Jitsi instances.This part I don't fully understand, but
AdvancedTokenGeneratorappears to perform some other checks to see if it is a valid room, but they only check for the presence of the room name in the debug output somewhere; butemailValidConferencewill returntrueifroom=*or iftenant != private.The text was updated successfully, but these errors were encountered: