Restrict access to LiveKit SFU by differentiating full-access and restricted Matrix users for room creation (#67)
* add new ENV variable LIVEKIT_FULL_ACCESS_HOMESERVERS to allow different handling between full-access and restricted users
* full-access / restricted user detection
* Create LiveKit room on the SFU in case of a full-access user prior to issuing the JWT token
* Support full-access for all users via wildcard `*` for all homeservers
* make the wildcard '*' the default of LIVEKIT_FULL_ACCESS_HOMESERVERS to mimic the previous behaviour
* more idiomatic variable naming
* More idiomatic order of functions in main.go
README.md (14 additions & 1 deletion)
@@ -1,11 +1,17 @@
1
1
# LiveKit Token Management Service
2
2
3
-
This service is currently used for a single reason: generate JWT tokens with a given identity for a given room, so that users can use them to authenticate against LiveKit SFU.
3
+
This service is used for two reasons:
4
+
- generate JWT tokens with a given LiveKit identity for a given LiveKit room, so that users can use them to authenticate against LiveKit SFU,
5
+
- In case of local Matrix users which belong to the same deployment, the corresponding LiveKit room on the SFU will be created if necessary.
4
6
5
7
It works by allowing a token obtained via the Matrix Client-Server API [OpenID endpoint](https://spec.matrix.org/v1.13/client-server-api/#openid) to be exchanged for a LiveKit JWT token which can be used to access a LiveKit SFU.
6
8
7
9
This functionality is defined by [MSC4195: MatrixRTC using LiveKit backend](https://github.com/matrix-org/matrix-spec-proposals/pull/4195).
8
10
11
+
Only for Matrix users of homeservers belonging to the same deployment (called local users) corresponding rooms on the LiveKit SFU will be automatically created. Hence, local homeservers need to be declared via the `LIVEKIT_FULL_ACCESS_HOMESERVERS` environment variable (see below).
12
+
13
+
Note access to LiveKit SFU is restricted for remote users (not belonging to the same deployment). Those users can join existing LiveKit SFU rooms, but missing rooms will not be automatically created to prevent misuse of infrastructure. Due to the SFU selection algorithm and the order of events this will NOT limit or prevent video conferences across Matrix federation.
14
+
9
15
## Usage
10
16
11
17
This service is used when hosting the [Element Call](https://github.com/element-hq/element-call) video conferencing application against a LiveKit backend.
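Review bot: The added paragraphs call the two groups "local users" and "remote users", while the variable is named `LIVEKIT_FULL_ACCESS_HOMESERVERS` and the commit message speaks of full-access and restricted users. Pick one pair of terms and define the other once, so an operator does not have to infer that "local" means "listed in the variable". The paragraph starting "Note access to LiveKit SFU is restricted for remote users" also reads as unconditional, but with the documented default of `*` every homeserver is treated as full-access and nobody is restricted; suggest wording it as conditional on `LIVEKIT_FULL_ACCESS_HOMESERVERS` being set to an explicit list. Minor: the two new bullets differ in capitalisation ("- generate" and "- In case").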
`LIVEKIT_SECRET` or `LIVEKIT_SECRET_FROM_FILE` | The secret or secret file path for the LiveKit SFU | Yes
57
63
`LIVEKIT_KEY_FILE` | file path to LiveKit SFU key-file format (`APIkey: secret`) | mutually exclusive with `LIVEKIT_KEY` and `LIVEKIT_SECRET`
58
64
`LIVEKIT_JWT_PORT` | The port the service listens on | No - defaults to 8080
65
+
`LIVEKIT_FULL_ACCESS_HOMESERVERS` | Comma-separated list of Matrix homeservers whose users are authorized with full access to LiveKit SFU features (supports `*` as a wildcard to allow all homeservers) | No - defaults to `*`
66
+
67
+
Please double check that LiveKit SFU room default settings ([config.yaml](https://github.com/livekit/livekit/blob/7350e9933107ecdea4ada8f8bcb0d6ca78b3f8f7/config-sample.yaml#L170)) are configured as
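Review bot: The `LIVEKIT_FULL_ACCESS_HOMESERVERS` row documents a default of `*`, so the room-creation restriction is opt-in and a deployment that upgrades without setting the variable treats every homeserver as full-access. State that next to the row and recommend listing the deployment's own homeservers explicitly. The row also does not say how entries are matched (exact server name or not, case sensitivity, whitespace around commas, whether `*` is only valid as the sole value), which matters for a list that acts as an access control; please document the matching rules.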