No errors
When sending a message to a user who's offline, I get a 503 service unavailable response when using jwt as auth_method. It works fine when I set sql as auth_method. There's no other error message shown in the console (ejabberdctl live)
The ejabberd auth modules should provide the functions get_password (like mnesia and SQL auth modules do) or user_exists (like external auth module does). In this case, JWT auth module provides user_exists function, but returns false always.
So, this is not a misconfiguration on your part or a bug in the code. It's probably a feature request.
Hi @badlop, in my opinion, all built-in auth modules should support sending messages to offline users by default because sending messages is a core requirement, not a feature that is good to have. Can we guess that if the token is valid, the user exists and user_exists should return true?
There is no way to check if a user exists when using only JWT auth, so this behaviour is to avoid spamming the database with offline messages to non-existing users. Now there is a patch in master which allows using JWT-only auth for some users via access rules, and doing the rest of the checks with mnesia or SQL. Here is an example configuration:
```yaml
# the order is important here, don't use [sql, jwt]
auth_method: [jwt, sql]
access_rules:
  ...
  jwt_only:
    deny: admin
    allow: all
jwt_auth_only_rule: jwt_only
```
This way admins can use both JWT and plain passwords, while the rest of users can use only JWT.
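To make concrete what "the token is valid" means in the discussion above, and why that says nothing about whether the account exists, here is an added example (my own code, not ejabberd's `ejabberd_auth_jwt` module) that mints and verifies an HS256 JWT the way the thread describes: the key is read from a JWK file in the `{"kty":"oct","k":...}` form, the token must carry a `jid` claim equal to the authenticating JID (ejabberd's default claim name is assumed to be `jid`), and it must carry an `exp` claim in the future (assumed). Everything else, including the sample key and JIDs, is constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def key_from_jwk(jwk_json: str) -> bytes:
    """Load a symmetric key from a JWK document (assumed `jwt_key` file format)."""
    jwk = json.loads(jwk_json)
    if jwk.get("kty") != "oct":
        raise ValueError("only symmetric (oct) keys are handled here")
    return b64url_decode(jwk["k"])


def mint_token(key: bytes, jid: str, ttl_seconds: int, now: int = None) -> str:
    """Issue an HS256 token for one JID; this is what your auth server would do."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"jid": jid, "exp": now + ttl_seconds}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(key: bytes, token: str, expected_jid: str, now: int = None) -> bool:
    """Return True iff signature, algorithm, expiry and jid claim all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False
    h, c, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
        sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return False
    # Reject alg confusion ("none", RS256 with the HMAC key, ...) up front.
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False
    # The only identity check possible: the token names this JID. Whether an
    # account for that JID exists in SQL/mnesia is unknowable from the token,
    # which is why a JWT-only backend cannot implement user_exists/2.
    return claims.get("jid") == expected_jid


# Constructed sample key and JWK file contents (not a real deployment key).
SAMPLE_KEY = hashlib.sha256(b"demo-secret-do-not-use").digest()
SAMPLE_JWK = json.dumps({"kty": "oct", "k": b64url(SAMPLE_KEY)})


if __name__ == "__main__":
    key = key_from_jwk(SAMPLE_JWK)
    tok = mint_token(key, "alice@example.org", 300)
    print(tok)
    print(verify_token(key, tok, "alice@example.org"))   # True
    print(verify_token(key, tok, "bob@example.org"))     # False: wrong jid
    # A valid token for a JID that was never provisioned still verifies:
    print(verify_token(key, mint_token(key, "nobody@example.org", 300),
                       "nobody@example.org"))            # True
```

The last call is the point of the thread: the issuer can sign a token for any JID, so a verifier that only holds the key can confirm "this token is for alice@example.org" but not "alice@example.org is a provisioned account". That is the gap `jwt_auth_only_rule` fills by routing the remaining users through a backend that does have a user table.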
@alexeyshch Where do we have to add the jwt_auth_only_rule parameter in the config file ?
[error] Configuration reload aborted: Unknown option: jwt_auth_only_rule. Did you mean extauth_pool_name?
> @alexeyshch Where do we have to add the jwt_auth_only_rule parameter in the config file ?
At top level, make sure that you use the latest master branch.
@alexeyshch, the patch is working great so far. Thanks so much. Today I got an issue with STUN: failed long-term STUN authentication for <user> from <ip>. It works with sql only auth_method but fails with the patch.
@sha256 STUN doesn't allow anything except password-based authentication. This is a limitation of STUN RFC itself, not ejabberd.