🐛 fix(auth): Use Django user ID for LiveKit token identity #747
Conversation
gigi206
force-pushed
the
fix_django_id_livekit
branch
3 times, most recently
from
f99dcf7 to
3015144
Compare
|
Hi, Thanks for your contribution, good catch! I agree with your point regarding the bug/issue; however, I would recommend updating the broken section within the LiveKit authentication class itself rather than modifying this part of the code, which is tied to much more logic. I would also prefer not to rely heavily on the database’s application ID and would rather continue using sub as the identifier.
I’m not sure why this change would be necessary. By definition, Thanks, |
Fixes "Invalid LiveKit token" errors caused by field mismatch between token generation and authentication lookup. Previously: - generate_token() used user.sub as token identity - LiveKitTokenAuthentication tried to retrieve user via user.id field - This failed when sub was not a UUID (e.g., from LemonLDAP OIDC provider) Now: - generate_token() continues using user.sub (canonical OIDC identifier) - LiveKitTokenAuthentication correctly looks up by sub field - Both sides now consistently use the same field This ensures compatibility with all RFC 7519-compliant OIDC providers, regardless of their sub claim format.
gigi206
force-pushed
the
fix_django_id_livekit
branch
from
3015144 to
28e9a8c
Compare
|
|
Thanks for your review and feedback! You're right - fixing the The actual bug: the issue isn't that
This means we were looking up by the Specific OIDC provider: we encountered this issue with LemonLDAP::NG, where the sub claim is not formatted as a UUID. When the authentication class tries Updated fix: I've updated the PR to implement your suggested approach:
This ensures both sides consistently use the same field and maintains compatibility with all RFC 7519-compliant OIDC providers, regardless of their sub claim format. The commit has been updated accordingly. Thanks for the guidance! |
|
Perfect that exactly what I had in mind! |
2 participants
Problem:
When using certain OpenID Connect (OIDC) providers (e.g., LemonLDAP) where the
subclaim (subject identifier) is not formatted as a UUID, users encountered an "Invalid LiveKit token" error when attempting to activate features requiring LiveKit token authentication (e.g., real-time subtitles).The error message indicated that the value provided was "not a valid UUID", specifically during the
UserModel.objects.get(id=user_id)lookup in theLiveKitTokenAuthenticationprocess.Root Cause:
The
LiveKitTokenAuthenticationclass insrc/backend/core/authentication/livekit.pyattempts to retrieve a DjangoUserobject usingUserModel.objects.get(id=user_id), whereuser_idis derived from theidentityfield of the LiveKit token. Theidentityfor authenticated users was previously set tostr(user.sub)in thegenerate_tokenutility function.While LiveKit itself expects an identity string, the Django
Usermodel'sidfield is a UUID. If the OIDCsubclaim (which populatesuser.sub) is not a UUID, a mismatch occurs when the application tries to fetch the user by theiridusing this non-UUIDsubvalue. This leads to aFieldErrororValidationErrorduring the database lookup, causing the LiveKit token validation to fail.Solution:
To ensure robust compatibility with all OIDC providers, the
generate_tokenfunction insrc/backend/core/utils.pyhas been modified. Instead of usingstr(user.sub)as theidentityfor the LiveKit token, it now consistently usesstr(user.id).The
user.idfield is the internal Django User ID, which is guaranteed to be a valid UUID. This change ensures that the LiveKit token'sidentityalways matches the format expected by theUserModel.objects.get(id=...)lookup, regardless of the format of the OIDCsubclaim.Impact:
This fix resolves the "Invalid LiveKit token" error for users authenticated via OIDC providers that do not provide UUIDs in their
subclaims. It improves the application's compatibility and reliability across diverse authentication environments.