MSC4195: MatrixRTC Transport using LiveKit Backend#4195
Open
hughns wants to merge 26 commits into
Open
Conversation
054a23c to
6072744
Compare
|
|
||
| The homeserver restriction could be applied by checking the `matrix_server_name` field of the OpenID token before validating the token. | ||
|
|
||
| The `room_id` could be validated too, and checking that the Matrix user from the OpenID token is a member of the room. |
There was a problem hiding this comment.
From my understanding there's no API that allows room_id validation. Without that implementing access control in a federated environment seems infeasible however.
Given that all members in a session use one SFU via oldest_membership, just validating against matrix_server_name (authenticated using TLS / OpenID) would require allowlisting any server that users might want to join from.
Ideally access control could check either for an allowlisted server or for an existing session with the oldest member being on an allowlisted server, gating an SFU to sessions being started by their "own" users.
There was a problem hiding this comment.
The implementation in element-hq/lk-jwt-service#67 does allow limiting creation of new SFU rooms based on servers in a given allowlist, but still allows arbitrary users to join
There was a problem hiding this comment.
With the context provided in element-hq/synapse#18967, I believe we can do better by not using ID tokens or a lk-jwt-service altogether.
Instead of a client authenticating against all remote SFUs using an ID token, an extended /transports Client-Server API can return matching credentials, obtained by the user's homeserver over federation. This removes the need for the somewhat bespoke ID token mechanism (which needs to do server name lookup over HTTP and DNS as a fallback. By design that also doesn't play nicely with MAS and OIDC native Matrix), reusing existing server to server authentication. Crucially, this allows for proper per-room tokens.
…seudonymous `livekit_alias` Derivation"
…urity considerations
onestacked
reviewed
Nov 10, 2025
Comment on lines
+362
to
+375
| End-to-end encryption is mapped into the LiveKit frame level encryption mechanism described | ||
| [here](https://github.com/livekit/livekit/issues/1035). | ||
|
|
||
| Where a shared password is used by the application it is used as the `string` input to the LiveKit | ||
| key derivation function (which uses PBKDF2) and all participants use the same derived key for | ||
| encryption and decryption. | ||
|
|
||
| Where a per-participant key is used it is imported as the byte array input to the LiveKit key | ||
| derivation function (which uses HKDF). The `index` field of the `m.rtc.encryption_keys` event is | ||
| used as the key index for the key provider. | ||
|
|
||
| On receipt of the `m.rtc.encryption_keys` event the application can associate the received key with | ||
| the LiveKit participant identity by calculating the pseudonymous LiveKit participant identity as | ||
| described above. |
There was a problem hiding this comment.
I would like more details on how to implement this.
I've been trying to get it to work in matrix-jukebox, but had no success in getting compatibility with Element Call.
(I'm implementing the old version of the spec without slots and multiSFU for now)
Airyzz
reviewed
Feb 3, 2026
| encryption and decryption. | ||
|
|
||
| Where a per-participant key is used it is imported as the byte array input to the LiveKit key | ||
| derivation function (which uses HKDF). The `index` field of the `m.rtc.encryption_keys` event is |
There was a problem hiding this comment.
It seems like multiple LiveKit SDKs (Rust, Flutter) only support using PBKDF2, so using HKDF here is going to limit compatibility with non-web based clients out of the box
There was a problem hiding this comment.
This also affects the SDKs using Rust-FFI (like python and maybe others)
Member
|
This is blocked on MSC4143's block: #4143 (comment) |
toger5
reviewed
Apr 10, 2026
hughns
commented
Apr 14, 2026
hughns
commented
Apr 14, 2026
hughns
commented
Apr 14, 2026
Co-authored-by: Hugh Nimmo-Smith <hughns@users.noreply.github.com>
eleboucher
pushed a commit
to eleboucher/homelab
that referenced
this pull request
May 15, 2026
…0 → 0.4.4) (#485) This PR contains the following updates: | Package | Update | Change | |---|---|---| | [ghcr.io/element-hq/lk-jwt-service](https://github.com/element-hq/lk-jwt-service) | minor | `0.3.0` → `0.4.4` | --- ### Release Notes <details> <summary>element-hq/lk-jwt-service (ghcr.io/element-hq/lk-jwt-service)</summary> ### [`v0.4.4`](https://github.com/element-hq/lk-jwt-service/releases/tag/v0.4.4) [Compare Source](element-hq/lk-jwt-service@v0.4.3...v0.4.4) ##### Towards Delegation of Delayed Events This release updates the service to accept the JSON signature required for the delegation of MatrixRTC membership leave events, as specified in [MSC4195](matrix-org/matrix-spec-proposals#4195). Note: This update specifically addresses the JSON signature for JWT request. Comprehensive parsing and handling of the additional delegation data are currently in development (PR [#​171](element-hq/lk-jwt-service#171)). ##### Docker image The service is available as a Docker image from the [GitHub Container Registry](https://github.com/element-hq/lk-jwt-service/pkgs/container/lk-jwt-service). ``` docker pull ghcr.io/element-hq/lk-jwt-service:0.4.4 ``` ##### Precompiled binaries The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below. ##### What's Changed - Update Docker image version in installation steps by [@​her001](https://github.com/her001) in [#​175](element-hq/lk-jwt-service#175) - Adapted the lastest JSON signature from MSC4195 for SFURequest by [@​fkwp](https://github.com/fkwp) in [#​176](element-hq/lk-jwt-service#176) ##### New Contributors - [@​her001](https://github.com/her001) made their first contribution in [#​175](element-hq/lk-jwt-service#175) **Full Changelog**: <element-hq/lk-jwt-service@v0.4.3...v0.4.4> ### [`v0.4.3`](https://github.com/element-hq/lk-jwt-service/releases/tag/v0.4.3) [Compare Source](element-hq/lk-jwt-service@v0.4.2...v0.4.3) ##### Security Update and MSC4195 Identity Alignment This release introduces important security updates and aligns the LiveKit identity calculation with the latest MSC4195 specification. #####⚠️ Breaking Change The update to the LiveKit Identity hash calculation ([#​172](element-hq/lk-jwt-service#172)) impacts two experimental modes in Element Call: **Compatibility: state events & multi SFU** and **Matrix 2.0**. Note that by default, these modes are not activated and Element Call will remain working with this release. For these experimental features to function correctly, the versions of Element Call and the JWT Service must be aligned: - Compatible: Element Call v0.19.2 or higher AND lk-jwt-service v0.4.3 or higher - Incompatible: - Element Call v0.19.1 or lower AND lk-jwt-service v0.4.3 or higher - Element Call v0.19.2 or higher AND lk-jwt-service v0.4.2 or lower ##### Docker image The service is available as a Docker image from the [GitHub Container Registry](https://github.com/element-hq/lk-jwt-service/pkgs/container/lk-jwt-service). ``` docker pull ghcr.io/element-hq/lk-jwt-service:0.4.3 ``` ##### Precompiled binaries The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below. ##### What's Changed - Pin element-hq/setup-ess-cluster-action action to [`aac02ff`](element-hq/lk-jwt-service@aac02ff) by [@​renovate](https://github.com/renovate)\[bot] in [#​169](element-hq/lk-jwt-service#169) - Update module github.com/go-jose/go-jose/v3 to v3.0.5 \[SECURITY] by [@​renovate](https://github.com/renovate)\[bot] in [#​170](element-hq/lk-jwt-service#170) - Update all non-major dependencies by [@​renovate](https://github.com/renovate)\[bot] in [#​173](element-hq/lk-jwt-service#173) - Update softprops/action-gh-release action to v3 by [@​renovate](https://github.com/renovate)\[bot] in [#​174](element-hq/lk-jwt-service#174) - Adapt LiveKit Identity hash calculation to latest MSC4195 update by [@​fkwp](https://github.com/fkwp) in [#​172](element-hq/lk-jwt-service#172) **Full Changelog**: <element-hq/lk-jwt-service@v0.4.2...v0.4.3> ### [`v0.4.2`](https://github.com/element-hq/lk-jwt-service/releases/tag/v0.4.2) [Compare Source](element-hq/lk-jwt-service@v0.4.1...v0.4.2) ##### Healthcheck Improvement & Security Updates This is a minor release focused on maintenance and small improvements. Highlights: Added support for the HEAD method on the healthcheck endpoint, improving compatibility with monitoring tools. Included multiple security-related dependency updates to ensure the service remains up to date and secure. No breaking changes are introduced in this release. ##### Docker image The service is available as a Docker image from the [GitHub Container Registry](https://github.com/element-hq/lk-jwt-service/pkgs/container/lk-jwt-service). ``` docker pull ghcr.io/element-hq/lk-jwt-service:0.4.2 ``` ##### Precompiled binaries The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below. ##### What's Changed - Consolidate non-major dependency updates into larger batches by [@​robintown](https://github.com/robintown) in [#​160](element-hq/lk-jwt-service#160) - Update module github.com/pion/dtls/v3 to v3.0.11 \[SECURITY] by [@​renovate](https://github.com/renovate)\[bot] in [#​154](element-hq/lk-jwt-service#154) - Update module google.golang.org/grpc to v1.79.3 \[SECURITY] by [@​renovate](https://github.com/renovate)\[bot] in [#​162](element-hq/lk-jwt-service#162) - Add tests against ESS by [@​gaelgatelement](https://github.com/gaelgatelement) in [#​164](element-hq/lk-jwt-service#164) - Update all non-major dependencies by [@​renovate](https://github.com/renovate)\[bot] in [#​165](element-hq/lk-jwt-service#165) - Update github.com/matrix-org/gomatrixserverlib digest to [`20c9de3`](element-hq/lk-jwt-service@20c9de3) by [@​renovate](https://github.com/renovate)\[bot] in [#​134](element-hq/lk-jwt-service#134) - Allow HEAD method on healthcheck by [@​VlaDexa](https://github.com/VlaDexa) in [#​151](element-hq/lk-jwt-service#151) - Push docker images also to oci.element.io by [@​fkwp](https://github.com/fkwp) in [#​166](element-hq/lk-jwt-service#166) - Update all non-major dependencies by [@​renovate](https://github.com/renovate)\[bot] in [#​167](element-hq/lk-jwt-service#167) - Update GitHub Actions (major) by [@​renovate](https://github.com/renovate)\[bot] in [#​168](element-hq/lk-jwt-service#168) ##### New Contributors - [@​VlaDexa](https://github.com/VlaDexa) made their first contribution in [#​151](element-hq/lk-jwt-service#151) **Full Changelog**: <element-hq/lk-jwt-service@v0.4.1...v0.4.2> ### [`v0.4.1`](https://github.com/element-hq/lk-jwt-service/releases/tag/v0.4.1) [Compare Source](element-hq/lk-jwt-service@v0.4.0...v0.4.1) ##### 🚀 Cont. Towards Matrix 2.0 – MatrixRTC-Authorisation Service This release is a minor update from 0.4.0 reflecting the lastest changes in **MSC4195: MatrixRTC Transport** which adds unpadded base64 encoding to hashes for room alias and participant ID. Furthermore, this release ensures compatibility between clients using the old `/sfu/get` endpoint and the new `/get_token` endpoint (details are [here](https://github.com/element-hq/lk-jwt-service/blob/fa226031ac7a9252996f8d038c45fc086d9d960b/main.go#L230)). ##### Docker image The service is available as a Docker image from the [GitHub Container Registry](https://github.com/element-hq/lk-jwt-service/pkgs/container/lk-jwt-service). ``` docker pull ghcr.io/element-hq/lk-jwt-service:0.4.1 ``` ##### Precompiled binaries The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below. ##### What's Changed - README: Use LIVEKIT\_FULL\_ACCESS\_HOMESERVERS consistently by [@​csett86](https://github.com/csett86) in [#​140](element-hq/lk-jwt-service#140) - README: Describe the static binaries by [@​csett86](https://github.com/csett86) in [#​141](element-hq/lk-jwt-service#141) - refactor build.yaml into reusable chunks by [@​fkwp](https://github.com/fkwp) in [#​142](element-hq/lk-jwt-service#142) - fix build.yaml date determination by [@​fkwp](https://github.com/fkwp) in [#​143](element-hq/lk-jwt-service#143) - Use base64 encoded hashes for room alias and participant ID (minimize identifying metadata sent to SFU) by [@​robintown](https://github.com/robintown) in [#​144](element-hq/lk-jwt-service#144) - Add 'synchronize' and 'opened' types to PR trigger by [@​fkwp](https://github.com/fkwp) in [#​146](element-hq/lk-jwt-service#146) - Update room alias handling in token generation for LegacySfuRequest by [@​fkwp](https://github.com/fkwp) in [#​147](element-hq/lk-jwt-service#147) ##### New Contributors - [@​robintown](https://github.com/robintown) made their first contribution in [#​144](element-hq/lk-jwt-service#144) **Full Changelog**: <element-hq/lk-jwt-service@v0.4.0...v0.4.1> ### [`v0.4.0`](https://github.com/element-hq/lk-jwt-service/releases/tag/v0.4.0) [Compare Source](element-hq/lk-jwt-service@v0.3.0...v0.4.0) ##### 🚀 Towards Matrix 2.0 – MatrixRTC-Authorisation Service This release brings major foundational work towards **MSC4195: MatrixRTC Transport**, introduces the new `/get_token` endpoint, improves validation and error-handling, and enhances deployment flexibility with improved bind controls. ##### ✨ What's New ##### **Implementation of MSC4195: MatrixRTC Transport using LiveKit Backend** This release introduces the new MSC4195-compliant request flow and `/get_token` endpoint, while keeping `/get/sfu` available for a transition period. Key changes: - Added unified error handling via `writeMatrixError`. - Introduced new Matrix 2.0 `SFURequest` type, alongside `LegacySFURequest`. - Refactored internal functions for better testability and structure. - Added extensive new tests across request mapping, processing, and JSON handling. - Updated logging, error codes, and user-identity checks. ##### **🔌 Allow Binding of Arbitrary Addresses** This release improves deployment flexibility by allowing the service to bind to any or a specific address. ##### Features & Fixes - **feat:** Introduced support for binding to arbitrary addresses.\ *Contributed by [@​matdup](https://github.com/matdup)* - **fix:** Documentation updated for environment variable changes. - **feat:** Reintroduced `LIVEKIT_JWT_PORT` for backward compatibility. - Now mutually exclusive with `LIVEKIT_JWT_BIND`. - Emits a warning when used. - **feat:** Enforced mutual exclusivity between `LIVEKIT_JWT_BIND` and `LIVEKIT_JWT_PORT`. ##### ⚙️ Configuration ##### Environment Variables | Variable | Description | | ------------------ | ------------------------------------------------------------------------------------- | | `LIVEKIT_JWT_BIND` | Binds the service to a specific host:port (new preferred method). Defaults to `:8080` | | `LIVEKIT_JWT_PORT` | Deprecated but still supported. Mutually exclusive with `LIVEKIT_JWT_BIND`. | ##### Endpoint Changes | Endpoint | Status | Notes | | ------------ | ------------------------- | ------------------------------------------------------------- | | `/get_token` | **New (Primary)** | Conforms to MSC4195. | | `/get/sfu` | **Legacy (Transitional)** | Auto-maps request types; will be removed in a future release. | ##### 🤝 Client Compatibility - Legacy MatrixRTC clients continue functioning via `/sfu/get`. - MSC4195-aware clients should migrate to **`/get_token`**. - Both request formats remain supported during the transition. - Stricter validation may require client-side updates: - Correct request field shapes - Accurate user identity claims (`claimed_user_id` vs OpenID `sub`) ##### Docker image The service is available as a Docker image from the [GitHub Container Registry](https://github.com/element-hq/lk-jwt-service/pkgs/container/lk-jwt-service). ``` docker pull ghcr.io/element-hq/lk-jwt-service:0.4.0 ``` ##### Precompiled binaries The service is available as static precompiled binaries for amd64 and arm64 on linux attached to this release below. ##### What's Changed - ci: add static go releases for linux arm64 and amd64 by [@​csett86](https://github.com/csett86) in [#​111](element-hq/lk-jwt-service#111) - fix(deps): update github.com/matrix-org/gomatrixserverlib digest to [`a234d6d`](element-hq/lk-jwt-service@a234d6d) by [@​renovate](https://github.com/renovate)\[bot] in [#​113](element-hq/lk-jwt-service#113) - chore(deps): update dependency go to v1.24.5 by [@​renovate](https://github.com/renovate)\[bot] in [#​114](element-hq/lk-jwt-service#114) - refactor README.md by [@​fkwp](https://github.com/fkwp) in [#​115](element-hq/lk-jwt-service#115) - feat: allow binding of arbitrary addresses by [@​MatthieuCoder](https://github.com/MatthieuCoder) in [#​118](element-hq/lk-jwt-service#118) - fix(deps): update github.com/matrix-org/gomatrixserverlib digest to [`6697d93`](element-hq/lk-jwt-service@6697d93) by [@​renovate](https://github.com/renovate)\[bot] in [#​120](element-hq/lk-jwt-service#120) - chore(deps): update dependency go to v1.25.3 by [@​renovate](https://github.com/renovate)\[bot] in [#​121](element-hq/lk-jwt-service#121) - Refactor config parsing by [@​fkwp](https://github.com/fkwp) in [#​125](element-hq/lk-jwt-service#125) - fix(deps): update module github.com/golang-jwt/jwt/v5 to v5.3.0 by [@​renovate](https://github.com/renovate)\[bot] in [#​127](element-hq/lk-jwt-service#127) - chore(deps): update github actions by [@​renovate](https://github.com/renovate)\[bot] in [#​126](element-hq/lk-jwt-service#126) - Implementation of MSC4195: MatrixRTC Transport using LiveKit Backend by [@​fkwp](https://github.com/fkwp) in [#​128](element-hq/lk-jwt-service#128) - fix: add `expires_in` field to `OpenIDTokenType` by [@​fkwp](https://github.com/fkwp) in [#​130](element-hq/lk-jwt-service#130) ##### New Contributors - [@​csett86](https://github.com/csett86) made their first contribution in [#​111](element-hq/lk-jwt-service#111) - [@​MatthieuCoder](https://github.com/MatthieuCoder) made their first contribution in [#​118](element-hq/lk-jwt-service#118) **Full Changelog**: <element-hq/lk-jwt-service@v0.3.0...v0.4.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDEuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEwMS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJyZW5vdmF0ZS9jb250YWluZXIiLCJ0eXBlL21pbm9yIl19--> Reviewed-on: https://git.erwanleboucher.dev/eleboucher/homelab/pulls/485
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rendered
Implementation
Dependencies:
To-do:
POST /get_tokenSCT Stuff:
No MSC checklist
No FCP tickyboxes
BLOCKED on MSC4143 - #4195 (comment)