Allow Jitsi to use Keycloak as an identity and OIDC provider.

- SSO support for Jitsi via OIDC
- Supports config params in the URL (such as `#config.prejoinConfig.enabled=true`)
- Allows guest users and the "wait for host" screen if needed
- Not based on the external JWT, which will be deprecated in the near future
- Not based on `tokenAuthUrl`

Check flows if you are interested in how it works.
Enable the token authentication for `prosody`.

```bash
apt-get install jitsi-meet-tokens
```

Install `deno`.

```bash
apt-get install unzip
cd /tmp
wget -T 30 -O deno.zip https://github.com/denoland/deno/releases/latest/download/deno-x86_64-unknown-linux-gnu.zip
unzip deno.zip
cp /tmp/deno /usr/local/bin/
deno --version
```

Clone the repo.

```bash
git clone ssh://[email protected]:22/nordeck/jitsi-keycloak-adapter.git
```

Copy the static files.

```bash
cd jitsi-keycloak-adapter
cp /usr/share/jitsi-meet/{body.html,body.html.$(date +'%H%M%S').bck}
cp templates/usr/share/jitsi-meet/body.html /usr/share/jitsi-meet/
cp templates/usr/share/jitsi-meet/static/oidc-* /usr/share/jitsi-meet/static/
```

Set up the adapter service.

```bash
adduser adapter --system --group --disabled-password --gecos ''
mkdir -p /home/adapter/app
cp config.ts /home/adapter/app/
cp adapter.sh /home/adapter/app/
cp adapter.ts /home/adapter/app/
chown adapter: /home/adapter/app -R
cp templates/etc/systemd/system/oidc-adapter.service /etc/systemd/system/
```

Update the settings according to your environment. Edit `/home/adapter/app/config.ts`.

Start the service.

```bash
systemctl daemon-reload
systemctl enable oidc-adapter.service
systemctl start oidc-adapter.service
systemctl status oidc-adapter.service
```
Customize the `nginx` configuration. You may check `/etc/jitsi/sites-available/example.conf`.

Add the following lines as the first `location` blocks.

```nginx
# /oidc/redirect
location = /oidc/redirect {
    proxy_pass http://127.0.0.1:9000;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

# /oidc/tokenize
location = /oidc/tokenize {
    proxy_pass http://127.0.0.1:9000;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

# /oidc/auth
location = /oidc/auth {
    proxy_pass http://127.0.0.1:9000;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}
```

Change the `location @root_path` block as below.

```nginx
# oidc: customized @root_path
location @root_path {
    if ($arg_oidc) {
        rewrite ^/(.*)$ / break;
    }

    if ($arg_jwt) {
        rewrite ^/(.*)$ / break;
    }

    rewrite ^/(.*)$ /static/oidc-redirect.html;
}
```

Restart the `nginx` service.

```bash
systemctl restart nginx
```
If you want to allow guest users to join the meeting after it's created by a moderator, then add the guest domain for `prosody`.

Create the `/etc/prosody/conf.avail/guest.cfg.lua` file with the following contents.

```lua
VirtualHost "guest.domain.loc"
    authentication = "anonymous"
    c2s_require_encryption = false
```

Create a symbolic link for this config file.

```bash
ln -s ../conf.avail/guest.cfg.lua /etc/prosody/conf.d/
```

Comment out `token_verification` in your `/etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua`.

This does not disable token validation; it only disables the `room` and `sub` checking, which is acceptable in this use-case as there is no one defining the room in this scenario.

```lua
--"token_verification";
```

Restart the `prosody` service.

```bash
systemctl restart prosody.service
```
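To make the `token_verification` note above concrete, here is a small Python model, added here and not code from this project or from prosody, of how a Jitsi-style HS256 JWT is checked. Signature, `alg`, issuer and expiry are always validated; the `room`/`sub` comparison is the extra layer that `token_verification` adds and that commenting it out removes. The `app_id`, secret, claims, room name and domain are constructed sample values, and the check order and claim semantics are a simplification rather than prosody's exact implementation.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that compact JWT encoding strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build a compact HS256 JWT (header.payload.signature) from a claim set."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, secret, app_id, room_name, domain, check_room=True, now=None):
    """Return (ok, reason).

    Always: token structure, alg pinned to HS256, HMAC signature, iss == app_id, exp.
    Only when check_room is True: the room and sub claims must match the room the
    client is joining (a "*" claim is a wildcard). That second part is the model of
    what prosody's token_verification adds on top of base token validation.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable token"
    # Pin the algorithm before looking at the signature so "none"/RS* headers are rejected.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("iss") != app_id:
        return False, "bad issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    if check_room:
        room = claims.get("room")
        sub = claims.get("sub")
        if room != "*" and room != room_name:
            return False, "room mismatch"
        if sub != "*" and sub != domain:
            return False, "sub mismatch"
    return True, "ok"


def demo():
    """Constructed sample: same token, with and without the room/sub layer."""
    app_id, secret = "constructed-app-id", "constructed-secret"  # constructed, not real
    fixed_now = 1_700_000_000
    claims = {"iss": app_id, "aud": "jitsi", "sub": "domain.loc", "room": "ops",
              "exp": fixed_now + 600, "context": {"user": {"name": "Sample User"}}}
    token = sign_hs256(claims, secret)
    return {
        "with_room_check": verify_token(token, secret, app_id, "sales", "domain.loc", now=fixed_now),
        "without_room_check": verify_token(token, secret, app_id, "sales", "domain.loc",
                                           check_room=False, now=fixed_now),
        "expired": verify_token(token, secret, app_id, "sales", "domain.loc",
                                check_room=False, now=fixed_now + 3600),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The `without_room_check` entry is the state this setup ends in: a token minted by the adapter is still bound to the configured issuer, the shared secret and its lifetime, but no longer to one room or tenant.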
Enable external XMPP authentication for `jicofo`.

```bash
DOMAIN=$(hocon -f /etc/jitsi/jicofo/jicofo.conf get jicofo.xmpp.client.xmpp-domain)
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.enabled true
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.type XMPP
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.login-url $DOMAIN
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.authentication-lifetime "10 seconds"
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.conference.enable-auto-owner false
systemctl restart jicofo.service
```

Set `anonymousdomain` in `config.js`.

```bash
echo "config.hosts.anonymousdomain = 'guest.domain.loc';" >> /etc/jitsi/meet/*-config.js
```