The setup guide to install Jitsi Keycloak Adapter on a standalone Jitsi
server.
Tested on Debian 11 Bullseye with Jitsi v2.0.8960. Use root account while
running the commands.
Enable the token authentication for prosody.
apt-get install jitsi-meet-tokensCheck related parameters in your /etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua. They
should be already set by apt-get command.
VirtualHost "<YOUR-DOMAIN>"
authentication = "token";
app_id="<YOUR_APP_ID>"
app_secret="<YOUR_APP_SECRET>"Test the JWT authentication with a valid token. You may generate the token on Jitok. The meeting link should be like the following:
https://jitsi.mydomain.tld/myroom?jwt=<PASTE_TOKEN_HERE>Install deno
apt-get install unzip
cd /tmp
wget -T 30 -O deno.zip https://github.com/denoland/deno/releases/latest/download/deno-x86_64-unknown-linux-gnu.zip
unzip -o deno.zip
cp /tmp/deno /usr/local/bin/
deno --versionClone the repository.
apt-get install git
git clone https://github.com/nordeck/jitsi-keycloak-adapter.gitAs an alternative way, you may download the released package from Releases.
Copy the static files.
cd jitsi-keycloak-adapter
cp /usr/share/jitsi-meet/{body.html,body.html.$(date +'%H%M%S').bck}
cp templates/usr/share/jitsi-meet/body.html /usr/share/jitsi-meet/
cp templates/usr/share/jitsi-meet/static/oidc-* /usr/share/jitsi-meet/static/Setup the adapter service.
adduser adapter --system --group --disabled-password --shell /bin/bash --home /home/adaptermkdir -p /home/adapter/app
cp config.ts /home/adapter/app/
cp adapter.sh /home/adapter/app/
cp adapter.ts /home/adapter/app/
cp context.ts /home/adapter/app/
chown adapter: /home/adapter/app -RUpdate the adapter settings according to your environment. Edit /home/adapter/app/config.ts.
You may also use environment variables instead of updating this config file.
-
KEYCLOAK_ORIGINKeycloak address
-
KEYCLOAK_ORIGIN_INTERNALInternal Keycloak address if
KEYCLOAK_ORIGINis not accessible for the adapter service. -
KEYCLOAK_REALMKeycloak realm
-
KEYCLOAK_CLIENT_IDKeycloak client ID
-
JWT_APP_IDThe token
app_id. It must be the same with Prosodyapp_id. -
JWT_APP_SECRETThe token
app_secret. It must be the same with Prosodyapp_secret. -
JWT_EXP_SECONDThe token expire time
-
HOSTNAMEThe IP address for the adapter service. Don't update its default value since it is on the same server with
Nginx.
Disable the testing line and enable the prod line in
/home/adapter/app/adapter.sh if keycloak has a trusted
certificate. It should be for the production environment.
# testing: allow self-signed certificate for Keycloak
#deno run --allow-net --allow-env --unsafely-ignore-certificate-errors $BASEDIR/adapter.ts
# prod
deno run --allow-net --allow-env $BASEDIR/adapter.tscp templates/etc/systemd/system/oidc-adapter.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable oidc-adapter.service
systemctl start oidc-adapter.service
systemctl status oidc-adapter.serviceCustomize the nginx configuration for Jitsi domain. This file is
/etc/nginx/sites-available/YOUR_DOMAIN.conf for a typical Jitsi setup. You may
check
/etc/jitsi/sites-available/example.conf
as an example.
Add the following lines as the first location blocks
# /oidc/redirect
location = /oidc/redirect {
proxy_pass http://127.0.0.1:9000;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
# /oidc/tokenize
location = /oidc/tokenize {
proxy_pass http://127.0.0.1:9000;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
# /oidc/auth
location = /oidc/auth {
proxy_pass http://127.0.0.1:9000;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $http_host;
}
Change the location @root_path block as below
# oidc: customized @root_path
location @root_path {
if ($arg_oidc) {
rewrite ^/(.*)$ / break;
}
if ($arg_jwt) {
rewrite ^/(.*)$ / break;
}
rewrite ^/(.*)$ /static/oidc-redirect.html;
}
Restart the nginx service
systemctl restart nginxIf you want to allow guest users to join the meeting after it's created by a moderator then apply the followings.
Add the guest domain for prosody. Create
/etc/prosody/conf.avail/guest.cfg.lua file with the following contents.
VirtualHost "guest.domain.loc"
authentication = "jitsi-anonymous"
c2s_require_encryption = falseCreate a symbolic link for this config file.
ln -s ../conf.avail/guest.cfg.lua /etc/prosody/conf.d/Set allow_empty_token in your /etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua.
VirtualHost "<YOUR-DOMAIN>"
authentication = "token";
app_id="<YOUR_APP_ID>"
app_secret="<YOUR_APP_SECRET>"
allow_empty_token=trueRestart the prosody service
systemctl restart prosody.serviceEnable XMPP authentication for jicofo
DOMAIN=$(hocon -f /etc/jitsi/jicofo/jicofo.conf get jicofo.xmpp.client.xmpp-domain)
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.enabled true
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.type XMPP
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.login-url $DOMAIN
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.enable-auto-login false
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.authentication-lifetime '100 milliseconds'
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.conference.enable-auto-owner false
systemctl restart jicofo.serviceSet anonymousdomain in config.js
echo "config.hosts.anonymousdomain = 'guest.domain.loc';" >> /etc/jitsi/meet/*-config.js