# Setup guide

The setup guide to install Jitsi Keycloak Adapter on a standalone Jitsi server.

Tested on Debian 11 Bullseye with Jitsi v2.0.8960. Use the `root` account while running the commands.
## Token authentication

Enable the token authentication for `prosody`.

```bash
apt-get install jitsi-meet-tokens
```

Check the related parameters in your `/etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua`. They should already be set by the `apt-get` command.

```lua
VirtualHost "<YOUR-DOMAIN>"
    authentication = "token";
    app_id="<YOUR_APP_ID>"
    app_secret="<YOUR_APP_SECRET>"
```

Test the JWT authentication with a valid token. You may generate the token on Jitok. The meeting link should look like the following:

```
https://jitsi.mydomain.tld/myroom?jwt=<PASTE_TOKEN_HERE>
```
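If you prefer to build the test token locally instead of on Jitok, the following added example (not part of this guide or the adapter project) shows what such a token is: an HS256 JWT whose `iss` equals prosody's `app_id` and whose signature is computed with `app_secret`. The claim set (`iss`, `aud`, `sub`, `room`, `exp`) follows Jitsi's documented token example; the `app_id`, `app_secret`, domain and room values are constructed placeholders, and `verify_jitsi_jwt` is only a local check of what prosody will verify on its side (signature, issuer, expiry). It uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jitsi_jwt(app_id, app_secret, domain, room="*", exp_seconds=3600,
                   user=None, now=None):
    """Build an HS256 JWT with the claims Jitsi's token module expects.

    iss must equal prosody's app_id and the signature must be made with
    prosody's app_secret, otherwise the token is rejected. sub is the Jitsi
    domain; room limits the token to one room ("*" allows any room).
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": app_id,
        "aud": "jitsi",
        "sub": domain,
        "room": room,
        "iat": now,
        "nbf": now,
        "exp": now + exp_seconds,
    }
    if user:  # optional display data, e.g. {"name": "Alice", "email": "a@example.test"}
        payload["context"] = {"user": user}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, payload)
    )
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jitsi_jwt(token, app_id, app_secret, now=None):
    """Local sanity check mirroring what prosody verifies.

    Returns the payload when the signature, issuer and expiry are valid,
    otherwise None. Only HS256 is accepted, so an "alg": "none" token fails.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(app_secret.encode(),
                        f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # constant-time comparison so a wrong secret leaks no timing information
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != app_id or payload.get("exp", 0) <= now:
        return None
    return payload


def meeting_link(domain, room, token):
    """The meeting URL in the form used by this guide."""
    return f"https://{domain}/{room}?jwt={token}"


if __name__ == "__main__":
    # constructed placeholder values; use your own app_id/app_secret/domain
    tok = make_jitsi_jwt("<YOUR_APP_ID>", "<YOUR_APP_SECRET>",
                         "jitsi.mydomain.tld", room="myroom", exp_seconds=600)
    print(meeting_link("jitsi.mydomain.tld", "myroom", tok))
```

Open the printed link in a browser; if prosody accepts the token you join `myroom` directly, and with a wrong `app_secret` or an expired `exp` prosody rejects the connection, which is exactly what `verify_jitsi_jwt` reproduces locally.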
## Install `deno`

```bash
apt-get install unzip

cd /tmp
wget -T 30 -O deno.zip https://github.com/denoland/deno/releases/latest/download/deno-x86_64-unknown-linux-gnu.zip
unzip -o deno.zip
cp /tmp/deno /usr/local/bin/

deno --version
```
## Clone the repository

```bash
apt-get install git

git clone https://github.com/nordeck/jitsi-keycloak-adapter.git
```

As an alternative, you may download the released package from Releases.
## Copy the static files

```bash
cd jitsi-keycloak-adapter

cp /usr/share/jitsi-meet/{body.html,body.html.$(date +'%H%M%S').bck}
cp templates/usr/share/jitsi-meet/body.html /usr/share/jitsi-meet/
cp templates/usr/share/jitsi-meet/static/oidc-* /usr/share/jitsi-meet/static/
```
## Set up the adapter service

```bash
adduser adapter --system --group --disabled-password --shell /bin/bash --home /home/adapter

mkdir -p /home/adapter/app
cp config.ts /home/adapter/app/
cp adapter.sh /home/adapter/app/
cp adapter.ts /home/adapter/app/
cp context.ts /home/adapter/app/
chown adapter: /home/adapter/app -R
```
Update the adapter settings according to your environment. Edit `/home/adapter/app/config.ts`. You may also use environment variables instead of updating this config file.

- `KEYCLOAK_ORIGIN`: Keycloak address
- `KEYCLOAK_ORIGIN_INTERNAL`: Internal Keycloak address, used if `KEYCLOAK_ORIGIN` is not accessible for the adapter service.
- `KEYCLOAK_REALM`: Keycloak realm
- `KEYCLOAK_CLIENT_ID`: Keycloak client ID
- `JWT_APP_ID`: The token `app_id`. It must be the same as Prosody's `app_id`.
- `JWT_APP_SECRET`: The token `app_secret`. It must be the same as Prosody's `app_secret`.
- `JWT_EXP_SECOND`: The token expiry time in seconds
- `HOSTNAME`: The IP address for the adapter service. Don't change its default value, since the adapter runs on the same server as `Nginx`.
Disable the `testing` line and enable the `prod` line in `/home/adapter/app/adapter.sh` if Keycloak has a trusted certificate. It should have one in a production environment.

```bash
# testing: allow self-signed certificate for Keycloak
#deno run --allow-net --allow-env --unsafely-ignore-certificate-errors $BASEDIR/adapter.ts

# prod
deno run --allow-net --allow-env $BASEDIR/adapter.ts
```

Install and start the systemd service.

```bash
cp templates/etc/systemd/system/oidc-adapter.service /etc/systemd/system/

systemctl daemon-reload
systemctl enable oidc-adapter.service
systemctl start oidc-adapter.service
systemctl status oidc-adapter.service
```
## Nginx

Customize the `nginx` configuration for the Jitsi domain. This file is `/etc/nginx/sites-available/YOUR_DOMAIN.conf` for a typical Jitsi setup. You may check `/etc/nginx/sites-available/example.conf` as an example.

Add the following lines as the first `location` blocks:

```nginx
# /oidc/redirect
location = /oidc/redirect {
    proxy_pass http://127.0.0.1:9000;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

# /oidc/tokenize
location = /oidc/tokenize {
    proxy_pass http://127.0.0.1:9000;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}

# /oidc/auth
location = /oidc/auth {
    proxy_pass http://127.0.0.1:9000;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
}
```

Change the `location @root_path` block as below:

```nginx
# oidc: customized @root_path
location @root_path {
    if ($arg_oidc) {
        rewrite ^/(.*)$ / break;
    }

    if ($arg_jwt) {
        rewrite ^/(.*)$ / break;
    }

    rewrite ^/(.*)$ /static/oidc-redirect.html;
}
```

Restart the `nginx` service:

```bash
systemctl restart nginx
```
## Guest users

If you want to allow guest users to join the meeting after it has been created by a moderator, apply the following.

Add the guest domain for `prosody`. Create the `/etc/prosody/conf.avail/guest.cfg.lua` file with the following contents.

```lua
VirtualHost "guest.domain.loc"
    authentication = "jitsi-anonymous"
    c2s_require_encryption = false
```

Create a symbolic link for this config file.

```bash
ln -s ../conf.avail/guest.cfg.lua /etc/prosody/conf.d/
```

Set `allow_empty_token` in your `/etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua`.

```lua
VirtualHost "<YOUR-DOMAIN>"
    authentication = "token";
    app_id="<YOUR_APP_ID>"
    app_secret="<YOUR_APP_SECRET>"
    allow_empty_token=true
```

Restart the `prosody` service:

```bash
systemctl restart prosody.service
```

Enable XMPP authentication for `jicofo`:

```bash
DOMAIN=$(hocon -f /etc/jitsi/jicofo/jicofo.conf get jicofo.xmpp.client.xmpp-domain)

hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.enabled true
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.type XMPP
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.login-url $DOMAIN
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.enable-auto-login false
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.authentication-lifetime '100 milliseconds'
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.conference.enable-auto-owner false

systemctl restart jicofo.service
```

Set `anonymousdomain` in `config.js`:

```bash
echo "config.hosts.anonymousdomain = 'guest.domain.loc';" >> /etc/jitsi/meet/*-config.js
```