Standalone setup

The setup guide to install Jitsi Keycloak Adapter on a standalone Jitsi server.

Tested on Debian 11 Bullseye with Jitsi v2.0.8960. Use the root account while running the commands.

1. Token authentication

Enable token authentication for Prosody.

1.1 jitsi-meet-tokens package

apt-get install jitsi-meet-tokens

Check the related parameters in your /etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua. They should already have been set by the apt-get command.

VirtualHost "<YOUR-DOMAIN>"
    authentication = "token";
    app_id="<YOUR_APP_ID>"
    app_secret="<YOUR_APP_SECRET>"

1.2 Testing

Test the JWT authentication with a valid token. You may generate the token on Jitok. The meeting link should look like the following:

https://jitsi.mydomain.tld/myroom?jwt=<PASTE_TOKEN_HERE>
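If you prefer to mint the test token locally instead of using Jitok, the following added example (not code from the jitsi-keycloak-adapter project) signs a Jitsi-style HS256 token with the same app_id / app_secret pair that Prosody is configured with, and verifies one the way a relying party should. The claim layout (iss = app_id, aud = "jitsi", sub = domain, room, exp) is the common Jitsi convention; which claims Prosody actually enforces depends on its token settings, so treat that part as an assumption.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    # JWT segments are unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jitsi_token(app_id, app_secret, domain, room="*", exp_seconds=3600,
                     name="Test User", now=None):
    """Build a test token; iss/aud/sub/room follow the usual Jitsi claim layout (assumed)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": app_id,          # must equal Prosody's app_id
        "aud": "jitsi",         # conventional audience value
        "sub": domain,          # the Jitsi VirtualHost
        "room": room,           # "*" allows any room
        "iat": now, "nbf": now, "exp": now + exp_seconds,
        "context": {"user": {"name": name}},
    }
    segments = [_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments)
    sig = hmac.new(app_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jitsi_token(token, app_id, app_secret, now=None):
    """Return the payload if alg, signature, issuer and expiry check out, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never accept 'none' or a different algorithm
    expected = hmac.new(app_secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(body_b64))
    if payload.get("iss") != app_id:
        raise ValueError("issuer mismatch")
    if now >= payload.get("exp", 0):
        raise ValueError("token expired")
    return payload
```

Append the result of make_jitsi_token(...) as the jwt query parameter of the meeting link above; the same app_id / app_secret pair must later be given to the adapter as JWT_APP_ID / JWT_APP_SECRET.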

2. Deno

Install Deno.

apt-get install unzip

cd /tmp
wget -T 30 -O deno.zip https://github.com/denoland/deno/releases/latest/download/deno-x86_64-unknown-linux-gnu.zip
unzip -o deno.zip
cp /tmp/deno /usr/local/bin/

deno --version

3. Keycloak adapter

3.1 Cloning the repository

Clone the repository.

apt-get install git

git clone https://github.com/nordeck/jitsi-keycloak-adapter.git

Alternatively, you may download the released package from Releases.

3.2 Static files

Copy the static files.

cd jitsi-keycloak-adapter
cp /usr/share/jitsi-meet/{body.html,body.html.$(date +'%H%M%S').bck}
cp templates/usr/share/jitsi-meet/body.html /usr/share/jitsi-meet/
cp templates/usr/share/jitsi-meet/static/oidc-* /usr/share/jitsi-meet/static/

3.3 Adapter service

Set up the adapter service.

3.3.1 Adapter user

adduser adapter --system --group --disabled-password --shell /bin/bash --home /home/adapter

3.3.2 Adapter application

mkdir -p /home/adapter/app
cp config.ts /home/adapter/app/
cp adapter.sh /home/adapter/app/
cp adapter.ts /home/adapter/app/
cp context.ts /home/adapter/app/
chown adapter: /home/adapter/app -R

3.3.3 Adapter settings

Update the adapter settings according to your environment. Edit /home/adapter/app/config.ts.

You may also use environment variables instead of updating this config file.

  • KEYCLOAK_ORIGIN

    Keycloak address

  • KEYCLOAK_ORIGIN_INTERNAL

    Internal Keycloak address if KEYCLOAK_ORIGIN is not accessible for the adapter service.

  • KEYCLOAK_REALM

    Keycloak realm

  • KEYCLOAK_CLIENT_ID

    Keycloak client ID

  • JWT_APP_ID

    The token app_id. It must be the same as the Prosody app_id.

  • JWT_APP_SECRET

    The token app_secret. It must be the same as the Prosody app_secret.

  • JWT_EXP_SECOND

    The token expiry time, in seconds.

  • HOSTNAME

    The IP address the adapter service listens on. Don't change its default value, since the adapter runs on the same server as Nginx.

3.3.4 Production notes

Disable the testing line and enable the prod line in /home/adapter/app/adapter.sh if Keycloak has a trusted certificate, which it should have in a production environment.

# testing: allow self-signed certificate for Keycloak
#deno run --allow-net --allow-env --unsafely-ignore-certificate-errors $BASEDIR/adapter.ts

# prod
deno run --allow-net --allow-env $BASEDIR/adapter.ts

3.3.5 Systemd unit

cp templates/etc/systemd/system/oidc-adapter.service /etc/systemd/system/

systemctl daemon-reload
systemctl enable oidc-adapter.service
systemctl start oidc-adapter.service
systemctl status oidc-adapter.service

4. Nginx

Customize the Nginx configuration for the Jitsi domain. For a typical Jitsi setup this file is /etc/nginx/sites-available/YOUR_DOMAIN.conf. You may check /etc/nginx/sites-available/example.conf as an example.

Add the following lines as the first location blocks.

    # /oidc/redirect
    location = /oidc/redirect {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # /oidc/tokenize
    location = /oidc/tokenize {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # /oidc/auth
    location = /oidc/auth {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

Change the location @root_path block as below.

    # oidc: customized @root_path
    location @root_path {
        if ($arg_oidc) {
            rewrite ^/(.*)$ / break;
        }
        if ($arg_jwt) {
            rewrite ^/(.*)$ / break;
        }

        rewrite ^/(.*)$ /static/oidc-redirect.html;
    }

Restart the Nginx service.

systemctl restart nginx

5. Guest users

If you want to allow guest users to join a meeting after it has been created by a moderator, apply the following.

5.1 prosody

Add the guest domain for Prosody. Create the file /etc/prosody/conf.avail/guest.cfg.lua with the following contents.

VirtualHost "guest.domain.loc"
    authentication = "jitsi-anonymous"
    c2s_require_encryption = false

Create a symbolic link for this config file.

ln -s ../conf.avail/guest.cfg.lua /etc/prosody/conf.d/

Set allow_empty_token in your /etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua.

VirtualHost "<YOUR-DOMAIN>"
    authentication = "token";
    app_id="<YOUR_APP_ID>"
    app_secret="<YOUR_APP_SECRET>"
    allow_empty_token=true

Restart the Prosody service.

systemctl restart prosody.service

5.2 jicofo

Enable XMPP authentication for Jicofo.

DOMAIN=$(hocon -f /etc/jitsi/jicofo/jicofo.conf get jicofo.xmpp.client.xmpp-domain)

hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.enabled true
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.type XMPP
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.login-url $DOMAIN
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.enable-auto-login false
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.authentication.authentication-lifetime '100 milliseconds'
hocon -f /etc/jitsi/jicofo/jicofo.conf set jicofo.conference.enable-auto-owner false

systemctl restart jicofo.service

5.3 jitsi-meet

Set anonymousdomain in config.js.

echo "config.hosts.anonymousdomain = 'guest.domain.loc';" >> /etc/jitsi/meet/*-config.js