The setup guide to install Jitsi Keycloak Adapter v2 on a standalone Jitsi
server.
Tested on Debian 12 Bookworm with Jitsi v2.0.9823. Use root account while
running the commands.
Enable the token authentication for prosody.
apt-get install jitsi-meet-tokensCheck related parameters in your /etc/prosody/conf.d/YOUR-DOMAIN.cfg.lua. They
should be already set by apt-get command.
VirtualHost "<YOUR-DOMAIN>"
authentication = "token";
app_id="<YOUR_APP_ID>"
app_secret="<YOUR_APP_SECRET>"Test the JWT authentication with a valid token. You may generate the token on Jitok. The meeting link should be like the following:
https://jitsi.mydomain.tld/myroom?jwt=<PASTE_TOKEN_HERE>Install deno:
apt-get install unzip
cd /tmp
wget -T 30 -O deno.zip https://github.com/denoland/deno/releases/latest/download/deno-x86_64-unknown-linux-gnu.zip
unzip -o deno.zip
cp /tmp/deno /usr/local/bin/
deno --versionClone the repository:
apt-get install git
git clone https://github.com/nordeck/jitsi-keycloak-adapter-v2.git
cd jitsi-keycloak-adapter-v2As an alternative way, you may download the released package from Releases.
Setup the adapter service.
adduser adapter --system --group --disabled-password --shell /bin/bash --home /home/adaptermkdir -p /home/adapter/app
cp src/config.ts /home/adapter/app/
cp src/adapter.ts /home/adapter/app/
cp src/context.ts /home/adapter/app/
cp templates/home/adapter/app/adapter.sh /home/adapter/app/
chown adapter: /home/adapter/app -RUpdate the adapter settings according to your environment. Edit /home/adapter/app/config.ts.
You may also use environment variables instead of updating this config file.
-
KEYCLOAK_ORIGINKeycloak address
-
KEYCLOAK_ORIGIN_INTERNALInternal Keycloak address if
KEYCLOAK_ORIGINis not accessible for the adapter service. -
KEYCLOAK_REALMKeycloak realm
-
KEYCLOAK_CLIENT_IDKeycloak client ID
-
JWT_APP_IDThe token
app_id. It must be the same with Prosodyapp_id. -
JWT_APP_SECRETThe token
app_secret. It must be the same with Prosodyapp_secret. -
JWT_EXP_SECONDThe token expire time
-
HOSTNAMEThe IP address for the adapter service. Don't update its default value since it is on the same server with
Nginx.
Disable the testing line and enable the prod line in
/home/adapter/app/adapter.sh if
keycloak has a trusted certificate. It should be for the production
environment.
# testing: allow self-signed certificate for Keycloak
#deno run --allow-net --allow-env --unsafely-ignore-certificate-errors $BASEDIR/adapter.ts
# prod
deno run --allow-net --allow-env $BASEDIR/adapter.tscp templates/etc/systemd/system/oidc-adapter.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable oidc-adapter.service
systemctl start oidc-adapter.service
systemctl status oidc-adapter.serviceAdd OIDC config:
cp templates/etc/jitsi/meet/jaas/oidc.conf /etc/jitsi/meet/jaas/And restart the nginx service:
systemctl restart nginxSet tokenAuthUrl and tokenAuthUrlAutoRedirect in config.js:
DOMAIN=$(hocon -f /etc/jitsi/jicofo/jicofo.conf get jicofo.xmpp.client.xmpp-domain | tr -d '"')
echo "config.tokenAuthUrl = 'https://${DOMAIN}/oidc/auth?state={state}';" >> /etc/jitsi/meet/*-config.js
echo "config.tokenAuthUrlAutoRedirect = true;" >> /etc/jitsi/meet/*-config.jsIf you want to allow guest users to join the meeting after it's created by a moderator then apply the followings.
Enable persistent_lobby and muc_wait_for_host in your
/etc/prosody/conf.d/<YOUR-DOMAIN>.cfg.lua.
Put persistent_lobby into VirtualHost's modules_enabled:
VirtualHost "<YOUR-DOMAIN>"
...
...
modules_enabled = {
...
...
"muc_lobby_rooms";
"persistent_lobby";
...Put muc_wait_for_host into Component's modules_enabled:
Component "conference.<YOUR-DOMAIN>" "muc"
...
...
modules_enabled = {
...
...
"token_verification";
"muc_wait_for_host";
...Set allow_empty_token in your /etc/prosody/conf.d/<YOUR-DOMAIN>.cfg.lua:
VirtualHost "<YOUR-DOMAIN>"
authentication = "token";
app_id="<YOUR_APP_ID>"
app_secret="<YOUR_APP_SECRET>"
allow_empty_token=trueAdd the guest domain for prosody. Create
/etc/prosody/conf.avail/guest.cfg.lua file with the following contents:
VirtualHost "guest.domain.loc"
authentication = "jitsi-anonymous"
c2s_require_encryption = falseCreate a symbolic link for this config file:
ln -s ../conf.avail/guest.cfg.lua /etc/prosody/conf.d/Restart the prosody service:
systemctl restart prosody.serviceSet anonymousdomain in config.js:
echo "config.hosts.anonymousdomain = 'guest.domain.loc';" >> /etc/jitsi/meet/*-config.js