Jitsi with OpenID

I’m terribly confused and not sure which direction is true north. The docs for Jitsi are a total wreck. There are far too many pieces that you can’t tell if they’re core, optional, or which combinations are winning and what are the trade-offs between them. Nothing seems to be explained properly. No clue why a project would have this much going for it and be so poor on the documentation. It’s a shame.

What I’m trying to do is integrate Jitsi with my FOSS platform. Pretty well all our services use OpenID. I’m trying to make it so people auth with GitLab then use their OpenID provider to auth with the rest of our services. First up, Jitsi… and I’m spinning around and disoriented. I can’t make sense of the directions. Seems to assume a particular winning combination of packages on the Jitsi install… no clue which ones they used.

Has a docker-compose file with a bunch of subdomains listed. Why is this? Standard install on Jitsi has a single domain listed. I used the base without a subdomain. Our GitLab has a single subdomain in use. That makes two. I see 3 total. Where do I find the extra? Then there’s mention of JWT. Depending on the docs I’m reading, it’s either included or not, except I can’t figure out which one is the case. I tried to apt install jitsi-meet-tokens and 400MB of downloads later, apt fails. That’s rare.

gcc -O2 -fPIC -I/usr/include/lua5.2 -c src/openssl.c -o src/openssl.o -D_REENTRANT -D_THREAD_SAFE -DCOMPAT53_PREFIX=luaossl -D_GNU_SOURCE -I/usr/include -I/usr/include
src/openssl.c:83:10: fatal error: lua.h: No such file or directory
   83 | #include <lua.h>

That file definitely exists and is populated… so, strange.

Where do I go from here? This instance seems gunked up from all the things I’ve tried. Hopefully someone looks past the frustration and is kind enough to reply. Think I’m gonna nuke this and start over. Any ideas how to get this OpenID connector to work with GitLab and Jitsi?

I’m pretty frustrated with Jitsi overall. I can’t tell where all the components are installed and which config files to edit, and most importantly, how to harden this up properly for production. Would really love this to work out and don’t mind spending another day sorting out the kinks, but it’s time to reach out to a community because as-is this could have me going down dozens of rabbit holes without success.

https://github.com/MarcelCoding/jitsi-openid

# docker-compose.yaml
version: '3.8'

services:

  jitsi-openid:
    image: marcelcoding/jitsi-openid:latest
    restart: always
    environment:
      - 'JITSI_SECRET=SECURE_SECRET'             # <- shared with jitsi (JWT_APP_SECRET),
                                                 #    secret to sign jwt tokens
      - 'JITSI_URL=https://meet.example.com'     # <- external url of jitsi
      - 'JITSI_SUB=meet.example.com'             # <- shared with jitsi (JWT_APP_ID),
                                                 #    id of jitsi
      - 'ISSUER_BASE_URL=https://id.example.com' # <- base URL of your OpenID Connect provider
                                                 #    Keycloak: https://id.example.com/auth/realms/<realm>
      - 'BASE_URL=https://auth.meet.example.com' # <- base URL of this application
      - 'CLIENT_ID=meet.example.com'             # <- OpenID Connect Client ID
      - 'SECRET=SECURE_SECRET'                   # <- OpenID Connect Client secret
    ports:
      - '3000:3000'

You may create your custom authentication page using OIDC and redirect the authenticated clients to your Jitsi server with a valid JWT.
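As an added example (not from this page, the jitsi-openid project, or Jitsi itself) of what "redirect the authenticated clients to your Jitsi server with a valid JWT" involves: a stdlib-only Python script that mints an HS256 token with the claims Jitsi's token authentication checks, and a matching verifier. The secret and app id are the placeholders from the compose file above. The audience value "jitsi" and the claim layout (iss, sub, aud, room, exp, context.user) are taken from the jitsi-meet-tokens documentation as I remember it; treat them as assumptions to confirm against your Jitsi version. The verify function mirrors the checks the Jitsi side performs and that any relying party should make: algorithm pinned, signature compared in constant time, then issuer, audience, validity window and room.

```python
import base64
import hashlib
import hmac
import json
import time

# Values copied from the docker-compose on this page. The secret is the page's
# placeholder; a real deployment uses a long random string.
JWT_APP_ID = "meet.example.com"        # JITSI_SUB in the compose, JWT_APP_ID on the Jitsi side
JWT_APP_SECRET = "SECURE_SECRET"       # JITSI_SECRET in the compose, JWT_APP_SECRET on the Jitsi side
JITSI_DOMAIN = "meet.example.com"      # host part of JITSI_URL
JITSI_AUDIENCE = "jitsi"               # audience Jitsi's token auth expects (assumption, see lead-in)


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; re-adds the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: str) -> bytes:
    """HS256 signature over header.payload."""
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def mint_jitsi_token(name, email, room="*", ttl=3600, now=None,
                     secret=JWT_APP_SECRET, app_id=JWT_APP_ID, domain=JITSI_DOMAIN):
    """Return an HS256 JWT carrying the claims Jitsi's token auth checks."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": app_id,             # must equal JWT_APP_ID on the Jitsi side
        "sub": domain,             # the Jitsi domain the token is valid for
        "aud": JITSI_AUDIENCE,
        "room": room,              # "*" grants every room; a room name pins it to one
        "iat": now,
        "nbf": now,
        "exp": now + ttl,
        "context": {"user": {"name": name, "email": email}},
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    return signing_input + "." + _b64url(_sign(signing_input, secret))


def verify_jitsi_token(token, room, now=None, secret=JWT_APP_SECRET, app_id=JWT_APP_ID):
    """Return the payload if the token is acceptable for `room`; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = _sign(header_b64 + "." + payload_b64, secret)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("iss") != app_id:
        raise ValueError("wrong issuer")
    if payload.get("aud") != JITSI_AUDIENCE:
        raise ValueError("wrong audience")
    if not (payload.get("nbf", 0) <= now < payload.get("exp", 0)):
        raise ValueError("token outside its validity window")
    if payload.get("room") not in ("*", room):
        raise ValueError("token not valid for this room")
    return payload


if __name__ == "__main__":
    # Constructed sample user; the auth page would take these from the OIDC ID token.
    tok = mint_jitsi_token("Alice", "alice@example.com", room="standup")
    print(tok)
    print(verify_jitsi_token(tok, room="standup")["context"]["user"]["name"])
```

The auth page would put the minted token on the redirect as `https://meet.example.com/<room>?jwt=<token>`; keep the TTL short and pin `room` to the meeting the user actually asked for, since a long-lived `room: "*"` token is effectively a password for the whole server.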

I’ve abandoned this as a huge time-waster. We’ve 404’d the lander page for Jitsi using nginx and create meetings with the mattermost integration. Mattermost requires GitLab SSO auth for users. Done.