Setup Jitsi OAuth Authorization, JWT

I am trying to integrate OAuth authorization server into Jitsi Meet installed on my server.
Unfortunately, I couldn’t find a clear guide on how to do this. There are a lot of discussions about Jitsi OAuth integration, but the information is fragmented and seems messy to me.

I am using Keycloak and have tested the configurations described below:

1. Keycloak + mod_auth_oauthbearer: mod_auth_oauthbearer - Prosody Community Modules

My settings:
Keycloak:

  Client Protocol: openid-connect
  Access Type: confidential
  Root URL: https://MYJITSI

Prosody:

  /etc/prosody/conf.avail/MYDOMAIN.lua:
    VirtualHost "MYDOMAIN"
      authentication = "oauthbearer"
      oauth_client_id = "ID_MY_JITSI_REGISTERED_IN_KEYCLOAK"
      oauth_client_secret = "SECRET_MY_JITSI_REGISTERED_IN_KEYCLOAK"
      oauth_url = "https://KEYCLOAK_DOMAIN:8443/auth/realms/myrealm/protocol/openid-connect/token"

      modules_enabled = {
        ...
        "auth_oauthbearer";
      }

When I log in via the Jitsi UI, I get error messages in the Prosody logs.
The problem looks the same as described here:

2. Keycloak + mod_auth_oauth: GitHub - rgrunbla/mod_auth_oauth: An authentication module for Prosody using a OAuth 2.0 backend such as Keycloak
My settings:

lua scripts:

mod_sasl_oauthbearer in which the password = saslprep(password); has been removed.

Keycloak:

  Client Protocol: openid-connect
  Access Type: confidential
  Root URL: https://MYJITSI

Prosody:

  /etc/prosody/conf.avail/MYDOMAIN.lua:
    VirtualHost "MYDOMAIN"
        authentication = "oauth"
        oauth_host = "KEYCLOAK_DOMAIN:8443"
        oauth_url_token = "https://KEYCLOAK_DOMAIN:8443/auth/realms/myrealm/protocol/openid-connect/token"
        oauth_url_userinfo = "https://KEYCLOAK_DOMAIN:8443/auth/realms/myrealm/protocol/openid-connect/userinfo"
        oauth_client_id = "ID_MY_JITSI_REGISTERED_IN_KEYCLOAK"
        oauth_client_secret = "SECRET_MY_JITSI_REGISTERED_IN_KEYCLOAK"

        modules_enabled = {
          ...
          "auth_oauth";
        }

Now the user can log in through the Jitsi UI.
Communication between Jitsi and Keycloak works without error and the video conferencing seems to be fine.
But it looks like only SASL PLAIN mode is working by default, and it is not clear to me how to enable OAUTHBEARER mode.

3. JWT token authentication Prosody plugin: lib-jitsi-meet/tokens.md at master · jitsi/lib-jitsi-meet · GitHub
I followed the guide above to setup Prosody.
Keycloak is not used in this case, my booking system generates JWT tokens similar to those described here: lib-jitsi-meet/tokens.md at master · jitsi/lib-jitsi-meet · GitHub
The conference URL looks like the one below:

https://MY_DOMAIN/ROOM_NAME?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

It looks like JWT token authentication is working as expected: the token is validated against the room name, domain, expiration timestamp, but without user authentication.

In my opinion, it is required to provide and verify the Jitsi-related JWT attributes (room, domain, conference time, etc.) on the one hand, and on the other hand authenticate the user (OAuth).

Questions:

Keycloak + mod_auth_oauthbearer:

  • Q1.1 Has anyone managed to configure Keycloak + mod_auth_oauthbearer?
  • Q1.2 I suspect this is a quite standard scenario. Is there any guide on how to setup Jitsi and Keycloak, or any other OAuth server?

Keycloak + mod_auth_oauth:

  • Q2.1 Could anybody advise me how to enable OAUTHBEARER mode in mod_auth_oauth?

JWT token authentication Prosody plugin:

  • Q3.1 Could anybody clarify what the relation is between the JWT token authentication Prosody plugin and user authentication?
  • Q3.2 Is any integration of the 'JWT token authentication Prosody plugin' and some OAuth system supposed? If so, how can I do this?

Please correct me if I misunderstand something.
Thank you in advance.

Any update on this?
Could anybody clarify OAuth in Jitsi?

An additional layer is another possible solution for implementing OAuth in Jitsi.

Add additional layer to translate between Jitsi and Keycloak.

Could anybody clarify this?

Hi,

It is not possible to create a connection between Keycloak and Jitsi Meet by default, because Keycloak creates a different JWT. You have to rely on a middleware.
For this we have developed the Jitsi Admin (GitHub - H2-invent/jitsi-admin: The Jitsi Admin is an administration and management platform for Jitsi Meet servers), a PHP application as open source with which you can manage the organizers, guests, conferences and Jitsi servers with JWT. You can test the features on the free public one: https://jitsi-admin.de

The organizers can easily create meetings and invite guests. Through JWT, the conferences are accessible only to the participants from the participants list.
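As an added example covering both the JWT plugin checks from the opening post (room, domain, expiry) and the "middleware" Andreas describes, here is a small stdlib-only Python script that mints an HS256 Jitsi-style token, verifies it the way the conference side must, and shows the translation step a middleware performs: it takes already-verified Keycloak ID-token claims, checks the user against the meeting's participant list, and only then issues a Jitsi token. This is not code from the thread, lib-jitsi-meet or jitsi-admin. The claim names follow the lib-jitsi-meet tokens.md guide (iss, aud, sub, room, nbf, exp, context.user); the function names, the Keycloak claim mapping, the participant-list rule, the secret and the sample claims are constructed assumptions, and the exact issuer/audience values a real Prosody accepts are configurable in its token plugin.

```python
"""Jitsi-style JWT minting and verification plus a Keycloak-to-Jitsi
middleware step. Added example; claim mapping and names are assumptions."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


class TokenError(Exception):
    """Raised for any token the conference must not accept."""


def mint_jitsi_jwt(secret, app_id, domain, room, user, ttl=3600, now=None):
    """HS256 token with the claims tokens.md describes: iss/aud carry the
    app_id configured in Prosody, sub the XMPP domain, room the conference
    name ("*" would mean any room), context.user the displayed identity."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": app_id, "aud": app_id, "sub": domain, "room": room,
               "nbf": now, "exp": now + ttl, "context": {"user": user}}
    signing_input = f"{_b64url(_json(header))}.{_b64url(_json(payload))}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jitsi_jwt(token, secret, app_id, domain, room, now=None):
    """Signature first, then the binding claims: issuer/audience, domain,
    room and validity window. Any failure rejects the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # the token never chooses the algorithm
        raise TokenError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("iss") != app_id or payload.get("aud") != app_id:
        raise TokenError("issuer/audience mismatch")
    if payload.get("sub") not in (domain, "*"):
        raise TokenError("token not valid for this domain")
    if payload.get("room") not in (room, "*"):
        raise TokenError("token not valid for this room")
    if now < payload.get("nbf", 0):
        raise TokenError("token not yet valid")
    exp = payload.get("exp")
    if exp is None or now >= exp:  # an expiry is required, not optional
        raise TokenError("token expired or has no exp")
    return payload


def mint_for_keycloak_user(kc_claims, participants, secret, app_id, domain, room, now=None):
    """Hypothetical middleware step: Keycloak proves who the user is, the
    booking data decides whether that user may enter this room."""
    email = kc_claims.get("email", "").lower()
    if email not in {p.lower() for p in participants}:
        raise TokenError("user is not an invited participant")
    user = {"id": kc_claims["sub"],  # Keycloak user id
            "name": kc_claims.get("name") or kc_claims.get("preferred_username", ""),
            "email": email}
    return mint_jitsi_jwt(secret, app_id, domain, room, user, now=now)


# Constructed sample values; not from any real deployment.
SECRET = "constructed-shared-secret"
APP_ID = "myjitsi-app"
DOMAIN = "meet.example.invalid"
KC_CLAIMS = {"sub": "kc-user-id-constructed", "name": "Alice Example",
             "email": "alice@example.invalid", "preferred_username": "alice"}

if __name__ == "__main__":
    tok = mint_for_keycloak_user(KC_CLAIMS, ["alice@example.invalid"],
                                 SECRET, APP_ID, DOMAIN, "standup", now=1700000000)
    print(verify_jitsi_jwt(tok, SECRET, APP_ID, DOMAIN, "standup", now=1700000100)["context"])
```

The point of the split is the one the opening post circles around: the JWT plugin can only check what the token binds (signature, domain, room, time window), so whoever mints the token has to have authenticated the user first and is the place where an OAuth provider such as Keycloak plugs in.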

Andreas, thanks.
Now I am leaning towards a solution based on middleware.

I’ve discovered the tokenAuthUrl parameter in the list of undocumented settings used in jitsi-meet.

Could someone clarify what it is for?
How can it be used in the context of OAuth and JWT?

I haven’t used that, but it is a way to redirect users to a URL to authenticate and obtain… but it is not something widely used … and I’m not very familiar with that to give you more details …

Thanks anyway

Can anyone help me with steps for setting up Keycloak with Jitsi Admin? I’m facing an issue with that.

My .env file:
OAUTH_KEYCLOAK_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
OAUTH_KEYCLOAK_CLIENT_SECRET=password
OAUTH_KEYCLOAK_SERVER=fqdn:8080/auth/
OAUTH_KEYCLOAK_REALM=jitsi