Setup Jitsi OAuth Authorization, JWT

Ivan_Morozoff · January 17, 2021, 8:52pm

I am trying to integrate OAuth authorization server into Jitsi Meet installed on my server.
Unfortunately, I couldn’t find a clear guide on how to do this. There are a lot of discussions about Jitsi OAuth integration, but the information is fragmented and seems messy to me.

I am using Keycloak and have tested the configurations described below:

1. Keycloak + mod_auth_oauthbearer: mod_auth_oauthbearer - Prosody Community Modules

My settings:
Keycloak:

  Client Protocol: openid-connect
  Access Type: confidential
  Root URL: https://MYJITSI

Prosody:

  /etc/prosody/conf.avail/MYDOMAIN.lua:
    VirtualHost "MYDOMAIN"
      authentication = "oauthbearer"
      oauth_client_id = "ID_MY_JITSI_REGISTERED_IN_KEYCLOAK"
      oauth_client_secret = "SECRET_MY_JITSI_REGISTERED_IN_KEYCLOAK"
      oauth_url = "https://KEYCLOAK_DOMAIN:8443/auth/realms/myrealm/protocol/openid-connect/token"
 
        modules_enabled = {
          ...
          auth_oauthbearer
        }

When I login via the Jitsi UI, I get error messages in the Prosody logs.
The problem looks the same as described here:

2. Keycloak + mod_auth_oauth: GitHub - rgrunbla/mod_auth_oauth: An authentication module for Prosody using a OAuth 2.0 backend such as Keycloak
My settings:

lua scripts:

mod_sasl_oauthbearer in which the password = saslprep(password); has been removed.

Keycloak:

  Client Protocol: openid-connect
  Access Type: confidential
  Root URL: https://MYJITSI

Prosody:

  /etc/prosody/conf.avail/MYDOMAIN.lua:
    VirtualHost "MYDOMAIN"
        authentication = "oauth"
        oauth_host = "KEYCLOAK_DOMAIN:8443"
        oauth_url_token = "https://KEYCLOAK_DOMAIN:8443/auth/realms/myrealm/protocol/openid-connect/token"
        oauth_url_userinfo = "https://KEYCLOAK_DOMAIN:8443/auth/realms/myrealm/protocol/openid-connect/userinfo"
        oauth_client_id = "ID_MY_JITSI_REGISTERED_IN_KEYCLOAK"
        oauth_client_secret = "SECRET_MY_JITSI_REGISTERED_IN_KEYCLOAK"

        modules_enabled = {
          ...
          auth_oauth
        }

Now the user can login through the Jitsi UI.
Communication between Jitsi and Keycloak works without error and the video conferencing seems to be fine.
But it looks like only SASL PLAIN mode is working by default and it is not clear to me how to enable OAUTHBEARER mode

3. JWT token authentication Prosody plugin: lib-jitsi-meet/tokens.md at master · jitsi/lib-jitsi-meet · GitHub
I followed the guide above to setup Prosody.
Keycloak is not used in this case, my booking system generates JWT tokens similar to those described here: lib-jitsi-meet/tokens.md at master · jitsi/lib-jitsi-meet · GitHub
The conference URL is look like below:

https://MY_DOMAIN/ROOM_NAME?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

It looks like JWT token authentication is working as expected: the token is validated against the room name, domain, expiration timestamp, but without user authentication.

In my opinion, it is required to provide and verify the Jitsi-related JWT attributes (room, domain, conference time, etc.) on the one hand, and on the other hand authenticate the user (OAuth).

Questions:

Keycloak + mod_auth_oauthbearer:

Q1.1 Has anyone managed to configure Keycloak + mod_auth_oauthbearer?
Q1.2 I suspect this is a quite standard scenario. Is there any guide on how to setup Jitsi and Keycloak, or any other OAuth server?

Keycloak + mod_auth_oauth:

Q2.1 Could anybody advise me how to enable OAUTHBEARER mode in mod_auth_oauth?

JWT token authentication Prosody plugin:

Q3.1 Could anybody clarify what is relation between JWT token authentication Prosody plugin and user authentication?
Q3.2 Is it supposed any integration of 'JWT token authentication Prosody plugin’and some OAuth system? If it is so how can I do this?

Please correct me if I misunderstand something.
Thank you in advance.

Ivan_Morozoff · January 20, 2021, 5:58am

Any update on this?
Could anybody clarify OAuth in Jitsi?

Ivan_Morozoff · January 20, 2021, 6:31am

An additional layer is another possible solution for implementing OAuth in Jitsi.

Add additional layer to translate between Jitsi and Keycloak.

Could anybody clarify this?

andreas_h · January 20, 2021, 8:55am

Hi,

It is not possible to create a connection between Keycloak and Jitsi Meet by default, because Keycloak creates a different JWT. You have to rely on a middleware.
For this we have developed the Jitsi Admin GitHub - H2-invent/jitsi-admin: Der Jitsi Admin ist eine Administration und Management Plattform für Jitsi Meet Server a PHP application as open source with which you can manage the organizers, guests, conferences and Jitsi servers with JWT. You can test the features on the free public one: https://jitsi-admin.de

The organizers can easily create meetings and invite guests. Through JWT, the conferences are accessible only to the participants from the participants list.

Ivan_Morozoff · January 20, 2021, 2:27pm

Andreas, thanks.
Now I am leaning towards a solution based on middleware.

Ivan_Morozoff · January 21, 2021, 12:50pm

I’ve discovered tokenAuthUrl parameter in the list of undocumented settings used in jitsi-meet

Could someone clarify what it is for?
How it can be used in the context of OAuth and JWT?

damencho · January 21, 2021, 1:07pm

I haven’t used that, but it is a way to redirect users to a URL to authenticate and obtain… but it is not something widely used … and I’m not very familiar with that to give you more details …

Ivan_Morozoff · January 21, 2021, 2:56pm

Thanks anyway

santoshaimpace · April 7, 2021, 7:01pm

Can anyone help me with steps for setting up keycloak with jitsi admin. i’m facing issue with that.

my .env file
OAUTH_KEYCLOAK_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
OAUTH_KEYCLOAK_CLIENT_SECRET=password
OAUTH_KEYCLOAK_SERVER=fqdn:8080/auth/
OAUTH_KEYCLOAK_REALM=jitsi

andreas_h · May 9, 2021, 7:10pm

HI @santoshaimpace

Does your KeyCloak is already setup correctly? Do you have created a new REALM (e.g. jitsi) and a new Client inside this realm?
For testing local, you can then set following condig:

OAUTH_KEYCLOAK_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
OAUTH_KEYCLOAK_CLIENT_SECRET=password
OAUTH_KEYCLOAK_SERVER=localhost:8443/auth/
OAUTH_KEYCLOAK_REALM=jitsi

ARUNODHAYAM_S · August 23, 2021, 4:45am

How to setup JWT auth to jitsi + keycloak in Docker??

ARUNODHAYAM_S · August 23, 2021, 11:26am

How to communicate jitsi with keycloak in docker?? Pls tell any one…

ARUNODHAYAM_S · August 25, 2021, 5:39am

@Ivan_Morozoff Can you pls tell How to connect Keycloak + Jitsi in docker-compose??

gray380 · September 15, 2022, 8:28am

Hi @andreas_h is there any guide how to install jitsi-admin (Docker version) with own (already installed) keycloak, traefik and postgres?

micudaj · November 23, 2022, 6:59pm

Hi gray380,

Die you manage to install it with your own key cloak, traefik and PostgreSQL? I have the same situation.

gray380 · November 24, 2022, 9:25am

Hi,

Unfortunately no.
I settled on manual token generation.

Best regards,

Sehiy.

23 листопада 2022, 21:09:42, від “micudaj via Jitsi Community Forum - developers & users” <notifications@jitsi.discoursemail.com>:

micudaj · November 24, 2022, 7:20pm

ok, thanks for the answer. I guess that will be my solution for now as well.