H2-invent / jitsi-admin

Organize and fully control your jitsi meet meetings. Make your meeting secure and be sure that only you and your fellows can join your meeting.
https://meetling.de
GNU Affero General Public License v3.0

Problem joining as a guest #352

Closed supczinskib closed 1 year ago

supczinskib commented 1 year ago

Hi,

Is it normal behavior of the application that when I try to join a conference as a guest from the link I received, I am asked to authenticate myself (keycloak)? Can it be turned off? I have all components installed on my own server.

I have one more question. Is there any way to disable the "Logging out" prompt where the only choice is "Logout"?


Prompt after logging out of Jitsi Admin

holema commented 1 year ago

Hello @supczinskib,

this can happen in three cases:

  1. When you have forced that every participant has to be registered.
  2. When the user who wants to join has an account on your jitsi-admin instance. Then we want to make sure that the link was not stolen.
  3. When the enforcement that everyone who wants to join the conference on the whole instance has to be registered is set.

But I will double check this. Your case seems to be no. 2.

The second question seems to be keycloak 20. But here I will double check

holema commented 1 year ago

I just double checked. The confirmation seems to happen on your Keycloak, not on the docker installed Keycloak. This Keycloak seems to be version >16. There was a change in the logout URI and it now needs the confirmation prompt. We know about this deprecation and are working on this issue. But it is unfortunately not that easy, because Keycloak changed a lot.

https://www.keycloak.org/2022/04/keycloak-1800-released

supczinskib commented 1 year ago

Thank you for your help. I don't use docker. I installed and configured everything myself. Keycloak is in version 19.0.1. I will try to solve both problems and share the results here.

holema commented 1 year ago

I'm glad to help you. I tried today to fix the issue with the logging out stuff, but I still struggle with the logout confirmation, because since KC18 an id_token is needed. https://github.com/stevenmaguire/oauth2-keycloak/issues/46 I used this answer to start fixing it in the branch https://github.com/H2-invent/jitsi-admin/tree/hotfix/redirect_uri_deprecated

The first problem you wrote about, with the login when you click the link: does this happen when the participant has an account on the platform, or every time?

supczinskib commented 1 year ago

It happens every time.

holema commented 1 year ago

Okay, this should not happen. Could you set this parameter in your .env.local file: laF_onlyRegisteredParticipents=0

Which version do you use?

supczinskib commented 1 year ago

From the beginning of the tests, the laF_onlyRegisteredParticipents parameter is set to 0

laF_version=0.72.0

holema commented 1 year ago

The version in the env seems to be wrong. I think you use the 0.74.0. I just checked it, and I was able to join a conference when the user was never logged in with the e-mail.

Could you send me an invitation from your instance to entwicklung@h2-invent.com, so I can test it with my email address.

holema commented 1 year ago

Hello @supczinskib,

I think we fixed it. Could you check out this branch: https://github.com/H2-invent/jitsi-admin/tree/hotfix/redirect_uri_deprecated and then restart the application. After this, you should not be asked to log out.

Please give me feedback if it is working. Then I will merge it.

supczinskib commented 1 year ago

Sorry for the delay, couldn't find time sooner. I cannot give you access because the system is not accessible from the outside. I had an old version because my instance is not standard and needs patching. Now I have installed the prepared version and the behavior is different. Users invited to the conference are not asked to log in, whether they are moderators or participants info@env.pl and that's fine. Only the person who initiated the conference bartek@env.pl needs to log in. Can it be avoided?

When it comes to logging out, the situation is more complicated. On my server, all the components (jitsi-meet, jitsi-admin, keycloak, whitebophir, etherpad, etc.) are behind a proxy (apache) and are available at the same address, only the path is different. Jitsi-admin is not in the root directory of the web server, but in a directory called "adm". For this reason, I have to modify your code, because in some places you refer directly to the root directory ("/build/...", "/images/...").

Previously I had a similar problem with logging out as now (Invalid redirect uri) even when in Keycloak "Valid Redirect URIs" was set to "*".

I solved it by modifying the "LoginController.php" file:

- .'/protocol/openid-connect/logout?redirect_uri='.$createHttpsUrl->createHttpsUrl('/'); + .'/protocol/openid-connect/logout?redirect_uri='.$createHttpsUrl->createHttpsUrl('/adm');
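Review bot: the '+' line hardcodes '/adm' as the logout return target, so the change only fits an installation mounted at exactly that subpath; pass the path the application is actually served from (taken from configuration or the router) to createHttpsUrl() instead of a literal. The line also still sends the bare redirect_uri parameter, and the maintainer notes earlier in this thread that since KC18 an id_token is needed on logout, so with Keycloak 19.0.1 this change on its own is unlikely to remove the "Invalid redirect uri" error or the confirmation prompt.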

In the new version, I have not solved this problem yet. By the way, I noticed one aesthetic error. In some situations, the drop-down menu is truncated and there is no shadow below it (MacBook Pro /M1 Pro/, macOS Ventura, browser: Safari, Chrome). See it in the second video.

https://env.pl/files/admin.mp4 https://env.pl/files/logout.mp4
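The two points discussed above (an ID token being required for logout since Keycloak 18, and an installation served from a subpath such as "/adm") can be handled together when the logout URL is built. The following is an added example, not code from jitsi-admin or from either commenter; the function name, its parameters and the example.test URLs are assumptions, and it needs PHP 8.

```php
<?php
declare(strict_types=1);

/**
 * Build a Keycloak >= 18 logout URL using the OIDC RP-initiated logout
 * parameters id_token_hint and post_logout_redirect_uri.
 * Hypothetical helper for illustration, not part of jitsi-admin.
 */
function buildKeycloakLogoutUrl(
    string $realmUrl,    // realm base URL, e.g. https://sso.example.test/realms/demo (constructed)
    string $appBaseUrl,  // public app URL including its subpath, e.g. https://meet.example.test/adm
    string $idToken,     // raw ID token stored at login time
    string $returnPath = '/'
): string {
    $base = parse_url($appBaseUrl);
    if ($base === false || ($base['scheme'] ?? '') !== 'https' || empty($base['host'])) {
        throw new InvalidArgumentException('appBaseUrl must be an absolute https URL');
    }
    // Accept only a local path: no scheme or host, no backslashes, no dot segments.
    // This keeps the return target under the app's own prefix.
    if ($returnPath === '' || $returnPath[0] !== '/'
        || str_starts_with($returnPath, '//')
        || str_contains($returnPath, '\\')
        || preg_match('#(^|/)\.\.?(/|$)#', $returnPath) === 1) {
        throw new InvalidArgumentException('returnPath must be a local absolute path');
    }
    if ($idToken === '') {
        // Without the token hint Keycloak falls back to the logout confirmation page.
        throw new InvalidArgumentException('an ID token is required for logout');
    }
    // Prefix the subpath instead of redirecting to the web server root.
    $target = rtrim($appBaseUrl, '/') . $returnPath;
    $query = http_build_query([
        'id_token_hint'            => $idToken,
        'post_logout_redirect_uri' => $target,
    ], '', '&', PHP_QUERY_RFC3986);

    return rtrim($realmUrl, '/') . '/protocol/openid-connect/logout?' . $query;
}

// Constructed sample values; the token is a placeholder, not a real JWT.
echo buildKeycloakLogoutUrl(
    'https://sso.example.test/realms/demo',
    'https://meet.example.test/adm',
    'constructed.id.token'
), PHP_EOL;
```

Because the return target is always one exact URL under the application's own prefix, that URL can be registered on the Keycloak client as the allowed redirect instead of "*".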

holema commented 1 year ago

Hello @supczinskib,

thanks for the detailed feedback. I love getting feedback in such detail.

I will try to answer all questions:

  1. Login for organiser: This is a security feature. Every user who is already registered with their email address in the system must authenticate to enter the conference. With this mechanism we are able to make sure that when you invite to a meeting the emails are not spoofed. I know it is hard to find the combination between conference-id and email, but if an attacker grabs the link he can enter in your name. That's also the reason why an organiser always has to log in, because he always has an account on the platform.

  2. I will figure out how to prevent this. This should normally point from the project.root to the directory.

  3. You use etherpad and whitebophir. You will love version 0.75.0. In the new version, which is already in the freeze branch, we include these two apps. Together with the new multiframing, you can open a whitebophir and etherpad in the same browser tab.

  4. I see the issue. I will generate here the route relative to the installation. Then it should work.

  5. The problem with the cut-off dropdown only appears when there is only one element. I will fix it. Thanks for reporting.

supczinskib commented 1 year ago

  1. Login for organiser: This is a security feature. Every user who is already registered with their email address in the system must authenticate to enter the conference.

Thank you for the clarification

  2. I will figure out how to prevent this. This should normally point from the project.root to the directory.

I'm looking forward

  3. You use etherpad and whitebophir. You will love version 0.75.0. In the new version, which is already in the freeze branch, we include these two apps. Together with the new multiframing, you can open a whitebophir and etherpad in the same browser tab.

This is a very nice solution, but it is worth remembering that nowadays most people from business and not only join conferences from mobile devices, where everything must be visible on a small screen, so it is worth remembering about ergonomics on these devices.

  4. I see the issue. I will generate here the route relative to the installation. Then it should work.

Ok

  5. The problem with the cut-off dropdown only appears when there is only one element. I will fix it. Thanks for reporting.

Yes it's true. When the browser window is narrower, the problem also does not occur. Everything works fine on the smartphone.

holema commented 1 year ago

We thought about the small devices, and there it is working too. On small devices, the multiframe gets automatically maximized. ;) So you can see it clearly.

supczinskib commented 1 year ago

Is there currently a way to open Jitsi-Meet in an application window? What is the "Online" status in the upper right corner for?

https://env.pl/files/test.mp4

holema commented 1 year ago

Hello @supczinskib,

this effect happens when the Cors-Header option is ticked in the server settings. Can you double check if the tick is not set?

The status on the right you can switch, and it will be set automatically, so it becomes blue when you are in a meeting. When you are in the contact list of someone else, then the others can see your status.

Have you already installed the new websocket? This is absolutely necessary, because we dropped the mercure SSE feature. It was too unstable. https://github.com/H2-invent/jitsi-admin/wiki/Websocket-installation--%7C-Draft

supczinskib commented 1 year ago

Thanks for the clarification. Indeed CORS was enabled.


Now the conference opens in a separate window. I can see the disadvantages of this solution. When I have Etherpad and Whitebophir directly integrated with Jitsi-Meet, I can access them from the native app as well.

https://env.pl/files/cors.mp4

holema commented 1 year ago

Hello @supczinskib, I'm happy it is working now.

You can deactivate the etherpad and WBO function. But in our POV it is much better, because you still have the video wherever you want. You can participate in the conference, see the WBO and the etherpad at the same time, not as in Jitsi just one of the three.

This is very important when you have a big screen, like deciders in companies often have; then you can join two meetings at the same time and be active in the conference which is relevant for you.

Is the websocket working in your scenario? What would be your suggestion to make it more comfortable?

supczinskib commented 1 year ago

No, I didn't run websocket. I ran version 0.75 out of curiosity, I wanted to see what it looks like :) At this point, the keycloak logout popup is irritating me.

holema commented 1 year ago

Hello @supczinskib,

The jitsi admin is in the version 0.75 fully KC20 ready. Thanks a lot for your help and new ideas.

I will close the issue if there are no further questions.