d3473r / jitsi-keycloak

Login to jitsi with keycloak https://github.com/d3473r/jitsi-keycloak/pkgs/container/jitsi-keycloak
https://github.com/d3473r/jitsi-keycloak
MIT License

'Open Jitsi' button opens nothing (No 'Access-Control-Allow-Origin' header ) #58

Status: Closed (gray380 closed this 1 year ago)

gray380 commented 1 year ago

Hi,

Jitsi-web redirects to Keycloak and the jitsi-keycloak page opens after successful authorization, but nothing happens when I click the 'Open Jitsi' button.

Could you help to find out the problem?

Regards Serhiy.

gray380 commented 1 year ago

To be more specific, I have:

jitsi-web: https://jitsi.example.com
jitsi-keycloak: https://auth-jitsi.example.com

JITSI ENV:

ENABLE_AUTH=1
AUTH_TYPE=jwt
JWT_APP_ID=jitsi
JWT_APP_SECRET=supersecret
TOKEN_AUTH_URL=https://auth-jitsi.example.com

JITSI KEYCLOAK ENV:

JITSI_SECRET=supersecret
DEFAULT_ROOM=meeting
JITSI_URL=https://jitsi.example.com
JITSI_SUB=example.com

And in the end, the Open Jitsi button points to https://auth-jitsi.example.com/meeting instead of https://jitsi.example.com/meeting.

gray380 commented 1 year ago

It seems that jitsi-keycloak cannot get a token from Keycloak:

Access to XMLHttpRequest at 'https://keycloak.test.lan/auth/realms/jitsi/protocol/openid-connect/auth?client_id=jitsi&state=841d9353-4895-4f23-80fc-61d23908c9f6&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1&scope=openid&response_type=code' (redirected from 'https://auth-jitsi.test.lan/api/config') from origin 'https://auth-jitsi.bank.lan' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

xhr.js:187  GET https://keycloak.test.lan/auth/realms/jitsi/protocol/openid-connect/auth?client_id=jitsi&state=841d9353-4895-4f23-80fc-61d23908c9f6&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1&scope=openid&response_type=code net::ERR_FAILED

gray380 commented 1 year ago

If I replace the correct Web Origins URI with "*" (in the Keycloak client's configuration), the 'Access-Control-Allow-Origin' error goes away, but the following error appears:

keycloak.js:790  POST https://keycloak.test.lan/auth/realms/jitsi/protocol/openid-connect/token net::ERR_FAILED 200

gray380 commented 1 year ago

Pay attention to this: rect_uri=http%3A%2F%2Fauth-jitsi.test (http instead of https).

d3473r commented 1 year ago

Hi, do you have https://auth-jitsi.bank.lan in the Web Origins of Keycloak? This is the origin of the request.

gray380 commented 1 year ago

Hi, yes I do. I've tried Web Origins with https://auth-jitsi.bank.lan, with * and with +.

Action log with https://auth-jitsi.bank.lan: log in to Keycloak

Access to XMLHttpRequest at 'https://keycloakdmz.test.lan/auth/realms/jitsi/protocol/openid-connect/auth?client_id=jitsi&state=bf3d4fd0-363b-47d3-a388-80d974e95c1b&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1&scope=openid&response_type=code' (redirected from 'https://auth-jitsi.test.lan/api/config') from origin 'https://auth-jitsi.test.lan' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Click 'OPEN JITSI'

vue.runtime.esm.js:1897 TypeError: Cannot read properties of null (reading 'token')
    at a.openJitsi (App.vue:71:68)
    at re (vue.runtime.esm.js:1863:26)
    at a.n (vue.runtime.esm.js:2188:14)
    at re (vue.runtime.esm.js:1863:26)
    at Ln.t.$emit (vue.runtime.esm.js:3903:9)
    at a.click (VBtn.ts:163:7)
    at re (vue.runtime.esm.js:1863:26)
    at HTMLButtonElement.n (vue.runtime.esm.js:2188:14)
    at Qi.o._wrapper (vue.runtime.esm.js:6961:25)

jitsi-keycloak logout, keycloak login

token: 200

Response Headers
access-control-allow-credentials: true
access-control-allow-origin: https://auth-jitsi.test.lan
access-control-expose-headers: Access-Control-Allow-Methods

auth?client_id=... CORS error

General
Request URL: https://keycloakdmz.test.lan/auth/realms/jitsi/protocol/openid-connect/auth?client_id=jitsi&state=7bd22c6b-e428-4d1a-9d2f-76a6dbe76b8e&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1&scope=openid&response_type=code
Referrer Policy: strict-origin-when-cross-origin

Request Headers
Referer: https://auth-jitsi.test.lan/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36 OPR/90.0.4480.54

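The console messages quoted above carry everything needed to spot the three mismatches this thread turns on: an XHR to /api/config being redirected to Keycloak's authorization endpoint (a browser-navigation endpoint that does not answer CORS preflights), a redirect_uri built with http while the page is served over https, and the origin host differing from the host that issued the redirect. The following is an added example, not code from the jitsi-keycloak project: a small parser for the Chrome-style CORS error text, run over a sample line constructed from the messages in this thread, with a diagnose() step that reports the mismatches. The finding names are my own.

```javascript
// Added example (not part of jitsi-keycloak): parse a Chrome-style CORS error line
// and list the mismatches worth checking. The sample line is constructed to match
// the shape of the messages quoted in this thread.

const SAMPLE_CORS_ERROR =
  "Access to XMLHttpRequest at 'https://keycloak.test.lan/auth/realms/jitsi/protocol/openid-connect/auth" +
  "?client_id=jitsi&state=841d9353-4895-4f23-80fc-61d23908c9f6" +
  "&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1" +
  "&scope=openid&response_type=code' (redirected from 'https://auth-jitsi.test.lan/api/config') " +
  "from origin 'https://auth-jitsi.bank.lan' has been blocked by CORS policy: " +
  "Response to preflight request doesn't pass access control check: " +
  "No 'Access-Control-Allow-Origin' header is present on the requested resource.";

// Pull the blocked URL, the URL it was redirected from (if any) and the page origin
// out of the message. Returns null for lines that are not CORS errors.
function parseCorsError(line) {
  const m = line.match(
    /Access to XMLHttpRequest at '([^']+)'(?: \(redirected from '([^']+)'\))? from origin '([^']+)'/
  );
  if (!m) return null;
  return { blockedUrl: m[1], redirectedFrom: m[2] || null, origin: m[3] };
}

// Derive findings from the parsed URLs. Order is fixed so the result is easy to assert on.
function diagnose(parsed) {
  const findings = [];
  const blocked = new URL(parsed.blockedUrl);
  const origin = new URL(parsed.origin);

  // 1. The XHR was redirected to the OIDC authorization endpoint. That endpoint is meant
  //    to be reached by a top-level navigation, not by a cross-origin XHR, so the browser
  //    will never see CORS headers there whatever Web Origins is set to.
  if (parsed.redirectedFrom && /\/protocol\/openid-connect\/auth$/.test(blocked.pathname)) {
    findings.push('xhr-redirected-to-authorization-endpoint');
  }

  // 2. redirect_uri scheme differs from the page's own scheme (the "http instead of https"
  //    observation above). searchParams.get() percent-decodes the value for us.
  const redirectUri = blocked.searchParams.get('redirect_uri');
  if (redirectUri && new URL(redirectUri).protocol !== origin.protocol) {
    findings.push(`redirect_uri-scheme-mismatch:${new URL(redirectUri).protocol}`);
  }

  // 3. The page origin is not the host that issued the redirect.
  if (parsed.redirectedFrom && new URL(parsed.redirectedFrom).host !== origin.host) {
    findings.push('origin-host-differs-from-app-host');
  }

  // 4. Legacy /auth/ prefix. Keycloak 17+ serves realms at /realms/... unless it is
  //    started with KC_HTTP_RELATIVE_PATH=/auth.
  if (blocked.pathname.startsWith('/auth/realms/')) {
    findings.push('legacy-auth-path-prefix');
  }
  return findings;
}

// Stand-alone run over the constructed sample line.
console.log(diagnose(parseCorsError(SAMPLE_CORS_ERROR)));
```

Paste any further CORS lines from the console into parseCorsError(); a null result means the line was a plain network failure (the `net::ERR_FAILED` lines above) rather than a CORS rejection, and those carry no origin to compare.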

gray380 commented 1 year ago

BTW, if I set wrong Web Origins it stops at the token stage: [screenshot]

With correct settings it stops at auth?client_id.

I've tried the following Keycloak versions: 16.1.1, 19.0.1 (in the Docker environment).

gray380 commented 1 year ago

BTW, [screenshot]

points to config: [screenshot]

        <div id="kc-error-message">
            <p class="instruction">Invalid parameter: redirect_uri</p>
        </div>

Update: Keycloak (16 --> 19) changes auth/realms/{realm}/protocol/openid-connect/token to realms/{realm}/protocol/openid-connect/token.

dimitrihof commented 1 year ago

Update: Keycloak (16 --> 19) changes auth/realms/{realm}/protocol/openid-connect/token to realms/{realm}/protocol/openid-connect/token.

You can go back to the old schema by adding to your KC environment KC_HTTP_RELATIVE_PATH: "/auth"

imedia3 commented 1 year ago

Hi, we have exactly the same problem. May we have an update of this nice app instead of breaking all other Keycloak clients by going back to the old schema?

[screenshot]

More info:
jitsi-web (stable-7648-3): https://jitsi.example.com/
jitsi-keycloak:latest: https://auth.jitsi.example2.com/
keycloak: 19.0.2

JITSI ENVs:

ENABLE_AUTH=1
AUTH_TYPE=jwt
JWT_APP_ID=jitsi
JWT_APP_SECRET=longkey
TOKEN_AUTH_URL=https://auth.jitsi.example2.com/{room}

JITSI-KEYCLOAK ENVs:

JITSI_SECRET=longkey
DEFAULT_ROOM=meeting
JITSI_URL=https://jitsi.example.com
JITSI_SUB=meet.jitsi #also tried to comment it

After successfully logging in I get redirected to this page, https://auth.jitsi.example2.com/{room} (instead of the Jitsi meeting room https://jitsi.example.com/{room}, where I clicked "I'm organizator"). The "Open Jitsi" button does not redirect me back to the Jitsi Meet URL (https://jitsi.example.com/) even if I enter a room name (any).

imedia3 commented 1 year ago

Update: Keycloak (16 --> 19) changes auth/realms/{realm}/protocol/openid-connect/token to realms/{realm}/protocol/openid-connect/token.

You can go back to the old schema by adding to your KC environment KC_HTTP_RELATIVE_PATH: "/auth"

BTW, this setting broke the KC container; it does not run at all.

d3473r commented 1 year ago

Hi all, I'll add a parameter to switch between the old and new Keycloak configuration.

d3473r commented 1 year ago

Ehm, this configuration comes from the Keycloak adapter config auth-server-url. Have you downloaded the new adapter config after the Keycloak update? For me it's < 19: "auth-server-url": "https://auth.example.com/auth/" and > 19: "auth-server-url": "https://auth.example.com/".

imedia3 commented 1 year ago

Hi, we have 4 other apps (2 working via SAML & 2 via OpenID) which work well with our Keycloak 19 & 20 without any changes in Keycloak or app configuration (incl. adapters). They are all configured to work without the "/auth" ending in all paths, i.e. all paths look like this: kc.domain/realms/realmname/protocol/.......

d3473r commented 1 year ago

Maybe your other apps autoconfigure via .well-known/openid-configuration, which is more sophisticated. But this app requires a Keycloak adapter configuration JSON file.
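The two preceding comments by d3473r describe the gap exactly: the adapter JSON pins the realm location through auth-server-url, while discovery-based clients read the real endpoints from .well-known/openid-configuration. The block below is an added example, not code from jitsi-keycloak or from Keycloak: it derives the endpoints a keycloak.json adapter config implies (for both the pre-17 /auth/ layout and the current one), compares them with a discovery document, and proposes the auth-server-url that would bring the two into agreement. The adapter config and discovery document are constructed samples; the real keys (realm, auth-server-url, issuer, authorization_endpoint, token_endpoint) are the standard ones, but the host names and values are mine.

```javascript
// Added example (not project code): cross-check a Keycloak adapter config against the
// realm's OpenID Connect discovery document. Both inputs are constructed samples.

// Adapter config as downloaded from a Keycloak < 17, where realms lived under /auth/.
const ADAPTER_CONFIG_OLD = {
  realm: 'jitsi',
  'auth-server-url': 'https://auth.example.com/auth/',
  'ssl-required': 'external',
  resource: 'jitsi',
  'public-client': true,
};

// Trimmed version of what a Keycloak 19 running without KC_HTTP_RELATIVE_PATH=/auth
// would serve at https://auth.example.com/realms/jitsi/.well-known/openid-configuration.
const DISCOVERY_NEW = {
  issuer: 'https://auth.example.com/realms/jitsi',
  authorization_endpoint: 'https://auth.example.com/realms/jitsi/protocol/openid-connect/auth',
  token_endpoint: 'https://auth.example.com/realms/jitsi/protocol/openid-connect/token',
};

// Endpoints implied by the adapter config. A missing trailing slash on auth-server-url
// would make URL resolution drop the last path segment (…/auth -> …/realms/…), so add it.
function endpointsFromAdapterConfig(cfg) {
  let base = cfg['auth-server-url'];
  if (!base.endsWith('/')) base += '/';
  const realmUrl = new URL(`realms/${encodeURIComponent(cfg.realm)}`, base).href;
  return {
    issuer: realmUrl,
    authorization_endpoint: `${realmUrl}/protocol/openid-connect/auth`,
    token_endpoint: `${realmUrl}/protocol/openid-connect/token`,
  };
}

// Endpoints as published by the server. Fail loudly on a truncated document.
function endpointsFromDiscovery(doc) {
  const out = {};
  for (const key of ['issuer', 'authorization_endpoint', 'token_endpoint']) {
    if (typeof doc[key] !== 'string') throw new Error(`discovery document lacks ${key}`);
    out[key] = doc[key];
  }
  return out;
}

// auth-server-url that makes the adapter agree with the published issuer.
function authServerUrlFromIssuer(issuer, realm) {
  const suffix = `/realms/${encodeURIComponent(realm)}`;
  if (!issuer.endsWith(suffix)) throw new Error(`issuer ${issuer} does not end with ${suffix}`);
  return issuer.slice(0, -suffix.length) + '/';
}

// Compare the two views and suggest a fix when they disagree.
function checkAdapterAgainstDiscovery(cfg, doc) {
  const fromAdapter = endpointsFromAdapterConfig(cfg);
  const fromDiscovery = endpointsFromDiscovery(doc);
  const mismatched = Object.keys(fromDiscovery).filter((k) => fromAdapter[k] !== fromDiscovery[k]);
  return {
    ok: mismatched.length === 0,
    mismatched,
    suggestedAuthServerUrl: mismatched.length
      ? authServerUrlFromIssuer(fromDiscovery.issuer, cfg.realm)
      : cfg['auth-server-url'],
  };
}

// Stand-alone run: old adapter config against a new-layout server.
console.log(checkAdapterAgainstDiscovery(ADAPTER_CONFIG_OLD, DISCOVERY_NEW));
```

Fetching the real discovery document (with curl or fetch) and feeding it to checkAdapterAgainstDiscovery() is a quick way to tell whether a stale keycloak.json, rather than Web Origins, is what sends the browser to the wrong path.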

d3473r commented 1 year ago

I've updated the keycloak-js adapter to the latest version (20.0.1). Can you try again with ghcr.io/d3473r/jitsi-keycloak:develop?

imedia3 commented 1 year ago

I'm getting this error when trying to start it:

(node:1) Warning: To load an ES module, set "type": "module" in the package.json or use the .mjs extension.
(Use `node --trace-warnings ...` to show where the warning was created)
/app/src/app.js:9
import * as dotenv from 'dotenv'
^^^^^^
SyntaxError: Cannot use import statement outside a module
    at Object.compileFunction (node:vm:360:18)
    at wrapSafe (node:internal/modules/cjs/loader:1055:15)
    at Module._compile (node:internal/modules/cjs/loader:1090:27)
    at Object.Module._extensions..js (node:internal/modules/cjs/loader:1180:10)
    at Module.load (node:internal/modules/cjs/loader:1004:32)
    at Function.Module._load (node:internal/modules/cjs/loader:839:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
    at node:internal/main/run_main_module:17:47

d3473r commented 1 year ago

Whoops, did an ES6 import, you can try again now :)

imedia3 commented 1 year ago

Unfortunately, same behaviour with the new image.

This is the console output after I got redirected with a successful login: [screenshot]

This one is after I entered the room name and clicked "Open Jitsi":

[screenshot]

This is how our adapter looks: [screenshot]

d3473r commented 1 year ago

Ok, did you add https://auth.meet.example.com to the Web Origins of the jitsi client in Keycloak?

imedia3 commented 1 year ago

The CORS problem was solved after I recreated the Jitsi client with the same settings as before, but without any customization in attributes/roles; it seems the problem was somewhere in the token (I had tried some other ways to achieve KC auth in Jitsi before I found your app). Thanks a lot for your quick help.

Now I can successfully log in with any realm user account, but I have two questions:

  1. Is it also possible to allow guests to join meetings?
  2. Why does everyone receive Moderator privileges after entering any room, even if there is already a Moderator online?

d3473r commented 1 year ago

Awesome :)

Are you running the latest jitsi meet docker image?

imedia3 commented 1 year ago

Now we are running 'stable-7648-3', but I am preparing to migrate to the latest.

d3473r commented 1 year ago

Maybe you are hitting this regression: https://github.com/jitsi/jitsi-meet/issues/11967, https://github.com/jitsi/docker-jitsi-meet/issues/1369. This is fixed in the latest version via: https://github.com/jitsi/docker-jitsi-meet/pull/1396

d3473r commented 1 year ago

@imedia3 I had to add JWT_ALLOW_EMPTY=true to the config. Otherwise a guest joining an existing room would get: A conference with the same name has already been created!