mod242 / jitsi-go-openid

Jitsi OpenID/OIDC/OAuth2 Bridge
MIT License

Jitsi-go-openid just returns 404 error #1

Closed motey closed 1 month ago

motey commented 1 month ago

Hello, thanks for this project. Exactly what I was looking for :heart:

I just tried to set up everything. I am running a pretty standard instance of https://github.com/jitsi/docker-jitsi-meet behind a Traefik reverse proxy. Now I tried to integrate your project as an extra service.

```yaml
[...] # jitsi docker containers
    jitsi-openid:
        image: mod242/jitsi-go-openid:latest
        restart: always
        environment:
        - JITSI_SECRET=${JWT_APP_SECRET}           # Must match the jwt_secret from your Jitsi configuration
        - JITSI_URL=https://jitsi.mydomain.com      # Base URL of your Jitsi instance
        - JITSI_SUB=jitsi               # Must match the JWT_APP_ID from your Jitsi configuration
        - ISSUER_BASE_URL=https://auth.mydomain.com/application/o/jitsi/  # Base URL of your OpenID Connect provider
        - BASE_URL=https://jitsi.mydomain.com        # Public base URL of this application (should run behind a reverse proxy)
        - CLIENT_ID=${OIDC_CLIENT_ID}            # Client ID from your OAuth provider
        - SECRET=${OIDC_SECRET}                 # Client secret from your OAuth provider
        - PREJOIN=false                # Whether the prejoin page should be displayed again after authentication
        - DEEPLINK=true                # Whether the callback should use a deep link for redirect to ensure the originating client (Desktop, iOS, Android) is used
        - NAME_KEY=name                # Key for the users name from the OAuth token (defaults to name, but can be given_name or any other key present in the token)
        #expose:
        #- 3001
        labels:
        - "traefik.enable=true"
        - "traefik.http.services.srv-${INSTANCE_NAME}-oidc.loadbalancer.server.port=3001"
        - "traefik.http.routers.rt-${INSTANCE_NAME}-oidc.service=srv-${INSTANCE_NAME}-oidc"
        - "traefik.http.routers.rt-${INSTANCE_NAME}-oidc.entrypoints=webtls"
        - "traefik.http.routers.rt-${INSTANCE_NAME}-oidc.rule=Host(`jitsi.mydomain.com`) && PathPrefix(`/jitsi-openid/`)"
        - "traefik.http.routers.rt-${INSTANCE_NAME}-oidc.tls=true"
        - "traefik.http.routers.rt-${INSTANCE_NAME}-oidc.tls.certResolver=letsencrypt-resolver"
        networks:
        - meet.jitsi # -> Your Jitsi Network (if run co-located and exposed via Jitsi-Web)
        - front # my traefik front network
```

When I now create a new room (named "MyNewRoom" in this example) and try to log in, I get a redirect as expected. The auth token URL seems to be generated as described in the docs. The logs of the "jitsi-go-openid" container also register the call:

```text
[GIN] 2024/08/04 - 18:40:09 | 404 |         629ns |     171.28.0.15 | GET      "/jitsi-openid/authenticate?state=%7B%22room%22%3A%22MyNewRoom%22%2C%22roomSafe%22%3A%22mynewroom%22%2C%22config.prejoinConfig.enabled%22%3Afalse%2C%22config.startWithVideoMuted%22%3Atrue%7D&room=MyNewRoom"
```

But as we can see, it seems to generate a 404 error somewhere. In the browser I also just get a 404 error as the answer. Now my question is: where does it error out?

Is it the "jitsi-go-openid" container trying to contact my OIDC provider? Can I set logging to be more verbose with an env var?

If you have any hint for me I would be very thankful :heart:

mod242 commented 1 month ago

Hi, glad you like the project.

I think your problem might be the base URL: BASE_URL=https://jitsi.mydomain.com should most likely be BASE_URL=https://jitsi.mydomain.com/jitsi-openid

motey commented 1 month ago

OK, sorry, my bad. I wrongly assumed my Traefik router rule would ensure that the application is hosted under https://jitsi.mydomain.com/jitsi-openid. But it only ensured that every request to https://jitsi.mydomain.com/jitsi-openid is routed to the "jitsi-go-openid" container. For future miserables with the same issue, you have multiple options to fix this:

  1. Either host a webserver in front of the "jitsi-go-openid" container (https://github.com/TandoorRecipes/recipes/issues/266), or, like the author of this repo recommended, https://github.com/mod242/jitsi-go-openid?tab=readme-ov-file#integration-with-jitsi-meet-on-docker
  2. Strip the subpath /jitsi-openid from the request with Traefik (https://community.traefik.io/t/portainer-sub-path-with-traefik-v2/17624/3)
  3. Host the "jitsi-go-openid" container under its own subdomain (oidc.jitsi.mydomain.com) and ditch the whole /jitsi-openid subpath.

@mod242: Besides that issue, I had to do some digging to figure out the format of the env var values (should I include https://? should I include the subpath?). Some example values, instead of xxxxx, would have helped a lot. If it helps I can create a PR with some doc enhancements which I think would have helped me. And again, thanks for this project and the quick reply :heart:
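A small standard-library model of the mismatch described in this thread, added here as an example and not code from jitsi-go-openid: the app mounts its routes under the path component of BASE_URL, so when that path is missing, the request that Traefik forwards still carries /jitsi-openid and gets a 404 from the app itself, not from the OIDC provider; fix option 2 from the list above is modelled with http.StripPrefix. The /authenticate route name and the 302 response are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// newMux mounts the app's routes under the path part of baseURL. This is a
// hypothetical stand-in for how a BASE_URL setting decides the route prefix,
// not the project's own router.
func newMux(baseURL string) (http.Handler, error) {
	u, err := url.Parse(baseURL)
	if err != nil {
		return nil, err
	}
	prefix := strings.TrimSuffix(u.Path, "/") // "" or "/jitsi-openid"
	mux := http.NewServeMux()
	mux.HandleFunc(prefix+"/authenticate", func(w http.ResponseWriter, r *http.Request) {
		// The real app would redirect to the OIDC provider here; a 302 is assumed.
		w.WriteHeader(http.StatusFound)
	})
	return mux, nil
}

// statusFor sends a GET for path through h and returns the HTTP status code.
func statusFor(h http.Handler, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

// stripPrefix models option 2: the reverse proxy removes the subpath before
// forwarding, so an app configured without the subpath still matches.
func stripPrefix(prefix string, h http.Handler) http.Handler {
	return http.StripPrefix(prefix, h)
}

func main() {
	// The request path is taken from the GIN log line quoted in the issue.
	const req = "/jitsi-openid/authenticate?room=MyNewRoom"
	wrong, _ := newMux("https://jitsi.mydomain.com")
	right, _ := newMux("https://jitsi.mydomain.com/jitsi-openid")
	fmt.Println("BASE_URL without subpath:", statusFor(wrong, req))
	fmt.Println("BASE_URL with subpath:   ", statusFor(right, req))
	fmt.Println("proxy strips the subpath:", statusFor(stripPrefix("/jitsi-openid", wrong), req))
}
```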

mod242 commented 1 month ago

Hi @motey,

thank you so much for your feedback, and I would love to see a PR to improve the documentation. I know that the docs are not perfect, so every enhancement is very welcome.