Jitsi Go OpenID provides an authentication adapter for giving Jitsi the ability to use single sign-on via OpenID Connect.
Tested to work with:
This code is heavily inspired by https://github.com/bluffy/jitsi-oidc
This image is available in the Docker Hub and can be easily deployed by using docker compose.
JITSI_SECRET - Must match the jwt_secret from your Jitsi configuration
JITSI_URL - Base URL of your Jitsi instance
JITSI_SUB - Must match the JWT_APP_ID from your Jitsi configuration
ISSUER_BASE_URL - Base URL of your OpenID Connect provider
BASE_URL - Public base URL of this application (should run behind a reverse proxy)
CLIENT_ID- Client ID from your OAuth provider
SECRET - Client secret from your OAuth provider
PREJOIN- Whether the prejoin page should be displayed again after authentication
NAME_KEY - Key for the user's name from the OAuth token (defaults to 'name', but can be 'given_name' or any other key present in the token)
DEEPLINK - Whether the callback should use a deep link for redirect to ensure the originating client (Desktop, iOS, Android) is used
Example (.env or environment Variables)
JITSI_SECRET=89we7tsgf37iqewurtgwziuegskj
JITSI_URL=https://jitsi.mydomain.com
JITSI_SUB=jitsi
ISSUER_BASE_URL=https://authentik.mydomain.com/application/o/jitsi/
BASE_URL=https://jitsi.mydomain.com
CLIENT_ID=xxxxxxxxxxxx
SECRET=xxxxxxxxxxxxxxxxxxxxxxx
PREJOIN=false
DEEPLINK=true
NAME_KEY=nameThis project has been tested with Jitsi Meet on Docker. To integrate this project, the provided Docker container should be started alongside Jitsi. If you are using a custom Docker network for Jitsi, the container should run within this network. To make the endpoint of this project available, it is recommended to use the Nginx container provided by Jitsi. According to the Jitsi Docker guidelines, you can create a "custom-meet.conf" (The path in "Jitsi Meet on Docker" is "/config/custom-meet.conf" file to publish this service. Example:
location /jitsi-openid/ {
proxy_pass http://jitsi-openid:3001/;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_buffering off;
proxy_set_header Host $host;
}This will expose the necessary service under the URL of the Jitsi conference server at /jitsi-openid (e.g., https://conference.url.com/jitsi-openid).
As an alternative to the "custom-meet.conf", if you are running behind a treafik you can route request to /jitsi-openid to the "jitsi-go-openid"-container via treafik.
Keep in mind that the path must be stripped away before sending it to the "jitsi-go-openid"-container. Example:
service:
[...]
jitsi-openid:
image: mod242/jitsi-go-openid:latest
labels:
- "traefik.enable=true"
- "traefik.http.services.srv-jitsi-oidc.loadbalancer.server.port=3001"
- "traefik.http.middlewares.mw-strip-oidc-prefix.stripprefix.prefixes=/jitsi-openid"
- "traefik.http.routers.rt-jitsi-oidc.middlewares=mw-strip-oidc-prefix"
- "traefik.http.routers.rt-jitsi-oidc.service=srv-jitsi-oidc"
- "traefik.http.routers.rt-jitsi-oidc.entrypoints=webtls"
- "traefik.http.routers.rt-jitsi-oidc.rule=(Host(`jitsi.mydomain.com`) && PathPrefix(`/jitsi-openid`))"
- "traefik.http.routers.rt-jitsi-oidc.tls=true"
- "traefik.http.routers.rt-jitsi-oidc.tls.certResolver=your-letsencrypt-resolver"
environment:
- JITSI_SECRET=abcdf
[...]Lastly, the .env file for Jitsi Docker needs to be adjusted:
ENABLE_AUTH must be enabled.JWT_APP_ID should be set to the URL of the server (e.g., conference.yoururl.com) and match the configuration of this service.JWT_APP_SECRET must be set and match the configuration of this service.JWT_ACCEPTED_ISSUERS should be set to jitsi.JWT_ACCEPTED_AUDIENCES should be set to jitsi.AUTH_TYPE should be set to jwt.TOKEN_AUTH_URL must be set in the following format to this service:
https://conference.yoururl.com/jitsi-openid/authenticate?state={state}&room={room}An OAuth2/OpenID Provider (like Authentik) must be set up.
The App ID and Client Secret assigned during this setup must be configured for this service.
Lastly the Callback URL should be set to the Base URL + /callback of this service (e.g., https://conference.yoururl.com/jitsi-openid/callback).