{"id":17838229,"url":"https://github.com/marcelcoding/jitsi-openid","last_synced_at":"2025-03-19T22:30:51.503Z","repository":{"id":37034734,"uuid":"342543052","full_name":"MarcelCoding/jitsi-openid","owner":"MarcelCoding","description":"Jitsi OpenID is an authentication adapter that allows Jitsi to authorize users with OpenID Connect.","archived":false,"fork":false,"pushed_at":"2025-02-27T20:18:25.000Z","size":424,"stargazers_count":37,"open_issues_count":17,"forks_count":5,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-02-28T21:24:29.014Z","etag":null,"topics":["auth","axum","docker","jitsi","jwt","oauth2","oidc","openid-connect","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MarcelCoding.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-02-26T10:36:05.000Z","updated_at":"2025-01-27T13:25:42.000Z","dependencies_parsed_at":"2022-06-26T14:22:00.916Z","dependency_job_id":"fbc92df3-2a42-4053-bd31-93ff9c670624","html_url":"https://github.com/MarcelCoding/jitsi-openid","commit_stats":null,"previous_names":[],"tags_count":26,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarcelCoding%2Fjitsi-openid","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarcelCoding%2Fjitsi-openid/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MarcelCoding%2Fjitsi-openid/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/repositories/MarcelCoding%2Fjitsi-openid/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MarcelCoding","download_url":"https://codeload.github.com/MarcelCoding/jitsi-openid/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244025202,"owners_count":20385532,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","axum","docker","jitsi","jwt","oauth2","oidc","openid-connect","rust"],"created_at":"2024-10-27T20:54:51.646Z","updated_at":"2025-03-19T22:30:51.497Z","avatar_url":"https://github.com/MarcelCoding.png","language":"Rust","readme":"# Jitsi OpenID\n\nJitsi OpenID is an authentication adapter that gives [jitsi](https://jitsi.org/) the ability to use single sign-on\nvia [OpenID Connect](https://openid.net/connect/).\n\n## Deployment\n\n**This guide is based on the [docker setup from jitsi](https://github.com/jitsi/docker-jitsi-meet/).**\n\nThis image is available in the\n[GitHub Container Registry](https://github.com/users/MarcelCoding/packages/container/package/jitsi-openid):\n\n```\nghcr.io/marcelcoding/jitsi-openid:latest\n```\n\n### Docker \"run\" Command\n\n```bash\ndocker run \\\n  -p 3000:3000 \\\n  -e JITSI_SECRET=SECURE_SECRET \\\n  -e JITSI_URL=https://meet.example.com \\\n  -e JITSI_SUB=meet.example.com \\\n  -e ISSUER_URL=https://id.example.com \\\n  -e BASE_URL=https://auth.meet.example.com \\\n  -e CLIENT_ID=meet.example.com \\\n  -e CLIENT_SECRET=SECURE_SECRET \\\n  --rm \\\n  ghcr.io/marcelcoding/jitsi-openid:latest\n```\n\n### Docker Compose\n\n```yaml\n# 
docker-compose.yaml\n\n# ...\n\nservices:\n  # ...\n\n  jitsi-openid:\n    image: ghcr.io/marcelcoding/jitsi-openid:latest\n    restart: always\n    environment:\n      - \"JITSI_SECRET=SECURE_SECRET\" # \u003c- shared with jitsi (JWT_APP_SECRET -\u003e see .env from jitsi),\n      #    secret to sign jwt tokens\n      - \"JITSI_URL=https://meet.example.com\" # \u003c- external url of jitsi\n      - \"JITSI_SUB=meet.example.com\" # \u003c- shared with jitsi (JWT_APP_ID -\u003e see .env from jitsi),\n      #    id of jitsi\n      - \"ISSUER_URL=https://id.example.com\" # \u003c- base URL of your OpenID Connect provider\n      #    Keycloak: https://id.example.com/auth/realms/\u003crealm\u003e\n      - \"BASE_URL=https://auth.meet.example.com\" # \u003c- base URL of this application\n      - \"CLIENT_ID=meet.example.com\" # \u003c- OpenID Connect Client ID\n      - \"CLIENT_SECRET=SECURE_SECRET\" # \u003c- OpenID Connect Client secret\n        # - 'ACR_VALUES=password email'              # \u003c- OpenID Connect Authentication Context Class Reference values,\n        #    space separated list of allowed actions (OPTIONAL), see\n        #    https://github.com/MarcelCoding/jitsi-openid/issues/122\n        # - 'SCOPES=openid email jitsi'              # \u003c- OpenID Scopes, space separated list of scopes (OPTIONAL),\n        #    default: openid email\n        # - 'VERIFY_ACCESS_TOKEN_HASH=false'         # \u003c- explicitly disable access token hash verification (OPTIONAL),\n        #    default: true                                See https://github.com/MarcelCoding/jitsi-openid/issues/372#issuecomment-2730510228\n        # - 'SKIP_PREJOIN_SCREEN=false'              # \u003c- skips the jitsi prejoin screen after login (default: true)\n        # - 'GROUP=example'                          # \u003c- Value for the 'group' field in the token\n      #    default: ''\n    ports:\n      - \"3000:3000\"\n# ...\n```\n\nTo generate the `JITSI_SECRET` you can use the following 
command:\n\n```bash\ncat /dev/urandom | tr -dc a-zA-Z0-9 | head -c128; echo\n```\n\n### NixOS\n\n```nix\n{\n  inputs = {\n    nixpkgs.url = \"github:nixos/nixpkgs/nixos-23.11\";\n    jitsi-openid = {\n      url = \"github:MarcelCoding/jitsi-openid\";\n      inputs.nixpkgs.follows = \"nixpkgs\";\n    };\n  };\n\n  outputs = { self, nixpkgs, jitsi-openid, ... }: {\n    nixosConfigurations = {\n      hostname = nixpkgs.lib.nixosSystem {\n        modules = [\n          jitsi-openid.nixosModules.default\n          { nixpkgs.overlays = [ jitsi-openid.overlays.default ]; }\n        ];\n      };\n    };\n  };\n}\n```\n\n```nix\n# for an explanation see docker compose setup\nservices.jitsi-openid = {\n  enable = true;\n  settings = {\n    package = pkgs.jitsi-openid;\n    enable = true;\n    listen = {\n      addr = \"::1\";\n      port = 6031;\n    };\n    jitsiSecretFile = \"/run/secrets/jitsi-secret-file\";\n    jitsiUrl = \"https://meet.domain.tld\";\n    jitsiSub = \"meet.domain.tld\";\n    issuerUrl = \"https://auth.domain.tld\";\n    baseUrl = \"https://auth.meet.domain.tld\";\n    clientId = \"auth.meet.domain.tld\";\n    clientSecretFile = \"/run/secrets/client-secret-file\";\n    openFirewall = false;\n  };\n};\n```\n\n### Jitsi Configuration\n\nIf you have problems understanding this, have a look here: https://github.com/MarcelCoding/jitsi-openid/issues/80\n\n```bash\n# for more information see:\n# https://github.com/jitsi/docker-jitsi-meet/blob/master/env.example\n\n# whether to allow users to join a room without requiring them to authenticate\n#ENABLE_GUESTS=1\n\n# fixed\nENABLE_AUTH=1\nAUTH_TYPE=jwt\n\n# should be the same as JITSI_SUB of jitsi-openid environment variables\nJWT_APP_ID=meet.example.com\n# should be the same as JITSI_SECRET of jitsi-openid environment variables\nJWT_APP_SECRET=SECRET\n\n# fixed values\nJWT_ACCEPTED_ISSUERS=jitsi\nJWT_ACCEPTED_AUDIENCES=jitsi\n\n# auth.meet.example.com should be the domain name of jitsi-openid,\n# `/room/{room}` is the 
endpoint that jitsi redirects the user to\n# `{room}` is a placeholder, where jitsi inserts the room name\n# jitsi-openid should redirect the user after a successful authentication\n# !! it is recommended to ALWAYS use https, e.g. using a reverse proxy !!\nTOKEN_AUTH_URL=https://auth.meet.example.com/room/{room}\n```\n\n### Jitsi Configuration NixOS\n\nThe following NixOS config shows how to use JWT Auth with the jitsi NixOS module.\nThe necessary steps were extracted from [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet):\n\n```nix\n{\n  pkgs,\n  config,\n  ...\n}:\n\nlet\n  hostName = \"meet.example.com\";\n  ssoHostName = \"auth-meet.example.com\";\n  ssoPort = 3000;\n  ssoAddress = \"127.0.0.1\";\n  cfg = config.services.jitsi-meet;\nin\n{\n  networking.firewall.allowedUDPPorts = [ 10000 ]; # required for more than 2 participants\n\n  # this assumes jitsi openid is already running on the server on port 3000\n  # you could run it with e.g. virtualisation.oci-containers.containers\n  services.nginx.virtualHosts.${ssoHostName} = {\n    forceSSL = true;\n    enableACME = true;\n    locations = {\n      \"/\" = {\n        proxyPass = \"http://${ssoAddress}:${toString ssoPort}\";\n      };\n    };\n  };\n\n  nixpkgs.config.permittedInsecurePackages = [\n    \"jitsi-meet-1.0.8043\"\n  ];\n\n  services.jitsi-meet = {\n    enable = true;\n\n    inherit hostName;\n    nginx.enable = true;\n    secureDomain = {\n      enable = true;\n      authentication = \"token\";\n    };\n\n    config.tokenAuthUrl = \"https://${ssoHostName}/room/{room}\";\n  };\n\n  services.prosody = {\n    extraModules = [\n      \"token_verification\"\n    ];\n\n    extraConfig = ''\n      asap_accepted_issuers = \"jitsi\"\n      asap_accepted_audiences = \"jitsi\"\n    '';\n\n    virtualHosts.${cfg.hostName} = {\n      # a secure secret should be used for production\n      extraConfig = ''\n        app_secret = \"insecure_secret\"\n        app_id = \"jitsi\"\n      '';\n    
};\n  };\n\n  systemd.services.prosody.environment = {\n    # the token_verification module has some more lua dependencies\n    LUA_PATH = \"${pkgs.lua52Packages.basexx}/share/lua/5.2/?.lua;${pkgs.lua52Packages.cjson}/share/lua/5.2/?.lua;${pkgs.lua52Packages.luaossl}/share/lua/5.2/?.lua;${pkgs.lua52Packages.inspect}/share/lua/5.2/?.lua\";\n    LUA_CPATH = \"${pkgs.lua52Packages.cjson}/lib/lua/5.2/?.so;${pkgs.lua52Packages.luaossl}/lib/lua/5.2/?.so\";\n  };\n}\n```\n\n### Jitsi JWTs\n\nThe JWTs are populated using the data returned by your IDP.\nThis includes the user id, email and name.\n\nThe `sub` is extracted from the `preferred_username` field; if that isn't present, the `sub` field is used.\n\nThe `name` is extracted from the `name` field; if that isn't present, a concatenation of `given_name`, `middle_name`\nand `family_name` is used. If all three of them are also not present, the `preferred_username` is used.\n\nThe `affiliation` is passed through as-is, without any modifications or alternatives. It can be used to restrict the\npermissions a user has in a specific room in jitsi.\nSee https://github.com/jitsi-contrib/prosody-plugins/tree/main/token_affiliation for more information.\n\nThe picture (avatar) URL is passed from the IDP to Jitsi.\n\nTranslations aren't respected: https://github.com/MarcelCoding/jitsi-openid/issues/117#issuecomment-1172406703\n\n## License\n\n[LICENSE](LICENSE)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcelcoding%2Fjitsi-openid","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmarcelcoding%2Fjitsi-openid","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmarcelcoding%2Fjitsi-openid/lists"}