Configure Jitsi to Use Keycloak for User Authentication
Prerequisites: Ensure Keycloak is deployed and configured as described in Keycloak Server Deployment and Keycloak Configuration, and that Jitsi is installed and running.
This guide explains how to integrate Jitsi with Keycloak using OpenID Connect. Once configured, LDAP users can authenticate through Keycloak and join Jitsi meetings using Single Sign-On (SSO).
1. Create a Keycloak Client for Jitsi
-
Log in to the Keycloak admin console and select the
example-ssorealm. -
In the left-hand menu, select Clients.
-
Click Create client and configure the following values:
- Client ID:
jitsi - Client Protocol:
openid-connect - Client Authentication:
On - Standard Flow Enabled:
On - Direct Access Grants Enabled:
Off - Service Accounts Enabled:
Off
- Client ID:
-
Save the client.

-
In the client settings, configure the following valid redirect URI for Jitsi:
https://meet.example.com/oidc/callback -
Open the Credentials tab and copy the Client Secret.

2. Create a Jitsi Client Scope
-
In Keycloak, select Client scopes from the left-hand menu.
-
Click Create client scope and enter:
- Name:
jitsi-dedicated - Protocol:
openid-connect
- Name:
-
Save the scope.
-
Select the new scope and open the Mappers tab.
-
Add these mappers:
-
Name:
email- Mapper Type:
User Property - Property:
email - Token Claim Name:
email - Claim JSON Type:
String
- Mapper Type:
-
Name:
preferred_username- Mapper Type:
User Property - Property:
username - Token Claim Name:
preferred_username - Claim JSON Type:
String
- Mapper Type:
-
Name:
name- Mapper Type:
User Property - Property:
firstName - Token Claim Name:
given_name - Claim JSON Type:
String
- Mapper Type:
-
Name:
family_name- Mapper Type:
User Property - Property:
lastName - Token Claim Name:
family_name - Claim JSON Type:
String
- Mapper Type:
-
Name:
groups- Mapper Type:
Group Membership - Token Claim Name:
groups - Claim JSON Type:
String
- Mapper Type:
-

- Edit the
jitsiclient and addjitsi-dedicatedto the Client scopes section.
3. Configure Jitsi to Use Keycloak
-
Log in to the Jitsi host and navigate to the Jitsi configuration directory:
cd /opt/jitsi-docker-jitsi-meet-* -
Add a new service to
docker-compose.ymlunder theservices:section:
jitsi-keycloak:
image: ghcr.io/jitsi-contrib/jitsi-oidc-adapter
restart: ${RESTART_POLICY:-unless-stopped}
environment:
- OIDC_ISSUER_URL=https://keycloak.example.com:8443/auth/realms/example-sso
- OIDC_CLIENT_ID=jitsi
- OIDC_CLIENT_SECRET=
- JWT_APP_ID=jitsi
- JWT_APP_SECRET=
- ALLOW_UNSECURE_CERT=false
- AUTO_RETURN_TO_APP=true
ports:
- 9000:9000/TCP
networks:
meet.jitsi:
Replace <KEYCLOAK_CLIENT_SECRET> with the secret copied from Keycloak, and set <JWT_APP_SECRET> to a strong value.
-
Update the Jitsi
.envfile with the following values:ENABLE_AUTH=1ENABLE_GUESTS=1XMPP_MODULES=persistent_lobbyXMPP_MUC_MODULES=muc_wait_for_hostJICOFO_ENABLE_AUTH=falseAUTH_TYPE=jwtTOKEN_AUTH_URL=https://meet.example.com/oidc/auth?state={state}JWT_APP_ID=jitsiJWT_APP_SECRET=<JWT_APP_SECRET>Ensure the
JWT_APP_SECRETvalue matches the secret configured for thejitsi-keycloakadapter. -
Add the OIDC proxy configuration to NGINX. Create a file at
~/.jitsi-meet-cfg/web/nginx-custom/oidc.confwith the following content:location ^~ /oidc/ {proxy_pass http://jitsi-keycloak:9000;proxy_http_version 1.1;proxy_set_header X-Forwarded-For $remote_addr;proxy_set_header Host $http_host;proxy_set_header X-Forwarded-Proto $scheme;} -
Restart Jitsi containers:
docker compose -f docker-compose.yml -f jibri.yml downdocker compose -f docker-compose.yml -f jibri.yml up -d -
Confirm that the
jitsi-keycloakservice starts successfully and that the adapter can reach Keycloak at the issuer URL.
More details are available in the jitsi-oidc-adapter repository: https://github.com/jitsi-contrib/jitsi-oidc-adapter
4. Verify Login
- Open the Jitsi instance at
https://meet.example.com/. - Click Start a meeting and then Join meeting.
- If the OIDC adapter is configured correctly, you will be redirected to Keycloak to authenticate.
- Log in with an LDAP user account from Keycloak, for example
mailuser. - After successful authentication, you should be returned to Jitsi and the meeting should start.
5. Troubleshooting
- If login fails, verify the Keycloak client redirect URI matches the Jitsi callback URL exactly.
- Confirm that the
jitsi-keycloakadapter is running and can access Keycloak over HTTPS. - Make sure
AUTH_TYPE=jwtis set in.envandJICOFO_ENABLE_AUTH=falseis configured. - Ensure the
OIDC_CLIENT_SECRETandJWT_APP_SECRETvalues match between Keycloak and Jitsi. - Check container logs for
jitsi-keycloak, Jitsi web, and Jicofo for authentication errors.