Skip to main content

Configure Jitsi to Use Keycloak for User Authentication

Prerequisites: Ensure Keycloak is deployed and configured as described in Keycloak Server Deployment and Keycloak Configuration, and that Jitsi is installed and running.

This guide explains how to integrate Jitsi with Keycloak using OpenID Connect. Once configured, LDAP users can authenticate through Keycloak and join Jitsi meetings using Single Sign-On (SSO).

1. Create a Keycloak Client for Jitsi

  1. Log in to the Keycloak admin console and select the example-sso realm.

  2. In the left-hand menu, select Clients.

  3. Click Create client and configure the following values:

    • Client ID: jitsi
    • Client Protocol: openid-connect
    • Client Authentication: On
    • Standard Flow Enabled: On
    • Direct Access Grants Enabled: Off
    • Service Accounts Enabled: Off
  4. Save the client.

Add Jitsi Client

  1. In the client settings, configure the following valid redirect URI for Jitsi:

    https://meet.example.com/oidc/callback
  2. Open the Credentials tab and copy the Client Secret.

Copy Credentials

2. Create a Jitsi Client Scope

  1. In Keycloak, select Client scopes from the left-hand menu.

  2. Click Create client scope and enter:

    • Name: jitsi-dedicated
    • Protocol: openid-connect
  3. Save the scope.

  4. Select the new scope and open the Mappers tab.

  5. Add these mappers:

    • Name: email

      • Mapper Type: User Property
      • Property: email
      • Token Claim Name: email
      • Claim JSON Type: String
    • Name: preferred_username

      • Mapper Type: User Property
      • Property: username
      • Token Claim Name: preferred_username
      • Claim JSON Type: String
    • Name: name

      • Mapper Type: User Property
      • Property: firstName
      • Token Claim Name: given_name
      • Claim JSON Type: String
    • Name: family_name

      • Mapper Type: User Property
      • Property: lastName
      • Token Claim Name: family_name
      • Claim JSON Type: String
    • Name: groups

      • Mapper Type: Group Membership
      • Token Claim Name: groups
      • Claim JSON Type: String

Add Jitsi Client Scope

  1. Edit the jitsi client and add jitsi-dedicated to the Client scopes section.

3. Configure Jitsi to Use Keycloak

  1. Log in to the Jitsi host and navigate to the Jitsi configuration directory:

    cd /opt/jitsi-docker-jitsi-meet-*
  2. Add a new service to docker-compose.yml under the services: section:

jitsi-keycloak:
image: ghcr.io/jitsi-contrib/jitsi-oidc-adapter
restart: ${RESTART_POLICY:-unless-stopped}
environment:
- OIDC_ISSUER_URL=https://keycloak.example.com:8443/auth/realms/example-sso
- OIDC_CLIENT_ID=jitsi
- OIDC_CLIENT_SECRET=
- JWT_APP_ID=jitsi
- JWT_APP_SECRET=
- ALLOW_UNSECURE_CERT=false
- AUTO_RETURN_TO_APP=true
ports:
- 9000:9000/TCP
networks:
meet.jitsi:

Replace <KEYCLOAK_CLIENT_SECRET> with the secret copied from Keycloak, and set <JWT_APP_SECRET> to a strong value.

  1. Update the Jitsi .env file with the following values:

    ENABLE_AUTH=1
    ENABLE_GUESTS=1
    XMPP_MODULES=persistent_lobby
    XMPP_MUC_MODULES=muc_wait_for_host
    JICOFO_ENABLE_AUTH=false
    AUTH_TYPE=jwt
    TOKEN_AUTH_URL=https://meet.example.com/oidc/auth?state={state}
    JWT_APP_ID=jitsi
    JWT_APP_SECRET=<JWT_APP_SECRET>

    Ensure the JWT_APP_SECRET value matches the secret configured for the jitsi-keycloak adapter.

  2. Add the OIDC proxy configuration to NGINX. Create a file at ~/.jitsi-meet-cfg/web/nginx-custom/oidc.conf with the following content:

    location ^~ /oidc/ {
    proxy_pass http://jitsi-keycloak:9000;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    }
  3. Restart Jitsi containers:

    docker compose -f docker-compose.yml -f jibri.yml down
    docker compose -f docker-compose.yml -f jibri.yml up -d
  4. Confirm that the jitsi-keycloak service starts successfully and that the adapter can reach Keycloak at the issuer URL.

More details are available in the jitsi-oidc-adapter repository: https://github.com/jitsi-contrib/jitsi-oidc-adapter

4. Verify Login

  1. Open the Jitsi instance at https://meet.example.com/.
  2. Click Start a meeting and then Join meeting.
  3. If the OIDC adapter is configured correctly, you will be redirected to Keycloak to authenticate.
  4. Log in with an LDAP user account from Keycloak, for example mailuser.
  5. After successful authentication, you should be returned to Jitsi and the meeting should start.

5. Troubleshooting

  • If login fails, verify the Keycloak client redirect URI matches the Jitsi callback URL exactly.
  • Confirm that the jitsi-keycloak adapter is running and can access Keycloak over HTTPS.
  • Make sure AUTH_TYPE=jwt is set in .env and JICOFO_ENABLE_AUTH=false is configured.
  • Ensure the OIDC_CLIENT_SECRET and JWT_APP_SECRET values match between Keycloak and Jitsi.
  • Check container logs for jitsi-keycloak, Jitsi web, and Jicofo for authentication errors.