jitsi-keycloak
'Open Jitsi' button opens nothing (No 'Access-Control-Allow-Origin' header )
Hi,
Jitsi-web redirects to Keycloak and the jitsi-keycloak page opens after successful authorization, but nothing happens when I click on the 'Open Jitsi' button.
Could you help to find out the problem?
Regards Serhiy.
To be more specific, I have:
jitsi-web: https://jitsi.example.com
jitsi-keycloak: https://auth-jitsi.example.com
JITSI ENV:
ENABLE_AUTH=1
AUTH_TYPE=jwt
JWT_APP_ID=jitsi
JWT_APP_SECRET=supersecret
TOKEN_AUTH_URL=https://auth-jitsi.example.com
JITSI KEYCLOAK ENV:
JITSI_SECRET=supersecret
DEFAULT_ROOM=meeting
JITSI_URL=https://jitsi.example.com
JITSI_SUB=example.com
And at the end, the Open Jitsi button points to https://auth-jitsi.example.com/meeting instead of https://jitsi.example.com/meeting
Seems that jitsi-keycloak cannot get a token from Keycloak:
Access to XMLHttpRequest at 'https://keycloak.test.lan/auth/realms/jitsi/protocol/openid-connect/auth?client_id=jitsi&state=841d9353-4895-4f23-80fc-61d23908c9f6&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1&scope=openid&response_type=code' (redirected from 'https://auth-jitsi.test.lan/api/config') from origin 'https://auth-jitsi.bank.lan' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
xhr.js:187 GET https://keycloak.test.lan/auth/realms/jitsi/protocol/openid-connect/auth?client_id=jitsi&state=841d9353-4895-4f23-80fc-61d23908c9f6&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1&scope=openid&response_type=code net::ERR_FAILED
If I replace the correct Web Origins URI with "*" (in the Keycloak client's configuration), there is no more 'Access-Control-Allow-Origin' error, but the following error appears:
keycloak.js:790 POST https://keycloak.test.lan/auth/realms/jitsi/protocol/openid-connect/token net::ERR_FAILED 200
Pay attention to this redirect_uri=http%3A%2F%2Fauth-jitsi.test: http instead of https
Hi, do you have https://auth-jitsi.bank.lan in the Web Origins of Keycloak?
This is the origin of the request.
Hi, yes I do.
I've tried Web Origins with https://auth-jitsi.bank.lan, with * and +.
Actions log with https://auth-jitsi.bank.lan:
login to the Keycloak
Access to XMLHttpRequest at 'https://keycloakdmz.test.lan/auth/realms/jitsi/protocol/openid-connect/auth?client_id=jitsi&state=bf3d4fd0-363b-47d3-a388-80d974e95c1b&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1&scope=openid&response_type=code' (redirected from 'https://auth-jitsi.test.lan/api/config') from origin 'https://auth-jitsi.test.lan' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Click 'OPEN JITSI'
vue.runtime.esm.js:1897 TypeError: Cannot read properties of null (reading 'token')
at a.openJitsi (App.vue:71:68)
at re (vue.runtime.esm.js:1863:26)
at a.n (vue.runtime.esm.js:2188:14)
at re (vue.runtime.esm.js:1863:26)
at Ln.t.$emit (vue.runtime.esm.js:3903:9)
at a.click (VBtn.ts:163:7)
at re (vue.runtime.esm.js:1863:26)
at HTMLButtonElement.n (vue.runtime.esm.js:2188:14)
at Qi.o._wrapper (vue.runtime.esm.js:6961:25)
jitsi-keycloak logout keycloak login
token: 200
Response Headers
access-control-allow-credentials: true
access-control-allow-origin: https://auth-jitsi.test.lan
access-control-expose-headers: Access-Control-Allow-Methods
auth?client_id=... CORS error
General
Request URL: https://keycloakdmz.test.lan/auth/realms/jitsi/protocol/openid-connect/auth?client_id=jitsi&state=7bd22c6b-e428-4d1a-9d2f-76a6dbe76b8e&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1&scope=openid&response_type=code
Referrer Policy: strict-origin-when-cross-origin
Request Headers
Referer: https://auth-jitsi.test.lan/
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36 OPR/90.0.4480.54
BTW, if I set wrong Web Origins, it stops at the token stage.
With correct settings, it stops at auth?client_id
I've tried the following keycloak versions: 16.1.1, 19.0.1 (in the docker env)
BTW
points to config
<div id="kc-error-message">
<p class="instruction">Invalid parameter: redirect_uri</p>
</div>
Update: Keycloak (16 --> 19) changes auth/realms/{realm}/protocol/openid-connect/token to realms/{realm}/protocol/openid-connect/token.
> Update: Keycloak (16 --> 19) changes auth/realms/{realm}/protocol/openid-connect/token to realms/{realm}/protocol/openid-connect/token.
You can go back to the old schema by adding to your KC environment KC_HTTP_RELATIVE_PATH: "/auth"
Hi, we have exactly the same problem. May we have an update of this nice app instead of breaking all other Keycloak clients by going back to the old schema?
More info
jitsi-web (stable-7648-3): https://jitsi.example.com/
jitsi-keycloak:latest: https://auth.jitsi.example2.com/
keycloak: 19.0.2
JITSI ENVs:
ENABLE_AUTH=1
AUTH_TYPE=jwt
JWT_APP_ID=jitsi
JWT_APP_SECRET=longkey
TOKEN_AUTH_URL=https://auth.jitsi.example2.com/{room}
JITSI-KEYCLOAK ENVs:
JITSI_SECRET=longkey
DEFAULT_ROOM=meeting
JITSI_URL=https://jitsi.example.com
JITSI_SUB=meet.jitsi #also tried to comment it
After successfully logging in, I'm getting redirected to this page https://auth.jitsi.example2.com/{room} (instead of the Jitsi meeting room https://jitsi.example.com/{room}, where I clicked "I'm organizator"). The "Open Jitsi" button does not redirect me back to the Jitsi Meet URL (https://jitsi.example.com/) even if I point out the room name (any).
> Update: Keycloak (16 --> 19) changes auth/realms/{realm}/protocol/openid-connect/token to realms/{realm}/protocol/openid-connect/token.
> You can go back to the old schema by adding to your KC environment KC_HTTP_RELATIVE_PATH: "/auth"
BTW, this setting kept the KC container from running at all.
~~Hi all, I'll add a parameter to switch between the old and new keycloak configuration~~
Ehm, this configuration is coming from the Keycloak adapter config auth-server-url.
Have you downloaded the new adapter config after the Keycloak update?
For me it's < 19: "auth-server-url": "https://auth.example.com/auth/"
and > 19: "auth-server-url": "https://auth.example.com/",
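As an added example (not part of the thread and not jitsi-keycloak code), the two mismatches discussed above can be checked offline: the scheme of redirect_uri against the app's origin, and the adapter's auth-server-url path against the path Keycloak serves under. The function names and the relativePath parameter are assumptions; the sample URL is the one from the console log earlier in the thread.

```javascript
// Added example; function names are hypothetical, not jitsi-keycloak's API.
const withSlash = (p) => (p.endsWith('/') ? p : p + '/');

// Authorization request URL copied from the console log in this thread.
const SAMPLE_AUTH_URL =
  'https://keycloakdmz.test.lan/auth/realms/jitsi/protocol/openid-connect/auth' +
  '?client_id=jitsi&state=bf3d4fd0-363b-47d3-a388-80d974e95c1b' +
  '&redirect_uri=http%3A%2F%2Fauth-jitsi.test.lan%2Fapi%2Fconfig%3Fauth_callback%3D1' +
  '&scope=openid&response_type=code';

// Compare the redirect_uri of an authorization request with the origin the
// app is actually served from (what the browser reports as "origin").
function checkRedirectUri(authRequestUrl, appOrigin) {
  const raw = new URL(authRequestUrl).searchParams.get('redirect_uri');
  if (!raw) return [{ code: 'REDIRECT_MISSING', detail: 'no redirect_uri parameter' }];
  const redirect = new URL(raw); // searchParams.get() already percent-decodes
  const app = new URL(appOrigin);
  if (redirect.origin === app.origin) return [];
  if (redirect.host === app.host) {
    // Same host, different scheme (http vs https).
    return [{ code: 'REDIRECT_SCHEME', detail: `${redirect.protocol} vs ${app.protocol}` }];
  }
  return [{ code: 'REDIRECT_ORIGIN', detail: `${redirect.origin} vs ${app.origin}` }];
}

// Compare the path in the adapter's auth-server-url with the path Keycloak
// serves under. relativePath is an assumed input: "/" for the Keycloak 19
// layout described above, "/auth" when KC_HTTP_RELATIVE_PATH restores the old one.
function checkAdapterPath(adapter, relativePath) {
  const base = new URL(adapter['auth-server-url']);
  const configured = withSlash(base.pathname);
  const served = withSlash(relativePath.startsWith('/') ? relativePath : '/' + relativePath);
  if (configured === served) return [];
  const suffix = `realms/${adapter.realm}/protocol/openid-connect/token`;
  return [{
    code: 'ADAPTER_PATH',
    tokenUrl: base.origin + configured + suffix,   // what the adapter will request
    expectedUrl: base.origin + served + suffix,    // where the endpoint really is
  }];
}

// Constructed adapter config using the pre-19 value quoted in the thread.
const oldAdapter = { 'auth-server-url': 'https://auth.example.com/auth/', realm: 'jitsi' };
console.log(checkRedirectUri(SAMPLE_AUTH_URL, 'https://auth-jitsi.test.lan'));
console.log(checkAdapterPath(oldAdapter, '/'));
```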
Hi, we have 4 other apps (2 working via SAML & 2 via OpenID) which work well with our Keycloak 19 & 20 without any changes in Keycloak or app configuration (incl. adapters).
They are all configured to work without the "/auth" ending in all paths, i.e. all paths look like this: kc.domain/realms/realmname/protocol/.......
Maybe your other apps autoconfigure via .well-known/openid-configuration, which is more sophisticated.
But this app requires a Keycloak adapter configuration JSON file.
I've updated the keycloak-js adapter to the latest version (20.0.1).
Can you try again with ghcr.io/d3473r/jitsi-keycloak:develop?
I'm getting this error when trying to start it:
(node:1) Warning: To load an ES module, set "type": "module" in the package.json or use the .mjs extension.
(Use `node --trace-warnings ...` to show where the warning was created)
/app/src/app.js:9
import * as dotenv from 'dotenv'
^^^^^^
SyntaxError: Cannot use import statement outside a module
at Object.compileFunction (node:vm:360:18)
at wrapSafe (node:internal/modules/cjs/loader:1055:15)
at Module._compile (node:internal/modules/cjs/loader:1090:27)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1180:10)
at Module.load (node:internal/modules/cjs/loader:1004:32)
at Function.Module._load (node:internal/modules/cjs/loader:839:12)
at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:81:12)
at node:internal/main/run_main_module:17:47
Whoops, did an ES6 import, you can try again now :)
Unfortunately, same behaviour with the new image
This is console output after I got redirected with successful login:
This one is after I entered room name and clicked "Open Jitsi"
This is how our adapter looks like:
Ok, did you add https://auth.meet.example.com to the Web origins in the jitsi client in Keycloak?
The CORS problem was solved after I recreated the Jitsi client with the same settings as before, but without any customization in attributes/roles. It seems the problem was somewhere in the token (I had tried some other ways to achieve KC auth in Jitsi before I found your app). Thanks a lot for your quick help.
Now I can successfully log in with any realm user account, but I have two questions:
- Is it possible also to allow guests to join meets?
- Why does everyone receive Moderator privileges after entering any room, even if there is already a Moderator online?
Awesome :)
Are you running the latest jitsi meet docker image?
Now we are running 'stable-7648-3', but I'm preparing things to migrate to the latest.
Maybe you are hitting this regression: https://github.com/jitsi/jitsi-meet/issues/11967, https://github.com/jitsi/docker-jitsi-meet/issues/1369. This is fixed in the latest version via: https://github.com/jitsi/docker-jitsi-meet/pull/1396
@imedia3 I had to add JWT_ALLOW_EMPTY=true to the config. Otherwise a guest joining an existing room would get: A conference with the same name has already been created!