Use Cloudron Logins for host protected settings

nebulon

The latest SFU package has OpenID optionally enabled. If you want to use this, you have install a fresh instance which is setup to authenticate with the Cloudron user management.

This will essentially be setup as @MiroTalk has outlined above in 2 by default.

avatar1024

Thanks for this. Just to make it clear to people, in order to obtain the behaviour in 2, you still need to modify the config.js file and enable authentication (protected: true). Otherwise, while guest cannot enter the app base domain without a login, they can still create rooms freely by creating a url: mirotalkappprefix.mydomain.com/join/roomname

@MiroTalk is that behaviour intended?

@nebulon perhaps the "protected: true" should be enable by default in the package with OICD as I imagine this is the behaviour most users expect if they want authentication?

MiroTalk

@avatar1024 said in Use Cloudron Logins for host protected settings:

Otherwise, while guest cannot enter the app base domain without a login, they can still create rooms freely by creating a url: mirotalkappprefix.mydomain.com/join/roomname

@MiroTalk is that behaviour intended?

Not a behaviour intended! I'm considering a refinement where guests are only allowed to join specified rooms that have already been created by authenticated users. This approach might offer better control and security. Will be released in the next version.

avatar1024

@MiroTalk said in Use Cloudron Logins for host protected settings:

Not a behaviour intended! I'm considering a refinement where guests are only allowed to join specified rooms that have already been created by authenticated users. This approach might offer better control and security. Will be released in the next version.

I thought that might be the case. Though as I mentioned the behaviour is achieved though by setting "protected: true" in the config.js combined with OICD. It just feels like if OICD is enabled then it shouldn't be possible for guests to create rooms so the setting shouldn't be necessary.

cvachery

I don't get the what the configuration should be to use the OIDC?

From what I understood putting in the env file

HOST_PROTECTED=true
authRequired=true

Should be enough to use my Cloudron accounts and allow guests to only join created rooms but my accounts aren't recognized I didn't find anything about OIDC/OpenID in the doc

cvachery

Ok I found the block to add in the env file :

OIDC_ENABLED=false # true or false
OIDC_ISSUER_BASE_URL='https://server.example.com'
OIDC_BASE_URL='http://localhost:3000' # https://p2p.mirotalk.com
OIDC_CLIENT_ID='ClientID'
OIDC_CLIENT_SECRET='ClientSecret'
OIDC_AUTH_REUIRED=false # set to true if authentication is required for all routes
SESSION_SECRET='mirotalk-p2p-oidc-secret'

But I don't know how to set those variables. I created a new client in cloudron OpenID Connect Provider but not sure of what the callback URL should be

girish

@cvachery oidc integration is built into the sfu app already. You don't need to configure this manually. If you reinstall, it should work out of the box.

cvachery

@girish Hmm it's only for the SFU was trying for the p2p app
Thanks a lot, so for the SFU I should just put protected: true in the config.js and it should work out of the box?

nebulon

@cvachery correct, that should work.

cvachery

It doesn't work but I think there is an issue in the config file generation as the template is not used

nebulon

@cvachery what makes you think the template is not used? If there is some misconfiguration, maybe you can also just try to reinstall the app as it has no persistent data anyways.

cvachery

I keep having the same error when trying to create a room

Oops, Room not allowed
This room is not allowed for this user

My config.js file looks like this:

// All options at https://github.com/miroslavpejic85/mirotalksfu/blob/main/app/src/config.template.js

module.exports = {
    host: {
        /*
            Host Protection (default: false)
            To enhance host security, enable host protection - user auth and provide valid
            usernames and passwords in the users array.
        */
        protected: true,
        user_auth: false,
        users: [
            /*
            {
                username: 'username',
                password: 'password',
            },
            {
                username: 'username2',
                password: 'password2',
            },
            ...
            */
        ]
    },
    presenters: {
        /*
            By default, the presenter is identified as the first participant to join the room, distinguished by their username and UUID.
            Additional layers can be added to specify valid presenters and co-presenters by setting designated usernames.
        */
        list: [],
        join_first: true, // Set to true for traditional behavior, false to prioritize presenters
    }
};

And looking at the app repo here the config file should look quite different to be able to handle OIDC connection

nebulon

In that case maybe just try to reinstall the app so it gets provisioned with a fresh config.js if the migration during update didn't work out for some reason.

cvachery

The reinstall doesn't change the content of this file.
And I don't see how it could be looking at the docker file but maybe I'm missing something

nebulon

To be clear the file you were linking from the package repo is a wrapper for config.js which will read values from /app/data/config.js and merges it with Cloudron specific ones. Maybe this is where the confusion comes from?

cvachery

Yes I got that it's a wrapper but this wrapper is never used neither in the dockerfile or start.sh so I don't get when this merge is done

nebulon

That file overwrites the upstream config.js in https://git.cloudron.io/cloudron/mirotalksfu-app/-/blob/main/Dockerfile?ref_type=heads#L13 and then loads the one in /app/data/config.js and then patches up the process internal config object. Only very specific config options are copied over though. For auth it is only those three essentially https://git.cloudron.io/cloudron/mirotalksfu-app/-/blob/main/config.js?ref_type=heads#L20

But maybe to take a step back, whatever is specified regarding oidc in the /app/data/config.js will get overwritten during runtime. So that is probably not the root cause of the issue you are facing.

cvachery

You are right I misread the Dockerfile, thanks for pointing this out!

Maybe it would it be easier to have an example of a config.js file in the documentation.
I guess I'm not the only one failing to configure it
Do I need to create an OpenID Connect Provider in my Cloudron user directory?

jdaviescoates

@cvachery I'm confused by this thread.

You shouldn't need to configue anything.

Just select the relevant User management settings when installing and Cloudron sets it all up, no?

cvachery

I did the same but ticked Allow all users from this Cloudron
Thing is @jdaviescoates by default anyone can create/join a room. But I want to restrict room creation to logged in users and anyone can join with the link.
And when activating those parameters is when problems arise.