Bug: MiroTalk SFU & OIDC & Alias Domain
-
zoom.example.org is the app location
teams.example.org is the alias locationJoining rooms is possible at both locations.
Loggin via oidc, which is the default call to action if you open the url, only works at the app location. This error is triggered at the alias location:BadRequestError: state mismatch, expected eyJyZXR1cm5UbyI6Ii9wcm9maWxlIn0, got: eyJyZXR1cm5UbyI6Ii8ifQ at ResponseContext.callback (/app/code/node_modules/express-openid-connect/lib/context.js:366:15)The oidc flow redirects from teams to zoom.
-
zoom.example.org is the app location
teams.example.org is the alias locationJoining rooms is possible at both locations.
Loggin via oidc, which is the default call to action if you open the url, only works at the app location. This error is triggered at the alias location:BadRequestError: state mismatch, expected eyJyZXR1cm5UbyI6Ii9wcm9maWxlIn0, got: eyJyZXR1cm5UbyI6Ii8ifQ at ResponseContext.callback (/app/code/node_modules/express-openid-connect/lib/context.js:366:15)The oidc flow redirects from teams to zoom.
-
Currently as far as I can see in the mirotalk SFU code, the callback URL for oidc is not switched based on the incoming requests host name.
Maybe @mirotalk-57bab571 can share some insights if this would be possible to fix upstream. Otherwise we have to disable alias domain support within the Cloudron package to not confuse users.
-
@nebulon correct me if i understand well?
In the next release, I will integrate OpenID Connect (OIDC)
dynamically. This will allow the authentication flow to work seamlessly with multiple alias domains. ThebaseURLwill be set dynamically based on the incoming request's host, ensuring that the app supports various domains and subdomains.To ensure proper functionality, It's needed to update the OIDC provider’s callback URL settings to include all valid URLs, including aliases. This way, no matter which domain the user accesses, the OIDC authentication flow will work without issues.
Steps to Update Callback URLs:
- Go to your OIDC provider's dashboard (e.g., Auth0).
- Navigate to
Applications>Your Application. - Under Settings, locate Allowed Callback URLs.
- Add all valid callback URLs, for example:
http://app.example.com/auth/callback, http://alias1.example.com/auth/callback, http://localhost:3010/auth/callback - If your aliases follow a consistent pattern, consider using wildcards like
http://*.example.com/auth/callbackto simplify the process.
By following these steps, we'll ensure that the authentication flow works smoothly across multiple domains and aliases.
-
@mirotalk-57bab571 this is great! I've tested it and it required to trust the proxy. The pull request for the SFU flavor is https://github.com/miroslavpejic85/mirotalksfu/pull/191
-
@mirotalk-57bab571 this is great! I've tested it and it required to trust the proxy. The pull request for the SFU flavor is https://github.com/miroslavpejic85/mirotalksfu/pull/191
Done: Enabled OIDC support for alias domains with dynamic baseURL in both MiroTalk P2P v1.4.75 and MiroTalk SFU v1.7.22.