Questions about the central user directory in Cloudron
-
Hi,
Very interested in using Cloudron for one of my projects.
I am a solopreneur and I want to sell infoproducts, mainly online courses. I want to create an online course as a static website hosted in the Surfer App.
And I could set up a community with Discourse. I have read that Cloudron has a central user directory built in.
I guess a user/client could access Discourse AND the online course hosted on Surfer with the same userid/password through this central directory.
I can imagine I could use N8N and the Cloudron API to create a new user account each time a visitor buys my online course.
Then the user could access both Discourse and Surfer with this account. But in the Cloudron knowledge base, I read this:
When installing an app, you can choose if the app is to be configured to use the Cloudron user directory.
Disabling the integration can be beneficial when the app is meant to be used primarily by external users (for example, a community chat or a public forum).
I have a few questions:
- Do you advise against using the central user directory for external users? Why?
- Would it be possible to create a personalized login page and use it to log in to Discourse and Surfer?
- Would it be possible to create a link to log out from Discourse and Surfer by just clicking on it? Maybe with the "Destroy user session" method in the OIDC part of the API.
Cheers
-
Thanks for considering Cloudron.
Do you advise against using the central user directory for external users? Why?
I think it's fine to add external users into Cloudron but there are some things to be aware of. External users will have access to the Cloudron dashboard. Things like password reset, email change, etc. all require dashboard access. The dashboard domain is hardcoded as my.domain.com and cannot be changed. In the Cloudron dashboard, if you have other apps installed (say you have some EspoCRM), then you have to be careful that external users don't get access to this. By default, users have access to all apps (use Groups to restrict usage).
Depending on your situation: you can also manage the directory in the Keycloak app. Then install Discourse etc. to have Keycloak auth (I have not tried this but am guessing it is possible).
Would it be possible to create a personalized login page and use it to log in to Discourse and Surfer?
Right, see the limitations above. The Cloudron dashboard has specific personalization/branding/whitelabeling features. You can of course build your own login page and use Cloudron APIs to authenticate. This requires some dev work.
Would it be possible to create a link to log out from Discourse and Surfer by just clicking on it? Maybe with the "Destroy user session" method in the OIDC part of the API.
AFAIK, no. The session is managed in the OIDC provider. In most cases, the app doesn't even call back to the OIDC provider. I think there are two logout flows iirc and most apps don't implement this backend callback mechanism.
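The two OIDC logout flows the reply alludes to, as an added example (not Cloudron's code, nor that of any Cloudron app): RP-initiated logout is the redirect an app builds to the provider's end_session_endpoint, and back-channel logout is the callback in which the provider POSTs a signed logout_token to the app, which must validate it and revoke its own session. A "logout link" can only end the app-side session if the app implements one of these. The issuer, client id, endpoint URLs, the `sessions` dict (local session id to `{"sid", "sub"}`) and the HS256 shared key are all constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def rp_initiated_logout_url(end_session_endpoint, id_token, post_logout_redirect_uri):
    # Flow 1 (RP-initiated): the app clears its own cookie, then sends the browser to the provider's end_session_endpoint.
    return end_session_endpoint + "?" + urlencode({"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri})

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_logout_token(claims, key):
    # Demo-only minting of an HS256 logout_token; in a real deployment only the provider signs these.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_logout_token(token, key, issuer, client_id, now=None):
    # Flow 2 (back-channel): the provider POSTs a signed logout_token JWT to the app's backchannel_logout_uri.
    # Checks follow the OIDC Back-Channel Logout spec (HS256 shared key here; real providers use RS256 + JWKS).
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud", [])
    if claims.get("iss") != issuer or client_id not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("wrong issuer or audience")
    now = time.time() if now is None else now
    if not (now - 300 <= claims.get("iat", 0) <= now + 60):
        raise ValueError("logout token outside freshness window")
    if BACKCHANNEL_EVENT not in claims.get("events", {}):
        raise ValueError("missing back-channel logout event")
    if ("sid" not in claims and "sub" not in claims) or "nonce" in claims:
        raise ValueError("logout token must carry sid or sub and never a nonce")
    return claims

def handle_backchannel_logout(sessions, token, key, issuer, client_id, now=None):
    # Revoke every local session bound to the provider session (sid), or to the user (sub) when no sid is given.
    claims = verify_logout_token(token, key, issuer, client_id, now)
    field = "sid" if "sid" in claims else "sub"
    revoked = [lid for lid, s in sessions.items() if s.get(field) == claims[field]]
    for lid in revoked:
        del sessions[lid]
    return revoked
```

An app that implements neither flow keeps its own session alive after the provider session is destroyed, which is why destroying the session on the provider side alone does not log the user out of the app.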
-
Thank you for your detailed answer.
When you say:
Depending on your situation: you can also manage the directory in the Keycloak app. Then install Discourse etc. to have Keycloak auth (I have not tried this but am guessing it is possible).
I'm not sure I understand exactly what it means.
Do you mean using Keycloak as a complete replacement of the Cloudron directory or as a sort of frontend for it (for login/logout, password reset, etc.)?
I really like the fact that the Cloudron directory can be used as an SSO for all the Cloudron Apps (like Discourse, Surfer, N8N in my case).
Is it possible to do the same with Keycloak alone for apps installed from the Cloudron App Store? Do I need to set up some custom configs for these apps? Where do I tell Discourse or Surfer to use Keycloak for auth instead of the Cloudron directory?
-
@geraud I guess there are two scenarios. Let's say you have 10 users. I think the question is what you want for these 10 users.
- If you use the Cloudron User Directory, Cloudron can be the single entry point / dashboard for the users to access apps. They log in to a dashboard and see apps. The password is managed by Cloudron and thus they have to do password reset etc. via Cloudron. This setup is usually the case for most of the private/personal cloud setups.
- In another situation, Cloudron can be seen just as a way to install and manage apps by you as a sysadmin. In this case, it's not really a central directory for your users and is just a sysadmin tool for you/the sysadmin. You can use Keycloak as the user directory. Some advantages (or not) are: users won't have any idea about Cloudron or how the apps are hosted. You can set up your own custom login and dashboard pages for your users.
Does that make sense?
-