MiroTalk P2P cannot join rooms if OIDC user is same as .env user

robi

Since I somehow ended up in this configuration, the workaround was to edit the username in the .env file so it's not the same.

@mirotalk-57bab571 can it be made to work with local host auth first before checking OIDC where credentials won't match?

james

Hello @robi
Could you please describe the issue a bit more in detail?
A step-by-step guide for reproduction will significantly improve the time of resolving your issue.

avatar1024

Yeah description is a little confusing but I think what @robi means is that they allowed a user (that is not a Cloudron OIDC user) in the .env file, but that this username has the same username as a OIDC user on Cloudron. As a result the user allowed manually in the .env file cannot login because the app is expecting the OIDC credentials. But yes, @robi please clarify.

robi

It's more for Miroslav who will know what to do with this, since it's his code, hence the mention.

@avatar1024 is close, as the dup user can log in, just cannot join user specified rooms. Only autogenerated ones.

In any case, the auth flow and permissions need some TLC.

Nothing for the Cloudron team to do.

robi

@mirotalk-57bab571 following up

robi

Is there a reason this isn't being looked at?

nebulon

Maybe your request about the order of auth or a fallthrough if first auth is failing, would be better reported upstream then as a feature request.

MiroTalk

@robi said in MiroTalk P2P cannot join rooms if OIDC user is same as .env user:

Since I somehow ended up in this configuration, the workaround was to edit the username in the .env file so it's not the same.

Hi Robi, could you please provide the exact steps and configuration you used to reproduce the issue? Thank you!

robi

@MiroTalk Sure..

My install is from before OIDC was available, hence my Cloudron user 'robi' was added to the .env file.

Some time after OIDC integration logging in was a success but not joining custom rooms.

Hence the need to change or remove the user 'robi' from the .env file.

To reproduce, set a user in .env to the same as a user in OIDC.

MiroTalk

So if i understand well the issue you encountered was related to an older version of MiroTalk P2P?

---

In the latest release, I’m unable to reproduce the problem, everything seems works as expected with OIDC enabled.

Please update your MiroTalk P2P instance to the latest version, and let me know if the issue persists.

Thank you!

---

MiroTalk

@robi said in MiroTalk P2P cannot join rooms if OIDC user is same as .env user:

My install is from before OIDC was available, hence my Cloudron user 'robi' was added to the .env file.

It's not entirely clear what you mean by ".env user." Just to clarify, MiroTalk P2P supports two ways to protect your instance from unauthorized access:

1. Using OIDC (OpenID Connect):

OIDC_ENABLED=true
OIDC_ALLOW_ROOMS_CREATION_FOR_AUTH_USERS=true

• This allows all users authenticated via your OIDC provider to access the instance.
• If OIDC_ALLOW_ROOMS_CREATION_FOR_AUTH_USERS is set to true, they can also create their own rooms.

2. Without OIDC (Local Auth):

HOST_PROTECTED=true
HOST_USER_AUTH=false
HOST_USERS='[{"username": "admin", "password": "admin"},{"username": "guest", "password": "guest"}]'

• In this mode, users defined in HOST_USERS are allowed to log in and join rooms.
• This is a simple JSON-based user/password list stored in your .env file.

So when you refer to a ".env user," I assume you mean a user defined in the HOST_USERS list.

For additional context please refer to this post as well:
https://forum.cloudron.io/post/108348

avatar1024

@mirotalk-57bab571 What @robi is talking about is a conflict when you have a OIDC user with the same username as a user in the .env file. In this case the user in the .env file (same username as the OIDC user but different password) cannot join the room.

jdaviescoates

@avatar1024 @robi isn't the solution (if you're now using OIDC) to simply delete the left over pre-OIDC HOST_USERS from the .env file?

nebulon

Also maybe just reinstall the app to start fresh then. There isn't much actual data stored in the app anyways.

robi

The app auto updates. It's always at the latest.

Here are the settings from my .env file

API_KEY_SECRET=<redacted>
HOST_PROTECTED=true
HOST_USER_AUTH=false
HOST_USERS=<includes 'robi'>

This was the only way to protect usage by logging-in in the past, before OIDC.

The MiroTalk code be updated to not break the user flow when HOST logins succeed but fail to join any custom rooms (or previously used URL supplied rooms) other than autogenerated suggestions.

Ie. it could be more aware of HOST auth and do the right thing vs getting tangled with OIDC auth permissions or whatever else is happening (my guess, since it doesn't seem to know what to do, and it worked as configured before).

Once I edited the .env file user to 'rob', things started working as expected again.

MiroTalk

@robi said in MiroTalk P2P cannot join rooms if OIDC user is same as .env user:

API_KEY_SECRET=<redacted>
HOST_PROTECTED=true
HOST_USER_AUTH=false
HOST_USERS=<includes 'robi'>

Hi Rob,

Please try using the following settings in your env file:

API_KEY_SECRET=your-api-key-secret
OIDC_ENABLED=false
HOST_PROTECTED=true
HOST_USER_AUTH=false
HOST_USERS='[{"username": "robi", "password": "your-password"}]'

Make sure to add OIDC_ENABLED=false to explicitly disable OIDC, and update HOST_USERS to use the correct JSON format as shown above. Then restart the your MiroTalk P2P instance.