miroslavpejic85/mirotalkc2c

Administration and users

Closed this issue · 3 comments

I would like to be able to prevent anyone from creating a room without my consent.

But I would also like to allow people that I allow to participate in a video conference.

It would be great to be able to have an administrator account, and to have a random string generator for creating random rooms' name so that it can then be accessed only by those who have the link.

This would prevent unwanted access and unnecessary spam of the server on-premises like AWS EC2 and prevent having a bill that would go too far.

Hi @aminnairi,

You have the option to protect your instance using OIDC (OpenID Connect). Simply enable and configure it in the .env file as shown below:

# OIDC - OpenID Connect
# 1. Sign up for an account at https://auth0.com.
# 2. Navigate to https://manage.auth0.com/ to create a new application tailored to your specific requirements.
# For those seeking an open-source solution, check out: https://github.com/panva/node-oidc-provider

OIDC_ENABLED=true
OIDC_ISSUER_BASE_URL='https://server.example.com'
OIDC_BASE_URL='http://localhost:8080' # https://c2c.mirotalk.com
OIDC_CLIENT_ID='ClientID'
OIDC_CLIENT_SECRET='ClientSecret'
OIDC_AUTH_REQUIRED=false # set to true if authentication is required for all routes
SESSION_SECRET='mirotalk-c2c-oidc-secret'


What is OIDC?

OpenID Connect (OIDC) is an authentication layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of end-users based on the authentication performed by an authorization server. OIDC provides a single sign-on (SSO) solution, enabling users to authenticate once and gain access to multiple applications.

Pros of OIDC:

  1. Simplified Authentication: OIDC abstracts complex authentication processes, making it easier to implement user authentication in your application.
  2. Enhanced Security: It leverages OAuth 2.0 security protocols, ensuring secure token handling and reduced risk of credential theft.
  3. Single Sign-On (SSO): Users can authenticate once and access multiple applications, enhancing user experience and convenience.
  4. Interoperability: OIDC is a widely adopted standard supported by numerous identity providers, ensuring compatibility across different platforms.
  5. Scalability: Suitable for large-scale applications requiring robust and scalable authentication mechanisms.
  6. Reduced Development Time: With OIDC, you can leverage existing identity providers and reduce the time and effort needed to build and maintain your own authentication system.

Additionally, MiroTalk C2C can be used in combination with MiroTalk WEB component to manage users and room scheduling effectively.

Thank you for this exhaustive answer, I'm glad you described what OIDC was because I have little knowledge about it but I understand better. And your answer is very clear and beginner-friendly 🙏

I'm now curious about it, is it possible to host my own OIDC issuer server by any chance? I'd like to know more by tinkering with it on premises and it would be cool to not rely on another external issuer (although I have no trouble using Auth0 if I must).

Hi!

You're welcome! I'm glad my explanation helped you understand OIDC better. It's a fascinating topic, and it's great that you're interested in learning more about it.

Hosting Your Own OIDC Server

Yes, you can definitely host your own OIDC issuer server! This way, you won't need to rely on an external service like Auth0 (though Auth0 is great too). Hosting your own server gives you more control and flexibility. One of them is Keycloak.

Keycloak

  • Description: Keycloak is an open-source identity and access management solution that supports OIDC, OAuth 2.0, and SAML.
  • Features: It offers features like single sign-on (SSO), user federation, identity brokering, and social login.
  • Installation: Keycloak can be deployed on-premises or in the cloud. It can run on a variety of environments, including Docker, Kubernetes, and standalone servers.

Setting Up Your Own OIDC Server

Here’s a high-level overview of the steps to set up your own OIDC server using one of these tools (e.g., Keycloak):

  1. Install Keycloak:

    • Download the Keycloak server from the official website.
    • Follow the installation instructions for your environment (standalone, Docker, Kubernetes, etc.).
  2. Configure Keycloak:

    • Start the Keycloak server and log in to the admin console.
    • Create a new realm (a realm represents a tenant in Keycloak).
    • Add clients (applications) that will use Keycloak for authentication.
    • Configure users and roles.
  3. Integrate with Applications:

    • Configure your applications to use Keycloak as the OIDC provider.
    • Use the OIDC endpoints provided by Keycloak for authentication and token management.
  4. Security and Maintenance:

    • Regularly update your Keycloak installation to the latest version.
    • Monitor the server for performance and security issues.
    • Back up your Keycloak configuration and user data.

Resources and Documentation

If you have any questions or doubts, feel free to join our MiroTalk community on Discord. We'd love to help you out! You can join us here.

Have a good day!
Miroslav