bhetherman/obs-game-stream-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
obs-game-stream-plugin/docs/authentik-setup.md
T
bhetherman 0dff4eeee3 Update all docs to reflect current working configuration 
- README: update architecture diagram for RTMP+FFmpeg pipeline, add FFmpeg
  install step, fix path descriptions
- obs-setup: switch from WHIP to RTMP output, add FFmpeg prerequisite, fix
  script log messages (MediaMTX starts on load not streaming start), add
  Python setup note, update troubleshooting for game-opus path and audio
- npm-setup: remove Custom Locations GUI instructions (must be empty - all
  locations defined in Advanced tab only), update verify steps to game-opus
  paths, add troubleshooting for WHEP 400/401 causes
- authentik-setup: add section 6 covering both manual account creation and
  self-service enrollment via invite link; clarify User Write stage group
  field is what triggers auto-add (not the invitation form)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-06 03:46:13 -04:00

122 lines
4.4 KiB
Markdown
Raw Permalink Blame History

# Authentik setup
Creates a Forward Auth Proxy Provider that NPM will consult before allowing
any request to `https://stream.hetherman.cloud`.
Prerequisites: you already run Authentik at `https://auth.hetherman.cloud` and
have admin access.
## 1. Create a group
1. Authentik admin -> **Directory -> Groups -> Create**
2. Name: `stream-viewers`
3. Save.
## 2. Create a Proxy Provider
1. **Applications -> Providers -> Create**
2. Select **Proxy Provider** and click Next.
3. Fill in:
- **Name**: `game-stream-forward-auth`
- **Authorization flow**: `default-provider-authorization-implicit-consent`
(skips the "Authorize application" prompt so friends get a one-click login)
- **Type**: **Forward auth (single application)**
- **External host**: `https://stream.hetherman.cloud`
- **Token validity**: default (24 hours) is fine
4. Save.
## 3. Create an Application
1. **Applications -> Applications -> Create**
2. Fill in:
- **Name**: `Game Stream`
- **Slug**: `game-stream`
- **Provider**: `game-stream-forward-auth` (the provider from step 2)
- **Launch URL**: `https://stream.hetherman.cloud`
3. Save.
## 4. Bind the group policy
Restrict who can authenticate to this application:
1. Open the `Game Stream` application you just created.
2. Go to the **Policy / Group / User Bindings** tab -> **Create binding**
3. **Group**: `stream-viewers`
4. Leave the rest as default; Save.
After this step, only members of `stream-viewers` (and Authentik superusers)
can authenticate to the game stream.
## 5. Ensure the outpost serves this application
Authentik runs an "outpost" that exposes `/outpost.goauthentik.io/auth/nginx`
for the nginx `auth_request` forward-auth pattern.
1. **Applications -> Outposts**
2. Edit the default `authentik Embedded Outpost` (or create one if there is
not one already).
3. Under **Applications**, make sure `Game Stream` is checked.
4. Save. The outpost reloads automatically.
Verify the outpost endpoint is reachable:
```
curl -I https://auth.hetherman.cloud/outpost.goauthentik.io/ping
```
A 200 or 204 means the outpost is up.
## 6. Adding friends
You have two options:
### Option A: Create accounts manually (recommended for small groups)
1. **Directory -> Users -> Create**
- Set username, name, email
- Set a temporary password
- Enable "User must change password on next login"
2. **Directory -> Groups -> stream-viewers -> Users tab -> Add** the new user.
3. Send your friend the URL (`https://stream.hetherman.cloud`) and their
temporary credentials. They set their own password on first login.
### Option B: Self-service enrollment via invite link
This requires a working enrollment flow with an Invitation stage. The key
requirement is that the **User Write stage** in the enrollment flow must have
`stream-viewers` set in the **Groups** field - this is what auto-adds new
users to the group. The invitation form itself has no group field.
1. **Flows & Stages -> Stages** - find or create a User Write stage and set
**Groups** to `stream-viewers`.
2. **Flows & Stages -> Flows** - create an enrollment flow with these stages
in order: Invitation stage -> prompt (email/password) -> User Write -> Login.
3. **Flows & Stages -> Invitations -> Create**:
- **Flow**: your enrollment flow
- **Single use**: on (one invite per person)
- Set an expiry date
4. Copy the invite link (shown after saving) and send it to your friend. They
click it, fill in username/password, and are redirected to the stream.
> **Important:** if friends completed enrollment but were not added to
> `stream-viewers` (because the User Write stage was not configured), add them
> manually: **Directory -> Groups -> stream-viewers -> Users tab -> Add**.
## 7. Verify end-to-end
After finishing `docs/npm-setup.md`:
1. Open `https://stream.hetherman.cloud` in a private/incognito browser.
2. You should be redirected to Authentik to log in.
3. Log in as a member of `stream-viewers`. You should be redirected back to
the stream page.
4. Log out, clear cookies, try logging in as a non-member. You should be
denied with a "You do not have access" message.
## Revoking access
Remove the friend's user from the `stream-viewers` group. Their Authentik
session remains valid until it expires, but the next `auth_request` forward
auth check (evaluated on every HTTP request NPM sees) will fail the group
policy and they will be locked out within seconds.
Reference in New Issue View Git Blame Copy Permalink