Temporary access to OpenZiti network

Hello!

I have a question regarding temporary access:

My use case involves giving temporary access to the ziti network to someone (probably with a smartphone).

Currently, I only know how to do this by creating an identity, then a certificate and giving it to that person who has to install the tunneler and enroll.

I’m looking for the simplest way to give temporary access to someone external to the network.

For example, if I have a video stream service that I would like to give access to someone temporarily, how can I do that?

Is there a way to create an account that someone could log in to and have access to the ziti network and that service (through the browser), or to connect the ziti network to an identity database where an account can be created and then have access? Or is the tunneler the only way to access the network?

Thank you in advance!

Hi @Meh, seems like a simple question but it's got a lot of nuance built in there! :slight_smile:

I’m looking for the simplest way to give temporary access to someone external to the network.

With OpenZiti itself, you'll likely use tunnelers the way you describe. You always need some bit of OpenZiti tech to use a service protected by OpenZiti. With OpenZiti itself, that will definitely involve using a tunneler. So like you said, you'd make an identity, have them install the tunneler of their choice (and turn it on), then send them a JWT to enroll/use.

However, there are at least three other options available, each with different levels of complexity/implementation.

  1. Application Embedded Application -- I'll get this out of the way first, since I expect it's not what you're looking for, but as a reminder, people can build an OpenZiti SDK into any application. If you write/control the app, you can embed OpenZiti into the application and do whatever you want!

  2. BrowZer - BrowZer is nearly out of incubation and has been used internally and by some early adopters, but BrowZer is really neat. It's a client-less installation. The experience from a consumer perspective is they'll go to a website, have to log in to some OIDC provider, and then they're able to access the resources you provide. The install experience right now will likely be a bit rough since we don't have the docs complete (they are coming very soon), but it'll be a good experience for those short-term cases (and other long-term cases too, but we're talking short-term here).

  3. zrok - zrok allows you to share resources publicly, but in an obfuscated way. You lose some zero trust related things that OpenZiti provides, but you gain client-less installation and drop-dead-simple access. It's another tool in the toolbelt and sometimes it's the right one for the job. It makes sharing things incredibly easy.

Depending on how deep you wish to go, BrowZer or zrok might be what you're looking for. They add additional complexity insofar as you'll need to install them either on top of a new OpenZiti network (zrok) or into an existing one (BrowZer). I dunno if that helps at all, I feel like it just makes more research work for ya. :slight_smile:
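The tunneler route described in the reply above (make an identity, hand over an enrollment JWT, take access away again afterwards), worked through against the controller's Edge Management API as an added example. This is my code, not code from the thread, from OpenZiti or from NetFoundry. It assumes a controller at a placeholder URL with a placeholder CA bundle, an admin account, an existing service (here called `video-stream`), and the management API endpoints as I know them (`/authenticate?method=password`, `/identities`, `/services`, `/service-policies`, with the session token sent in the `zt-session` header). The guest gets a non-admin identity carrying a role attribute nobody else has, plus a Dial policy that lets only that attribute reach only that one service; the one-time-token (OTT) enrollment JWT is what you send to the person. The point worth keeping in mind for "temporary": the OTT expires if unused, but once the person has enrolled, the identity keeps its access until you delete it, so `revoke()` is what actually closes the window.

```python
"""Temporary OpenZiti access through the controller's Edge Management API.

Added example; not code from the thread, OpenZiti or NetFoundry. Assumed
values (placeholders): CONTROLLER, CA_BUNDLE, the admin credentials and the
service name passed in by the caller.
"""
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

CONTROLLER = "https://ziti-controller.example.internal:1280"  # placeholder
CA_BUNDLE = "/path/to/controller-ca.pem"                      # placeholder

# transport(method, url, json_body_or_None, headers) -> decoded JSON response
Transport = Callable[[str, str, Optional[dict], Dict[str, str]], dict]


def urllib_transport(method: str, url: str, body: Optional[dict],
                     headers: Dict[str, str]) -> dict:
    """Real HTTPS transport; pins trust to the controller's CA bundle."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def identity_payload(name: str, role_attr: str) -> dict:
    """Non-admin identity with a one-time-token (OTT) enrollment, tagged with
    a role attribute that only this guest carries."""
    return {"name": name, "type": "Device", "isAdmin": False,
            "enrollment": {"ott": True}, "roleAttributes": [role_attr]}


def dial_policy_payload(name: str, role_attr: str, service_id: str) -> dict:
    """Dial policy: identities with #role_attr may dial exactly @service_id."""
    return {"name": name, "type": "Dial", "semantic": "AnyOf",
            "identityRoles": ["#" + role_attr],
            "serviceRoles": ["@" + service_id]}


class ZitiAdmin:
    def __init__(self, controller: str = CONTROLLER, transport: Transport = urllib_transport):
        self.base = controller.rstrip("/") + "/edge/management/v1"
        self.transport = transport
        self.token: Optional[str] = None

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"zt-session": self.token} if self.token else {}
        return self.transport(method, self.base + path, body, headers)

    def login(self, username: str, password: str) -> None:
        resp = self._call("POST", "/authenticate?method=password",
                          {"username": username, "password": password})
        self.token = resp["data"]["token"]

    def service_id(self, service_name: str) -> str:
        query = urllib.parse.quote(f'name="{service_name}"')
        found = self._call("GET", f"/services?filter={query}")["data"]
        if len(found) != 1:
            raise LookupError(f"expected one service named {service_name!r}, got {len(found)}")
        return found[0]["id"]

    def grant_temporary_access(self, guest: str, service_name: str) -> dict:
        """Create a throwaway identity plus a dial policy scoped to one service,
        and return the enrollment JWT to hand to the guest."""
        role_attr = f"guest-{guest}"
        identity_id = self._call("POST", "/identities",
                                 identity_payload(guest, role_attr))["data"]["id"]
        policy_id = self._call("POST", "/service-policies",
                               dial_policy_payload(f"{role_attr}-dial", role_attr,
                                                   self.service_id(service_name)))["data"]["id"]
        # The OTT JWT is minted at creation time; read it back from the identity.
        jwt = self._call("GET", f"/identities/{identity_id}")["data"]["enrollment"]["ott"]["jwt"]
        return {"identity_id": identity_id, "policy_id": policy_id, "enrollment_jwt": jwt}

    def revoke(self, grant: dict) -> None:
        """End the access window: an enrolled identity keeps access until it is
        deleted, so removing the policy and identity is the actual revocation."""
        self._call("DELETE", f"/service-policies/{grant['policy_id']}")
        self._call("DELETE", f"/identities/{grant['identity_id']}")


if __name__ == "__main__":
    admin = ZitiAdmin()
    admin.login("admin", "CHANGE-ME")          # placeholder credentials
    grant = admin.grant_temporary_access("alice-phone", "video-stream")
    print("send this JWT to the guest:", grant["enrollment_jwt"])
    # ... later, when the window ends:
    admin.revoke(grant)
```

The transport is injectable so the flow can be exercised against a fake controller; in real use the default `urllib_transport` verifies the controller certificate against the CA bundle rather than disabling verification. Giving each guest their own role attribute (rather than reusing a shared `#guest` attribute) keeps the policy per person, so revoking one guest never touches another.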

@TheLumberjack

Thank you for your insights, you gave me stuff to think about, and I’ll look into these, it sounds promising!

I’m very new to ZTA and OpenZiti, so I realize some questions are very vague and hard to answer. :grin: