[QUESTION] OIDC User and Group Admin differentiation #1675

Open
dasunsrule32 opened this issue Aug 17, 2024 · 3 comments

Labels
🤷‍♂️ Question [ISSUE] Further information is requested

Comments

@dasunsrule32
Contributor

Question

Is there a way to differentiate admins and users when using OIDC? Is it possible to assign a configuration of type: admin to an OIDC user or group? Not sure if that is implemented or not. Thank you.

@twsouthwick

Category

Authentication

@dasunsrule32
Contributor Author

Is there a way to get DEBUG logs to dump to the container logs? I'm trying to dump exactly what is being consumed by Dashy when an OIDC account logs in. Maybe I can try assigning a type to what Dashy sees the email, username, etc. as, a type: admin. Might work.

@liss-bot liss-bot added the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Aug 17, 2024
@CrazyWolf13
Collaborator

CrazyWolf13 commented Aug 17, 2024

For me it always worked to intercept the URL from the auth-server right before logging into dashy; then you can decode this with (I think) https://jwt.io/ and you will see which data gets provided to dashy.

Edit: this is not working for me for dashy, possibly due to the public client in the oidc specs, sorry.

@dasunsrule32
Contributor Author

dasunsrule32 commented Aug 17, 2024

I looked at the code and the default scope is: openid profile email roles groups. So the data is definitely there as long as it isn't overwritten by a custom scope in the conf.yml.

https://github.com/Lissy93/dashy/blob/master/src/utils/OidcAuth.js#L23

With the way I configured it in the docs, the following is a sample of data being sent to Dashy from authentik:

{
    "iss": "https://auth.domain.com/application/o/dashy/",
    "sub": "*********************",
    "aud": "************************",
    "exp": **********,
    "iat": *************,
    "auth_time": *****************,
    "acr": "goauthentik.io/providers/oauth2/default",
    "amr": [
        "user",
        "mfa"
    ],
    "email": "[email protected]",
    "email_verified": true,
    "name": "Test User",
    "given_name": "Test User",
    "preferred_username": "test",
    "nickname": "test",
    "groups": [
        "authentik Admins",
        "Cloudflare Users",
        "pgAdmin Admins",
        "KASM Admins",
        "TrueNAS SCALE Admins",
        "Mealie Admins",
        "Mealie Users",
        "Dashy Admins"
    ]
}
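As an added example (not Dashy's own code and not the OidcAuth.js referenced above), this shows how the groups claim in an ID token shaped like the authentik payload posted here can be mapped to an admin or user role. SAMPLE_TOKEN is constructed inline with a fake signature, so it only stands in for a token that the OIDC client library has already validated.

```javascript
// Added example (not Dashy's code): inspect the claims in an OIDC ID token and
// map group membership to an admin/user role as the thread suggests.
// Assumes Node.js. SAMPLE_TOKEN is CONSTRUCTED from the claims posted above
// and carries a fake signature, so it is fit for inspection only.

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url; Node's Buffer understands 'base64url'.
  return Buffer.from(segment, 'base64url').toString('utf8');
}

function decodeIdToken(idToken) {
  // Split header.payload.signature. This does NOT verify the signature:
  // role decisions must only use claims the OIDC client library has already
  // validated (signature, iss, aud, exp), never a token decoded like this.
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
  };
}

function roleFromClaims(claims, adminGroup) {
  // Exact, case-sensitive match on the groups claim; a missing or non-array
  // claim (e.g. the 'groups' scope was dropped from conf.yml) means plain user.
  const groups = Array.isArray(claims.groups) ? claims.groups : [];
  return groups.includes(adminGroup) ? 'admin' : 'user';
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample: same shape as the authentik payload above, values faked.
const SAMPLE_CLAIMS = {
  iss: 'https://auth.domain.com/application/o/dashy/',
  sub: 'CONSTRUCTED-SUBJECT',
  aud: 'CONSTRUCTED-CLIENT-ID',
  email: 'test@example.com',
  preferred_username: 'test',
  groups: ['Cloudflare Users', 'Mealie Users', 'Dashy Admins'],
};
const SAMPLE_TOKEN = [
  base64UrlEncode({ alg: 'RS256', typ: 'JWT' }),
  base64UrlEncode(SAMPLE_CLAIMS),
  'fake-signature-not-verified',
].join('.');

console.log(roleFromClaims(decodeIdToken(SAMPLE_TOKEN).payload, 'Dashy Admins')); // admin
```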

@liss-bot liss-bot removed the 👤 Awaiting Maintainer Response [ISSUE] Response from repo author is pending label Aug 18, 2024
@CrazyWolf13 CrazyWolf13 removed their assignment Sep 1, 2024