Unable to add user to group when using SSO (OIDC)
Describe the bug
Unable to add user to group when using OIDC
To Reproduce
Steps to reproduce the behavior:
- Go to 'My Account'
- Click on any group
- Click on 'Add Users'
- Enter User Identifier of user ( ~oidc:123456789 )
- Select 'Full Administrator'
- Click on 'Ok'
- Nothing happens.
Expected behavior
User gets added to list of 'User Authorisations'
Server Software (please complete the following information):
- OS: Synology Diskstation
- Virtualization: Docker
- Network: LAN
- Version: 1.1.31
Your config.json file
{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "_WANonly": true,
    "_LANonly": true,
    "cert": "meshcentral.domain",
    "sessionKey": "redacted",
    "port": 8443,
    "aliasPort": 443,
    "redirPort": 6680,
    "redirAliasPort": 80,
    "AgentPong": 300,
    "trustedProxy": "192.168.0.6",
    "TLSOffload": false,
    "SelfUpdate": false,
    "AllowFraming": "false",
    "WebRTC": "false",
    "AutoBackup": {
      "backupPath": "/opt/meshcentral/meshcentral-backups",
      "backupInvervalHours": 24,
      "keepLastDaysBackup": "10",
      "zippassword": "MyAwesomePasswordPleaseChangeMe"
    },
    "plugins": { "enabled": true }
  },
  "domains": {
    "": {
      "title": "Text1",
      "title2": "Text2",
      "minify": true,
      "certUrl": "https://meshcentral.domain:443",
      "showPasswordLogin": false,
      "authStrategies": {
        "oidc": {
          "issuer": {
            "issuer": "https://auth.domain/application/o/meshcentral/",
            "authorization_endpoint": "https://auth.domain/application/o/authorize/",
            "token_endpoint": "https://auth.domain/application/o/token/",
            "endsession_endpoint": "https://auth.domain/application/o/meshcentral/end-session/",
            "jwks_uri": "https://auth.domain/application/o/meshcentral/jwks/",
            "userinfo_endpoint": "https://auth.domain/application/o/userinfo/"
          },
          "client": {
            "client_id": "redacted",
            "client_secret": "redacted messed up when redacting, actual config is fine :)",
            "redirect_uri": "https://meshcentral.domain/auth-oidc-callback",
            "post_logout_redirect_uri": "https://auth.domain/login"
          },
          "groups": {
            "required": ["Meshcentral admins", "Meshcentral"],
            "siteadmin": ["Meshcentral admins"],
            "revokeAdmin": true,
            "scope": "groups",
            "claim": "groups"
          },
          "newAccounts": true
        }
      }
    }
  }
}
@AlexCherrypi please can you just verify how long (character count) your user identifier value is?
my authentik oidc calculates out at 70 characters long, but the limit in meshcentral is set at 64!
~oidc:a7f75d7c30f81e712f02f0de453bbc79b40865a2efdf1b303cfdef4515c33203 my example
@si458 Great point. I would love to check. ~~Do you know a good way to do so?~~
It seems like my user identifier value is exactly 64 characters long (without including the ~oidc:; with it, it would be 70 characters long).
So my admin user identifier value would be:
~oidc:7948fda2c675bbe7574c3d27c019dd3d2241ba82bb28fa71527427467f38a87c
Does the ~oidc: get counted, or not?
@si458 It seems like the user identifier is the "sub" in the OAuth ID Token. An example of mine would be:
{
  "iss": "https://auth.domain/application/o/meshcentral/",
  "sub": "7948fda2c675bbe7574c3d27c019dd3d2241ba82bb28fa71527427467f38a87c",
  "aud": "hrIwOfJ9Agv4mDaeAdkkpMLNORpRF4xVvdOOiVdK",
  "exp": 1728702763,
  "iat": 1728702463,
  "auth_time": 1728701799,
  "acr": "goauthentik.io/providers/oauth2/default",
  "email": "redacted",
  "email_verified": true,
  "name": "Admin",
  "given_name": "Admin",
  "preferred_username": "admin",
  "nickname": "admin",
  "groups": [
    "authentik admins",
    "PiHole admins",
    "Nextcloud admins",
    "Wireguard admins",
    "Nginx admins",
    "no MFA required for login / Passwordless allowed",
    "Meshcentral admins"
  ]
}
I configured my authentication provider to use the User's hashed ID as a sub. Authentik: Providers > "Provider Name" > Edit > Advanced protocol settings > Subject mode > Based on the User's hashed ID
@AlexCherrypi ah so ur using the same provider as me Authentik!? I will have a look see what we can do or if the is away around
@si458 just to future-proof everything: The sub can be up to 255 ASCII characters long according to the spec.
@AlexCherrypi oh thank you for the link! that makes it much easier! I'll just change the limit to say 128! but only IF someone uses oidc tho
edit: my testing with google/azure don't exceed the 64 limit, it's just authentik that's exceeding it because its sub IS 64 characters and we need to also include the ~oidc: for reasons
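To make the length arithmetic in this thread concrete, here is an added Python example (not MeshCentral's own code) that builds the ~oidc:<sub> identifier from a constructed ID-token payload modelled on the one quoted above, validates the sub against the OIDC Core constraints, and checks whether the full identifier fits the old 64-character limit, the new 128-character limit, and the spec maximum of 255 characters. The constant names and helper functions are assumptions for illustration, not MeshCentral identifiers.

```python
import json

PROVIDER_PREFIX = "~oidc:"   # prefix MeshCentral puts in front of the sub claim (from the thread)
OLD_LIMIT = 64               # identifier limit reported in the thread (assumed name)
NEW_LIMIT = 128              # limit after the linked commit (assumed name)
SPEC_MAX_SUB_LEN = 255       # OIDC Core: sub MUST NOT exceed 255 ASCII characters

# Constructed ID-token payload; the sub is the 64-hex example quoted in the thread.
SAMPLE_ID_TOKEN_CLAIMS = json.dumps({
    "iss": "https://auth.domain/application/o/meshcentral/",
    "sub": "7948fda2c675bbe7574c3d27c019dd3d2241ba82bb28fa71527427467f38a87c",
    "groups": ["Meshcentral admins"],
})


def validate_sub(sub):
    """Check the sub claim against OIDC Core constraints; return None if fine, else a reason."""
    if not isinstance(sub, str) or sub == "":
        return "sub missing or empty"
    if not sub.isascii():
        return "sub contains non-ASCII characters"
    if len(sub) > SPEC_MAX_SUB_LEN:
        return "sub exceeds 255 characters"
    return None


def build_user_identifier(claims_json):
    """Build the ~oidc:<sub> identifier from a JSON claims string, rejecting a bad sub."""
    claims = json.loads(claims_json)
    problem = validate_sub(claims.get("sub"))
    if problem:
        raise ValueError(problem)
    return PROVIDER_PREFIX + claims["sub"]


def fits_limit(identifier, limit):
    """True if the full identifier, prefix included, fits the server-side limit."""
    return len(identifier) <= limit


def check_identifier(claims_json, limit):
    """Report the identifier, its length (prefix counted) and whether the limit accepts it."""
    ident = build_user_identifier(claims_json)
    return {"identifier": ident, "length": len(ident), "limit": limit, "accepted": fits_limit(ident, limit)}


if __name__ == "__main__":
    for limit in (OLD_LIMIT, NEW_LIMIT):
        print(check_identifier(SAMPLE_ID_TOKEN_CLAIMS, limit))
    worst = PROVIDER_PREFIX + "a" * SPEC_MAX_SUB_LEN   # spec-maximum sub plus the prefix
    print("spec-maximum identifier length:", len(worst), "fits 128:", fits_limit(worst, NEW_LIMIT))
```

The prefix is why a 64-character sub from Authentik produces a 70-character identifier that the old limit rejects, and why a spec-maximum sub would still overflow the new 128-character limit.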
@si458 why not 255 + say 10 chars for the ID provider (e.g. '~oidc:') ?
@si458 Do you know someone who knows the codebase well enough to check (and fix) all the places where the user identifier is used, so the limit can be changed safely?
@AlexCherrypi I can sort it, I've just not had chance yet, been very busy in my personal life at the moment, I'll put it on my to-do list for this week!
@si458 No worries, take yourself all the time you need. I just don't want this issue to get stale, you know?
@si458 How is life going? Still a lot going on?
(Obligatory comment, so this doesn't get stale)
I might start looking into patching this myself. I currently have impressive amounts of free time 😄
@AlexCherrypi oh sorry this totally slipped my mind and my to-do list! (I assign things to me so I know what to do) I was just going to change the limit to 128 characters for the moment and then in the future look into 255 characters. I'll sort it out for you!
@si458 That's great news! Thanks a lot!
done, increased to 128 for the moment! https://github.com/Ylianst/MeshCentral/commit/30b390bdbf251359958eec0b269099abdbff37d8 if we need to, we will increase it to more in the future 👍