RAC Property Mappings Username and Password should not return empty strings
Describe the bug
When creating a Property Mapping of the Type "RAC Provider Property Mapping", it always returns a username and password:
{
"password": "",
"username": "",
"ignore-cert": "true",
"enable-wallpaper": "false",
"enable-full-window-drag": "true"
}
This works when username and password are set, but if they are not set in the Property Mapping, it overrides the Connection Settings in the RAC Provider and Endpoints.
As an example: If I have multiple Endpoints with the same password, I would create a property mapping with a password leaving the username blank. I then would set the username in each endpoint (Advanced settings -> Settings):
username: [email protected]
Defining username and password in the endpoint configuration's advanced settings with no property mappings works as expected:
username: [email protected]
password: mypassword
To Reproduce
Steps to reproduce the behavior:
- Create a Property Mapping of Type RAC
- Leave Username and/or Password empty
- Test the RAC Property Mapping and it returns the following:
{
"password": "somepassword",
"username": ""
}
- Assign the Property Mapping to an Endpoint
- Edit the Endpoint and set the following in Advanced Settings -> Settings:
username: [email protected]
Expected behavior
- The Endpoint advanced configuration should override the inherited username/password from the property mapping(s)
- RAC Property Mappings should not return empty strings for username and password
The inheritance should look like:
- RAC Provider Property Mappings < RAC Provider Connection Settings < Endpoint Property Mappings < Endpoint Connection Settings
- This would result in the Endpoint Connection Settings having the highest priority.
Screenshots
Logs
Version and Deployment (please complete the following information):
- authentik version: 2025.2.1
- Deployment: docker-compose
Additional context
Add any other context about the problem here.
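The precedence requested in this report, sketched as an added example (not authentik's code and not part of the original post). The layer names, the function names and the sample account are assumptions made for illustration; `merge_reported` only models the symptom described above, where blank mapping output wins over the connection settings.

```python
from typing import Any, Mapping

# Lowest to highest priority, following the inheritance order in the report.
# The layer names are hypothetical labels, not authentik identifiers.
LAYER_ORDER = (
    "provider_property_mappings",
    "provider_settings",
    "endpoint_property_mappings",
    "endpoint_settings",
)

def is_unset(value: Any) -> bool:
    """None or an empty/whitespace-only string counts as 'not configured'."""
    return value is None or (isinstance(value, str) and value.strip() == "")

def merge_settings(layers: Mapping[str, Mapping[str, Any]]) -> dict:
    """Expected behaviour: later layers win, but a blank value never
    replaces a value that a lower-priority layer supplied."""
    merged = {}
    for name in LAYER_ORDER:
        for key, value in layers.get(name, {}).items():
            if is_unset(value):
                continue  # a blank value is skipped, not treated as an override
            merged[key] = value
    return merged

def merge_reported(layers: Mapping[str, Mapping[str, Any]]) -> dict:
    """Model of the reported symptom: mapping output is applied on top of
    the connection settings, blanks included."""
    merged = {}
    for name in ("provider_settings", "endpoint_settings",
                 "provider_property_mappings", "endpoint_property_mappings"):
        merged.update(layers.get(name, {}))
    return merged

# Constructed sample input mirroring the reproduction steps.
SAMPLE_LAYERS = {
    "provider_settings": {"ignore-cert": "true"},
    "endpoint_property_mappings": {"password": "somepassword", "username": ""},
    "endpoint_settings": {"username": "svc-rdp@example.test"},
}

if __name__ == "__main__":
    print("reported:", merge_reported(SAMPLE_LAYERS))
    print("expected:", merge_settings(SAMPLE_LAYERS))
```

Skipping blanks means a layer cannot deliberately clear a credential set lower down; that would need an explicit marker rather than an empty string.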
I am seeing the same thing. My observation is that no expressions are making it into the object. They either blank out the property if it's there or do not get added at all.
With this using Guacamole as its backend, my thoughts are that it should take any parameter used by Guacamole in general. For example, if I want to use "any" as my security method, it should be able to take security: any, as this is a property supported by Guacamole.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@BeryJu - Do you know if this is by design and should be an enhancement or if this is indeed a bug of the platform?
Hi,
I can confirm that I'm experiencing the same issue here. Following the exact procedure described in the issue, I also have the issue.
Please tell us how to resolve this issue, as when not using it, it's not possible to adapt the username used for the remote connection based on the connected user; we must instead manually input the user that we want to use.
Cheers,
I think this might be resolved with the following: https://docs.goauthentik.io/docs/add-secure-apps/providers/rac/rac_credentials_prompt
It doesn't allow for automated credential input but it does allow the user to enter their credentials so they can login without using a specific account. Thoughts?
Just a heads-up, there's currently a bug where applying RAC connection settings via property mappings isn't working. We hope to have this resolved in our upcoming 2025.8 release. Setting RAC connection settings via the other documented methods is working as expected.
Got it. I didn't know if that impacted this or if it was different. I can't wait for the patch to go in and play around.
From what I can tell, this should be resolved with 2025.8.0. When I tested to see if the issue where the property mapping was auto-closing was fixed, I tested this and my RAC provider with an expression worked to give the custom expression, though I did not test pushing existing attributes like the username or password in.
Can confirm that this is fixed in 2025.8 onward. Resolved by #15819