
Seafile - user is generated with random email

Open daedric7 opened this issue 1 year ago • 3 comments

Describe the bug While SSO is working as intended, the user generated in Seafile has the correct name, but a [email protected] email field. This makes all email notifications fail.

To Reproduce Steps to reproduce the behavior:

  1. Configure seafile to use authentik.
  2. Create provider and app
  3. SSO on Seafile
  4. See error

Expected behavior The user email field should be the contact email on Seafile

Screenshots: (image)

Version and Deployment (please complete the following information):

  • authentik version: 2023.10.5
  • Deployment: docker-compose

Additional context I really don't know how I can provide further info, which logs may be relevant, etc.

Seafile config:

ENABLE_OAUTH = True

# Whether to create a new user when he/she logs in to Seafile for the first time, default `True`.
OAUTH_CREATE_UNKNOWN_USER = True

# Whether to activate a new user when he/she logs in to Seafile for the first time, default `True`.
OAUTH_ACTIVATE_USER_AFTER_CREATION = True

# Usually OAuth works through SSL layer. If your server is not parametrized to allow HTTPS, some method will raise an "oauthlib.oauth2.rfc6749.errors.InsecureTransportError". Set this to `True` to avoid this error.
OAUTH_ENABLE_INSECURE_TRANSPORT = True

# Client id/secret generated by authorization server when you register your client application.
OAUTH_CLIENT_ID = "xxxx"
OAUTH_CLIENT_SECRET = "yyyy"

# Callback url when user authentication succeeded. Note, the redirect url you input when you register your client application MUST be exactly the same as this value.
OAUTH_REDIRECT_URL = 'https://seafile.aguiarvieira.pt/oauth/callback/'

# The following should NOT be changed if you are using Github as OAuth provider.
OAUTH_PROVIDER_DOMAIN = 'auth.aguiarvieira.pt'
OAUTH_AUTHORIZATION_URL = 'https://auth.aguiarvieira.pt/application/o/authorize/'
OAUTH_TOKEN_URL = 'https://auth.aguiarvieira.pt/application/o/token/'
OAUTH_USER_INFO_URL = 'https://auth.aguiarvieira.pt/application/o/userinfo/'
OAUTH_SCOPE = ["openid", "profile", "email"]
OAUTH_ATTRIBUTE_MAP = {
    "id": (False, "not used"),
    "name": (False, "name"),
    "email": (True, "email"),
}

daedric7 avatar Jan 20 '24 19:01 daedric7

I'm seeing the same thing. I figure this is something to ask about on the seafile repos so I'll be going there next, I'm putting my OIDC config for seafile itself below. Everything works perfectly except for the email generation.

ENABLE_OAUTH = True

# Whether to create a new user when he/she logs in to Seafile for the first time, default `True`.
OAUTH_CREATE_UNKNOWN_USER = True

# Whether to activate a new user when he/she logs in to Seafile for the first time, default `True`.
OAUTH_ACTIVATE_USER_AFTER_CREATION = True

# Usually OAuth works through SSL layer. If your server is not parametrized to allow HTTPS, some method will raise an "oauthlib.oauth2.rfc6749.errors.InsecureTransportError". Set this to `True` to avoid this error.
OAUTH_ENABLE_INSECURE_TRANSPORT = True

# Client id/secret generated by authorization server when you register your client application.
OAUTH_CLIENT_ID = "UKiCXVwLzYKPOC8rBKuYqVvEkGzOfZDkFBclrID9"
OAUTH_CLIENT_SECRET = "wFFMIpx6ddahvLuX1vMabjoKAz2VOhsqqaCK6hS7VsSeqBsfMWCBU3MYLzOOhTjt8VAyS3jLcxVSGVAKGMkjhkngpjmMAscvz6fkH9OvdOdUIkPdBf18YTsmON1Pbkxf" 

# Callback url when user authentication succeeded. Note, the redirect url you input when you register your client application MUST be exactly the same as this value.
OAUTH_REDIRECT_URL = 'https://domain.tld/oauth/callback/'

# The following should NOT be changed if you are using Github as OAuth provider.
OAUTH_PROVIDER_DOMAIN = 'sso.domain.tld'
OAUTH_AUTHORIZATION_URL = 'https://sso.domain.tld/application/o/authorize/'
OAUTH_TOKEN_URL = 'https://sso.domain.tld/application/o/token/'
OAUTH_USER_INFO_URL = 'https://sso.domain.tld/application/o/userinfo/'
OAUTH_SCOPE = ["openid","profile","email",]
OAUTH_ATTRIBUTE_MAP = {
    "email": (True, "email"),  # Please keep the 'email' option unchanged to be compatible with the login of users of version 11.0 and earlier.
    "name": (False, "name"),
    "id": (False, "not used"),
  #  "uid": (True, "uid"),   # Since 11.0 version, Seafile use 'uid' as the external unique identifier of the user.
                            # Different OAuth systems have different attributes, which may be: 'uid' or 'username', etc.
                            # If there is no 'uid' attribute, do not configure this option and keep the 'email' option unchanged,
                            # to be compatible with the login of users of version 11.0 and earlier.
}

dsdole avatar Feb 09 '24 01:02 dsdole

This is a quirk of Seafile, and not related to authentik specifically. Seafile used to use the 'email' field as an immutable user ID, which meant changing email address was impossible. They added contact_email field for email addresses and left email as both an email address and the user ID until version 11, when they changed the user ID to follow the "random email" format you see in your screenshot for all new user accounts.

Here's a working map:

OAUTH_ATTRIBUTE_MAP = {
    "id": (False, "not used"),
    "nickname": (False, "name"),
    "email": (True, "contact_email"),
    "sub": (True, "uid"),   # Since version 11.0, Seafile uses 'uid' as the external unique identifier of the user.
                            # Different OAuth systems have different attributes, which may be: 'uid' or 'username', etc.
                            # If there is no 'uid' attribute, do not configure this option and keep the 'email' option unchanged,
                            # to be compatible with the login of users of version 11.0 and earlier.
}

Note that Seafile versions before 11 let you match authentik users with existing Seafile users by mapping email. That no longer seems to work in version 11. If you have any existing users in Seafile, you'll need to fiddle with the database to map them to the right uid from authentik: https://manual.seafile.com/deploy/auth_switch/

penguintamer avatar Feb 09 '24 07:02 penguintamer
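As an added example, not code from Seafile, authentik or anyone in this thread: a small Python simulation of how an attribute map of this shape (claim -> (required, Seafile field)) turns authentik's userinfo claims into the fields Seafile stores, so the reporter's map and the working map above can be compared side by side. The userinfo values are constructed, and that Seafile processes the map exactly this way is an assumption.

```python
# Added example, not Seafile's or authentik's own code: simulate how a Seafile-style
# OAUTH_ATTRIBUTE_MAP turns OIDC userinfo claims into the fields Seafile stores, so the
# two maps from this thread can be compared offline.
from typing import Any, Optional

# Constructed userinfo in the shape authentik returns for the "openid profile email"
# scopes; every value here is made up.
USERINFO = {
    "sub": "0f3c-constructed-subject-id",
    "email": "alice@example.com",
    "name": "Alice Example",
    "nickname": "alice",
}

# Map from the original report: the IdP address becomes Seafile's internal "email"
# (the user ID) and nothing is written to contact_email.
OLD_MAP = {
    "id": (False, "not used"),
    "name": (False, "name"),
    "email": (True, "email"),
}

# Working map from the thread: stable subject -> uid, address -> contact_email.
NEW_MAP = {
    "id": (False, "not used"),
    "nickname": (False, "name"),
    "email": (True, "contact_email"),
    "sub": (True, "uid"),
}


def apply_attribute_map(userinfo: dict[str, Any],
                        attr_map: dict[str, tuple[bool, str]]) -> dict[str, Any]:
    """Return {seafile_field: value}; a required claim that is absent raises instead
    of silently creating a half-populated account."""
    profile: dict[str, Any] = {}
    for claim, (required, field) in attr_map.items():
        if claim not in userinfo:
            if required:
                raise ValueError(f"required OIDC claim {claim!r} missing from userinfo")
            continue
        if field != "not used":
            profile[field] = userinfo[claim]
    return profile


def notification_address(profile: dict[str, Any]) -> Optional[str]:
    """Where notifications go: contact_email only, never the internal user ID."""
    return profile.get("contact_email")
```

With OLD_MAP the profile has no contact_email, which is the "notifications fail" symptom from the report; with NEW_MAP the address lands in contact_email and the stable `sub` claim becomes the uid.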

Thanks a bunch, that worked perfectly! I changed my attribute map to fit the one from penguintamer and since I only had 2 users I just manually transferred seafile library ownership then deleted the existing seafile accounts and had the users log back in. https://github.com/goauthentik/authentik/issues/8243#issuecomment-1935465888

dsdole avatar Feb 09 '24 20:02 dsdole

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.