Auto-provisioning of OIDC users
Hi all,
Is there a way to automatically register users in Huly once they have logged in via OIDC?
Currently, when you try to log in via OIDC without having a Huly account first, you're returned to the login screen with no error message shown in the frontend.
Looking at the account container log, it says:
{"email":"[email protected]","level":"info","message":"Failed to auth: no associated account found","timestamp":"2025-08-12T11:50:11.963Z","type":"openid","user":{"email":"[email protected]","email_verified":true,"family_name":"User","given_name":"Test","name":"Test User","preferred_username":"[email protected]","sub":"redacted"}}
Additionally, is it possible to remove the built-in sign-in entirely, and only allow single sign-on with OIDC?
Maybe we should also have configurable ClaimBAC on workspaces so we can control who can auto-join which workspace. I don't really feel comfortable with any OIDC realm user having de facto access to all workspaces.
> Currently, when you try to log in via OIDC without having a Huly account first, you're returned to the login screen with no error message shown in the frontend.

Can't confirm this. For me (on v0.7.242), I can log in with a new OIDC user. I'm just not assigned to any workspace.
> Additionally, is it possible to remove the built-in sign-in entirely, and only allow single sign-on with OIDC?
You can add HIDE_LOCAL_LOGIN=true to the front service. It will look like this:
(I also used OPENID_DISPLAY_NAME=Mave Auth in the account container, that's why the name is changed)
I'm not able to sign in as a new user. I just get redirected back to the login page, but I don't get any error in the account container. I just get
hulyaccount | {"level":"info","message":"try auth via","provider":"openid","timestamp":"2025-09-16T19:32:30.676Z"}
and that's it.
My issue was different, but I eventually ran into the same one you did. To solve it I just had to remove the DISABLE_SIGNUP flag from the account service; that error should go away and the user should be created (though there should be an option to disable sign-up while allowing OIDC provisioning; I hope it's added at some point!).
> My issue was different, but I eventually ran into the same one you did. To solve it I just had to remove the DISABLE_SIGNUP flag from the account service; that error should go away and the user should be created (though there should be an option to disable sign-up while allowing OIDC provisioning; I hope it's added at some point!).
Your only option right now is to only let users log in via OpenID (with HIDE_LOCAL_LOGIN=true in the front container). Then, all users (and only those) with an account in your IdP can register.
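To make the account-container log lines quoted in this thread easier to act on, here is an added Python example (not part of the thread and not Huly's own code) that parses constructed log lines in the same JSON format, reports which IdP users were rejected with "no associated account found" and whether their IdP email was verified, and flags the DISABLE_SIGNUP / HIDE_LOCAL_LOGIN combinations the replies discuss. The sample lines, the handling of the `hulyaccount |` compose prefix, and the rule that DISABLE_SIGNUP counts as set unless it is empty, "false" or "0" are assumptions.

```python
import json

# Constructed sample of account-container log lines, modelled on the two
# entries quoted in the thread (emails, timestamps and sub values are made up).
SAMPLE_LOG = """\
hulyaccount | {"level":"info","message":"try auth via","provider":"openid","timestamp":"2025-09-16T19:32:30.676Z"}
hulyaccount | {"email":"alice@example.org","level":"info","message":"Failed to auth: no associated account found","timestamp":"2025-09-16T19:32:31.100Z","type":"openid","user":{"email":"alice@example.org","email_verified":true,"sub":"redacted"}}
hulyaccount | {"level":"info","message":"try auth via","provider":"openid","timestamp":"2025-09-16T19:40:02.004Z"}
hulyaccount | some non-JSON line emitted by the container
hulyaccount | {"email":"bob@example.org","level":"info","message":"Failed to auth: no associated account found","timestamp":"2025-09-16T19:40:02.300Z","type":"openid","user":{"email":"bob@example.org","email_verified":false,"sub":"redacted"}}
"""

NO_ACCOUNT = "Failed to auth: no associated account found"


def parse_account_log(lines):
    """Yield the JSON object of each log line, skipping the compose prefix and non-JSON lines."""
    for raw in lines:
        _, _, tail = raw.partition("| ")  # strip a "hulyaccount | " prefix if present (assumption)
        body = (tail or raw).strip()
        if not body.startswith("{"):
            continue
        try:
            yield json.loads(body)
        except json.JSONDecodeError:
            continue


def oidc_auth_summary(lines):
    """Count OIDC attempts and list IdP users rejected because no Huly account exists yet."""
    attempts, rejected = 0, []
    for entry in parse_account_log(lines):
        if entry.get("message") == "try auth via" and entry.get("provider") == "openid":
            attempts += 1
        elif entry.get("message") == NO_ACCOUNT and entry.get("type") == "openid":
            user = entry.get("user") or {}
            # Record whether the IdP asserted the email as verified: auto-provisioning
            # unverified addresses is the risk an admin should weigh before enabling it.
            rejected.append((entry.get("email"), bool(user.get("email_verified"))))
    return {"attempts": attempts, "rejected": rejected}


def provisioning_warnings(account_env, front_env):
    """Flag the env settings the thread identifies as blocking OIDC provisioning or leaving local login exposed."""
    warnings = []
    if account_env.get("DISABLE_SIGNUP", "").strip().lower() not in ("", "false", "0"):
        warnings.append("account: DISABLE_SIGNUP is set, so new OIDC users fail with '%s'" % NO_ACCOUNT)
    if front_env.get("HIDE_LOCAL_LOGIN", "").strip().lower() != "true":
        warnings.append("front: HIDE_LOCAL_LOGIN is not 'true', so the built-in sign-in form is still offered")
    return warnings
```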