
Unable to use Azure AD for OpenID signin

Open zacps opened this issue 2 years ago • 8 comments

Azure AD does not return the picture claim for the profile scope which results in a Zod validation error and authentication failing with HTTP 500:

chat-ui-chat-ui-1  | 21:07:21 28|index | ZodError: [
chat-ui-chat-ui-1  | 21:07:21 28|index |   {
chat-ui-chat-ui-1  | 21:07:21 28|index |     "code": "invalid_type",
chat-ui-chat-ui-1  | 21:07:21 28|index |     "expected": "string",
chat-ui-chat-ui-1  | 21:07:21 28|index |     "received": "undefined",
chat-ui-chat-ui-1  | 21:07:21 28|index |     "path": [
chat-ui-chat-ui-1  | 21:07:21 28|index |       "picture"
chat-ui-chat-ui-1  | 21:07:21 28|index |     ],
chat-ui-chat-ui-1  | 21:07:21 28|index |     "message": "Required"
chat-ui-chat-ui-1  | 21:07:21 28|index |   }
chat-ui-chat-ui-1  | 21:07:21 28|index | ]
chat-ui-chat-ui-1  | 21:07:21 28|index |     at get error [as error] (file:///app/node_modules/zod/lib/index.mjs:538:31)
chat-ui-chat-ui-1  | 21:07:21 28|index |     at ZodEffects.parse (file:///app/node_modules/zod/lib/index.mjs:638:22)
chat-ui-chat-ui-1  | 21:07:21 28|index |     at updateUser (file:///app/build/server/chunks/7-74fde01e.js:34:6)
chat-ui-chat-ui-1  | 21:07:21 28|index |     at load (file:///app/build/server/chunks/7-74fde01e.js:126:9)
chat-ui-chat-ui-1  | 21:07:21 28|index |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
chat-ui-chat-ui-1  | 21:07:21 28|index |     at async load_server_data (file:///app/build/server/index.js:1932:18)
chat-ui-chat-ui-1  | 21:07:21 28|index |     at async file:///app/build/server/index.js:3303:18 {
chat-ui-chat-ui-1  | 21:07:21 28|index |   issues: [
chat-ui-chat-ui-1  | 21:07:21 28|index |     {
chat-ui-chat-ui-1  | 21:07:21 28|index |       code: 'invalid_type',
chat-ui-chat-ui-1  | 21:07:21 28|index |       expected: 'string',
chat-ui-chat-ui-1  | 21:07:21 28|index |       received: 'undefined',
chat-ui-chat-ui-1  | 21:07:21 28|index |       path: [Array],
chat-ui-chat-ui-1  | 21:07:21 28|index |       message: 'Required'
chat-ui-chat-ui-1  | 21:07:21 28|index |     }
chat-ui-chat-ui-1  | 21:07:21 28|index |   ],
chat-ui-chat-ui-1  | 21:07:21 28|index |   addIssue: [Function (anonymous)],
chat-ui-chat-ui-1  | 21:07:21 28|index |   addIssues: [Function (anonymous)],
chat-ui-chat-ui-1  | 21:07:21 28|index |   errors: [
chat-ui-chat-ui-1  | 21:07:21 28|index |     {
chat-ui-chat-ui-1  | 21:07:21 28|index |       code: 'invalid_type',
chat-ui-chat-ui-1  | 21:07:21 28|index |       expected: 'string',
chat-ui-chat-ui-1  | 21:07:21 28|index |       received: 'undefined',
chat-ui-chat-ui-1  | 21:07:21 28|index |       path: [Array],
chat-ui-chat-ui-1  | 21:07:21 28|index |       message: 'Required'
chat-ui-chat-ui-1  | 21:07:21 28|index |     }
chat-ui-chat-ui-1  | 21:07:21 28|index |   ]
chat-ui-chat-ui-1  | 21:07:21 28|index | }

zacps avatar Dec 12 '23 21:12 zacps

Hi @zacps ,

The workaround I have used for this is to comment out a line of code in Chat UI, preventing it from grabbing the 'picture' from the profile scope -- please see my 'git diff' below for details.

--- a/src/routes/login/callback/updateUser.ts
+++ b/src/routes/login/callback/updateUser.ts
@@ -22,7 +22,7 @@ export async function updateUser(params: {
                .object({
                        preferred_username: z.string().optional(),
                        name: z.string(),
-                       picture: z.string(),
+                       //picture: z.string(),
                        sub: z.string(),
                        email: z.string().email().optional(),
                })
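Review bot: commenting out `picture: z.string()` drops the claim from the parsed object for every provider, so code that later reads `user.picture` gets `undefined` even from IdPs that do send an avatar; the schema already uses `.optional()` for `preferred_username` and `email`, so `picture: z.string().optional()` in place of the commented line fixes the ZodError for providers that omit the claim while keeping the value when present.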

ospatch avatar Dec 16 '23 19:12 ospatch
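To make the failure in the original report and the effect of the fix reproducible without a running Chat UI, here is an added example (not chat-ui's code and not ospatch's patch). It replaces the zod schema with hand-written checks so it runs stand-alone, models the shipped schema (`picture` required) next to a hardened one (`picture` optional), and feeds both a constructed claim set with no `picture`, the shape Azure AD returns for the `profile` scope. The `sub`, name and email values are placeholders; the email regex is a loose stand-in for zod's `.email()`, not the project's rule.

```typescript
// Added example (not chat-ui's code): a dependency-free stand-in for the zod
// schema in updateUser, so the failure and the fix can be run side by side.
type Claims = Record<string, unknown>;

interface UserProfile {
  sub: string;
  name: string;
  email?: string;
  preferredUsername?: string;
  picture?: string;
}

// Same information the ZodError in the report carries: code, path, expected/received.
class ClaimValidationError extends Error {
  readonly code = "invalid_type";
  readonly path: string;
  constructor(path: string, expected: string, received: string) {
    super(`invalid_type at "${path}": expected ${expected}, received ${received}`);
    this.path = path;
    Object.setPrototypeOf(this, ClaimValidationError.prototype); // keep instanceof reliable
  }
}

function requireString(claims: Claims, key: string): string {
  const value = claims[key];
  if (typeof value !== "string") {
    throw new ClaimValidationError(key, "string", typeof value); // "undefined" when the claim is absent
  }
  return value;
}

function optionalString(claims: Claims, key: string): string | undefined {
  return claims[key] === undefined ? undefined : requireString(claims, key);
}

// Loose email sanity check standing in for zod's .email() (an assumption for this example).
function optionalEmail(claims: Claims, key: string): string | undefined {
  const value = optionalString(claims, key);
  if (value !== undefined && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)) {
    throw new ClaimValidationError(key, "email", "string");
  }
  return value;
}

// Mirrors the schema as shipped: `picture` is required, so a provider that
// omits the claim (Azure AD, Authelia, Authentik in this thread) throws here,
// which is what surfaces as the HTTP 500 in the report.
function parseUserStrict(claims: Claims): UserProfile {
  return {
    preferredUsername: optionalString(claims, "preferred_username"),
    name: requireString(claims, "name"),
    picture: requireString(claims, "picture"),
    sub: requireString(claims, "sub"),
    email: optionalEmail(claims, "email"),
  };
}

// Hardened form: `picture` is optional, the way the schema already treats
// preferred_username and email. A missing avatar is a display detail, not a
// reason to fail authentication; `sub` and `name` stay mandatory.
function parseUserLenient(claims: Claims): UserProfile {
  return {
    preferredUsername: optionalString(claims, "preferred_username"),
    name: requireString(claims, "name"),
    picture: optionalString(claims, "picture"),
    sub: requireString(claims, "sub"),
    email: optionalEmail(claims, "email"),
  };
}

// Constructed sample: a claim set with no `picture`, as Azure AD returns for
// the `profile` scope. Values are placeholders, not real identifiers.
const SAMPLE_CLAIMS_NO_PICTURE: Claims = {
  sub: "00000000-0000-0000-0000-000000000000",
  name: "Example User",
  preferred_username: "user@example.com",
  email: "user@example.com",
};

// Returns the path of the claim that failed validation, or null on success.
function failingClaimPath(parse: (c: Claims) => UserProfile, claims: Claims): string | null {
  try {
    parse(claims);
    return null;
  } catch (err) {
    if (err instanceof ClaimValidationError) return err.path;
    throw err;
  }
}

// Stand-alone run: strict reproduces the report, lenient lets the sign-in complete.
console.log("strict :", failingClaimPath(parseUserStrict, SAMPLE_CLAIMS_NO_PICTURE)); // "picture"
console.log("lenient:", failingClaimPath(parseUserLenient, SAMPLE_CLAIMS_NO_PICTURE)); // null
```

The strict parser fails on exactly the `picture` path the stack trace shows, while the lenient one still rejects a malformed `email` or a missing `sub`, so loosening one cosmetic claim does not weaken the checks that actually identify the user.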

Authelia and Authentik produce the same problem.

@ospatch's solution helps there, too.

secondtruth avatar Dec 16 '23 19:12 secondtruth

Huh... same problem with Google auth as well.

gururise avatar Dec 23 '23 02:12 gururise

I've managed to set up Azure for managed audience (internal for a company). May I see your OPENID_CONFIG (obviously with secrets redacted)? I suspect the mistake is in the endpoint.

flexchar avatar Jan 10 '24 16:01 flexchar

@flexchar - not sure if you're asking the OP, but I'm happy to share what mine looks like:

OPENID_CONFIG={ "PROVIDER_URL": "https://<realm_path>", "CLIENT_ID": "<client_name>", "CLIENT_SECRET": "<client_secret>", "SCOPES": "openid email profile" }

ospatch avatar Jan 10 '24 18:01 ospatch

You have issues, Patrick? And can you share full provider URL?


flexchar avatar Jan 11 '24 07:01 flexchar

@flexchar I had the same issue as zacps but fixed with the changes I shared. My solution currently works today. Cannot share the full provider URL as it's a self-hosted Auth solution.

ospatch avatar Jan 11 '24 20:01 ospatch

Ahh, okay. That's nice! I was under the impression there was still an error, and since I got it working, I wanted to help out!

flexchar avatar Jan 12 '24 12:01 flexchar