
Microsoft 365 SSO

Open boscorelly opened this issue 8 months ago • 18 comments

Hi,

Is it possible to connect it to Azure/Entra SSO?

boscorelly avatar Apr 09 '25 10:04 boscorelly

Looking at the documentation:

{
  "authorization_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt"
  ],
  "jwks_uri": "https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys",
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "subject_types_supported": [
      "pairwise"
  ],
  ...
}

you should be able to configure it as something like this

AUTH_PROVIDERS=AZURE
AUTH_AZURE_CLIENT_ID=your-azure-client-id
AUTH_AZURE_CLIENT_SECRET=your-azure-client-secret
AUTH_AZURE_CLIENT_SCOPE=openid profile email
AUTH_AZURE_ISSUER=https://login.microsoftonline.com/YOUR_TENANT_ID/v2.0

let me know if you managed

urania-dev avatar Apr 09 '25 10:04 urania-dev

I set this:

AUTH_PROVIDERS: AZURE
AUTH_AZURE_CLIENT_ID: "xxxx2d7b-b4c4-xxxx-a3c0-xxxx3a05c68"
AUTH_AZURE_CLIENT_SECRET: "secret"
AUTH_AZURE_CLIENT_SCOPE: "openid"
AUTH_AZURE_ISSUER: "https://login.microsoftonline.com/xxxx2d7b-b4c4-xxxx-a3c0-xxxx3a05c68/v2.0"

I disabled user registration; when logging in, it says that registration is disabled. I have to enable registration and receive a link by mail. It's not logical behavior.

boscorelly avatar Apr 18 '25 08:04 boscorelly

The root role disappeared after enabling SSO too. I can't set the root role anymore.

boscorelly avatar Apr 18 '25 09:04 boscorelly

Did you use the same mail for admin and social login?

urania-dev avatar Apr 18 '25 12:04 urania-dev

I used another account without permissions to log in. The admin account is not connected by SSO.

Before implementing SSO, I was able to set a user as root.

And of course, removing it doesn't change anything...

boscorelly avatar Apr 18 '25 12:04 boscorelly

But SSO should not remove the existing root; by default, that should never happen. Can you share a censored screenshot of your DB to help me understand? :)

urania-dev avatar Apr 18 '25 13:04 urania-dev

Hi,

What data do you want from the DB?

boscorelly avatar Apr 28 '25 07:04 boscorelly

User list with role

urania-dev avatar Apr 28 '25 08:04 urania-dev

Image

boscorelly avatar Apr 28 '25 09:04 boscorelly

Image

boscorelly avatar Apr 28 '25 09:04 boscorelly

Ah, please wait: the problem is that you cannot assign another root in the app?

That's intended. It is something that you can do as the database owner by manually changing the role to admin or root in the DB, but the app will never allow it, to avoid problems with users resetting roots and similar.

It's a dangerous operation, so only the first user can be set as root by the app. Other than that, the app can assign adminship but not change the root.

urania-dev avatar Apr 28 '25 10:04 urania-dev

I was able to add another root before removing the second root I had added previously...

But OK, if it's the intended configuration, there is no problem :D

boscorelly avatar Apr 28 '25 13:04 boscorelly

Anyway, I have another request: be able to log in with SSO, even the first time, when the user doesn't exist, without having to enable user registration.

boscorelly avatar Apr 28 '25 13:04 boscorelly

The app spins up with the admin user creation, to be fair. I should test how to combine the two identities.

urania-dev avatar Apr 28 '25 13:04 urania-dev

I can manage it on my side, but for a wider organization it can be complicated: enable registration, let the user follow the complete registration process (which is also nonsense when logging in with SSO), then disable registration.

boscorelly avatar Apr 28 '25 14:04 boscorelly

OIDC is a legacy of a pull request. The implicit signup during the login phase is not useless: it allows restricting access while still offering social sign-on.

Wouldn't it make sense to use the whitelist for emails to allow only a certain target group of users to sign up, and leave it open for them?

urania-dev avatar Apr 29 '25 08:04 urania-dev

Hi,

I used the domain whitelist, but I was able to register with another domain...

boscorelly avatar May 04 '25 13:05 boscorelly
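Two points in the thread lend themselves to a worked check: the issuer configuration sketched earlier (the `AUTH_AZURE_ISSUER` value and the discovery metadata it points to) and the email-domain whitelist that turned out to be bypassable. The following is an added example, not snapp's own code; the function names, the placeholder tenant id and the sample metadata are constructed for illustration.

```python
# Added example (not snapp's code): validate OIDC issuer metadata for an
# Entra tenant and apply an email-domain whitelist strictly.
from urllib.parse import urlparse

REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def discovery_url(issuer: str) -> str:
    """Where an OIDC client fetches metadata for the configured issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery(doc: dict, configured_issuer: str) -> list[str]:
    """Return a list of problems; an empty list means the metadata is usable."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in doc:
            problems.append(f"missing {key}")
    # The metadata issuer must equal the configured one exactly: ID tokens are
    # later accepted only if their `iss` claim matches this value.
    if doc.get("issuer") != configured_issuer.rstrip("/"):
        problems.append("issuer mismatch")
    for key in REQUIRED_KEYS[1:]:
        url = doc.get(key, "")
        if urlparse(url).scheme != "https":
            problems.append(f"{key} is not https")
    return problems

def email_domain_allowed(email: str, allowed_domains: set[str]) -> bool:
    """Strict whitelist: exact, case-insensitive match on the part after the
    single '@'; anything that does not look like one plain address is rejected."""
    email = email.strip()
    if email.count("@") != 1:
        return False            # "a@b@c" or no '@' at all
    local, domain = email.split("@")
    if not local or not domain or any(c.isspace() for c in email):
        return False
    domain = domain.lower().rstrip(".")
    # Exact match only: sub.example.com is not example.com, and
    # example.com.other.test is a different domain entirely.
    return domain in {d.lower() for d in allowed_domains}

# Constructed sample metadata, mirroring the shape quoted in the thread.
TENANT = "00000000-0000-0000-0000-000000000000"   # placeholder tenant id
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
SAMPLE_DOC = {
    "issuer": ISSUER,
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
}
assert check_discovery(SAMPLE_DOC, ISSUER) == [], "sample metadata should validate"
```

Fetching the real metadata from `discovery_url(ISSUER)` and running `check_discovery` on it is a quick way to confirm the configured issuer before enabling the provider.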

I'll check into this.

urania-dev avatar May 04 '25 13:05 urania-dev

This should be fixed in 0.9-rc-019.

urania-dev avatar Jun 01 '25 17:06 urania-dev