Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't delete oauth users or set them to admin #259

Open
joestump opened this issue Apr 29, 2024 · 7 comments
Open

Can't delete oauth users or set them to admin #259

joestump opened this issue Apr 29, 2024 · 7 comments

Comments

@joestump
Copy link

Ironically, I can delete myself as the admin. 馃槃

When I log in as the main admin (as defined in config.yml), I am unable to upgrade privileges to users who've logged in via Authentik. The toggle is missing from the edit screen.

image

I suspect it's just a component being gated? I looked at the code and there's a whole form with data being loaded, but I only see that when the user was created via DB.
@joestump
Copy link
Author

joestump commented Apr 29, 2024
edited

If you point me in the right direction, I'll take a look at submitting a PR.

@bonddim
Copy link
Contributor

bonddim commented Apr 29, 2024

Suppose, there is no toggle because user is synced from external provider, in your case Authentik.
Try to use is_admin property in oauth/oidc config.
But there is also bug - once user is created, permissions aren't updated on next login sync.

@joestump
Copy link
Author

joestump commented Apr 29, 2024
edited

@bonddim I gave that a shot, but it's not working (I'm deleting the user in between sign ins; should be fresh is_admin on each login).

auth:
  callback_url_prefix: https://<my-url>/api/v0
  oidc:
    - id: authentik
      provider_name: authentik
      display_name: Login with Authentik
      base_url: https://<my-authentik-url>/application/o/wireguard-portal/
      client_id: my-client-id
      client_secret: my-super-secret-client-secret
      extra_scopes:
        - profile
        - email
        - is_admin
      field_map:
        email: email
        user_identifier: email
      registration_enabled: true

I then have a Property Mapping with the scope is_admin in my Authentik:

return str(ak_is_group_member(request.user, name="Administrators")).lower()

Here's the test output:

image

Not quite sure where I went wrong. For now I'll manually update in the DB.

@joestump
Copy link
Author

Gave it a shot with oauth and it leads to a 404 when I click the login button: https://<my-wgportal-url>/api/v0/api/v0/authentik-oauth/init. When I correct the double URI issue, it still 404s.

@bonddim
Copy link
Contributor

bonddim commented Apr 30, 2024

@joestump ,
try to add is_admin: "true" into field_map

@joestump
Copy link
Author

@bonddim if I'm following the code correctly, that would result in true being used for the field mapping? getOauthFieldMapping would set true as the key for looking up in ParseUserInfo? Authentik doesn't appear to set admin_flag by default and my extra scopes hack didn't work either.

@bonddim
Copy link
Contributor

bonddim commented Apr 30, 2024
edited

@joestump,
Correct, wg-portal expects value parsable to boolean to set admin permissions.

By providing is_admin: in field_map you set to which property in token scope to look for admin role.
If your authentick adds extra scope is_admin: true, it should work with

....
field_map:
  is_admin: is_admin
  ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joestump @bonddim