Closed nodomain closed 7 months ago
Hum, are roles part of Identity or Authorization? Made the supposition it was the latter; will check if there is a consensus.
The mentioned fix from #25 did not fix my issue yet.
This is the access token coming from EntraID.
[2024-02-12 22:03:19.462][vaultwarden::sso][DEBUG] Token access_token: {
"acct": 0,
"acr": "1",
"acrs": [
"urn:user:registersecurityinfo",
"c20",
"c21",
"c22"
],
"aio": "[Anonymized]",
"amr": [
"pwd",
"mfa"
],
"app_displayname": "[Anonymized] DEV",
"appid": "[Anonymized]",
"appidacr": "1",
"aud": "[Anonymized]",
"deviceid": "[Anonymized]",
"exp": 1707780665,
"family_name": "[Anonymized]",
"given_name": "[Anonymized]",
"iat": 1707775099,
"idtyp": "user",
"ipaddr": "[Anonymized]",
"iss": "[Anonymized]",
"name": "[Anonymized]",
"nbf": 1707775099,
"oid": "[Anonymized]",
"onprem_sid": "[Anonymized]",
"platf": "5",
"puid": "[Anonymized]",
"rh": "[Anonymized]",
"scp": "email openid profile",
"signin_state": [
"dvc_mngd",
"dvc_cmp",
"kmsi"
],
"sub": "[Anonymized]",
"tenant_region_scope": "EU",
"tid": "[Anonymized]",
"unique_name": "[Anonymized]",
"upn": "[Anonymized]",
"uti": "[Anonymized]",
"ver": "1.0",
"wids": [
"[Anonymized]",
"[Anonymized]"
],
"xms_st": {
"sub": "[Anonymized]"
},
"xms_tcdt": 1391171320,
"xms_tdbr": "EU"
}
Hey,
Made the change to read the roles and groups in the ID token only in today's version 1.30.2-4 (still building).
When deploying this tag, coming from 1.30.2-3:
[2024-02-15 21:18:35.435][panic][ERROR] thread 'main' panicked at 'Error running migrations: QueryError(DieselMigrationName { name: "2024-02-14-170000_add_state_to_sso_nonce", version: MigrationVersion("20240214170000") }, DatabaseError(Unknown, "Unknown table 'vaultwarden.sso_nonce'"))': src/db/mod.rs:473
... and the service is not becoming stable due to this.
Fixed the mysql/mariadb migration in 1.30.2-5; should be ready in ~1h.
I can confirm it works now with these settings:
"logged with admin cookie"
SSO_ROLES_ENABLED=true
## Missing/Invalid roles default to user
SSO_ROLES_DEFAULT_TO_USER=true
## Access token path to read roles
SSO_ROLES_TOKEN_PATH=/roles
Thank you very much. Keep up the great work!
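As an added illustration of what the SSO_ROLES_* settings above do (my own example, not Vaultwarden's code): the claim sets are constructed, the role names "admin"/"user" and the path syntax are assumptions, and signature validation of the tokens is assumed to have happened upstream.

```python
# Constructed claim sets, not real tokens. The access token mirrors the shape
# logged in this issue (no "roles" claim); the ID token is where Entra places
# app roles when they are configured on the app registration.
ACCESS_TOKEN_CLAIMS = {
    "aud": "[constructed]",
    "scp": "email openid profile",
    "upn": "alice@example.test",
}
ID_TOKEN_CLAIMS = {
    "aud": "[constructed]",
    "upn": "alice@example.test",
    "roles": ["admin"],
}

# Assumed role vocabulary for this example; the real mapping is the project's.
KNOWN_ROLES = ("admin", "user")


def read_claim(claims, token_path):
    """Resolve a slash-separated path such as '/roles' or
    '/resource_access/app/roles' against a decoded claim set."""
    node = claims
    for part in token_path.strip("/").split("/"):
        if not part:
            continue
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def resolve_role(claims, token_path="/roles", default_to_user=True):
    """Return (role, reason), modelling SSO_ROLES_TOKEN_PATH and
    SSO_ROLES_DEFAULT_TO_USER: a missing or unknown role falls back to
    'user' only when default_to_user is set, otherwise login is refused."""
    value = read_claim(claims, token_path)
    if isinstance(value, str):
        roles = [value]
    elif isinstance(value, list):
        roles = [r for r in value if isinstance(r, str)]
    else:
        roles = []
    # The most privileged known role wins; unknown roles are ignored.
    for candidate in KNOWN_ROLES:
        if candidate in roles:
            return candidate, "claim"
    if default_to_user:
        return "user", "default"
    return None, "missing"
```

Reading the logged access token yields no roles and falls back to "user", which is exactly the "no roles found" symptom; reading the ID token at the same path yields "admin".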
Subject of the issue
If I configure roles for my AAD Entra app, the roles are mapped only in the ID token but not in the access token. Hence the debug log says that there are no roles found.
Deployment environment
Install method: ECS
Clients used: Web, iOS
Reverse proxy and version: AWS ALB
MySQL/MariaDB or PostgreSQL version: RDS Aurora
Other relevant details:
Steps to reproduce
Log in and check the logs.
Expected behaviour
The roles are read from the ID token.
Actual behaviour
Vaultwarden tries to read the roles from the access token.
Troubleshooting data