dominik-th / matomo-plugin-LoginOIDC

external authentication services for matomo
https://plugins.matomo.org/LoginOIDC/
GNU General Public License v3.0
40 stars 29 forks

Clarify how to create users on first sign-on in docs #28

Open audunsolemdal opened 3 years ago

audunsolemdal commented 3 years ago

My understanding is that this should be possible with Azure AD from here:

https://github.com/dominik-th/matomo-plugin-LoginOIDC/pull/8

But I'm a bit confused as to how to configure this. I managed to link AAD auth for existing Matomo users with the following settings:

Authorize URL: https://login.microsoftonline.com/{tenant_id}/oauth2/authorize
Token URL: https://login.microsoftonline.com/{tenant_id}/oauth2/token
Userinfo URL: https://login.microsoftonline.com/{tenant_id}/openid/userinfo
Userinfo ID: sub
OAuth Scopes: openid

Do I also need to set OAuth scopes to "openid email"?

My redirect config is the following:

Redirect URI override: https://mymatmominstance.com/oidc/callback

Ingress manifest (Kubernetes ingress):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /index.php?module=LoginOIDC&action=callback&provider=oidc
  labels:
    app.kubernetes.io/instance: matomo
    app.kubernetes.io/name: matomo
  name: matomo2
  namespace: prod
spec:
  rules:
  - host: mymatmominstance.com
    http:
      paths:
      - backend:
          serviceName: matomo
          servicePort: http
        path: /oidc/callback  

I also have another ingress for regular / path matching up

If I remove the redirect URI, the AAD login redirects me to

/index.php?module=LoginOIDC&action=callback&provider=oidc&code=... and I get "Unexpected response from OAuth service".

If the redirect URI is set, I get redirected to /oidc/callback?code= and the response is: "Not Found. The requested URL was not found on this server."

audunsolemdal commented 3 years ago

Spent a morning playing around with this.

Seems to work now, but the existing docs definitely do not work for this use case.

Auth URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Userinfo URL: https://graph.microsoft.com/oidc/userinfo
OAuth scopes: openid email
Userinfo ID: sub

Is there a simple way to grant sign-in & regular user permission by default?
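The settings posted in this comment describe a standard OpenID Connect authorization-code flow: the plugin sends the browser to the authorize URL, receives a code at the redirect URI, redeems it at the token URL, reads the userinfo endpoint and uses the claim named by "Userinfo ID" (here `sub`) to find the Matomo account linked to that subject. The following is an added example, not code from the LoginOIDC plugin or from this thread, that models that flow offline. It assumes a stand-in identity provider (`FakeProvider`), a constructed link table (`LINKED_USERS`), placeholder tenant and client ids, and the plugin's observed behaviour that a subject with no linked account is rejected rather than created; the real plugin's internal names and error handling may differ.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder tenant and client ids (constructed, not real values).
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Plugin settings as reported in the thread; the redirect URI matches the
# "Redirect URI override" from the first comment.
SETTINGS = {
    "authorize_url": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_url": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "userinfo_url": "https://graph.microsoft.com/oidc/userinfo",
    "userinfo_id": "sub",
    "scopes": "openid email",
    "client_id": "example-client-id",
    "redirect_uri": "https://mymatmominstance.com/oidc/callback",
}

# Constructed link table: provider subject -> Matomo login. Only subjects
# listed here can sign in; nothing is created on first sign-on.
LINKED_USERS = {"sub-1234": "alice"}


class FakeProvider:
    """Stand-in for the identity provider so the flow runs offline.
    Each authorization code can be redeemed exactly once."""

    def __init__(self, claims=None):
        self.codes = {"code-abc": claims or {"sub": "sub-1234", "email": "alice@example.com"}}
        self.tokens = {}

    def token(self, token_url, code, redirect_uri):
        claims = self.codes.pop(code, None)  # single use: a replayed code fails
        if claims is None or not token_url.endswith("/oauth2/v2.0/token"):
            return {"error": "invalid_grant"}
        access_token = "tok-" + secrets.token_hex(8)
        self.tokens[access_token] = claims
        return {"access_token": access_token, "token_type": "Bearer"}

    def userinfo(self, userinfo_url, access_token):
        return dict(self.tokens.get(access_token, {}))


def build_authorize_url(settings, session):
    """Step 1: store a fresh random state in the session and build the
    redirect to the provider's authorize endpoint."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    params = {
        "client_id": settings["client_id"],
        "response_type": "code",
        "redirect_uri": settings["redirect_uri"],
        "scope": settings["scopes"],
        "state": state,
    }
    return settings["authorize_url"] + "?" + urlencode(params)


def handle_callback(settings, session, callback_url, provider):
    """Step 2: on /oidc/callback?code=...&state=..., verify the state, redeem
    the code, fetch userinfo and map the configured claim to a Matomo login.
    Returns (login, error) with exactly one of the two set."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    expected = session.pop("oidc_state", None)  # one state per login attempt
    if not state or not expected or not secrets.compare_digest(state, expected):
        return None, "state mismatch"
    if not code:
        return None, "missing code"
    token = provider.token(settings["token_url"], code, settings["redirect_uri"])
    if "access_token" not in token:
        return None, "Unexpected response from OAuth service"
    claims = provider.userinfo(settings["userinfo_url"], token["access_token"])
    subject = claims.get(settings["userinfo_id"])
    if subject is None:
        return None, f"claim {settings['userinfo_id']!r} missing from userinfo"
    login = LINKED_USERS.get(subject)
    if login is None:
        return None, "no Matomo user linked to this subject"
    return login, None


def simulate(provider=None, tamper_state=False):
    """Drive both steps end to end against the fake provider."""
    provider = provider or FakeProvider()
    session = {}
    auth_url = build_authorize_url(SETTINGS, session)
    state = parse_qs(urlparse(auth_url).query)["state"][0]
    if tamper_state:
        state = "forged-state"  # a callback whose state is not the session's is rejected
    callback = SETTINGS["redirect_uri"] + "?" + urlencode({"code": "code-abc", "state": state})
    return handle_callback(SETTINGS, session, callback, provider)


def replay_demo():
    """Redeem the same code twice against one provider: the second attempt
    fails at the token endpoint, which is the kind of failure the plugin
    surfaces as "Unexpected response from OAuth service"."""
    provider = FakeProvider()
    return simulate(provider), simulate(provider)
```

Running `simulate()` returns `("alice", None)`; a mismatched `state`, a replayed code, a userinfo response without the configured claim, or a subject with no linked account each return `(None, <reason>)` instead of a login. The `state` check and the single-use code are the two properties to verify when debugging a callback that lands on the wrong URL, since a callback that reaches the plugin with a stale session or an already-redeemed code produces the same generic error the first comment reports.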

dominik-th commented 3 years ago

Granting default permissions for new users is tracked in #17, right now it is not possible.

Thanks for the update on Azure, do I understand correctly that the Redirect URI Override workaround is no longer necessary?

audunsolemdal commented 3 years ago

Actually, I think it is still necessary. My app registration reply URL was long ago set to https://mymatomo.com/*, which is no longer possible to create on new objects. Lucky me, I guess.