Can't delete oauth users or set them to admin

[joestump]

Ironically, I can delete myself as the admin. 😄

When I log in as the main admin (as defined in config.yml), I am unable to upgrade privileges to users who've logged in via Authentik. The toggle is missing from the edit screen.

I suspect it's just a component being gated? I looked at the code and there's a whole form with data being loaded, but I only see that when the user was created via DB.

[joestump]

If you point me in the right direction, I'll take a look at submitting a PR.

[bonddim]

Suppose, there is no toggle because user is synced from external provider, in your case Authentik. Try to use is_admin property in oauth/oidc config. But there is also bug - once user is created, permissions aren't updated on next login sync.

[joestump]

@bonddim I gave that a shot, but it's not working (I'm deleting the user in between sign ins; should be fresh is_admin on each login).

auth:
  callback_url_prefix: https://<my-url>/api/v0
  oidc:
    - id: authentik
      provider_name: authentik
      display_name: Login with Authentik
      base_url: https://<my-authentik-url>/application/o/wireguard-portal/
      client_id: my-client-id
      client_secret: my-super-secret-client-secret
      extra_scopes:
        - profile
        - email
        - is_admin
      field_map:
        email: email
        user_identifier: email
      registration_enabled: true

I then have a Property Mapping with the scope is_admin in my Authentik:

return str(ak_is_group_member(request.user, name="Administrators")).lower()

Here's the test output:

Not quite sure where I went wrong. For now I'll manually update in the DB.

[joestump]

Gave it a shot with oauth and it leads to a 404 when I click the login button: https://<my-wgportal-url>/api/v0/api/v0/authentik-oauth/init. When I correct the double URI issue, it still 404s.

[bonddim]

@joestump , try to add is_admin: "true" into field_map

[joestump]

@bonddim if I'm following the code correctly, that would result in true being used for the field mapping? getOauthFieldMapping would set true as the key for looking up in ParseUserInfo? Authentik doesn't appear to set admin_flag by default and my extra scopes hack didn't work either.

[bonddim]

@joestump, Correct, wg-portal expects value parsable to boolean to set admin permissions.

By providing is_admin: in field_map you set to which property in token scope to look for admin role. If your authentick adds extra scope is_admin: true, it should work with

....
field_map:
  is_admin: is_admin
  ...

[h44z]

@joestump did you manage to get it working?