Open joestump opened 2 months ago
If you point me in the right direction, I'll take a look at submitting a PR.
I suppose there is no toggle because the user is synced from an external provider, in your case Authentik.
Try to use the `is_admin` property in the oauth/oidc config.
But there is also a bug: once a user is created, permissions aren't updated on the next login sync.
@bonddim I gave that a shot, but it's not working (I'm deleting the user in between sign-ins; it should be a fresh `is_admin` on each login).
```yaml
auth:
  callback_url_prefix: https://<my-url>/api/v0
  oidc:
    - id: authentik
      provider_name: authentik
      display_name: Login with Authentik
      base_url: https://<my-authentik-url>/application/o/wireguard-portal/
      client_id: my-client-id
      client_secret: my-super-secret-client-secret
      extra_scopes:
        - profile
        - email
        - is_admin
      field_map:
        email: email
        user_identifier: email
      registration_enabled: true
```
I then have a Property Mapping with the scope `is_admin` in my Authentik:

```python
return str(ak_is_group_member(request.user, name="Administrators")).lower()
```
Here's the test output:
Not quite sure where I went wrong. For now I'll manually update in the DB.
Gave it a shot with `oauth` and it leads to a 404 when I click the login button: https://<my-wgportal-url>/api/v0/api/v0/authentik-oauth/init. When I correct the double URI issue, it still 404s.
@joestump, try to add `is_admin: "true"` into `field_map`.
@bonddim if I'm following the code correctly, that would result in `true` being used for the field mapping? `getOauthFieldMapping` would set `true` as the key for looking up in `ParseUserInfo`? Authentik doesn't appear to set `admin_flag` by default, and my extra scopes hack didn't work either.
@joestump, correct, wg-portal expects a value parsable to boolean to set admin permissions.
By providing `is_admin:` in `field_map` you set which property in the token scope to look in for the admin role.
If your Authentik adds the extra scope `is_admin: true`, it should work with

```yaml
....
field_map:
  is_admin: is_admin
...
```
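To make the direction of the `field_map` lookup concrete, here is an added illustrative model of the admin resolution described in this thread. It is not wg-portal's code and does not use its real function names; it assumes (my assumption) that the `is_admin` entry in `field_map` names the claim in the provider's userinfo whose value is then parsed as a boolean, and that a missing claim means "not admin". The userinfo documents are constructed to match what the Authentik property mapping `str(ak_is_group_member(...)).lower()` on scope `is_admin` would produce.

```python
"""Illustrative model of OIDC field_map admin resolution (not wg-portal's code).

Assumption (mine, not from the thread): field_map["is_admin"] names the claim
in the provider's userinfo whose value is parsed as a boolean; a missing claim
means "not admin"; an unparsable value is a misconfiguration and raises.
"""
from typing import Any, Mapping

# Constructed userinfo documents: what Authentik would return with the
# property mapping on scope `is_admin` for a member and a non-member of
# the "Administrators" group. The claim value is the *string* "true"/"false".
USERINFO_ADMIN = {"email": "alice@example.org", "is_admin": "true"}
USERINFO_PLAIN = {"email": "bob@example.org", "is_admin": "false"}

# The two field_map variants discussed above.
FIELD_MAP_WRONG = {"email": "email", "user_identifier": "email", "is_admin": "true"}
FIELD_MAP_RIGHT = {"email": "email", "user_identifier": "email", "is_admin": "is_admin"}


def parse_bool(value: Any) -> bool:
    """Accept a real bool, int 0/1, or common string spellings; reject the rest."""
    if isinstance(value, bool):
        return value
    if isinstance(value, int):
        if value in (0, 1):
            return value == 1
        raise ValueError(f"not a boolean: {value!r}")
    if isinstance(value, str):
        v = value.strip().lower()
        if v in ("true", "1", "yes"):
            return True
        if v in ("false", "0", "no", ""):
            return False
    raise ValueError(f"not a boolean: {value!r}")


def resolve_admin(field_map: Mapping[str, str], userinfo: Mapping[str, Any]) -> bool:
    """Return the admin flag for a user, using field_map to pick the claim.

    field_map["is_admin"] is the *name of the claim* to read, not a literal
    value. Setting it to "true" therefore looks for a claim called "true",
    which Authentik never sends, so the user is never promoted.
    """
    claim_name = field_map.get("is_admin")
    if not claim_name:
        return False  # no mapping configured: admin must be set another way
    if claim_name not in userinfo:
        return False  # mapped claim absent from the token: fail closed
    return parse_bool(userinfo[claim_name])


def demo() -> dict:
    """Run the three cases from the thread and return the resolved flags."""
    return {
        "field_map is_admin='true', admin user": resolve_admin(FIELD_MAP_WRONG, USERINFO_ADMIN),
        "field_map is_admin='is_admin', admin user": resolve_admin(FIELD_MAP_RIGHT, USERINFO_ADMIN),
        "field_map is_admin='is_admin', plain user": resolve_admin(FIELD_MAP_RIGHT, USERINFO_PLAIN),
    }


if __name__ == "__main__":
    for case, flag in demo().items():
        print(f"{case}: {flag}")
```

The first case is the configuration suggested mid-thread: because the mapping value is used as a key into the userinfo, `is_admin: "true"` never matches and the flag stays false. The second and third cases show the corrected `is_admin: is_admin` mapping following the claim's string value, which is why the Authentik mapping must emit something that parses as a boolean.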
@joestump did you manage to get it working?
Ironically, I can delete myself as the admin. 😄
When I log in as the main admin (as defined in `config.yml`), I am unable to upgrade privileges for users who've logged in via Authentik. The toggle is missing from the edit screen. I suspect it's just a component being gated? I looked at the code and there's a whole form with data being loaded, but I only see that when the user was created via the DB.