henrygd / beszel

Lightweight server monitoring hub with historical data, docker stats, and alerts.
MIT License

Failed create rule constraint: Only admins can create new accounts with OAuth2 #291

Closed Buco7854 closed 3 days ago

Buco7854 commented 4 days ago

Hello, I set up OIDC with Authentik. When I try to log in with OIDC for the first time (did not try with an already existing user) I get the following log.

{
  "id": "rfkjzux469uhxje",
  "created": "2024-11-19 10:09:16.665Z",
  "updated": "2024-11-19 10:09:16.665Z",
  "data": {
    "auth": "guest",
    "details": "Failed create rule constraint: Only admins can create new accounts with OAuth2",
    "error": "Failed to authenticate.",
    "execTime": 709.867505,
    "method": "POST",
    "referer": "https://beszel.example.com/settings/general",
    "remoteIp": "192.168.1.61",
    "status": 400,
    "type": "request",
    "url": "/api/collections/users/auth-with-oauth2",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0",
    "userIp": "77.236.98.186"
  },
  "message": "POST /api/collections/users/auth-with-oauth2",
  "level": 8
}

henrygd commented 4 days ago

By default it does not allow automatic registration. The users have to be created ahead of time either by REST API or manually adding them through PocketBase.

I will add an env var in the future to allow automatic registration via OAuth2.

If you need to do this now, toggle off this switch on /_/#/settings

Then edit the users collection:

In "API Rules" change the "Create rule" to @request.context = "oauth2"

Then go back to /_/#/settings and toggle the switch back on.
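
An added example, not part of the original thread or of the Beszel or PocketBase code: a small Python triage script that picks out log records like the one above, where an OAuth2 sign-in was refused by the users create rule, and counts them per `userIp`. It assumes the logs have been exported as one JSON object per line; the sample records and function names are constructed for illustration.

```python
import json
from collections import Counter

OAUTH2_PATH = "/api/collections/users/auth-with-oauth2"
RULE_MARKER = "Failed create rule constraint"

# Constructed sample input: one JSON record per line, using the field names
# from the log entry in the issue. IPs are documentation addresses.
SAMPLE = """\
{"data": {"method": "POST", "status": 400, "url": "/api/collections/users/auth-with-oauth2", "details": "Failed create rule constraint: Only admins can create new accounts with OAuth2", "userIp": "203.0.113.10"}}
{"data": {"method": "POST", "status": 200, "url": "/api/collections/users/auth-with-oauth2", "userIp": "203.0.113.20"}}
{"data": {"method": "POST", "status": 400, "url": "/api/collections/users/auth-with-password", "details": "", "userIp": "203.0.113.10"}}
{"data": {"method": "POST", "status": 400, "url": "/api/collections/users/auth-with-oauth2", "details": "Failed create rule constraint: Only admins can create new accounts with OAuth2", "userIp": "203.0.113.10"}}
this line is truncated {"data":
{"data": {"method": "POST", "status": 400, "url": "/api/collections/users/auth-with-oauth2", "details": "Failed create rule constraint: Only admins can create new accounts with OAuth2", "userIp": "198.51.100.7"}}
"""

def load_records(text):
    """Parse one JSON object per line; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            records.append(obj)
    return records

def is_blocked_registration(record):
    """True when an OAuth2 login was refused by the users collection create rule."""
    data = record.get("data")
    if not isinstance(data, dict):
        return False
    path = str(data.get("url", "")).split("?", 1)[0]  # ignore any query string
    return (data.get("method") == "POST" and path == OAUTH2_PATH
            and data.get("status") == 400
            and RULE_MARKER in str(data.get("details", "")))

def blocked_by_ip(records):
    """Count refused OAuth2 self-registrations per client IP (userIp field)."""
    return Counter(r["data"].get("userIp", "unknown")
                   for r in records if is_blocked_registration(r))

if __name__ == "__main__":
    for ip, n in blocked_by_ip(load_records(SAMPLE)).most_common():
        print(f"{ip}\t{n} refused OAuth2 registration(s)")
```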

Buco7854 commented 4 days ago

Thanks a lot. Will there be a way to auto-provision roles based on OIDC claims?

henrygd commented 3 days ago

I'll look into it. For now every new registration should get the user role. If you need to set someone to admin or readonly, you can do so in the PocketBase users table.

Note that PocketBase admin accounts are separate from Beszel user accounts, so if you want someone to be able to log into PocketBase, you need to create an admin account for them at /_/#/settings/admins.

Buco7854 commented 3 days ago

> I'll look into it. For now every new registration should get the user role. If you need to set someone to admin or readonly, you can do so in the PocketBase users table.
>
> Note that PocketBase admin accounts are separate from Beszel user accounts, so if you want someone to be able to log into PocketBase, you need to create an admin account for them at /_/#/settings/admins.

Yes, I did that, thanks, just wanted to know if it was planned. PocketBase does not support OIDC enrollment for admin sadly, but it's fine.

Thanks for your time 😁.