nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

OAuth Configuration #4440

Open hitenmandalia opened 3 weeks ago

hitenmandalia commented 3 weeks ago

Hi All,

Getting to the end of my tether here, so really hoping someone can help or point out what I am doing wrong?

Trying to get oauth working with teampass, and have been trying for ages but just cannot get it to work. Tried following instructions down to the letter as written here (https://documentation.teampass.net/#/features/authentication?id=oauth2-with-microsoft-entra-azure) but see the same issue.

Please can someone help? The user has permissions to access the app in Azure.

Pasting my Azure / Teampass setup screenshots below:

[four screenshots of the Azure / TeamPass setup, not captured]

This is all I see, every time I try to log in with an Azure account:

[screenshot of the login error, not captured]

I am using the latest code base.

One thing I'm a little lost on from the instructions is the last permission as circled here. Can anyone share how to get that last permission, as I cannot see anywhere where I can add it:

[screenshot of the circled permission, not captured]

jhumphries commented 2 weeks ago

Been trying to figure this out as well, which appears to be the same problem as issues #4317 and #4315 as well.

The core of the problem from what I can see is here:

https://github.com/nilsteampassnet/TeamPass/blob/0a5efecfb68448d5816d198c0b924391c17b411d/sources/identify.php#L2112

$data['oauth2_user_to_be_created'] = $oauth2_enabled === true && DB::count() === 0 && $oauth2LoginOngoing === true ? true : false;

which is simply not set for some reason. The three variables in the test ($oauth2_enabled, DB::count(), $oauth2LoginOngoing) all return as true, 0, true for me when exposed in logging, which means that I would expect $data['oauth2_user_to_be_created'] to exist and be set to true, or at the very least be set to false (default case), but later at

https://github.com/nilsteampassnet/TeamPass/blob/0a5efecfb68448d5816d198c0b924391c17b411d/sources/identify.php#L2454

when trying to actually create the user it is neither, simply unset, and the entire createOauth2User function simply skips itself no matter what. Interestingly, the two lines above seem to set without a problem ($data['ldap_user_to_be_created'] & $data['oauth2_login_ongoing']) so we know we are getting into that function, and that pre-requisite variables exist, so don't know why this one specifically simply bombs out - or why it goes null/unset instead of false.


Ok - writing this was enough to sort out the issue. The input variable of oauth2_enabled is failing its implicit typecast, and that's bombing out the later tests. The fix is this:

$data['oauth2_user_to_be_created'] = (bool)$oauth2_enabled === true && DB::count() === 0 && $oauth2LoginOngoing === true ? true : false;

Adding the forced "(bool)" cast to the variable before the test on line 2112.
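To make the failure mode above concrete, here is an added, stand-alone PHP illustration (not TeamPass code and not from anyone in this thread). It evaluates the quoted condition with and without the (bool) cast against constructed values a settings table or request parameter might hand back for oauth2_enabled, and adds a third variant using PHP's filter_var() with FILTER_VALIDATE_BOOLEAN, which is an assumption about how one could normalize the flag, not something TeamPass does. Function names are invented for the example.

```php
<?php
// Added illustration, not TeamPass code: how PHP's strict comparison (===)
// treats a setting that arrives as a string or integer instead of a real bool,
// and what the explicit (bool) cast proposed in this thread changes.
// Variable names mirror the thread; all sample values are constructed.

declare(strict_types=1);

// Mirrors the condition quoted from identify.php, without the cast.
// Anything other than a genuine bool true fails ===, so the branch is skipped.
function userToBeCreatedStrict(mixed $oauth2Enabled, int $existingUsers, mixed $loginOngoing): bool
{
    return $oauth2Enabled === true && $existingUsers === 0 && $loginOngoing === true;
}

// Same condition with the (bool) cast on the flag.
// The cast binds tighter than ===, so this compares (bool)$oauth2Enabled to true.
function userToBeCreatedCast(mixed $oauth2Enabled, int $existingUsers, mixed $loginOngoing): bool
{
    return (bool) $oauth2Enabled === true && $existingUsers === 0 && $loginOngoing === true;
}

// Hypothetical variant: normalize the flag once with FILTER_VALIDATE_BOOLEAN,
// which maps "1", "true", "on", "yes" to true and "0", "false", "off", "no", "" to false.
function userToBeCreatedValidated(mixed $oauth2Enabled, int $existingUsers, mixed $loginOngoing): bool
{
    $enabled = filter_var($oauth2Enabled, FILTER_VALIDATE_BOOLEAN);
    return $enabled && $existingUsers === 0 && $loginOngoing === true;
}

// Constructed sample values for the oauth2_enabled flag.
$samples = [
    'bool true'      => true,
    'int 1'          => 1,
    'string "1"'     => '1',
    'string "true"'  => 'true',
    'string "false"' => 'false',  // (bool)'false' is true: any non-empty string casts to true
    'string "0"'     => '0',      // (bool)'0' is false: the one non-empty string that does
    'empty string'   => '',
    'null'           => null,
];

printf("%-16s %-8s %-8s %-10s\n", 'value', 'strict', 'cast', 'validated');
foreach ($samples as $label => $value) {
    printf(
        "%-16s %-8s %-8s %-10s\n",
        $label,
        var_export(userToBeCreatedStrict($value, 0, true), true),
        var_export(userToBeCreatedCast($value, 0, true), true),
        var_export(userToBeCreatedValidated($value, 0, true), true)
    );
}
```

Run with `php example.php`. The "strict" column is true only for the genuine bool, which is why the user-creation branch was never entered: the check fails closed, so the visible symptom is a refused login rather than a spurious account. The "cast" column shows the proposed fix widening that, but also that (bool) treats the string "false" as enabled, which is the reason to normalize the flag once where settings are loaded rather than casting at each comparison site.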

jhumphries commented 2 weeks ago

And actually let me be precise - that fix allows the existing in-place logic to be correctly activated, since that branch wasn't ever followed previously, I can't speak to if any of the actual creation works yet - I can say i just tested the user is created, but i'm still checking if they are well-formed or otherwise work in the system.

This does, at least, resolve the "User is not allowed to Authenticate" block

hitenmandalia commented 2 weeks ago

@jhumphries you, my good sir, are an absolute legend!!!!!!! Adding the (bool) to line 2112 now allows me to log in and have the user created in the DB. Did you manage to find out if the user is created correctly and works well?

hitenmandalia commented 2 weeks ago

So I am now able to log in with an AzureAD account and the account is created in the DB using @jhumphries fix. However, the account never seems to complete construction. I logged in about 30 mins ago and the "Account in Construction" dialogue is still there. Still testing further.

nilsteampassnet commented 2 weeks ago

Please use latest commit on master branch. The (bool) cast is already implemented.

hitenmandalia commented 2 weeks ago

@nilsteampassnet I have been using the latest commit from master, and it still didn't work. It's not until I used the fix @jhumphries gave that I was able to log in. However, the account in construction is still showing, even after leaving it overnight.

jhumphries commented 2 weeks ago

@nilsteampassnet the bool cast on master is implemented on line 2454, the failure this fixes is earlier in execution on line 2112.

The account when created works, but two problems I had to work around:

  1. My users were not created with any roles or groups, so I had to assign those after initial login. Might be solved by better group mapping but I haven’t gotten there yet.
  2. The “account in construction” message. This one seems to be a false message since accounts appear fine and even have keys that can be downloaded, but the workaround is to run a “generate new otp key” for the user from the admin account. Then make sure all the cron jobs have executed. Not every user has run into that, and I don’t know the root cause, but the workaround seems to consistently resolve the message.

hitenmandalia commented 2 weeks ago

@jhumphries Indeed you are correct again. Generating new OTP keys does the trick.