search

opserver / Opserver

Stack Exchange's Monitoring System
https://opserver.github.io/Opserver/
MIT License
4.52k stars 826 forks source link

Issue With OIDC Authentication #412

Open grumpykiwi opened 2 years ago

grumpykiwi commented 2 years ago

After quite a lot of fiddling to get things working. OIDC authentication is at least getting back to the home page. But now it shows a message saying it is not configured with a link to the about page where I see a big old error.

The summary error is:

The provided identity of type 'System.Security.Claims.ClaimsIdentity' is marked IsAuthenticated = true but does not have a value for Name. By default, the antiforgery system requires that all authenticated identities have a unique Name. If it is not possible to provide a unique Name for this identity, consider extending IAntiforgeryAdditionalDataProvider by overriding the DefaultAntiforgeryAdditionalDataProvider or a custom type that can provide some form of unique identifier for the current user.

I am using an app registration from Azure AD to authenticate. Is there a specific setting I need to adjust in AAD to make this work ?

Here is the relevant config

  "Security": {
    "provider": "OIDC",
    "apiKey": "",
    "viewEverythingGroups": "Domain Admins",
    "adminEverythingGroups": "Domain Admins",
    "scopes": [
      "email"
    ],
    "clientId": "<client Id>",
    "clientSecret": "<client secret>",
    "authorizationUrl": "https://login.microsoftonline.com/<tenant Id>/oauth2/v2.0/authorize",
    "accessTokenUrl": "https://login.microsoftonline.com/<tenant Id>/oauth2/v2.0/token",
    "userInfoUrl": "https://graph.microsoft.com/oidc/userinfo"
  },

Any ideas on what I might have mis-configured?

To be honest it was a bit of a chore getting this far. The documentation on this is a bit sparse.

Thanks

Mark

itssimple commented 1 day ago

I've come a bit further, so what you need to do, is enable some optional claims in your OIDC application in Entra, and in my case, I added email, and set my config like this

{
  "provider": "OIDC",
  "viewEverythingGroups": "Domain Users",
  "adminEverythingGroups": "Opserver Admins",
  "scopes": [ "openid", "email" ],
  "clientId": "<clientId>",
  "clientSecret": "<clientSecret>",
  "authorizationUrl": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize",
  "accessTokenUrl": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token",
  "userInfoUrl": "https://graph.microsoft.com/oidc/userinfo",
  "nameClaim": "email",
  "groupsClaim": "groups"
}

Didn't get the groupsClaim to work yet, but I'm currently debugging the code as I'm troubleshooting it.

Edit:

Ah, groups doesn't work since they switched to the Microsoft Graph OIDC endpoint, which won't return groups no matter what you do.

So you might need to either patch the code, and add support for running against https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group