traccar / traccar

Traccar GPS Tracking System
https://www.traccar.org
Apache License 2.0

openid.allowGroup is of no effect for oidc login #5310

Closed SoleroTG closed 2 months ago

SoleroTG commented 2 months ago

Describe the bug When using OIDC for logging in, the value of openid.allowGroup is ignored and login is granted regardless of whether the user is a member of the group or not.

To Reproduce

  1. Configure an OIDC setup with any group for openid.allowGroup
  2. Try to log in with a user who is not a member of the configured group

Expected behavior Login should be denied if the user is not a member of the group set up in openid.allowGroup.

Screenshots Not applicable.

Additional context Tested with Traccar version 6.1 running as a Docker container.

Edit:

traccar.xml:

    <entry key='openid.force'>false</entry>
    <entry key='openid.clientId'>traccar</entry>
    <entry key='openid.clientSecret'>secret</entry>
    <entry key='openid.issuerUrl'>https://auth.example.com</entry>
    <!--<entry key='openid.authUrl'>https://auth.example.com/api/oidc/authorize</entry>-->
    <!--<entry key='openid.tokenUrl'>https://auth.example.com/api/oidc/token</entry>-->
    <!--<entry key='openid.userInfoUrl'>https://auth.example.com/api/oidc/userinfo</entry>-->
    <entry key='openid.allowGroup'>traccaruser</entry>
    <entry key='openid.adminGroup'>admin</entry>

IdP: Authelia v4.38.8 (current)

configuration.yml:

<snip>
      - client_id: 'traccar'
        client_name: 'Traccar'
        client_secret: 'secret'
        public: false
        redirect_uris:
          - https://traccar.example.com/api/session/openid/callback
        consent_mode: implicit
        scopes:
          - openid
          - profile
          - groups
          - email
        userinfo_signed_response_alg: 'none'
</snip>

users_database.yml:

<snip>
users:
  solero:
    displayname: "Solero"
    password: "$argon2id$v=19$m=262144,t=5,p=4$hash"
    email: solero@example.com
    groups:
      - admin
      - traccaruser      # <-- if this group membership is removed the login for this user should be denied
      - otherappuser
</snip>

tananaev commented 2 months ago

You have not provided any information to be able to investigate it. No details about provider, configuration or anything else.

SoleroTG commented 2 months ago

Thanks for the fast reply.

I added the configuration for traccar and authelia. Is this sufficient or should I provide more detail?

Cheers, Solero

SoleroTG commented 2 months ago

I did some more testing and found out that the login is denied if I remove myself from the admin group. Is it correct and intended that a user can still log in if he is not in the allowGroup but is in the adminGroup?

If that is the case, then this issue can be closed, and I would suggest that it be mentioned in the documentation.

tananaev commented 2 months ago

Admins obviously have access, even if they're not part of allowGroup.
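The access rule the maintainer describes, as an added Python illustration that is not Traccar's own code: members of openid.adminGroup are admitted regardless of openid.allowGroup, everyone else must be in openid.allowGroup, and a missing or malformed `groups` claim is treated as no proven membership (fail closed). The `<properties>` wrapper around the posted traccar.xml entries and the userinfo bodies are constructed for this example; how Traccar behaves when allowGroup is left unset is not stated in the thread and is not modelled here.

```python
# Added example of the allowGroup / adminGroup decision as the thread describes it.
# Illustration only, not Traccar's implementation. Policy taken from the thread:
# adminGroup members are always admitted (as admins); anyone else needs allowGroup.
# An unset allowGroup is not covered by the thread and is deliberately not modelled.
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"    # login refused
    USER = "user"    # ordinary account
    ADMIN = "admin"  # administrator account


@dataclass(frozen=True)
class OidcGroupPolicy:
    allow_group: str  # value of openid.allowGroup
    admin_group: str  # value of openid.adminGroup

    def decide(self, userinfo: dict) -> Decision:
        """Apply the policy to the claims returned by the IdP's userinfo endpoint."""
        groups = userinfo.get("groups")
        if isinstance(groups, str):
            groups = [groups]  # some IdPs emit a single string instead of a list
        if not isinstance(groups, list):
            return Decision.DENY  # claim absent or malformed: fail closed
        if self.admin_group in groups:
            return Decision.ADMIN  # admin wins even without allowGroup membership
        if self.allow_group in groups:
            return Decision.USER
        return Decision.DENY


def policy_from_traccar_xml(xml_text: str) -> OidcGroupPolicy:
    """Read the two group entries out of a traccar.xml <properties> document."""
    root = ET.fromstring(xml_text)
    entries = {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}
    return OidcGroupPolicy(
        allow_group=entries["openid.allowGroup"],
        admin_group=entries["openid.adminGroup"],
    )


# Constructed sample: the entries from the issue wrapped in the <properties>
# root element that traccar.xml uses (DOCTYPE line omitted for brevity).
TRACCAR_XML = """<properties>
    <entry key='openid.force'>false</entry>
    <entry key='openid.clientId'>traccar</entry>
    <entry key='openid.issuerUrl'>https://auth.example.com</entry>
    <entry key='openid.allowGroup'>traccaruser</entry>
    <entry key='openid.adminGroup'>admin</entry>
</properties>"""

# Constructed sample userinfo responses. With userinfo_signed_response_alg 'none'
# Authelia returns plain JSON; the group sets mirror the users_database.yml cases.
USERINFO_SAMPLES = {
    "admin and allowGroup": '{"sub":"solero","email":"solero@example.com",'
                            '"groups":["admin","traccaruser","otherappuser"]}',
    "admin only":           '{"sub":"solero","groups":["admin","otherappuser"]}',
    "allowGroup only":      '{"sub":"solero","groups":["traccaruser","otherappuser"]}',
    "neither":              '{"sub":"solero","groups":["otherappuser"]}',
    "no groups scope":      '{"sub":"solero","email":"solero@example.com"}',
}


def evaluate_samples(policy: OidcGroupPolicy) -> dict:
    """Run every constructed sample through the policy; returns {label: Decision}."""
    return {label: policy.decide(json.loads(body))
            for label, body in USERINFO_SAMPLES.items()}


if __name__ == "__main__":
    policy = policy_from_traccar_xml(TRACCAR_XML)
    for label, decision in evaluate_samples(policy).items():
        print(f"{label:22s} -> {decision.value}")
```

The "admin only" sample is the case the reporter hit: the user has been removed from traccaruser but stays in admin and is still admitted. The "no groups scope" sample shows why the `groups` scope in the Authelia client definition matters; without that claim the check has nothing to grant on and denies.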