Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can't delete oauth users or set them to admin #259

Open
joestump opened this issue Apr 29, 2024 · 9 comments
Open

Can't delete oauth users or set them to admin #259

joestump opened this issue Apr 29, 2024 · 9 comments
Labels
v2 wg-portal version 2

Comments

@joestump
Copy link

Ironically, I can delete myself as the admin. 😄

When I log in as the main admin (as defined in config.yml), I am unable to upgrade privileges to users who've logged in via Authentik. The toggle is missing from the edit screen.

image

I suspect it's just a component being gated? I looked at the code and there's a whole form with data being loaded, but I only see that when the user was created via DB.

@joestump
Copy link
Author

joestump commented Apr 29, 2024

If you point me in the right direction, I'll take a look at submitting a PR.

@bonddim
Copy link
Collaborator

bonddim commented Apr 29, 2024

Suppose, there is no toggle because user is synced from external provider, in your case Authentik.
Try to use is_admin property in oauth/oidc config.
But there is also bug - once user is created, permissions aren't updated on next login sync.

@joestump
Copy link
Author

joestump commented Apr 29, 2024

@bonddim I gave that a shot, but it's not working (I'm deleting the user in between sign ins; should be fresh is_admin on each login).

auth:
  callback_url_prefix: https://<my-url>/api/v0
  oidc:
    - id: authentik
      provider_name: authentik
      display_name: Login with Authentik
      base_url: https://<my-authentik-url>/application/o/wireguard-portal/
      client_id: my-client-id
      client_secret: my-super-secret-client-secret
      extra_scopes:
        - profile
        - email
        - is_admin
      field_map:
        email: email
        user_identifier: email
      registration_enabled: true

I then have a Property Mapping with the scope is_admin in my Authentik:

return str(ak_is_group_member(request.user, name="Administrators")).lower()

Here's the test output:

image

Not quite sure where I went wrong. For now I'll manually update in the DB.

@joestump
Copy link
Author

Gave it a shot with oauth and it leads to a 404 when I click the login button: https://<my-wgportal-url>/api/v0/api/v0/authentik-oauth/init. When I correct the double URI issue, it still 404s.

@bonddim
Copy link
Collaborator

bonddim commented Apr 30, 2024

@joestump ,
try to add is_admin: "true" into field_map

@joestump
Copy link
Author

@bonddim if I'm following the code correctly, that would result in true being used for the field mapping? getOauthFieldMapping would set true as the key for looking up in ParseUserInfo? Authentik doesn't appear to set admin_flag by default and my extra scopes hack didn't work either.

@bonddim
Copy link
Collaborator

bonddim commented Apr 30, 2024

@joestump,
Correct, wg-portal expects value parsable to boolean to set admin permissions.

By providing is_admin: in field_map you set to which property in token scope to look for admin role.
If your authentick adds extra scope is_admin: true, it should work with

....
field_map:
  is_admin: is_admin
  ...

@h44z h44z added the v2 wg-portal version 2 label Jul 4, 2024
@h44z
Copy link
Owner

h44z commented Jul 4, 2024

@joestump did you manage to get it working?

@Oriely
Copy link

Oriely commented Oct 9, 2024

Chiming in here since OP is awol, i have the same setup as the user and i am still not able to get this working.
When loging in the user is not admin.

I have set the field_map for is_admin.
When manually setting the field map to true it still does not give user admin access in the webgui.

advanced:
  log_level: trace

core:
  admin_user: admin@admin.com
  admin_password: admin
  create_default_peer: true
  create_default_peer_on_creation: false
  self_provisioning_allowed: true
web:
  external_url: https://wgportal.local.domain.test
  request_logging: true

auth:
  callback_url_prefix: https://wgportal.local.domain.test/api/v0
  oidc:
    - id: authentik
      provider_name: authentik
      display_name: Login with Authentik
      base_url: https://sso.local.domain.test/application/o/wg-portal/
      client_id: 
      client_secret: 
      extra_scopes:
        - profile
        - email
        - openid
        - is_admin
      field_map:
        email: email
        user_identifier: email
        is_admin: is_admin
      registration_enabled: true

image

image

image

time="2024-10-09T09:40:51Z" level=trace msg="handling new user login for admin@domain.test"

time="2024-10-09T09:40:51Z" level=info msg="created 0 default peers for user admin@domain.test"

time="2024-10-09T09:40:51Z" level=info msg="192.168.77.50 - doorway [09/Oct/2024:09:40:51 +0000] \"GET /app/\" 200 1313 \"\" \"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0\" (1ms)" clientIP=192.168.77.50 dataLength=1313 hostname=doorway latency=1 method=GET path=/app/ referer= statusCode=200 userAgent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"

A bit ulrelated but when creating peers with a user that is not admin with self_provisioning_allowed: true i immediately get logged out of wgportal with error below from the browser console.

Starting WireGuard Portal frontend... [index-SCWiGQnt.js:196:59727](https://wgportal.local.domain.test/app/assets/index-SCWiGQnt.js)
Oauth login callback: success [index-SCWiGQnt.js:196:55480](https://wgportal.local.domain.test/app/assets/index-SCWiGQnt.js)
Oauth login completed for UID: admin@domain.test [index-SCWiGQnt.js:196:55574](https://wgportal.local.domain.test/app/assets/index-SCWiGQnt.js)
Continuing to: / [index-SCWiGQnt.js:196:55622](https://wgportal.local.domain.test/app/assets/index-SCWiGQnt.js)
WireGuard Portal session is valid [index-SCWiGQnt.js:196:59910](https://wgportal.local.domain.test/app/assets/index-SCWiGQnt.js)
WireGuard Portal ready! [index-SCWiGQnt.js:196:60041](https://wgportal.local.domain.test/app/assets/index-SCWiGQnt.js)
automatic logout initiated... [index-SCWiGQnt.js:9:31370](https://wgportal.local.domain.test/app/assets/index-SCWiGQnt.js)
Failed to load prepared peer:  not enough permissions [index-SCWiGQnt.js:9:91982](https://wgportal.local.domain.test/app/assets/index-SCWiGQnt.js)
STATE: 
Proxy { <target>: {…}, <handler>: {…} }

when using oauth i also get the same issue OP has where the redirect url is wrong
https://wgportal.local.domain.test/api/v0/api/v0/authentik-oauth/init?redirect=true&return=https%3A%2F%2Fwgportal.local.domain.test%2F%23%2Flogin

Accessing /api works but /api/v0 gives 404 not found https://wgportal.local.domain.test/api/v0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
v2 wg-portal version 2
Projects
None yet
Development

No branches or pull requests

4 participants