Homarr · 9mo ago
HAVOC

Entra/Azure SSO

Has anyone got Homarr set up using Azure SSO yet? I'm currently getting the error that the groups scope doesn't exist, but I'm not sure where to define that.
13 Replies
Manicraft1001 · 9mo ago
Hi, Azure probably doesn't support this scope. @Meierschlumpf I think you're already aware of this, right? How easy can we make this configurable?
Meierschlumpf · 9mo ago
I mean we could just add another env variable. The issue with that seems to lie in the groups, which I haven't found out whether they are supported by Azure:
const isAdmin = profile.groups.includes(env.AUTH_OIDC_ADMIN_GROUP);
const isOwner = profile.groups.includes(env.AUTH_OIDC_OWNER_GROUP);
Manicraft1001 · 9mo ago
Does Azure show what groups it has out of the box? My SSO knowledge is somewhat limited, sorry
Meierschlumpf · 9mo ago
Not sure either, I thought that it needs to be enabled, maybe that's all and we don't need a new scope variable. Okay, just tried it out and it seems like it would include groups for tenant accounts, but not for my personal account. I'm gonna make a pull request and image so you can try it out. In a few minutes there should be an image with the tag add-env-for-oidc-scopes ready for you to try; you can then configure the environment variable AUTH_OIDC_SCOPE_OVERWRITE to overwrite the scope to openid email profile. If you have groups enabled in the token it should work also with the roles. Otherwise it will show a warning in the console when your Azure AD does not support those @HAVOC
HAVOC · 9mo ago
Ooo thank you!! I'll try it once I get home :) And I'll let you know how I get on. Interesting that you were able to get tenant accounts to show the groups scope since I was unable to. Maybe I missed a setting.
Meierschlumpf · 9mo ago
I wasn't able to do it either within the Azure portal, just remembered that we were able to do it at work. I got it working:
AUTH_PROVIDER="oidc"
AUTH_OIDC_URI="https://login.microsoftonline.com/your-tenant-id/v2.0"
AUTH_OIDC_CLIENT_SECRET="your-secret"
AUTH_OIDC_CLIENT_ID="your-client-id"
AUTH_OIDC_CLIENT_NAME="Homarr"
AUTH_OIDC_SCOPE_OVERWRITE="openid profile email"
I've added an app registration with the following options:
Name: Homarr
Supported account types: Accounts in this organizational directory only (Default Directory only - Single tenant)
Redirect URI: Web / https://homarr.example.com/api/auth/callback/oidc
After registering I created a client secret over client credentials and copied the value to the env variables. Then I went to the API Permissions and added the delegated Graph permissions email, openid and profile. After that I created a group with Microsoft Entra ID and assigned myself as member. Finally I went to Token configuration and added a groups claim for security groups. After that I was able to get a groups array when authenticating. Now you can just copy the group id from Azure and define them as AUTH_OIDC_ADMIN_GROUP and AUTH_OIDC_OWNER_GROUP @HAVOC
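Added example (not Homarr's code and not from anyone in this thread) of the role mapping the snippet above does, written so a token without a groups claim (an Azure personal account, or a tenant app without the groups claim configured) degrades to a warning instead of a crash, plus the scope override described earlier. The default scope list, the env names and the sample GUIDs are assumptions.

```javascript
// Assumed default scope list when AUTH_OIDC_SCOPE_OVERWRITE is unset.
const DEFAULT_SCOPE = "openid email profile groups";

// AUTH_OIDC_SCOPE_OVERWRITE replaces the whole scope string when set.
function resolveScope(env) {
  const override = (env.AUTH_OIDC_SCOPE_OVERWRITE || "").trim();
  return (override || DEFAULT_SCOPE).split(/\s+/);
}

// Map an OIDC profile to Homarr-style role flags. Unlike a bare
// profile.groups.includes(...), a missing or non-array `groups` claim yields
// no roles plus a warning, which is what a personal Azure account produces.
function resolveRoles(profile, env) {
  const warnings = [];
  const groups = Array.isArray(profile.groups) ? profile.groups : null;
  if (groups === null) {
    warnings.push(
      "OIDC profile has no 'groups' claim; admin/owner groups ignored. " +
        "Add a groups claim in the provider's token configuration.",
    );
    return { isAdmin: false, isOwner: false, warnings };
  }
  // Only match when the env var is actually set, so an unset variable never
  // silently matches anything.
  const isAdmin =
    Boolean(env.AUTH_OIDC_ADMIN_GROUP) && groups.includes(env.AUTH_OIDC_ADMIN_GROUP);
  const isOwner =
    Boolean(env.AUTH_OIDC_OWNER_GROUP) && groups.includes(env.AUTH_OIDC_OWNER_GROUP);
  return { isAdmin, isOwner, warnings };
}

// Constructed sample data: Entra emits group object ids (GUIDs) in the claim.
const sampleEnv = {
  AUTH_OIDC_SCOPE_OVERWRITE: "openid profile email",
  AUTH_OIDC_ADMIN_GROUP: "00000000-0000-0000-0000-000000000001",
  AUTH_OIDC_OWNER_GROUP: "00000000-0000-0000-0000-000000000002",
};
const tenantProfile = {
  email: "user@example.com",
  groups: ["00000000-0000-0000-0000-000000000001"],
};
const personalProfile = { email: "user@outlook.example" }; // no groups claim

console.log(resolveScope(sampleEnv));
console.log(resolveRoles(tenantProfile, sampleEnv));
console.log(resolveRoles(personalProfile, sampleEnv));
```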
HAVOC · 9mo ago
Oh awesome!! I’m not home for another 6 ish hours but I will test when I can
Meierschlumpf · 9mo ago
Nice 😄
HAVOC · 9mo ago
Looks like it's working! The only issue I'm having now is that since I have it behind a proxy, Homarr is making the redirect URI http://localhost:7575. I've set the base URL in the environment variables to match my proxied URL but it doesn't seem to have fixed it. I'll keep playing around and see if I can get that working. Just tested with a temp container on my PC, can confirm it's working! Managed to fix this by putting NEXTAUTH_URL="https://my.domain.here" in the env variables. So everything is working now including the admin groups, thank you for your help!!
Meierschlumpf · 9mo ago
About the redirect we're gonna fix that as well (hopefully)
HAVOC · 9mo ago
@Meierschlumpf is it possible to get the user's name to show instead of their email? Or is that not possible with the current setup?
Meierschlumpf · 9mo ago
I will check that. Not ideal for the current setup, especially because the username differs for different providers.
HAVOC · 9mo ago
Thought as much, thank you for looking :)