SSO/OIDC with Zitadel

Hey y'all, I racked my brain for a very long time on why Zitadel was not passing roles to Homarr, which meant I could not create an admin user. Well, I have found the reason and solution, so this is more for people with my own setup, which is Homarr 1.0+ along with Zitadel for SSO. The simple reason why Homarr does not like Zitadel is seemingly that Homarr only supports flat roles, whereas Zitadel traverses a complex role JSON structure. Here is how I got it working:

Adding Zitadel SSO to Homarr

Zitadel setup:
- Create application
  - Web + Basic Auth
  - Redirect URIs:
    - https://home.domain.com/api/auth/callback/oidc
  - Token Settings:
    - Bearer Token -> User Roles inside ID Token -> User Info inside ID Token
- Create a Zitadel action:
  - name: onlyRoles
// Zitadel action (Complement Token flow): flatten the roles of every user
// grant into one array and expose it as a single custom claim.
function onlyRoles(ctx, api) {
  // No grants at all: leave the claim unset.
  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
    return;
  }

  // Collect the role keys from each grant (Zitadel nests them per project).
  let grants = [];
  ctx.v1.user.grants.grants.forEach(claim => {
    claim.roles.forEach(role => {
      grants.push(role);
    });
  });

  // Homarr reads this flat array via AUTH_OIDC_GROUPS_ATTRIBUTE.
  api.v1.claims.setClaim('my:zitadel:grants', grants);
}
  - Flows -> Complement Token -> Pre UserInfo Creation + Pre Access Token Creation
- Add admin role to Zitadel and assign user to it; in my case role and key were both called "admin"

Add OIDC client and secret to Homarr (docker compose environment variables):
AUTH_PROVIDERS: oidc #credentials
AUTH_OIDC_ISSUER: https://auth.domain.com
AUTH_OIDC_CLIENT_SECRET: some-nasty-secret
AUTH_OIDC_CLIENT_ID: client-id-hehe
AUTH_OIDC_CLIENT_NAME: Zitadel
AUTH_OIDC_SCOPE_OVERWRITE: "openid email profile"
AUTH_OIDC_GROUPS_ATTRIBUTE: "my:zitadel:grants"
Start up Homarr. Enter the admin group name in Homarr's web UI: "admin". Log in with Zitadel and you are an admin, woooo
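The flattening the action above performs, run end to end as an added example (not code from the original post, nor from Homarr or Zitadel): the same logic is applied to a constructed `ctx`/`api` pair shaped like the objects the action receives (`grants.count`, `grants.grants[].roles[]`), the resulting claim is placed in a constructed, unsigned ID token, and a relying-party style check looks for the configured admin group in the configured groups attribute. `makeCtx`, `makeApi`, `runAction`, `decodeJwtPayload`, `buildSampleIdToken` and `isAdmin` are assumptions for illustration; `isAdmin` is assumed to mirror how a consumer of AUTH_OIDC_GROUPS_ATTRIBUTE matches a group name, not Homarr's actual implementation.

```javascript
// Added example, not from the original post or from Homarr/Zitadel.
// Reproduces the role flattening of the Zitadel action and checks the result
// the way a relying party would. Object shapes follow the action in the post;
// the helpers and the sample ID token are constructed for illustration.

// Same behaviour as the action in the post, plus de-duplication: a user who
// holds the same role key in two projects would otherwise appear twice.
function onlyRoles(ctx, api) {
  const userGrants = ctx.v1.user.grants;
  if (userGrants === undefined || userGrants.count === 0) {
    return; // no grants: the claim is never set, so no groups are seen
  }
  const roles = new Set();
  for (const grant of userGrants.grants) {
    for (const role of grant.roles) {
      roles.add(role);
    }
  }
  api.v1.claims.setClaim('my:zitadel:grants', [...roles]);
}

// Stand-ins for the ctx and api objects Zitadel passes to an action (assumed).
function makeCtx(grants) {
  return { v1: { user: { grants: grants } } };
}
function makeApi() {
  const claims = {};
  return {
    claims,
    v1: { claims: { setClaim: (name, value) => { claims[name] = value; } } },
  };
}

// Run the action against a grants object and return the claims it produced.
function runAction(grants) {
  const api = makeApi();
  onlyRoles(makeCtx(grants), api);
  return api.claims;
}

// Decode a JWT payload for inspection only. The signature is NOT verified
// here; the OIDC client library in the relying party does that. Use this to
// confirm the custom claim really lands in the token your IdP issues.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Relying-party check (assumed): the groups attribute must be an array and
// must contain the admin group name by exact, case-sensitive match.
function isAdmin(claims, groupsAttribute, adminGroup) {
  const groups = claims[groupsAttribute];
  return Array.isArray(groups) && groups.includes(adminGroup);
}

// Constructed sample of the nested structure Zitadel hands to the action.
const sampleGrants = {
  count: 2,
  grants: [
    { projectId: 'proj-1', roles: ['admin', 'viewer'] },
    { projectId: 'proj-2', roles: ['viewer'] },
  ],
};

// Constructed unsigned ID token carrying the flattened claim. Header and
// signature are placeholders; only the payload matters for this check.
function buildSampleIdToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none' })}.${b64(claims)}.sig-placeholder`;
}

if (typeof require !== 'undefined' && require.main === module) {
  const claims = runAction(sampleGrants);
  console.log(claims); // { 'my:zitadel:grants': [ 'admin', 'viewer' ] }
  const payload = decodeJwtPayload(buildSampleIdToken({ sub: 'user-1', ...claims }));
  console.log(isAdmin(payload, 'my:zitadel:grants', 'admin')); // true
  console.log(isAdmin(payload, 'my:zitadel:grants', 'Admin')); // false
}
```

The last two checks are the ones worth keeping in mind when the admin mapping does not take: the group name typed into the Homarr UI has to match the Zitadel role key exactly, and the claim has to arrive as an array, which is exactly what the action guarantees and a nested Zitadel role object does not.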
3 Replies
Cakey Bot, 7d ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
AYEEDITYA (OP), 7d ago
I will add that I am using local accounts on Zitadel; I'm not sure how roles will be traversed if you are using another OIDC service to log into Zitadel itself, just BTW.
Solution
Meierschlumpf, 7d ago
Great, thanks for this write-up. We got another user that had a similar problem with Keycloak, and there exists a GitHub issue to solve this in the future by allowing object paths: https://github.com/homarr-labs/homarr/issues/2657