Login through External Authorization Server

Hi all,

I am building an external authorization server using OpenIddict and Active Directory. I am now able to log in to Squidex through that external authorization server. However, the users are not able to view the app correctly.

The scenario is that I have a Custom Editor role with permission to view article content only. I have an editor with the email my-editor@squidex.io. He is able to log in to Squidex through my authorization server. In Squidex, there is now a newly created user under his email (my-editor@squidex.io). However, he is not able to view the article content until I (an admin) add him as a contributor under the Custom Editor role. Otherwise, he just sees Squidex in overview. I also checked the token generated by the external server and I can confirm that the claims and role are correct.

My question is whether there is an approach to automatically add the logged-in user (through the external authorization server) as a contributor under his role so that he gets the right permissions to use Squidex.

Many thanks

This is by design. BUT the easiest option would be the following:

Contributors are just a list of permissions. If you give him the right permissions manually, he should have access. But he will not show up as a contributor. When a user logs in the first time, all Squidex claims will be copied over: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Shared/Identity/SquidexClaimTypes.cs

You can just create the correct claims in your identity server.


Thanks Seb.

Is there any way we can map the role to its permissions so we don't need to manually add the permissions in the identity server?

I found that in the appsettings.json in Squidex there are two properties, oidcRoleClaimType and oidcRoleMapping. So if I configure those settings to

"oidcRoleClaimType": "role",
"oidcRoleMapping": {
    "CustomEditor": [
        "squidex.apps.myapp.assets",
        "squidex.apps.myapp.contents"
    ],
    "CustomDeveloper": [
        "squidex.myapp.corecms.*"
    ]
}

Then in my identity server we just need to add the correct role, such as CustomDeveloper or CustomEditor, for example.

Cheers

It is fully working now that I have added the permissions manually in my identity server.

Thank you for your prompt support. It is really helpful.

Perfect. I had forgotten the thing with the role mapping.


Hi Seb,

Unfortunately, it is not working as we expected. In particular, if we add the permissions manually with squidex.apps.{app}.* it is working. But if we add a granular permission such as squidex.apps.{app}.contents.pages|posts|articles, then we cannot log in and the new user is not created.

Also, I honestly don't know how to add multiple permissions per user through our identity server. At this moment, what I did is

identity.AddClaim(Constants.SquidexPermissionsClaimName, "squidex.apps.{app}.*", Destinations.IdentityToken);

Could you please have a look and support us?

Many thanks

You can add multiple claims with the same name.

A user has a few implicit permissions as a contributor. I guess you need to add all of them: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Domain.Apps.Core.Model/Apps/Role.cs#L17
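To make the two answers above concrete (repeat the permissions claim once per permission, and add the implicit permissions a contributor needs), here is a small added example that is not part of Squidex or of this thread. It takes an ID-token payload and an oidcRoleMapping fragment, both constructed to mirror the ones posted later in the thread, computes the permissions the user would end up with, and lists which required permissions are still uncovered, which is the same question the 403 debugging further down answers by hand. The matching rules (`*` matches any segment, `a|b` lists alternatives, a shorter permission covers everything below it) and the list of required permissions are assumptions modelled on the permission strings used in the thread, not Squidex's own implementation.

```python
# Added example (not Squidex's own code): expand the permissions a user ends up
# with from an OIDC ID token and report which required permissions are missing.
# Token payload, role mapping and required-permission list are constructed;
# the matching rules are an assumption modelled on Squidex-style permission strings.

# Constructed: the appsettings.json fragment from the thread, as Python data.
OIDC_ROLE_CLAIM_TYPE = "role"
OIDC_ROLE_MAPPING = {
    "CustomEditor": ["squidex.apps.myapp.assets", "squidex.apps.myapp.contents"],
    "CustomDeveloper": ["squidex.apps.myapp.*"],
}

# Constructed: an ID-token payload modelled on the one posted in the thread.
# Emitting the permissions claim several times with the same name yields an array.
ID_TOKEN_PAYLOAD = {
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder subject id
    "name": "testuser",
    "email": "testuser@squidex.io",
    "urn:squidex:permissions": [
        "squidex.apps.myapp.contents",
        "squidex.apps.myapp.assets",
    ],
    "role": "CustomEditor",
}

# Assumption: permissions the Management UI asks for when opening an app, named
# after the "<app>.<resource>.<action>" pattern used in the thread.
REQUIRED_FOR_APP_VIEW = [
    "squidex.apps.myapp.contents.articles.read",
    "squidex.apps.myapp.languages.read",
    "squidex.apps.myapp.roles.read",
]


def claim_values(payload, name):
    """Return a claim's values as a list (a repeated claim is an array, a single one a string)."""
    value = payload.get(name)
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def granted_permissions(payload, role_claim_type, role_mapping):
    """Union of the explicit permission claims and the mapping of every role claim."""
    granted = set(claim_values(payload, "urn:squidex:permissions"))
    for role in claim_values(payload, role_claim_type):
        granted.update(role_mapping.get(role, []))
    return sorted(granted)


def _part_allows(granted_part, requested_part):
    """'*' matches any value, 'a|b' lists alternatives (assumed semantics)."""
    if granted_part == "*":
        return True
    return requested_part in granted_part.split("|")


def allows(granted, requested):
    """Prefix-plus-wildcard match: a granted permission covers a requested one when
    every segment it has matches, so a shorter permission covers everything below it."""
    granted_parts, requested_parts = granted.split("."), requested.split(".")
    if len(granted_parts) > len(requested_parts):
        return False
    return all(_part_allows(g, r) for g, r in zip(granted_parts, requested_parts))


def missing_permissions(granted, required):
    """Required permissions that no granted permission covers, in the order given."""
    return [req for req in required if not any(allows(g, req) for g in granted)]


if __name__ == "__main__":
    granted = granted_permissions(ID_TOKEN_PAYLOAD, OIDC_ROLE_CLAIM_TYPE, OIDC_ROLE_MAPPING)
    print("granted:", granted)
    for perm in missing_permissions(granted, REQUIRED_FOR_APP_VIEW):
        print("missing:", perm)
```

Run as-is, the CustomEditor token is reported as missing the languages and roles read permissions, which is exactly the kind of gap that shows up as a 403 on an app endpoint after a successful login; a user whose role maps to `squidex.apps.myapp.*` has nothing missing. Swapping in the real token from the identity server's discovery endpoint and the app's actual oidcRoleMapping turns this into a quick check before touching the identity server again.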

So you think the role mapping should work if the permissions are defined correctly. I had removed it when I tested with manually added permissions. I will try tomorrow.

Thanks again.

I tried, but it does not work. I mean that after logging in successfully my identity server redirected me to

http://localhost:5000/signin-oidc (with an HTTP 500 error)

but I cannot log in using the user credentials.

Here is the generated token from my identity server

{
  "sub": "b9bdeb49-83db-3f95-75b1-db61e3849612",
  "name": "testuser",
  "email": "testuser@squidex.io",
  "urn:squidex:permissions": [
    "squidex.apps.myapp.contents",
    "squidex.apps.myapp.assets"
  ],
  "role": "CustomDeveloper",
  "azp": "CoreAppSquidex",
  "nonce": "637853921990736236.OGNkMDExNmEtYzViZS00OGYwLWFmNTAtYTU0ZmNkMDZmZGFkYTIyMDFiNjYtYTNiMy00MzgyLWI0OGMtNmM1YzMyZjcwZWMx",
  "oi_tkn_id": "0b51bc1b-9da2-45c7-a839-4618bda59332",
  "aud": "CoreAppSquidex",
  "exp": 1649796624,
  "iss": "http://localhost:5108/",
  "iat": 1649795424
}

I expected to see a new user created in my local Squidex with those two permissions, but it is not :frowning:

Do you have any ideas why it is not working?

Thanks

Could be a bug, perhaps only one claim of each type is copied over.


At least I cannot find it by looking at the code. If you can debug it, the relevant part could be this one: https://github.com/Squidex/squidex/blob/59904163016e7e115331128cc1b71fd662cd7ca1/backend/src/Squidex.Domain.Users/UserManagerExtensions.cs#L128

Hi Seb

I can confirm that I am able to add multiple permissions per user, such as:

However, I cannot access the content. It gives me this error when I try:

Other permissions are working well.

Could you please give us support?

Thanks

Please do not ask this all the time, I am answering there in the forum, right? :wink:

You can check the Chrome network tab to see which endpoint throws a 403.

Hi,

The following endpoint throws an exception:

http://mysquidex.com/api/apps/corecms/languages

The permission for that was on my list :wink:

I thought I did add the AppRolesRead permission in my identity server:

identity.AddClaim(Constants.SquidexPermissionsClaimName, "squidex.apps.corecms.roles.read", Destinations.IdentityToken);

But it is not part of the screenshot you posted

image is not the same

Sorry, I mean the languages permission. My link is wrong.


Perfect. It is working now. Also, we know how to debug and trace the permission issues.

Thanks for your support :smiley:
