Login through External Authorization Server

Thanks Seb.

Is there any way we can map the role to its permissions so we don't need to manually add the permissions in the identity server?

I found that in the appsettings.json in Squidex there are two properties, oidcRoleClaimType and oidcRoleMapping. So if I configure those settings to

"oidcRoleClaimType": "role",
"oidcRoleMapping": {
    "CustomEditor": [
        "squidex.apps.myapp.assets",
        "squidex.apps.myapp.contents"
    ],
    "CustomDeveloper": [
        "squidex.myapp.corecms.*"
    ]
}

Then in my identity server we just need to add the correct role, such as CustomDeveloper or CustomEditor, for example.

Cheers

It is fully working now when I add the permissions manually in my identity server.

Thank you for your prompt support. It is really helpful.

Perfect. I had forgotten the thing with the role mapping.


Hi Seb,

Unfortunately, it is not working as we expected. In particular, if we add the permissions manually with squidex.apps.{app}.* it works. But if we add a granular permission such as squidex.apps.{app}.contents.pages|posts|articles, then we cannot log in and the new user is not created.

Also, I honestly don't know how to add multiple permissions per user through our Identity Server. At the moment, what I did is

identity.AddClaim(Constants.SquidexPermissionsClaimName, "squidex.apps.{app}.*", Destinations.IdentityToken);

Could you please have a look and support us?

Many thanks

You can add multiple claims with the same name.

A user has a few implicit permissions as a contributor. I guess you need to add all of them: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Domain.Apps.Core.Model/Apps/Role.cs#L17


So you think the role mapping should work if the permissions are defined correctly? I removed it when I tested with manually added permissions. I will try tomorrow.

Thanks again.


I tried, but it does not work. I mean that after logging in successfully my identity server redirected me to http://localhost:5000/signin-oidc (with an HTTP 500 error), but I cannot log in using the user credentials.

Here is the generated token from my identity server:

{
  "sub": "b9bdeb49-83db-3f95-75b1-db61e3849612",
  "name": "testuser",
  "email": "testuser@squidex.io",
  "urn:squidex:permissions": [
    "squidex.apps.myapp.contents",
    "squidex.apps.myapp.assets"
  ],
  "role": "CustomDeveloper",
  "azp": "CoreAppSquidex",
  "nonce": "637853921990736236.OGNkMDExNmEtYzViZS00OGYwLWFmNTAtYTU0ZmNkMDZmZGFkYTIyMDFiNjYtYTNiMy00MzgyLWI0OGMtNmM1YzMyZjcwZWMx",
  "oi_tkn_id": "0b51bc1b-9da2-45c7-a839-4618bda59332",
  "aud": "CoreAppSquidex",
  "exp": 1649796624,
  "iss": "http://localhost:5108/",
  "iat": 1649795424
}

I expected to see a new user created in my local Squidex with those two permissions, but it is not.

Do you have any ideas why it is not working?

Thanks.

Could be a bug, perhaps only one claim of each type is copied over.


At least I cannot find it by looking at the code. If you can debug it, the relevant part could be this one: https://github.com/Squidex/squidex/blob/59904163016e7e115331128cc1b71fd662cd7ca1/backend/src/Squidex.Domain.Users/UserManagerExtensions.cs#L128


Hi Seb,

I can confirm that I am able to add multiple permissions per user, such as:

[screenshot]

However, I cannot access the content. It gives me this error when I try:

Other permissions are working well.

Could you please give us support?

Thanks

Please do not ask this all the time; I am answering here in the forum, right?

You can check the Chrome network tab to see which endpoint throws a 403.

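Tracing a 403 to the permission that is missing from the token is easier when the check is done offline. The script below is an added example, not Squidex or OpenIddict code. It reads the claims from a constructed ID-token payload shaped like the one posted above (a claim issued once arrives as a JSON string, a claim issued several times as an array), applies an oidcRoleMapping of the same shape as the appsettings fragment, and reports which of a list of required permissions is not covered. The wildcard semantics ('*' matches one segment or, at the end, everything after it; 'a|b' alternation; a shorter granted permission covers its children) are an assumed approximation of Squidex's matching, and the permission names used for the endpoints (for example squidex.apps.myapp.languages.read) are assumptions, not taken from the Squidex source.

```python
import json
from typing import Dict, Iterable, List, Set

# Constructed ID-token payload, modelled on the token posted in the thread.
TOKEN_PAYLOAD = json.dumps({
    "sub": "b9bdeb49-83db-3f95-75b1-db61e3849612",
    "name": "testuser",
    "urn:squidex:permissions": [
        "squidex.apps.myapp.contents",
        "squidex.apps.myapp.assets",
    ],
    "role": "CustomDeveloper",
})

# Same shape as the oidcRoleMapping section of appsettings.json (assumed values).
ROLE_MAPPING: Dict[str, List[str]] = {
    "CustomEditor": ["squidex.apps.myapp.assets", "squidex.apps.myapp.contents"],
    "CustomDeveloper": ["squidex.apps.myapp.*"],
}

# Permissions the UI needs on login; names are assumptions for illustration.
REQUIRED_ON_LOGIN = [
    "squidex.apps.myapp.languages.read",
    "squidex.apps.myapp.contents.pages.read",
    "squidex.apps.myapp.assets.read",
]


def claim_values(payload: Dict, name: str) -> List[str]:
    """Return all values of a claim; JWT encodes a repeated claim as an array."""
    value = payload.get(name)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def segment_allows(granted: str, required: str) -> bool:
    """One dotted segment: '*' matches anything, 'a|b' matches either alternative."""
    return granted == "*" or required in granted.split("|")


def permission_allows(granted: str, required: str) -> bool:
    """Assumed approximation of Squidex wildcard matching (see lead-in)."""
    g_parts = granted.split(".")
    r_parts = required.split(".")
    for i, seg in enumerate(g_parts):
        if seg == "*" and i == len(g_parts) - 1:
            return True                      # trailing '*' covers any depth
        if i >= len(r_parts):
            return False                     # granted is narrower than required
        if not segment_allows(seg, r_parts[i]):
            return False
    return True                              # every granted segment matched


def effective_permissions(payload: Dict, role_mapping: Dict[str, List[str]],
                          role_claim: str = "role",
                          perm_claim: str = "urn:squidex:permissions") -> Set[str]:
    """Explicit permission claims plus whatever the role claim maps to."""
    perms = set(claim_values(payload, perm_claim))
    for role in claim_values(payload, role_claim):
        perms.update(role_mapping.get(role, []))
    return perms


def missing_permissions(granted: Iterable[str], required: Iterable[str]) -> List[str]:
    """Required permissions that no granted permission covers, sorted."""
    granted = list(granted)
    return sorted(r for r in required
                  if not any(permission_allows(g, r) for g in granted))


def check_token(payload_json: str, role_mapping: Dict[str, List[str]],
                required: Iterable[str]) -> List[str]:
    """Decode a payload and report the permissions it fails to cover."""
    payload = json.loads(payload_json)
    return missing_permissions(effective_permissions(payload, role_mapping), required)


if __name__ == "__main__":
    # Without the role mapping only the two explicit claims count.
    print("missing (claims only):", check_token(TOKEN_PAYLOAD, {}, REQUIRED_ON_LOGIN))
    # With CustomDeveloper mapped to squidex.apps.myapp.* everything is covered.
    print("missing (with mapping):", check_token(TOKEN_PAYLOAD, ROLE_MAPPING, REQUIRED_ON_LOGIN))
```

Run against a real token, paste the decoded payload into TOKEN_PAYLOAD and the endpoint's permission into REQUIRED_ON_LOGIN; whatever the script lists as missing is the claim to add in the identity server before retrying the login.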

Hi,

The following endpoint throws the exception:

http://mysquidex.com/api/apps/corecms/languages

The permission for that was on my list.

I thought I did add the AppRolesRead permission in my identity server:

identity.AddClaim(Constants.SquidexPermissionsClaimName, "squidex.apps.corecms.roles.read", Destinations.IdentityToken);

But it is not part of the screenshot you posted:

[screenshot]

It is not the same.

Sorry, I mean the languages permission. My link is wrong.


Perfect. It is working now. Also, we now know how to debug and trace permission issues.

Thanks for your support!


Related question, but how did you go about setting up Squidex to use an external auth server?

You have to configure these properties: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex/appsettings.json#L520