Thanks Seb.
Is there any way we can map the role to its permissions so we don't need to manually add the permissions in the identity server?
I found that in the appsettings.json of Squidex there are two properties, oidcRoleClaimType and oidcRoleMapping. So if I configure those settings to
"oidcRoleClaimType": "role",
"oidcRoleMapping": {
    "CustomEditor": [
        "squidex.apps.myapp.assets",
        "squidex.apps.myapp.contents"
    ],
    "CustomDeveloper": [
        "squidex.myapp.corecms.*"
    ]
}
Then in my identity server we just need to add the correct role, such as CustomDeveloper or CustomEditor, for example.
Cheers
It is fully working now that I added the permissions manually in my identity server.
Thank you for your prompt support. It is really helpful.
Perfect. I had forgotten the thing with the role mapping.
Hi Seb,
Unfortunately, it is not working as we expected. In particular, if we add the permissions manually with squidex.apps.{app}.* it is working. But if we add granular permissions such as squidex.apps.{app}.contents.pages|posts|articles, then we cannot log in and the new user is not created.
Also, I honestly don't know how to add multiple permissions per user through our Identity Server. At this moment, what I did is
identity.AddClaim(Constants.SquidexPermissionsClaimName, "squidex.apps.{app}.*", Destinations.IdentityToken);
Could you please have a look and support us?
Many thanks
You can add multiple claims with the same name.
A user has a few implicit permissions as a contributor. I guess you need to add all of them: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex.Domain.Apps.Core.Model/Apps/Role.cs#L17
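Putting Seb's two points together (several claims with the same name, plus the implicit contributor permissions from Role.cs), here is an added C# helper for an OpenIddict-based identity server; it is not Squidex's or the poster's code, and the exact implicit permission strings are assumed from Squidex's Permissions.cs.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class SquidexClaims
{
    // Claim type seen in the token posted in this thread (the poster's Constants.SquidexPermissionsClaimName).
    public const string PermissionsClaimName = "urn:squidex:permissions";

    // Implicit contributor permissions, mirroring the ExtraPermissions list in Role.cs.
    // The exact strings are assumed from Squidex's Permissions.cs; check them against your version.
    private static readonly string[] ImplicitPermissions =
    {
        "squidex.apps.{app}.comments",
        "squidex.apps.{app}.contributors.read",
        "squidex.apps.{app}.history",
        "squidex.apps.{app}.languages.read",
        "squidex.apps.{app}.ping",
        "squidex.apps.{app}.roles.read",
        "squidex.apps.{app}.schemas.read",
        "squidex.apps.{app}.search",
        "squidex.apps.{app}.translate",
        "squidex.apps.{app}.usage",
    };

    // Full de-duplicated permission set for one app: the granular permissions you
    // grant plus the implicit ones every contributor needs to load the app at all.
    public static IReadOnlyCollection<string> BuildPermissions(string app, IEnumerable<string> granted)
    {
        var all = new SortedSet<string>();
        foreach (var p in ImplicitPermissions) all.Add(p.Replace("{app}", app));
        foreach (var p in granted) all.Add(p.Replace("{app}", app));
        return all;
    }

    // One claim per permission, all with the same claim type, so the token carries
    // an array (as in the token posted in this thread) rather than a single value.
    public static void AddPermissionClaims(ClaimsIdentity identity, string app, IEnumerable<string> granted)
    {
        foreach (var permission in BuildPermissions(app, granted))
        {
            identity.AddClaim(PermissionsClaimName, permission, Destinations.IdentityToken);
        }
    }
}

// Call from your OpenIddict authorization endpoint handler (hypothetical call site), e.g.:
// SquidexClaims.AddPermissionClaims(identity, "myapp",
//     new[] { "squidex.apps.{app}.contents.pages", "squidex.apps.{app}.assets" });
```

Decoding the issued id_token should then show a JSON array under urn:squidex:permissions containing both the granted and the implicit entries.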
So you think the role mapping should work if the permissions are defined correctly. I removed it when I tested with manually added permissions. I will try tomorrow.
Thanks again.
I tried but it does not work. I mean that after logging in successfully my identity server redirected me to http://localhost:5000/signin-oidc (with an HTTP 500 error), but I cannot log in using the user credentials.
Here is the generated token from my identity server:
{
    "sub": "b9bdeb49-83db-3f95-75b1-db61e3849612",
    "name": "testuser",
    "email": "testuser@squidex.io",
    "urn:squidex:permissions": [
        "squidex.apps.myapp.contents",
        "squidex.apps.myapp.assets"
    ],
    "role": "CustomDeveloper",
    "azp": "CoreAppSquidex",
    "nonce": "637853921990736236.OGNkMDExNmEtYzViZS00OGYwLWFmNTAtYTU0ZmNkMDZmZGFkYTIyMDFiNjYtYTNiMy00MzgyLWI0OGMtNmM1YzMyZjcwZWMx",
    "oi_tkn_id": "0b51bc1b-9da2-45c7-a839-4618bda59332",
    "aud": "CoreAppSquidex",
    "exp": 1649796624,
    "iss": "http://localhost:5108/",
    "iat": 1649795424
}
I expected to see a new user created in my local Squidex with those two permissions, but it is not.
Do you have any ideas why it is not working?
Thanks
Could be a bug, perhaps only one claim of each type is copied over.
Hi Seb,
I can confirm that I am able to add multiple permissions per user, such as:
However, I cannot access the content. It gives me this error when I try:
Other permissions are working well.
Could you please give us support?
Thanks
Please do not ask this all the time, I am answering there in the forum, right?
You can check the Chrome network tab to see which endpoint throws a 403.
The permission for that was on my list:
{
    public sealed record Role : Named
    {
        private static readonly HashSet<string> ExtraPermissions = new HashSet<string>
        {
            Shared.Permissions.AppComments,
            Shared.Permissions.AppContributorsRead,
            Shared.Permissions.AppHistory,
            Shared.Permissions.AppLanguagesRead,
            Shared.Permissions.AppPing,
            Shared.Permissions.AppRolesRead,
            Shared.Permissions.AppSchemasRead,
            Shared.Permissions.AppSearch,
            Shared.Permissions.AppTranslate,
            Shared.Permissions.AppUsage
        };

        public const string Editor = "Editor";
        public const string Developer = "Developer";
        public const string Owner = "Owner";
        public const string Reader = "Reader";

        // ... remainder of the Role.cs excerpt omitted in the original post
    }
}
I thought I did add the AppRolesRead permission in my identity server:
identity.AddClaim(Constants.SquidexPermissionsClaimName, "squidex.apps.corecms.roles.read", Destinations.IdentityToken);
But it is not part of the screenshot you posted.
Sorry, I mean the languages permission. My link is wrong.
Perfect. It is working now. Also, we now know how to debug and trace permission issues.
Thanks for your support.
Related question, but how did you go about setting up Squidex to use an external auth server?