
Admin users switched to non-admin user after login with OIDC #70

Open
Intimaria opened this issue Nov 30, 2022 · 8 comments

Comments

@Intimaria

So if I set a user as administrator in the database, they are able to view the administrator panel and administer the site. However, if they log in with OIDC (specifically using Keycloak), the database is changed and the user is set back to non-admin.
The plugin seems to be writing to the database with each login.

This is only happening when logging in with OIDC; if the user logs in normally, the database isn't touched and the user remains an administrator.

@syswipe

syswipe commented Dec 2, 2022

I've found the same issue. Have you solved one?

@Intimaria

Intimaria commented Dec 2, 2022

Yes, it requires setup on the Keycloak administration dashboard for the client. There's a setting in the plugin configuration page where you can set the admin group or role. You have to create an admin group.

These are instructions specifically for the Keycloak IdP:

  1. Within your client, in the roles tab, add a role, for instance admin.
  2. From within Groups, create a group to define administrators.
  3. Within the group, in role-mappings, select the client for your app, and add to the group the role you just created.
  4. When you add users to the group, they will automatically have the admin role.
  5. Check the JWT access token generation. It should include the admin role.

@ecswai201

ecswai201 commented Dec 16, 2022

Can I see your Keycloak and Redmine configuration?
I have trouble with this job.

#75

@sergiovilaseco

sergiovilaseco commented Jan 31, 2023

Hi @Intimaria,

I am trying to configure this plugin with Microsoft OpenID. I have added the roles as you mentioned in your previous post but I am still having the same issue (admin users are set as normal users).

This is the token I get from MS:
{
  ...
  "roles": [
    "admin"
  ],
  ...
}

Is this the way that the plugin is expecting the role? if not, is there any modification I can make on the plugin to adapt it?

Thanks in advance

@Intimaria
Yes, you have to configure the plugin from within redmine to give administrator access to the admin role you created.

@bilelzr

bilelzr commented Apr 3, 2023

Hello, did anyone find a solution? Still having the same issue :'(
Thank you in advance.

@malmoussa

Hi I have the same issue.

The token generated by my IDP looks like this, according to the documentation.

{
  "sub": "xxxxxxxxxxxxxxxxxx",
  "name": "firstname lastname",
  "email": "[email protected]",
  "ver": 1,
  "iss": "url",
  "aud": "audience",
  "iat": nnnnnnnnn,
  "exp": mmmmmmmmm,
  "jti": "ID.xxxxxxxxxxxxxxxxxxx",
  "amr": [
    "pwd"
  ],
  "idp": "IDP",
  "preferred_username": "[email protected]",
  "auth_time": uuuuuuuu,
  "at_hash": "azefegrhtnuoykuil",
  "member_of": [
    "admin"
  ]
}

The member_of claim is an array that contains a group which is mapped in Redmine to be administrator.

But this doesn't work.

The authentication works but the users are not admin in Redmine.

Could someone help me?

Regards

@vokamut

vokamut commented Jul 24, 2023

Made a PR to solve this problem. Added a flag that cancels the group change:
#86
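The thread turns on two things: where the admin role actually appears in the token (Intimaria's Keycloak steps, sergiovilaseco's `roles` claim, malmoussa's `member_of` claim) and whether the plugin should overwrite the stored admin flag on every login at all (the flag added in the PR above). The following Ruby is an added illustration, not the plugin's code: it decodes the payload of a constructed token, looks for a configured admin role in the claim locations mentioned in this thread plus the standard Keycloak ones (`realm_access.roles` for realm roles and `resource_access.<client_id>.roles` for client roles, which is where a role created in the client's roles tab lands), and computes the admin flag that a login would write. The `groups` claim, the `redmine` client id, the function names and the sample claims are assumptions made for the example; signature verification is assumed to have happened before any of this runs.

```ruby
require 'base64'
require 'json'

# Build a constructed, unverified token so the example runs offline.
# The signature segment is a placeholder: nothing here verifies it.
def constructed_token(claims)
  header = { 'alg' => 'RS256', 'typ' => 'JWT' }
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  "#{enc.call(header)}.#{enc.call(claims)}.constructed-signature"
end

# Decode only the payload segment of a compact JWS.
# Assumed precondition: the token's signature has already been checked.
def payload_claims(jwt)
  segments = jwt.split('.')
  raise ArgumentError, 'not a compact JWS' unless segments.length == 3
  JSON.parse(Base64.urlsafe_decode64(segments[1]))
end

# Look for admin_role in the claim locations seen in this thread and in
# Keycloak's standard role claims:
#   "roles"                               app roles (sergiovilaseco's token)
#   "member_of"                           group claim (malmoussa's token)
#   "groups"                              generic group claim (assumed)
#   "realm_access.roles"                  Keycloak realm roles
#   "resource_access.<client_id>.roles"   Keycloak client roles (Intimaria's step 1)
# A client role is only found when the caller passes the right client_id.
def admin_claim_present?(claims, admin_role, client_id: nil)
  candidates = []
  candidates.concat(Array(claims['roles']))
  candidates.concat(Array(claims['member_of']))
  candidates.concat(Array(claims['groups']))
  candidates.concat(Array(claims.dig('realm_access', 'roles')))
  candidates.concat(Array(claims.dig('resource_access', client_id, 'roles'))) if client_id
  candidates.include?(admin_role)
end

# The admin flag a login would store. With sync_admin: true the token
# decides, so a token without the role demotes an existing admin (the bug
# in this issue). With sync_admin: false the stored value is left alone,
# which is the behaviour a "do not change the admin flag" option gives.
def admin_after_login(current_admin, claims, admin_role, client_id: nil, sync_admin: true)
  return current_admin unless sync_admin
  admin_claim_present?(claims, admin_role, client_id: client_id)
end

# Constructed sample claims (not real tokens).
KEYCLOAK_CLAIMS = {
  'sub' => 'constructed-sub-1', 'preferred_username' => 'alice',
  'resource_access' => { 'redmine' => { 'roles' => ['admin'] } }
}.freeze
MS_CLAIMS = { 'sub' => 'constructed-sub-2', 'roles' => ['admin'] }.freeze
MEMBER_OF_CLAIMS = { 'sub' => 'constructed-sub-3', 'member_of' => ['admin'] }.freeze
NO_ROLE_CLAIMS = { 'sub' => 'constructed-sub-4', 'preferred_username' => 'bob' }.freeze

if __FILE__ == $PROGRAM_NAME
  kc = payload_claims(constructed_token(KEYCLOAK_CLAIMS))
  puts "keycloak client role, client_id given: #{admin_claim_present?(kc, 'admin', client_id: 'redmine')}"
  puts "keycloak client role, client_id missing: #{admin_claim_present?(kc, 'admin')}"
  puts "ms roles claim: #{admin_claim_present?(MS_CLAIMS, 'admin')}"
  puts "member_of claim: #{admin_claim_present?(MEMBER_OF_CLAIMS, 'admin')}"
  puts "existing admin, no role, sync on:  #{admin_after_login(true, NO_ROLE_CLAIMS, 'admin')}"
  puts "existing admin, no role, sync off: #{admin_after_login(true, NO_ROLE_CLAIMS, 'admin', sync_admin: false)}"
end
```

The second Keycloak case is the one to look at when the role "is in the token" but the user still lands as non-admin: a role created in the client's roles tab sits under `resource_access.<client_id>.roles`, so a lookup that only reads a top-level `roles` or `member_of` claim, or the realm roles, never sees it and the login writes admin = false.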
