Comments (18)
You have to go to ⚙️ > Users > External. Inside the editor paste a config of the following form:
{
  "providers": [{
    "id": "azure-oauth",
    "label": "Azure SSO Login",
    "provider": "azureAD",
    "params": {
      "tenant": "your-tenant-id",
      "clientId": "your-client-id",
      "clientSecret": "your-client-secret",
      "callbackUrl": "your-domain/azure-oauth",
      "fields": {
        "username": "/email",
        "groups": "/groups",
        "defaultGroups": ["some-group"]
      },
      "scopes": ["openid"]
    }
  }]
}
You can get the tenant ID, client ID and client secret from Azure.
Note: if you do not see an editor in that tab, please update Yaade. I just published a bugfix that fixed a previous version not displaying this editor.
docker rm -f yaade
docker pull esperotech/yaade:latest
docker run -d --restart=always -p 9339:9339 \
-e YAADE_ADMIN_USERNAME=admin -v yaade:/app/data \
--name yaade esperotech/yaade:latest
from yaade.
Thanks, I'll check this today. Can you maybe update the base image, because trivy found some critical vulnerabilities in there?
Thank you for pointing this out.
It works like a charm. Thanks for your assistance in this case. But how can users work in the same team? Like the example below:
- All login via MS Azure Auth
- Peter and John should work in "Team Backend"
- Adam and Will should work in "Team Frontend"
Option 1 is that the admins create the teams and add the users to the team.
Option 2 is (the better option) that the first user and creator of a team can add other members to their team (like hoppscotch).
Team Backend should not see the content from Team Frontend, of course.
Is there an option or is this a feature request?
It should be possible to configure your groups in Active Directory. You can add your users to a specific group (e.g. "Team Backend", "Team Frontend"). https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-fed-group-claims
Now what you need to do is configure your tokens in a way that they include the groups in the /groups field (see this line in the config: "groups": "/groups").
Now all users that belong to a group in AD will automatically have that group assigned in yaade as well.
Does that solve your problem?
Nice, do you have a config example for me, for when I have more than two groups and a default group?
{
  "providers": [{
    "id": "azure-oauth",
    "label": "Azure SSO Login",
    "provider": "azureAD",
    "params": {
      "tenant": "your-tenant-id",
      "clientId": "your-client-id",
      "clientSecret": "your-client-secret",
      "callbackUrl": "your-domain/azure-oauth",
      "fields": {
        "username": "/email",
        "groups": "/groups/Team-Backend","/groups/Team-Frondend",
        "defaultGroups": ["default"]
      },
      "scopes": ["openid"]
    }
  }]
}
Check the configuration above; is this right?
And @jonrosner, as far as I know I can't create sub-groups in Azure AD, so how should the application fetch sub-groups according to the instructions you gave me?
Thanks for your assistance. :-)
hey, the groups field should stay the same as I posted earlier: "groups": "/groups". You will have to create and assign the proper groups in azure AD and you have to configure azure to put the groups into the /groups field in the JWT (id-token).
There is currently no way to configure specific external users in Yaade itself, so you will have to do it via Azure for now.
Hey @jonrosner, we do this exactly like you describe, but when I'm logged in with a new session and a freshly cleared browser the group doesn't show up.
What we did in Azure was this:
- We created groups (Team A, Team B)
- We added the groups to the auth app
- We configured the token so that /groups/groupname was included in the token
- We added my user to the "Team A" group
- After restarting the containers and clearing the browser cache, the groups don't show up
"Default" comes from the configuration snippet.
Please check the JWT token and make sure that the groups are actually put into the correct field that you configured using the "groups" property. If possible you could post that part of the JWT.
Hey @jonrosner, do you have a reliable way to debug the token? How do you debug the Azure JWT token?
you can do this via Yaade and your browser directly.
- in your browser open a new tab and open the developer console (cmd+shift+c for chrome)
- go to the network tab in developer console
- now open the URL
  https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize?client_id=${client_id}&client_secret=${client_secret}&response_type=code&redirect_uri=${redirect_uri}&scope=${scope}&state=${state}
  where you replace all the variables with the respective values that you configured in yaade in the external provider tab. As state you can just put in 123456, scope must be openid.
- now you should be prompted to log into your Microsoft account. Do that and upon successful login you will be redirected back to yaade.
- The callback to yaade will probably fail, that's fine. The important thing is to extract the URL to where the call was made from the network tab. In the query parameters of this call there should be a ?code=XXXX parameter. You need to copy this. Make sure to copy it correctly and do not have any other params in there.
- Now open yaade as you would normally, create a new request that has the following form:
  POST https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token
  Content-Type: application/x-www-form-urlencoded
  client_id=${client_id}
  &client_secret=${client_secret}
  &code=${code}
  &redirect_uri=${redirect_uri}
  &grant_type=authorization_code
- Again set all the environment variables correctly to the things you defined in your external providers config. Also set the code to the value you copied earlier.
- Now execute the request and you should receive a response of the following form
  {
    "token_type": "Bearer",
    "scope": "profile openid email User.Read",
    "expires_in": 5288,
    "ext_expires_in": 5288,
    "access_token": "ey....",
    "id_token": "ey...."
  }
- Copy the ID token into jwt.io to inspect its content.
Unfortunately, I don't know an easier way to obtain the same access token that yaade would receive...
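To make the token-debugging steps above concrete, here is an added Python example (not Yaade's own code) that decodes a JWT payload the way jwt.io does, applies the provider's "fields" mapping from the config earlier in the thread, and reports why a login would end up with only the default group. It assumes Yaade's field paths are RFC 6901 JSON pointers and that an id_token's aud is the app's client ID; the sample claims are constructed.

```python
import base64
import json

# Field mapping from the provider config pasted in this thread.
PROVIDER_FIELDS = {"username": "/email", "groups": "/groups", "defaultGroups": ["default"]}

def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT's payload WITHOUT verifying the signature: for local inspection only
    (what jwt.io does), never for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def resolve_pointer(doc, pointer: str):
    """Resolve an RFC 6901 JSON pointer ('/groups', '/a/0/b'); None if absent.
    Assumption: Yaade's "fields" paths use JSON-pointer syntax."""
    cur = doc
    for part in (pointer.lstrip("/").split("/") if pointer else []):
        part = part.replace("~1", "/").replace("~0", "~")
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
            cur = cur[int(part)]
        else:
            return None
    return cur

def map_user(claims: dict, fields: dict, client_id: str) -> dict:
    """Apply the field mapping and list why a login would end up with only default groups."""
    problems = []
    # An OIDC id_token is issued to the app, so "aud" is the app's client ID; a token with
    # aud https://graph.microsoft.com is a Graph access token, not the id_token Yaade reads.
    if claims.get("aud") != client_id:
        problems.append(f"aud={claims.get('aud')!r} is not the client ID: not this app's id_token")
    username = resolve_pointer(claims, fields["username"])
    if not isinstance(username, str):
        problems.append(f"username field {fields['username']} missing from token")
    groups = resolve_pointer(claims, fields["groups"])
    if not isinstance(groups, list):
        problems.append(f"groups field {fields['groups']} missing: Azure emitted no group claims")
        groups = []
    return {"username": username, "problems": problems,
            "groups": sorted(set(groups) | set(fields["defaultGroups"]))}

def build_sample_token(claims: dict) -> str:
    """Constructed, unsigned token for offline testing only (dummy signature segment)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])
```

Run map_user on the decoded id_token from the token request above: an empty "problems" list with the expected groups means the Azure side is emitting the claim where the config looks for it.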
Thanks @jonrosner, can you tell me, are these the right permissions for the application?
I think there is "openid" missing, right?
I will evaluate this tomorrow in the azure AD and the jwt token.
@jonrosner we also added "openid" in the permissions tab but it still doesn't work for us. Maybe the migration to Entra Azure is a cause for this?
For your information, this is my Azure JWT token:
===========================================================================================
= Decoded JWT Azure AD Token
===========================================================================================
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/XXXXXXXXXXXXXXXXXXX/",
  "iat": XXXXXXXXXXXXXXXXXXX,
  "nbf": XXXXXXXXXXXXXXXXXXX,
  "exp": XXXXXXXXXXXXXXXXXXX,
  "aio": "XXXXXXXXXXXXXXXXXXX",
  "app_displayname": "yaade",
  "appid": "XXXXXXXXXXXXXXXXXXX",
  "appidacr": "1",
  "idp": "https://sts.windows.net/XXXXXXXXXXXXXXXXXXX/",
  "idtyp": "app",
  "oid": "XXXXXXXXXXXXXXXXXXX",
  "rh": "XXXXXXXXXXXXXXXXXXX",
  "roles": [
    "User.Read.All"
  ],
  "sub": "XXXXXXXXXXXXXXXXXXX",
  "tenant_region_scope": "EU",
  "tid": "XXXXXXXXXXXXXXXXXXX",
  "uti": "XXXXXXXXXXXXXXXXXXX",
  "ver": "1.0",
  "wids": [
    "XXXXXXXXXXXXXXXXXXX"
  ],
  "xms_tcdt": XXXXXXXXXXXXXXXXXXX,
  "xms_tdbr": "EU"
}
===========================================================================================
= End of decoded JWT Azure AD Token
===========================================================================================
Unfortunately I don't know exactly how Azure AD works. But basically the solution to your problem is that you need to get your group claims into this token somehow.
One thing that I see is that your claim is optional. This probably means that in your client that issues those yaade tokens you need to somehow make it required.
Closed due to inactivity.