
Comments (18)

jonrosner commented on June 24, 2024

You have to go to ⚙️ > Users > External. Inside the editor paste a config of the following form:

{
    "providers": [{
        "id": "azure-oauth",
        "label": "Azure SSO Login",
        "provider": "azureAD",
        "params": {
            "tenant": "your-tenant-id",
            "clientId": "your-client-id",
            "clientSecret": "your-client-secret",
            "callbackUrl": "your-domain/azure-oauth",
            "fields": {
                "username": "/email",
                "groups": "/groups",
                "defaultGroups": ["some-group"]
            },
            "scopes": ["openid"]
        }
    }]
}

You can get the tenant ID, client ID and client secret from Azure.

Note: if you do not see an editor in that tab, please update Yaade. I just published a bugfix that fixed a previous version not displaying this editor.

docker rm -f yaade
docker pull esperotech/yaade:latest
docker run -d --restart=always -p 9339:9339 \
    -e YAADE_ADMIN_USERNAME=admin -v yaade:/app/data \
    --name yaade esperotech/yaade:latest

from yaade.

pthoelken commented on June 24, 2024

Thanks, I'll check this today. Can you maybe update the base image, because trivy found some critical vulnerabilities in there?

jonrosner commented on June 24, 2024

Thank you for pointing this out.

pthoelken commented on June 24, 2024

It works like a charm. Thanks for your assistance in this case. But how can the users work in the same team? Like the example below:

  • All login via MS Azure Auth
  • Peter and John should work in "Team Backend"
  • Adam and Will should work in "Team Frontend"

Option 1 is that the admins create the teams and add the users to the team.
Option 2 (the better option) is that the first user and creator of a team can add other members to their team (like Hoppscotch).

Team Backend should not see the content from Team Frontend of course.

Is there an option for this, or is it a feature request?

jonrosner commented on June 24, 2024

It should be possible to configure your groups in Active Directory. You can add your users to a specific group (e.g. "Team Backend", "Team Frontend"). https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-fed-group-claims

Now what you need to do is configure your tokens so that they include the groups in the /groups field (see this line in the config: "groups": "/groups").

Now all users that belong to a group in AD will automatically have that group assigned in yaade as well.

Does that solve your problem?

pthoelken commented on June 24, 2024

Nice, do you have a config example for me for when I have more than two groups and a default group?

{
    "providers": [{
        "id": "azure-oauth",
        "label": "Azure SSO Login",
        "provider": "azureAD",
        "params": {
            "tenant": "your-tenant-id",
            "clientId": "your-client-id",
            "clientSecret": "your-client-secret",
            "callbackUrl": "your-domain/azure-oauth",
            "fields": {
                "username": "/email",
                "groups": ["/groups/Team-Backend", "/groups/Team-Frontend"],
                "defaultGroups": ["default"]
            },
            "scopes": ["openid"]
        }
    }]
}

Check the configuration above, is this right?

pthoelken commented on June 24, 2024

And @jonrosner, as far as I know I can't create sub-groups in Azure AD, so how should the application fetch sub-groups following the instructions you gave me?

Thanks for your assistance. :-)

jonrosner commented on June 24, 2024

Hey, the groups field should stay the same as I posted earlier: "groups": "/groups". You will have to create and assign the proper groups in Azure AD, and you have to configure Azure to put the groups into the /groups field in the JWT (id token).

There is currently no way to configure specific external users in Yaade itself, so you will have to do it via Azure for now.

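The resolution jonrosner describes, as an added example that is not part of the thread or of Yaade's code base: it takes the "fields" block from the provider config and applies it to decoded id_token claims. It assumes that the "/email" and "/groups" values are JSON pointers (RFC 6901) into the token payload and that "defaultGroups" is used when the groups pointer resolves to nothing; both claim sets are constructed. It also shows why a per-group pointer such as /groups/Team-Backend, as tried earlier in the thread, cannot match an array-valued groups claim.

```python
"""Resolve a Yaade-style "fields" mapping against the decoded claims of an
id_token ("username": "/email", "groups": "/groups").

Added example, not Yaade's own code. Assumption: the field values are RFC 6901
JSON pointers into the decoded id_token payload, and "defaultGroups" applies
when the groups pointer resolves to nothing. Both claim sets are constructed.
"""
from typing import Any

# The "fields" block of the provider config posted in the thread.
FIELDS = {
    "username": "/email",
    "groups": "/groups",
    "defaultGroups": ["some-group"],
}

# Constructed id_token claims for a user whose token carries a groups claim.
# Entra emits group object IDs here unless the claim is configured to emit
# names; names are used so the example lines up with the thread.
CLAIMS_WITH_GROUPS = {
    "aud": "your-client-id",
    "iss": "https://login.microsoftonline.com/your-tenant-id/v2.0",
    "email": "peter@example.com",
    "groups": ["Team-Backend"],
}

# Constructed claims for a user whose token has no groups claim at all.
CLAIMS_WITHOUT_GROUPS = {
    "aud": "your-client-id",
    "iss": "https://login.microsoftonline.com/your-tenant-id/v2.0",
    "email": "adam@example.com",
}


def resolve_pointer(doc: Any, pointer: str) -> Any:
    """Minimal RFC 6901 JSON pointer lookup. Returns None when the path is absent."""
    if pointer == "":
        return doc
    if not pointer.startswith("/"):
        raise ValueError("JSON pointer must be empty or start with '/'")
    current = doc
    for raw in pointer.split("/")[1:]:
        token = raw.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping, ~1 first
        if isinstance(current, dict):
            if token not in current:
                return None
            current = current[token]
        elif isinstance(current, list):
            # Array elements are addressed by index only; a name never matches.
            if not token.isdigit() or int(token) >= len(current):
                return None
            current = current[int(token)]
        else:
            return None
    return current


def map_claims_to_user(claims: dict, fields: dict) -> dict:
    """Produce the username and group list that would be assigned from these claims."""
    username = resolve_pointer(claims, fields["username"])
    if not isinstance(username, str) or not username:
        raise ValueError(f"no usable username at {fields['username']!r}")
    groups = resolve_pointer(claims, fields["groups"])
    if isinstance(groups, str):
        groups = [groups]  # a single-valued claim is still one membership
    if not isinstance(groups, list) or not groups:
        # Nothing usable in the token: fall back to the configured defaults,
        # which matches the thread, where only the default group appeared.
        groups = list(fields.get("defaultGroups", []))
    return {"username": username, "groups": sorted(set(map(str, groups)))}


if __name__ == "__main__":
    print(map_claims_to_user(CLAIMS_WITH_GROUPS, FIELDS))
    print(map_claims_to_user(CLAIMS_WITHOUT_GROUPS, FIELDS))
    # A per-group pointer cannot match an array-valued claim: this prints None.
    print(resolve_pointer(CLAIMS_WITH_GROUPS, "/groups/Team-Backend"))
```

Running it shows the second user landing in "some-group" only, which is the symptom reported later in the thread when the token carries no groups claim.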

pthoelken commented on June 24, 2024

Hey @jonrosner, we did this exactly as you described, but when I log in with a new session and a freshly cleared browser the group doesn't show up.

What we did in Azure was the following:

  1. We created groups (Team A, Team B)
  2. We added the groups to the auth app
  3. We configured the token so that /groups/groupname was included in the token
  4. We added my user to the "Team A" group
  5. After restarting the containers and clearing the browser cache, the groups still don't show up

image

"Default" comes from the configuration snippet.

jonrosner commented on June 24, 2024

Please check the JWT token and make sure that the groups are actually put into the correct field that you configured using the "groups" property. If possible you could post that part of the JWT.

pthoelken commented on June 24, 2024

Hey @jonrosner, do you have a reliable way to debug the token? How do you debug the Azure JWT token?

jonrosner commented on June 24, 2024

You can do this via Yaade and your browser directly.

  1. In your browser open a new tab and open the developer console (cmd+shift+c for Chrome).
  2. Go to the network tab in the developer console.
  3. Now open the URL https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize?client_id=${client_id}&response_type=code&redirect_uri=${redirect_uri}&scope=${scope}&state=${state} where you replace all the variables with the respective values that you configured in yaade in the external provider tab. As state you can just put in 123456, scope must be openid.
  4. Now you should be prompted to log into your Microsoft account. Do that and upon successful login you will be redirected back to yaade.
  5. The callback to yaade will probably fail, that's fine. The important thing is to extract the URL the call was made to from the network tab. In the query parameters of this call there should be a ?code=XXXX parameter. You need to copy this. Make sure to copy it correctly and do not include any other params.
  6. Now open yaade as you would normally and create a new request of the following form:

POST https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=${client_id}
&client_secret=${client_secret}
&code=${code}
&redirect_uri=${redirect_uri}
&grant_type=authorization_code

  7. Again set all the variables to the values you defined in your external providers config. Also set the code to the value you copied earlier.
  8. Now execute the request and you should receive a response of the following form:

{
    "token_type": "Bearer",
    "scope": "profile openid email User.Read",
    "expires_in": 5288,
    "ext_expires_in": 5288,
    "access_token": "ey....",
    "id_token": "ey...."
}

  9. Copy the ID token into jwt.io to inspect its content.

Unfortunately, I don't know an easier way to obtain the same access token that yaade would receive...

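The procedure above as a script, added here as an example that is not part of the thread or of Yaade: it builds the authorize URL, extracts the code from the failed callback, builds the back-channel token request and decodes the id_token without jwt.io. Tenant, client ID, secret and redirect URI are placeholders for the values in the provider config, and the unsigned JWT used to exercise the decoder is constructed. The authorize URL carries no client_secret: the secret is only ever sent in the server-side POST to the token endpoint, so it never lands in browser history or the network tab.

```python
"""Reproduce the Azure AD v2.0 authorization-code exchange so the id_token
can be decoded and inspected.

Added example, not Yaade's or Microsoft's code. It assumes only the standard
OAuth 2.0 / OpenID Connect parameters; tenant, client ID, client secret and
redirect URI are placeholders for the values in the Yaade provider config.
"""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


def build_authorize_url(tenant, client_id, redirect_uri, scopes=("openid",),
                        state=None, nonce=None):
    """Step 3 of the procedure: the URL to open in the browser.

    state ties the callback to this request; nonce is echoed in the id_token.
    Both are random per attempt. No client_secret goes into this URL.
    """
    if "openid" not in scopes:
        raise ValueError("scope must include openid to receive an id_token")
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}", state, nonce


def query_params(url):
    """Flatten a URL's query string into a plain dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def extract_code(callback_url, expected_state):
    """Step 5: pull the one-time code out of the redirect back to the callback URL."""
    query = query_params(callback_url)
    if query.get("state") != expected_state:
        raise ValueError("state mismatch: this callback does not belong to our request")
    if "error" in query:
        raise ValueError(f"{query['error']}: {query.get('error_description', '')}")
    return query["code"]


def build_token_request(tenant, client_id, client_secret, code, redirect_uri):
    """Steps 6-8: the back-channel POST. Returns (url, headers, form body)."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,   # the only place the secret is sent
        "code": code,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token", headers, body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Step 9 without jwt.io: read the claims. The signature is NOT verified,
    which is fine for inspection but never for accepting a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_jwt(claims):
    """Constructed stand-in for a real id_token so the decoder runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def check_id_token(claims, client_id, nonce):
    """Checks to make before trusting what the decoded claims say."""
    problems = []
    if claims.get("aud") != client_id:
        problems.append(f"aud {claims.get('aud')!r} != client_id: not the id_token for this app")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch: token does not belong to this authorize request")
    if "groups" not in claims:
        problems.append("no groups claim: the app registration does not emit groups into the id_token")
    return problems


if __name__ == "__main__":
    url, state, nonce = build_authorize_url("your-tenant-id", "your-client-id",
                                            "https://yaade.example/azure-oauth")
    print("open in browser:", url)
    token = make_unsigned_jwt({"aud": "your-client-id", "nonce": nonce, "email": "peter@example.com"})
    print(check_id_token(decode_jwt_payload(token), "your-client-id", nonce))
```

After the real exchange, paste the id_token from the token response into decode_jwt_payload and run check_id_token against it; a non-empty list tells you whether you are looking at the wrong token or at a token that was simply never configured to carry groups.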

pthoelken commented on June 24, 2024

Thanks @jonrosner, can you tell me, are these the right permissions for the application?

image

pthoelken commented on June 24, 2024

I think there is "openid" missing, right?

pthoelken commented on June 24, 2024

I will evaluate this tomorrow in the azure AD and the jwt token.

pthoelken commented on June 24, 2024

@jonrosner we also added "openid" in the permissions tab but it still doesn't work for us. Maybe the migration to Entra (Azure) is the cause of this?

image

For your information, this is my Azure JWT token:

===========================================================================================
= Decoded JWT Azure AD Token
===========================================================================================

{
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/XXXXXXXXXXXXXXXXXXX/",
    "iat": XXXXXXXXXXXXXXXXXXX,
    "nbf": XXXXXXXXXXXXXXXXXXX,
    "exp": XXXXXXXXXXXXXXXXXXX,
    "aio": "XXXXXXXXXXXXXXXXXXX",
    "app_displayname": "yaade",
    "appid": "XXXXXXXXXXXXXXXXXXX",
    "appidacr": "1",
    "idp": "https://sts.windows.net/XXXXXXXXXXXXXXXXXXX/",
    "idtyp": "app",
    "oid": "XXXXXXXXXXXXXXXXXXX",
    "rh": "XXXXXXXXXXXXXXXXXXX",
    "roles": [
        "User.Read.All"
    ],
    "sub": "XXXXXXXXXXXXXXXXXXX",
    "tenant_region_scope": "EU",
    "tid": "XXXXXXXXXXXXXXXXXXX",
    "uti": "XXXXXXXXXXXXXXXXXXX",
    "ver": "1.0",
    "wids": [
        "XXXXXXXXXXXXXXXXXXX"
    ],
    "xms_tcdt": XXXXXXXXXXXXXXXXXXX,
    "xms_tdbr": "EU"
}

===========================================================================================
= End of decoded JWT Azure AD Token
===========================================================================================

jonrosner commented on June 24, 2024

Unfortunately I don't know the exact workings of Azure AD. But basically the solution to your problem is that you need to get your groups claims into this token somehow.

One thing that I see is that your claim is optional. This probably means that in your client that issues those yaade tokens you need to somehow make it required.

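A check for the dump above, added here as an example that is not from the thread or from Yaade: it reads decoded claims and reports whether this is the token Yaade inspects at all and, if so, whether a groups claim is present. It relies on documented Entra ID token semantics (the "aud" and "idtyp" claims and the group-overage markers) and on constructed claim sets; the first one reproduces the shape of the redacted dump with placeholder values.

```python
"""Triage a decoded Entra ID / Azure AD token and explain why no groups arrive.

Added example, not Yaade's or Microsoft's code. Documented token facts used:
an id_token's "aud" is the application's own client ID, while an "aud" of
https://graph.microsoft.com (or Graph's app ID 00000003-0000-0000-c000-000000000000)
marks an access token for Microsoft Graph; "idtyp": "app" marks an app-only
token from the client-credentials flow, which has no signed-in user; and when
a user belongs to more groups than fit in the token, the "groups" claim is
replaced by an overage marker ("_claim_names"/"_claim_sources", or "hasgroups").
All claim sets below are constructed.
"""

GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Constructed from the redacted dump posted in the thread.
DUMPED_TOKEN = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/your-tenant-id/",
    "app_displayname": "yaade",
    "appid": "your-client-id",
    "idtyp": "app",
    "roles": ["User.Read.All"],
    "ver": "1.0",
}

# Constructed id_token as it should look once the groups claim is configured.
GOOD_ID_TOKEN = {
    "aud": "your-client-id",
    "iss": "https://login.microsoftonline.com/your-tenant-id/v2.0",
    "email": "peter@example.com",
    "groups": ["Team-Backend"],
    "ver": "2.0",
}

# Constructed id_token for a user in too many groups: the list is replaced by
# a pointer to a Graph endpoint (placeholder URL).
OVERAGE_ID_TOKEN = {
    "aud": "your-client-id",
    "email": "john@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/<oid>/getMemberObjects"}},
}


def triage_token(claims: dict, client_id: str, groups_claim: str = "groups") -> dict:
    """Return {"status", "findings", "groups"} for a decoded token."""
    findings = []
    aud = claims.get("aud")
    if aud in GRAPH_AUDIENCES:
        findings.append("aud is Microsoft Graph: this is a Graph access token, not the "
                        "id_token; decode the id_token field of the token response instead")
    elif aud != client_id:
        findings.append(f"aud {aud!r} is not this app's client ID: the token was not "
                        "issued to this application")
    if claims.get("idtyp") == "app":
        findings.append("idtyp=app: app-only token (client credentials); there is no "
                        "signed-in user, so user groups cannot appear")
    if findings:
        return {"status": "wrong-token", "findings": findings, "groups": []}

    groups = claims.get(groups_claim)
    if isinstance(groups, list) and groups:
        return {"status": "ok", "findings": [], "groups": list(groups)}

    overage = (str(claims.get("hasgroups", "")).lower() == "true"
               or groups_claim in claims.get("_claim_names", {}))
    if overage:
        return {"status": "overage", "groups": [], "findings": [
            "group overage: too many memberships to embed; fetch them from the "
            "_claim_sources endpoint, or limit the claim to groups assigned to the application"]}

    return {"status": "missing", "groups": [], "findings": [
        f"no {groups_claim!r} claim: add a groups claim in the app registration's token "
        "configuration (groupMembershipClaims in the manifest) and check the user is in a "
        "group it covers"]}


if __name__ == "__main__":
    for name, claims in [("dump", DUMPED_TOKEN), ("good", GOOD_ID_TOKEN), ("overage", OVERAGE_ID_TOKEN)]:
        print(name, triage_token(claims, "your-client-id"))
```

Run against the dump it reports "wrong-token" twice over: the pasted claims are a Graph access token obtained app-only, so no user and no groups can be in it; the id_token from the authorization-code exchange is the one to inspect.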

jonrosner commented on June 24, 2024

Closed due to inactivity.
