
Comments (7)

tananaev avatar tananaev commented on June 20, 2024

It looks like your provider doesn't return "groups". That's why it fails.

from traccar.

oliverchambers avatar oliverchambers commented on June 20, 2024

Weird!

Azure Active Directory / Entra ID certainly supports groups in its OIDC implementation, and I am successfully using it with this WordPress plugin https://github.com/psignoret/aad-sso-wordpress, for example, to log in and assign different members of security groups in the directory to different WordPress roles. It must return groups for that? I've given the app permission to read all users and groups in the directory too.

[Screenshot 2024-01-30 at 14:49:29]

tananaev avatar tananaev commented on June 20, 2024

It could be that they report it as a different parameter.

oliverchambers avatar oliverchambers commented on June 20, 2024

Okay, I have made some progress...

I had to add groups as an optional claim so that it is returned in the token. I've also ensured email and UPN are returned in the token.

However, now I get

Your OpenID Groups do not permit access to Traccar. - GeneralSecurityException (OpenIdProvider:189 < SessionResource:172 < ... < OverrideFilter:49 < ...)

I am a member of both the groups and the app in EntraID has access to the groups specified in openid.allowGroup and openid.adminGroup. When I remove these entries in the Traccar config file I get this error again.

No value specified for parameter 1 - SQLException (... < QueryBuilder:413 < DatabaseStorage:76 < Storage:49 < ...)

Any ideas where I'm going wrong?

tananaev avatar tananaev commented on June 20, 2024

Probably something is wrong with your openid.allowGroup or openid.adminGroup:

https://github.com/traccar/traccar/blob/master/src/main/java/org/traccar/database/OpenIdProvider.java#L188

4pack avatar 4pack commented on June 20, 2024

I'm having this exact same issue. I did end up getting it to work without the allowGroup or adminGroup functionality.

You need to make sure you use the correct issuerUrl, instead of defining the URLs individually.

<entry key='openid.issuerUrl'>https://login.microsoftonline.com/<your-m365-tenantid>/v2.0</entry>

If you do put in allowGroup or adminGroup, the login will fail with the below error:

AADSTS650053: The application 'Traccar' asked for scope 'groups' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'

That UUID refers to Microsoft Graph. My guess is somehow the groups aren't being read correctly, at least from an Azure standpoint.
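The advice above (configure a single openid.issuerUrl and let discovery supply the endpoints, and expect a rejection when the client asks for a 'groups' scope the provider does not advertise) can be checked against the provider's metadata. The following is an added example and not Traccar's code: the discovery document is a constructed, abridged sample, the tenant id is a placeholder, and a live client would fetch the real document from the URL that discovery_url() computes.

```python
# Added example, not Traccar's code: resolve an OIDC issuer URL to its
# discovery document, verify the issuer, and split the wanted scopes into
# the ones the provider advertises and the ones it does not.
import json

# Placeholder tenant id, as in the comment above.
ISSUER_URL = "https://login.microsoftonline.com/<your-m365-tenantid>/v2.0"

# Constructed, abridged sample of an Entra ID v2.0 discovery document.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": ISSUER_URL,
    "authorization_endpoint":
        "https://login.microsoftonline.com/<your-m365-tenantid>/oauth2/v2.0/authorize",
    "token_endpoint":
        "https://login.microsoftonline.com/<your-m365-tenantid>/oauth2/v2.0/token",
    "jwks_uri":
        "https://login.microsoftonline.com/<your-m365-tenantid>/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def discovery_url(issuer_url: str) -> str:
    """OpenID Connect Discovery: metadata lives at
    <issuer>/.well-known/openid-configuration, which is why one issuerUrl
    setting replaces hand-typed authorization/token/userinfo endpoints."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def load_discovery(issuer_url: str, document_text: str) -> dict:
    """Parse the metadata and fail closed on the checks that matter: the
    advertised issuer must equal the configured one (id_tokens are later
    checked against it), and the endpoints the flow needs must be https."""
    doc = json.loads(document_text)
    if doc.get("issuer", "").rstrip("/") != issuer_url.rstrip("/"):
        raise ValueError("issuer in metadata does not match configured issuerUrl")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            raise ValueError(f"discovery metadata lacks an https {key}")
    return doc


def plan_scopes(doc: dict, wanted: list[str]) -> tuple[list[str], list[str]]:
    """Return (requested, unsupported). Asking for a scope the provider
    does not advertise is what produces the AADSTS650053 rejection quoted
    above: Entra ID has no 'groups' scope, group membership has to be
    delivered as an optional claim configured on the app registration."""
    supported = set(doc.get("scopes_supported", []))
    if "openid" not in supported:
        raise ValueError("provider does not advertise the openid scope")
    requested = [s for s in wanted if s in supported]
    unsupported = [s for s in wanted if s not in supported]
    return requested, unsupported


if __name__ == "__main__":
    meta = load_discovery(ISSUER_URL, SAMPLE_DISCOVERY_JSON)
    print(discovery_url(ISSUER_URL))
    print(plan_scopes(meta, ["openid", "profile", "email", "groups"]))
```

Run as a script it prints the discovery URL for the placeholder tenant and shows "groups" landing in the unsupported list while openid, profile and email are requested normally.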

gtbuchanan avatar gtbuchanan commented on June 20, 2024

I am using ADFS without openid.allowGroup or openid.adminGroup rather than Entra ID, but I've encountered the same error:

No value specified for parameter 1 - SQLException (... < QueryBuilder:413 < DatabaseStorage:76 < Storage:49 < ...)

I've concluded that this is because Traccar is trying to retrieve the email claim from the userinfo endpoint, but ADFS only returns the sub claim. Microsoft recommends using the id_token instead of the userinfo endpoint for performance reasons, but I don't see how this would impact Entra ID since the email scope is supposed to cause the email claim to be included in the userinfo response anyway.

Unfortunately, I can't get ADFS on Windows Server 2019 to return the email claim in the id_token. It doesn't respect the email scope and using custom claim mappings doesn't affect the access_token or id_token at all... I can't think of a good workaround for this since Traccar doesn't have a username field. In other applications, I would have just used upn (i.e. "User Principal Name") as the username and set the email manually.
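Two of the failures in this thread come from the same place: the allowGroup/adminGroup check that throws "Your OpenID Groups do not permit access to Traccar" when the groups claim is missing or does not contain the configured value, and the "No value specified for parameter 1" SQLException that appears when neither the id_token nor the userinfo response carries an email claim. The following is an added example, not Traccar's code: it merges the two claim sources, refuses to continue without a usable email instead of passing a null to the database, and evaluates group membership. The token builder, claim values and group names are constructed for the illustration, and the group rule is modelled on the behaviour described in the thread rather than taken from Traccar's source.

```python
# Added example, not Traccar's code: resolve identity claims from the
# id_token and userinfo, then apply an allowGroup/adminGroup decision.
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED token for this example only (placeholder
    signature segment). A real client receives a signed token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment only. Signature, issuer, audience and
    expiry verification are assumed to have been done by the OIDC library
    before the claims are used; this helper just reads them."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def resolve_identity(id_claims: dict, userinfo: dict) -> dict:
    """Merge both claim sources (id_token wins on conflict) and insist on
    the fields the application needs."""
    # OIDC Core 5.3.2: the userinfo 'sub' must match the id_token 'sub',
    # otherwise the userinfo response belongs to a different subject.
    subject = id_claims.get("sub")
    if not subject or userinfo.get("sub") != subject:
        raise PermissionError("userinfo sub does not match id_token sub")
    merged = {**userinfo, **{k: v for k, v in id_claims.items() if v is not None}}
    email = merged.get("email")
    if not email:
        # The ADFS case above: userinfo carries only 'sub' and the id_token
        # has no 'email'. Stop with a clear error here instead of letting a
        # null reach the database lookup ("No value specified for parameter 1").
        raise PermissionError("no email claim in id_token or userinfo")
    return {
        "sub": subject,
        "email": email,
        "name": merged.get("name", email),
        "groups": list(merged.get("groups") or []),
    }


def group_decision(groups, allow_group, admin_group) -> tuple[bool, bool]:
    """Return (allowed, administrator).

    With neither group configured the gate is off. Otherwise membership of
    admin_group grants access plus admin, membership of allow_group grants
    plain access, and anything else, including a missing or empty groups
    claim (the failure in the first comment), is denied. Compare values
    exactly as the provider emits them: Entra ID puts group object ids,
    not display names, in the groups claim by default.
    """
    if allow_group is None and admin_group is None:
        return True, False
    present = set(groups or [])
    if admin_group is not None and admin_group in present:
        return True, True
    if allow_group is not None and allow_group in present:
        return True, False
    return False, False


if __name__ == "__main__":
    # Constructed sample values.
    token = make_sample_id_token(
        {"sub": "u-1", "email": "alice@example.com", "groups": ["g-allow"]})
    identity = resolve_identity(id_token_claims(token), {"sub": "u-1"})
    print(identity, group_decision(identity["groups"], "g-allow", "g-admin"))
```

The point of resolve_identity() is the order of failures: a subject mismatch or a missing email is rejected with a readable reason before any storage call, so an operator sees which claim the provider failed to deliver rather than a JDBC parameter error.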
