I have added the env variables to the docker-compose
STRATEGY_AZURE_AD: “true”
AZURE_AD_ORG_NAME: “Enter with B+G Account”
AZURE_AD_IDENTITY_METADATA: “Link to the OpenID Connect Discovery Page which is copied out of Azure AD”
AZURE_AD_ISSUER: “Bollinger+Grohmann”
AZURE_AD_CLIENT_ID: “Application ID”
AZURE_AD_CLIENT_SECRET: “using the certificate”
you have made your way to my favorite rabbithole, the AAD auth…
first things first, lets make sure your basic AAD variables are configured:
The registered app has to be a WEB type app, not a SPA
The source app url has to be matching the ${CANNONICAL_URL} env variable
The callback url has to match this scheme: ${CANNONICAL_URL}/auth/azure/callback
pls replace ${CANNONICAL_ULR} with your server url in both cases.
If its still failing, could u attach your server logs, just for the speckle-server component and your browser console logs with this report, to help diagnose things a bit further?
Identitty Meta Data: Tenant ID was actually correct, just removed it for the post. If this would not be correct it would not have shown me the overview of accounts to select from for OpenID Connect
Maybe another thought … should I use the other general OpenID Connect method? I believe you implemented that also independent of AzureAD and as a general method.
Or should I provide another link … but I believe I saw that you use the OpenID for Speckle.
Like always @gjedlicska: I only need to make an appointment with you without the actual meeting … and things are starting to work
Reason for the issue:
I have a separate NGINX reverse proxy on another machine that had a configuration the auth didn’t like. I don’t know what I have changed for the better but it works now.
One final issue:
it seems the server has imprinted on OpenID Connect and does not want to show Azure anymore. I don’t care about the Microsoft Logo and am happy that it finally works now, but it is still interesting that AzureAD doesn’t want to show up anymore. By commenting the OpenID Connect and uncommenting the Azure, the local strategy activates itself although it was deactivated with setting it to “false”. Would be interesting why …
Thanks for your help and time Gergő. It is super appreciated and I owe you a few drinks now.
I wanted to have a login option for external users who are not part of our organization
the external users are only allowed to be invited and shall not be able to create accounts for themselves by knowing the domain.
The OpenID Connect needs to have the Speckle Server admin setting “by Invite only” off … otherwise, no new members (of our Azure Security Group linked to the registered Azure app) can join.
in order for external users to not be able to create accounts I had to make “Strategy Local” to false so that the registration mask is hidden.
→ It would be cool to allow account creation with the auth method by default and still have the login fields for external guests… or to make it simple auth is always allowed to create accounts but the local strategy only with invites
→ In the current scenario we would need to add external users via the Network Security group in Azure. It is the more secure method but also the most unflexible for the project teams as they need to involve the IT department to add guests to the organization (restricted access) and the security group
B) data from the auth provider
Is there a way to transfer the company name or set it by default? It would be cool to have the photo transferred from the Microsoft Account too, but this is more a nice to have.
C) more a general question
The login works token based as far as I understand. The password does not leave the identity provider as it is entered at Azure AD in this case. Correct? What is stored in the Postgres? The access token?
Perhaps something along these lines, but with an added prerequisite for invitation only?
Or, a simpler solution may be that the default server role state be switchable from (editor) able to add streams to collaborator. That way some may add an account invite or no, and only have access to streams they are invited to until they are elevated to server role editor….
Thanks @jonathon: Something like the second approach. This would especially aid medium to large organizations.
Hierarchy:
Speckle Admin = Admin on company-level → has the rights for invites (external guests) + project creation
Speckle Project Owner = Admin on project level → has the rights for inviting team members (existing on the server) into the project → manages the project
Speckle Project Member = just works on it = writing rights
Speckle Project Guest = can only watch and comment = reading rights
Autodesk Construction Cloud has a similar approach … a bit too complicated though
It is not just about keeping control over who has access, but also about maintaining order.
With MS Teams we had total madness until we limited the creation and invested in an admin tool for the approval process … to prevent project duplicates and to maintain a project naming convention.
Some aspects I have also mentioned here Administration of Projects and Invites
yeah, you are correct. If an external identity provider is used, we only link speckle tokens to the identity data. We do not store any user passwords. Its only used, when the local strategy is authenticating the user.
Aslo back to point A,
I don’t quite get it, why you need to keep the invite only setting off. I know its inconvenient to invite everyone to the server even if they have an AAD account, but it might be a workaround until we sort this thing out.
If we are setting the server to invite only on we have this error message, see image below.
Colleagues who are part of the Auth Security group, but not yet part of Speckle are not allowed to enter.
So invite only needs to be off.
As a result I don’t want to open the server to the public for everyone like with speckle.xyz, because if the URL is known everyone would be able to enter. → Strategy local needs to be off
what happens if you send an invite from your server to your colleague’s AAD email?
I think they would be able to register with the link sent in the email.
That is what i mean, when i said i know its a bit painful, having to add access for ppl both in AAD and invite them on the Speckle server.
Maybe you could use the admin bulk invite feature for this.
)
