Azure AD Authentication

Hello dear Specklers,

I’m currently trying to figure out the AzureAD connection for logging in to the SpeckleServer.

  1. I have created a Network Security Group with the users in AzureAD - works
  2. I have created a registered App
  3. I have added the env variables to the docker-compose
    STRATEGY_AZURE_AD: "true"
    AZURE_AD_ORG_NAME: "Enter with B+G Account"
    AZURE_AD_IDENTITY_METADATA: "Link to the OpenID Connect Discovery Page which is copied out of Azure AD"
    AZURE_AD_ISSUER: "Bollinger+Grohmann"
    AZURE_AD_CLIENT_ID: "Application ID"
    AZURE_AD_CLIENT_SECRET: "using the certificate"


→ Speckle shows the Azure Icon

→ Finds the discovery page

→ But gives me a bloody nose after selecting the account
Error | Speckle (bollinger-grohmann.com)

What am I doing wrong?

Hey @AlexHofbeck

you have made your way to my favorite rabbit hole, the AAD auth…

first things first, let's make sure your basic AAD variables are configured:

  • The registered app has to be a WEB type app, not a SPA
  • The source app url has to be matching the ${CANONICAL_URL} env variable
  • The callback url has to match this scheme: ${CANONICAL_URL}/auth/azure/callback

pls replace ${CANONICAL_URL} with your server url in both cases.

If it's still failing, could u attach your server logs, just for the speckle-server component and your browser console logs with this report, to help diagnose things a bit further?


But I don’t know where to put the source app

And this would be the Identity Metadata Link
https://login.microsoftonline.com/tenantid/v2.0/.well-known/openid-configuration

maybe I have used the wrong one, but according to what I see it is OpenID connect which it needs.

Hey,

I’ve done some testing, turns out you don’t need the source app url to get things rolling (i cannot find where we were supposed to put it :smiley: )

About the identity metadata, make sure the tenantid part is replaced with your Directory (tenant) id as shown below:

And I’ve just realized, the error is very possibly caused by the ID token checkbox not being ticked on your app authentication page, see below.

Lemme know how it goes.

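The three configuration points raised in the two replies above (the tenant segment of the metadata URL, the callback URL derived from CANONICAL_URL, and the configured issuer) can be checked before restarting the server. The script below is an added example written for this thread, not Speckle's own code. It assumes AZURE_AD_IDENTITY_METADATA points at the standard Azure AD v2.0 discovery document and assumes AZURE_AD_ISSUER should equal that document's `issuer` value (the thread does not say what Speckle expects there, so treat that check as advisory). The tenant GUID, the discovery document and the server URL are constructed placeholders. The ID-token checkbox on the app registration is not visible from the discovery document and is therefore not checked.

```python
"""Configuration sanity checks for an Azure AD (OpenID Connect) login setup.

Added example (not Speckle's code). Assumptions, both not stated in the thread:
  * AZURE_AD_IDENTITY_METADATA points at the standard Azure AD v2.0
    discovery document, whose tenant segment must be a Directory (tenant) ID;
  * AZURE_AD_ISSUER is meant to equal the discovery document's "issuer" value.
"""
import json
import re
from urllib.parse import urlparse

# A tenant ID in the Azure portal is a GUID; the literal word "tenantid"
# left over from a copied template is the mistake discussed in the thread.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DISCOVERY_RE = re.compile(
    r"^https://login\.microsoftonline\.com/([^/]+)/v2\.0/\.well-known/openid-configuration$"
)

# Constructed placeholder tenant and discovery document (a real one is fetched
# from the metadata URL; the shape below follows the Azure AD v2.0 document).
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
})


def check_metadata_url(url):
    """Problems with AZURE_AD_IDENTITY_METADATA; an empty list means OK."""
    m = DISCOVERY_RE.match(url)
    if not m:
        return ["metadata URL is not an Azure AD v2.0 discovery URL"]
    tenant = m.group(1)
    if not GUID_RE.match(tenant):
        return [f"tenant segment {tenant!r} is not a Directory (tenant) ID"]
    return []


def expected_callback(canonical_url):
    """The redirect URI named in the thread: ${CANONICAL_URL}/auth/azure/callback."""
    return canonical_url.rstrip("/") + "/auth/azure/callback"


def check_callback(canonical_url, registered_redirect_uris):
    """The app registration must list exactly that callback, and it should be https."""
    problems = []
    want = expected_callback(canonical_url)
    if want not in registered_redirect_uris:
        problems.append(f"no redirect URI equals {want}")
    for uri in registered_redirect_uris:
        if urlparse(uri).scheme != "https":
            problems.append(f"redirect URI {uri} is not https")
    return problems


def check_issuer(configured_issuer, discovery_json):
    """Compare AZURE_AD_ISSUER with the issuer the tenant's discovery document declares."""
    issuer = json.loads(discovery_json).get("issuer")
    if configured_issuer != issuer:
        return [f"configured issuer {configured_issuer!r} != discovery issuer {issuer!r}"]
    return []


def run_checks(env, registered_redirect_uris, discovery_json):
    """Run every check over a dict of env variables; returns the list of problems."""
    return (
        check_metadata_url(env["AZURE_AD_IDENTITY_METADATA"])
        + check_callback(env["CANONICAL_URL"], registered_redirect_uris)
        + check_issuer(env["AZURE_AD_ISSUER"], discovery_json)
    )


if __name__ == "__main__":
    # Values modelled on the failing configuration in the thread (constructed).
    env = {
        "CANONICAL_URL": "https://speckle.example.com",
        "AZURE_AD_IDENTITY_METADATA": "https://login.microsoftonline.com/tenantid/v2.0/.well-known/openid-configuration",
        "AZURE_AD_ISSUER": "Bollinger+Grohmann",
    }
    for p in run_checks(env, ["https://speckle.example.com/auth/azure/callback"], SAMPLE_DISCOVERY):
        print("-", p)
```

Run against the values from the first post, the script reports the unreplaced `tenantid` segment and the issuer mismatch while accepting the callback URL; with a real tenant GUID and the discovery document's issuer it reports nothing.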

Identity Metadata: Tenant ID was actually correct, I just removed it for the post. If this were not correct, it would not have shown me the overview of accounts to select from for OpenID Connect

And ID Tokens was switched on too

Strange stuff

and here is the log
host":"speckle-server:3000","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63","referer":"Speckle; charset=utf-8","x-ratelimit-remaining":49,"x-request-id":"44220fdd-a6fd-4785-a0df-2376adccf45c"}},"responseTime":36,"msg":"request completed"}
{"level":"info","time":"2023-03-10T13:42:16.616Z","req":{"id":"268479d6-3925-4973-b91b-d1dd4284d1e3","method":"POST","path":"/graphql","headers":{"host":"speckle-server:3000","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63","referer":"Speckle; charset=utf-8","x-ratelimit-remaining":48,"x-request-id":"63949c64-4e9b-407f-ab23-3472c043f081"}},"responseTime":39,"msg":"request completed"}
{"level":"info","time":"2023-03-10T13:44:17.686Z","req":{"id":"79567777-3679-4d4a-807c-4d2ea15a5518","method":"POST","path":"/graphql","headers":{"host":"speckle-server:3000","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63","referer":"Speckle; charset=utf-8","x-ratelimit-remaining":48,"x-request-id":"0efe531e-8c39-496a-b032-a5c2add13692"}},"responseTime":77,"msg":"request completed"}
{"level":"info","time":"2023-03-10T13:44:17.693Z","req":{"id":"8477f0b7-244b-4678-89df-edd46d71ebab","method":"POST","path":"/graphql","headers":{"host":"speckle-server:3000","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63","referer":"Speckle; charset=utf-8","x-ratelimit-remaining":49,"x-request-id":"da04938e-5163-4161-a292-3a32de4477b2"}},"responseTime":85,"msg":"request completed"}

Maybe another thought … should I use the other general OpenID Connect method? I believe you implemented that also independent of AzureAD and as a general method.

Or should I provide another link … but I believe I saw that you use the OpenID for Speckle.

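The log excerpt in the post above contains only POST /graphql requests; nothing under /auth/ ever reaches speckle-server, which fits the reverse-proxy cause reported later in the thread. The following added example (not Speckle's tooling) filters speckle-server's one-JSON-object-per-line log for auth routes and tolerates the cut-off first line that a copy-pasted excerpt typically has. The log lines embedded below are constructed to match the shape of the excerpt (request ids, times and the callback request are made up); the real file would be read from the container's stdout.

```python
"""Filter speckle-server JSON log lines for authentication traffic.

Added example, not part of Speckle. Input shape follows the pino-style
records in the thread: one JSON object per line, request data under "req".
"""
import json
from collections import Counter

# Constructed sample in the shape of the thread's excerpt: the first line is
# cut off mid-object (as in the post), the others are complete records.
LOG_GRAPHQL_ONLY = """\
"host":"speckle-server:3000","x-request-id":"00000000-0000-4000-8000-000000000001"}},"responseTime":36,"msg":"request completed"}
{"level":"info","time":"2023-03-10T13:42:16.616Z","req":{"id":"00000000-0000-4000-8000-000000000002","method":"POST","path":"/graphql","headers":{"host":"speckle-server:3000"}},"responseTime":39,"msg":"request completed"}
{"level":"info","time":"2023-03-10T13:44:17.686Z","req":{"id":"00000000-0000-4000-8000-000000000003","method":"POST","path":"/graphql","headers":{"host":"speckle-server:3000"}},"responseTime":77,"msg":"request completed"}
"""

# Constructed: the same log when the browser is sent through the Azure
# strategy and the provider's callback actually reaches the server.
LOG_WITH_CALLBACK = LOG_GRAPHQL_ONLY + """\
{"level":"info","time":"2023-03-10T13:45:01.000Z","req":{"id":"00000000-0000-4000-8000-000000000004","method":"GET","path":"/auth/azure","headers":{"host":"speckle-server:3000"}},"responseTime":5,"msg":"request completed"}
{"level":"info","time":"2023-03-10T13:45:03.000Z","req":{"id":"00000000-0000-4000-8000-000000000005","method":"POST","path":"/auth/azure/callback","headers":{"host":"speckle-server:3000"}},"responseTime":210,"msg":"request completed"}
"""


def parse_log(text):
    """Parse one JSON object per line. Lines that are not valid JSON objects
    (e.g. the truncated first line of an excerpt) are counted, not fatal."""
    records, malformed = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if isinstance(obj, dict):
            records.append(obj)
        else:
            malformed += 1
    return records, malformed


def auth_requests(records, prefix="/auth/"):
    """Requests under the auth routes, e.g. /auth/azure and /auth/azure/callback,
    as (time, method, path, responseTime) tuples in log order."""
    hits = []
    for rec in records:
        req = rec.get("req") or {}
        path = req.get("path", "")
        if path.startswith(prefix):
            hits.append((rec.get("time"), req.get("method"), path, rec.get("responseTime")))
    return hits


def summarize(text):
    """Totals, malformed-line count, per-path counts and the auth hits for a log text."""
    records, malformed = parse_log(text)
    paths = Counter((r.get("req") or {}).get("path", "?") for r in records)
    return {
        "total": len(records),
        "malformed": malformed,
        "paths": dict(paths),
        "auth": auth_requests(records),
    }


if __name__ == "__main__":
    for name, log in (("thread excerpt", LOG_GRAPHQL_ONLY), ("with callback", LOG_WITH_CALLBACK)):
        s = summarize(log)
        print(f"{name}: {s['total']} records, {s['malformed']} malformed, "
              f"paths={s['paths']}, auth hits={len(s['auth'])}")
```

An empty `auth` list over a log covering a failed login attempt means the redirect to /auth/azure or the provider's callback never arrived at speckle-server, which points at whatever sits in front of it (here the separate NGINX reverse proxy) rather than at the Azure AD variables.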

Like always @gergo: I only need to make an appointment with you without the actual meeting … and things are starting to work :wink:

Reason for the issue:
I have a separate NGINX reverse proxy on another machine that had a configuration the auth didn’t like. I don’t know what I have changed for the better but it works now.

One final issue:

  • it seems the server has imprinted on OpenID Connect and does not want to show Azure anymore. I don’t care about the Microsoft Logo and am happy that it finally works now, but it is still interesting that AzureAD doesn’t want to show up anymore. By commenting out the OpenID Connect strategy and uncommenting the Azure one, the local strategy activates itself although it was deactivated by setting it to “false”. Would be interesting why …

Thanks for your help and time Gergő. It is super appreciated and I owe you a few drinks now.

Best,
Alex


A few questions I had after making it work:

A) Auth vs. External Guests

  • I wanted to have a login option for external users who are not part of our organization
  • the external users are only allowed to be invited and shall not be able to create accounts for themselves by knowing the domain.
  • The OpenID Connect needs to have the Speckle Server admin setting “by Invite only” off … otherwise, no new members (of our Azure Security Group linked to the registered Azure app) can join.
  • in order for external users to not be able to create accounts I had to make “Strategy Local” to false so that the registration mask is hidden.

→ It would be cool to allow account creation with the auth method by default and still have the login fields for external guests… or, to make it simple, auth is always allowed to create accounts but the local strategy only with invites
→ In the current scenario we would need to add external users via the Network Security group in Azure. It is the more secure method but also the most inflexible for the project teams, as they need to involve the IT department to add guests to the organization (restricted access) and the security group

B) data from the auth provider
Is there a way to transfer the company name or set it by default? It would be cool to have the photo transferred from the Microsoft Account too, but this is more a nice to have.

C) more a general question
The login works token based as far as I understand. The password does not leave the identity provider as it is entered at Azure AD in this case. Correct? What is stored in the Postgres? The access token?


A special subclass of the Vorführeffekt.


Perhaps something along these lines, but with an added prerequisite for invitation only?

Or, a simpler solution may be that the default server role state be switchable from (editor) able to add streams to collaborator. That way some may add an account invite or no, and only have access to streams they are invited to until they are elevated to server role editor….

What do you think?


Thanks @jonathon: Something like the second approach. This would especially aid medium to large organizations.

Hierarchy:

  • Speckle Admin = Admin on company-level → has the rights for invites (external guests) + project creation
  • Speckle Project Owner = Admin on project level → has the rights for inviting team members (existing on the server) into the project → manages the project
  • Speckle Project Member = just works on it = writing rights
  • Speckle Project Guest = can only watch and comment = reading rights

Autodesk Construction Cloud has a similar approach … a bit too complicated though

It is not just about keeping control over who has access, but also about maintaining order.
With MS Teams we had total madness until we limited the creation and invested in an admin tool for the approval process … to prevent project duplicates and to maintain a project naming convention.
Some aspects I have also mentioned here: Administration of Projects and Invites


Ahh, the good old rubber duck effect (even if it's async).
Glad it worked @AlexHofbeck!

It would be fun to get those drinks, maybe we get a chance irl some day :slight_smile:

Lemme know if u need more help.

async rubber duck ^^ … nice.

One more question:

This would be interesting as the postgres has a password value. Will have a discussion with our IT manager about this topic.

Hey,

yeah, you are correct. If an external identity provider is used, we only link speckle tokens to the identity data. We do not store any user passwords. It's only used when the local strategy is authenticating the user.

Also back to point A,
I don’t quite get why you need to keep the invite only setting off. I know it's inconvenient to invite everyone to the server even if they have an AAD account, but it might be a workaround until we sort this thing out.


I also managed to fix the pain point with the outlook desktop invitations, so hopefully it will be less painful.


If we set the server to invite only, we get this error message, see image below.

  • Colleagues who are part of the Auth Security group, but not yet part of Speckle are not allowed to enter.
  • So invite only needs to be off.
  • As a result I don’t want to open the server to the public for everyone like with speckle.xyz, because if the URL is known everyone would be able to enter. → Strategy local needs to be off


But also this is fine for now @gergo :slight_smile:

what happens if you send an invite from your server to your colleague’s AAD email?

I think they would be able to register with the link sent in the email.
That is what I meant when I said I know it's a bit painful, having to add access for ppl both in AAD and invite them on the Speckle server.

Maybe you could use the admin bulk invite feature for this.
