- Webapp type was used as it was already mentioned in the other post
- Callback URL was used for the redirect URI (as in Auth with Azure AD - Help / Developers - Speckle Community)
But I don’t know where to put the source app
And this would be the Identity Metadata Link
https://login.microsoftonline.com/tenantid/v2.0/.well-known/openid-configuration
Maybe I have used the wrong one, but from what I see it is OpenID Connect that it needs.
Hey,
I’ve done some testing; turns out you don’t need the source app URL to get things rolling (I cannot find where we were supposed to put it).
About the identity metadata, make sure the tenantid part is replaced with your Directory (tenant) id as shown below:
And I’ve just realized, the error is very possibly caused by the ID token checkbox not being ticked on your app authentication page, see below.
Lemme know how it goes.
Identity Metadata: the tenant ID was actually correct, I just removed it for the post. If this were not correct, it would not have shown me the overview of accounts to select from for OpenID Connect.
And ID Tokens was switched on too
Strange stuff
and here is the log
host":“speckle-server:3000”,“user-agent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63”,“referer”:“Speckle; charset=utf-8”,“x-ratelimit-remaining”:49,“x-request-id”:“44220fdd-a6fd-4785-a0df-2376adccf45c”}},“responseTime”:36,“msg”:“request completed”}
{“level”:“info”,“time”:“2023-03-10T13:42:16.616Z”,“req”:{“id”:“268479d6-3925-4973-b91b-d1dd4284d1e3”,“method”:“POST”,“path”:“/graphql”,“headers”:{“host”:“speckle-server:3000”,“user-agent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63”,“referer”:“Speckle; charset=utf-8”,“x-ratelimit-remaining”:48,“x-request-id”:“63949c64-4e9b-407f-ab23-3472c043f081”}},“responseTime”:39,“msg”:“request completed”}
{“level”:“info”,“time”:“2023-03-10T13:44:17.686Z”,“req”:{“id”:“79567777-3679-4d4a-807c-4d2ea15a5518”,“method”:“POST”,“path”:“/graphql”,“headers”:{“host”:“speckle-server:3000”,“user-agent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63”,“referer”:“Speckle; charset=utf-8”,“x-ratelimit-remaining”:48,“x-request-id”:“0efe531e-8c39-496a-b032-a5c2add13692”}},“responseTime”:77,“msg”:“request completed”}
{“level”:“info”,“time”:“2023-03-10T13:44:17.693Z”,“req”:{“id”:“8477f0b7-244b-4678-89df-edd46d71ebab”,“method”:“POST”,“path”:“/graphql”,“headers”:{“host”:“speckle-server:3000”,“user-agent”:“Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63”,“referer”:“Speckle; charset=utf-8”,“x-ratelimit-remaining”:49,“x-request-id”:“da04938e-5163-4161-a292-3a32de4477b2”}},“responseTime”:85,“msg”:“request completed”}
Maybe another thought … should I use the other general OpenID Connect method? I believe you implemented that also independent of AzureAD and as a general method.
Or should I provide another link … but I believe I saw that you use the OpenID for Speckle.
Like always @gjedlicska: I only need to make an appointment with you without the actual meeting … and things are starting to work
Reason for the issue:
I have a separate NGINX reverse proxy on another machine that had a configuration the auth didn’t like. I don’t know what I have changed for the better but it works now.
One final issue:
Thanks for your help and time Gergő. It is super appreciated and I owe you a few drinks now.
Best,
Alex
A few questions I had after making it work:
A) Auth vs. External Guests
→ It would be cool to allow account creation with the auth method by default and still have the login fields for external guests… or, to make it simple: auth is always allowed to create accounts, but the local strategy only with invites.
→ In the current scenario we would need to add external users via the network security group in Azure. It is the more secure method but also the most inflexible for the project teams, as they need to involve the IT department to add guests to the organization (restricted access) and the security group.
B) data from the auth provider
Is there a way to transfer the company name or set it by default? It would be cool to have the photo transferred from the Microsoft Account too, but this is more a nice to have.
C) more a general question
The login works token based as far as I understand. The password does not leave the identity provider as it is entered at Azure AD in this case. Correct? What is stored in the Postgres? The access token?
A special subclass of the Vorführeffekt.
Perhaps something along these lines, but with an added prerequisite for invitation only?
Or, a simpler solution may be that the default server role state be switchable from (editor) able to add streams to collaborator. That way some may add an account, invite or no, and only have access to streams they are invited to until they are elevated to the server role editor…
What do you think?
Thanks @jonathon: Something like the second approach. This would especially aid medium to large organizations.
Hierarchy:
Autodesk Construction Cloud has a similar approach … a bit too complicated though
It is not just about keeping control over who has access, but also about maintaining order.
With MS Teams we had total madness until we limited the creation and invested in an admin tool for the approval process … to prevent project duplicates and to maintain a project naming convention.
Some aspects I have also mentioned here Administration of Projects and Invites
Ahh, the good old rubber duck effect (even if it’s async).
Glad it worked @AlexHofbeck!
It would be fun to get those drinks, maybe we get a chance irl some day
Lemme know if you need more help.
async rubber duck ^^ … nice.
One more question:
This would be interesting as the Postgres has a password value. Will have a discussion with our IT manager about this topic.
Hey,
Yeah, you are correct. If an external identity provider is used, we only link Speckle tokens to the identity data. We do not store any user passwords. It’s only used when the local strategy is authenticating the user.
Also, back to point A,
I don’t quite get why you need to keep the invite-only setting off. I know it’s inconvenient to invite everyone to the server even if they have an AAD account, but it might be a workaround until we sort this thing out.
I also managed to fix the pain point with the Outlook desktop invitations, so hopefully it will be less painful.
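Two points in this thread are worth seeing as runnable checks: the advice earlier that the tenantid part of the identity-metadata URL must be replaced with the real Directory (tenant) id, and the answer above that with an external identity provider the server only links its own tokens to the identity data and never sees a password. The block below is an added example written for this page; it is not Speckle server code and does not show how Speckle implements its Azure AD strategy. The tenant id, client id, nonce, discovery document and ID-token payload are constructed placeholders, and the claim checks assume a JWT library has already verified the token signature against the keys at the discovery document's jwks_uri.

```python
"""Offline sanity checks for an Azure AD (Entra ID) OpenID Connect setup.

Added example for this thread; not Speckle server code. All identifiers and
the documents below are constructed for the example, not values from the thread.
"""
import re
import time
from urllib.parse import urlparse

# Constructed values (placeholders, not from the thread).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Shape of the v2.0 discovery document the identity-metadata URL returns
# (constructed, trimmed to the fields used here).
DISCOVERY_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
}

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
META_PATH_RE = re.compile(r"^/([^/]+)/v2\.0/\.well-known/openid-configuration$")


def check_metadata_url(url: str) -> list[str]:
    """Return the problems found in an identity-metadata URL (empty list = OK).

    Catches the mistake discussed in the thread: leaving the literal 'tenantid'
    placeholder in the URL instead of the Directory (tenant) id.
    """
    problems = []
    u = urlparse(url)
    if u.scheme != "https":
        problems.append("metadata URL must use https")
    if u.netloc != "login.microsoftonline.com":
        problems.append(f"unexpected host {u.netloc!r}")
    m = META_PATH_RE.match(u.path)
    if not m:
        problems.append("path is not .../v2.0/.well-known/openid-configuration")
        return problems
    tenant = m.group(1)
    if tenant == "tenantid":
        problems.append("'tenantid' placeholder was not replaced with the Directory (tenant) id")
    elif tenant in ("common", "organizations", "consumers"):
        # Multi-tenant endpoints: the issuer then varies per user's tenant, so
        # the app must restrict 'tid' itself. Only use these deliberately.
        problems.append(f"multi-tenant endpoint {tenant!r}: any Microsoft tenant can sign in")
    elif not GUID_RE.match(tenant):
        problems.append(f"tenant segment {tenant!r} is not a GUID")
    return problems


def validate_id_token_claims(claims: dict, discovery: dict, client_id: str,
                             expected_nonce: str, now: float) -> list[str]:
    """Claim checks a relying party must do on an ID token whose signature a JWT
    library has ALREADY verified against discovery['jwks_uri'] (assumed here).
    """
    problems = []
    if claims.get("iss") != discovery["issuer"]:
        problems.append(f"issuer {claims.get('iss')!r} != {discovery['issuer']!r}")
    if claims.get("aud") != client_id:
        problems.append("aud does not match our client id (token minted for another app)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nbf", now) > now:
        problems.append("token not yet valid")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (replayed or foreign login response)")
    # Azure-specific: the tenant claim must match the tenant in the issuer URL.
    tenant = discovery["issuer"].split("/")[3]
    if claims.get("tid") != tenant:
        problems.append(f"tid {claims.get('tid')!r} is not tenant {tenant!r}")
    return problems


def identity_key(claims: dict) -> tuple[str, str]:
    """The stable key for linking a local account to the external identity.

    (issuer, subject) is the only pair OIDC guarantees stable and unique; email
    and preferred_username are mutable and must not be the link key. The relying
    party never sees a password, only these claims and the tokens it mints itself.
    """
    return claims["iss"], claims["sub"]


def sample_claims(now: float) -> dict:
    """Constructed ID-token payload in the shape Azure AD v2.0 issues."""
    return {
        "iss": DISCOVERY_DOC["issuer"],
        "aud": CLIENT_ID,
        "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "tid": TENANT_ID,
        "iat": int(now) - 60,
        "nbf": int(now) - 60,
        "exp": int(now) + 3600,
        "nonce": "n-0S6_WzA2Mj",
        "preferred_username": "alex@example.com",
    }


if __name__ == "__main__":
    bad = "https://login.microsoftonline.com/tenantid/v2.0/.well-known/openid-configuration"
    good = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration"
    print(check_metadata_url(bad))   # placeholder problem reported
    print(check_metadata_url(good))  # []
    now = time.time()
    print(validate_id_token_claims(sample_claims(now), DISCOVERY_DOC, CLIENT_ID, "n-0S6_WzA2Mj", now))  # []
    print(identity_key(sample_claims(now)))
```

The tenant check answers the "Strange stuff" diagnosis step from the thread offline: a URL that still says tenantid fails before any request is made. The claim checks are the part that makes "the password never leaves the identity provider" safe in practice: without the aud, nonce and tid checks an ID token minted for another app or another tenant would be accepted as a login.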
If we are setting the server to invite only on we have this error message, see image below.
what happens if you send an invite from your server to your colleague’s AAD email?
I think they would be able to register with the link sent in the email.
That is what I mean when I said I know it’s a bit painful, having to add access for people both in AAD and invite them on the Speckle server.
Maybe you could use the admin bulk invite feature for this.
aah now I understand … most of the colleagues will never click on the invite mail. This way it is more convenient. When they have to use it, they will click on it.
Also what I found out is, that having the Auth login and the user/password field, it was confusing. My colleague tried to login with her Windows Account via the Login field and not via the Auth Button. Would be good if there is an option to define a custom text for the login … like “Guest Login”
Just want to second what @AlexHofbeck mentioned about using the external identity provider and stumbling on the “invite-only” issue. That’s unexpected that I need an extra invitation for a party where I am supposed to be a VIP.
Would appreciate if the external provider authentication would override any invitation-only server settings upon registration/first login.