Microsoft SSO auth OpenID results in JsonWebTokenError #9149
Comments
Same issue here but with Auth0 as SSO provider.
Also same issue with auth0 (was working before with rc96 - rc98) auth0 configured with openid - driver:
auth0 configured with oauth2 - driver:
Auth0 - configuration was working fine before update to rc99 and necessary change of the sso configuration. Auth0 is also working fine with other apps on this server. I've also double checked the configuration parameters, no error. OpenID - configuration is same as described by "ms-at-github" Tested with chrome and firefox (both latest versions)
@keesvanbemmel Are you using Otherwise I'm fairly sure the errors are caused by: #9053 which already has a fix in place. @mp-itconsulting @ms-at-github You can verify if you are experiencing the above bug by appending "?test" to your login URL before authenticating with SSO.
Hi @aidenfoxx the tenantid is filled out correctly. Just redacted in this issue description for security reasons. I'll edit my original post to show it's redacted.
Hi @aidenfoxx,
@ms-at-github What happens if you visit:
Hi @aidenfoxx, when I visit this URL manually, after the redirect to the SSO login page and successful authentication there, I get the following error:
@ms-at-github And you're sure you have a user with the correct email in your system under the
@aidenfoxx : I've also checked the username and email is identical in directus / auth0. But result is the same as at ms-at-github
The issue may not be that the details don't match. You have to make sure that your authenticating user has the correct "Provider" attached to them, for example, in the screenshot below my user can only authenticate with Google SSO:
@aidenfoxx, well finally I've got it somehow working. Here are the things I needed to change:
Unfortunately I'm unable to login via my local credentials (as fallback) anymore. Not sure if this is the expected behavior, at least it's different to the previous SSO implementation.
@ms-at-github It is different behavior. We decided for the sake of security with other auth providers (like LDAP) to limit users to only be able to authenticate through one login method. This is why you cannot login to the local account anymore. I have added a fix so that it will be possible to have 2 separate Directus accounts linked to the same email (one local, one oauth), but that is the best compromise for now. #9153
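The provider binding described in the comment above, sketched as an added example that is not part of the original thread and not Directus code. The `UserStore` class, `resolveLogin` function, option names and sample accounts are hypothetical; the registration options are only assumed to mirror the `ALLOW_PUBLIC_REGISTRATION` and `DEFAULT_ROLE_ID` settings mentioned in the thread.

```javascript
// Hypothetical in-memory user store (illustrative names, not Directus internals).
// Accounts are keyed on provider AND email, never on email alone.
class UserStore {
  constructor() {
    this.users = new Map();
  }
  static key(provider, email) {
    return `${provider}:${email.trim().toLowerCase()}`;
  }
  add(provider, email, role) {
    const k = UserStore.key(provider, email);
    if (this.users.has(k)) throw new Error(`account exists: ${k}`);
    const user = { provider, email: email.trim().toLowerCase(), role };
    this.users.set(k, user);
    return user;
  }
  find(provider, email) {
    return this.users.get(UserStore.key(provider, email)) ?? null;
  }
}

// Resolve the identity asserted by one login method. An email match under a
// different provider is deliberately ignored, so an identity provider that
// asserts someone's email cannot reach that person's local account.
function resolveLogin(store, provider, email, opts = {}) {
  const user = store.find(provider, email);
  if (user) return { ok: true, created: false, user };
  // Assumed to mirror the ALLOW_PUBLIC_REGISTRATION / DEFAULT_ROLE_ID idea:
  // an unknown SSO identity gets a new, separate account with the default role.
  if (provider !== 'default' && opts.allowPublicRegistration) {
    const created = store.add(provider, email, opts.defaultRole);
    return { ok: true, created: true, user: created };
  }
  return { ok: false, reason: 'no account bound to this provider' };
}

// Constructed sample data.
function demo() {
  const store = new UserStore();
  store.add('default', 'admin@example.com', 'admin');
  store.add('keycloak', 'dev@example.com', 'editor');
  const reg = { allowPublicRegistration: true, defaultRole: 'viewer' };
  return {
    ssoKnown: resolveLogin(store, 'keycloak', 'Dev@Example.com'),
    ssoClaimsAdminEmail: resolveLogin(store, 'keycloak', 'admin@example.com'),
    localForSsoUser: resolveLogin(store, 'default', 'dev@example.com'),
    ssoRegistered: resolveLogin(store, 'keycloak', 'admin@example.com', reg),
    localAdminAfter: store.find('default', 'admin@example.com'),
  };
}
```

With registration enabled, the SSO login that shares the local admin's email gets its own account with the default role, and the local admin record is left untouched.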
We had the same error with Keycloak and OpenID configuration. (no other providers configured)
@erik-konrad The "default" provider is always configured (the local login). So make sure your users are assigned to your keycloak provider.
Did you mean over the email address? There was a local test account with the same email address in the keycloak user. AUTH_KEYCLOAK_ALLOW_PUBLIC_REGISTRATION was set to true too and AUTH_KEYCLOAK_DEFAULT_ROLE_ID was set to admin account UUID.
@erik-konrad The fact you have an existing user with the same email is most likely the issue. You either need to make sure that no other users share the Keycloak user's email, or wait for #9153 to release.
Nope, I tested it with an existing local user and a non-existing. Both ways don't work. In both ways I got the "JsonWebTokenError jwt must be provided" error. Here is my configuration:
@erik-konrad You need to read more of the thread. That error is known and has a fix coming. See here for temporary solution via "?test" #9149 (comment)
Oh sorry, this was a misunderstanding.
@aidenfoxx When is the fix planned?
@infomiho It was released in rc100 I believe.
@aidenfoxx is correct, this was fixed #9054
Preflight Checklist
Describe the Bug
After upgrading to RC99 I needed to reconfigure the Microsoft AUTH provider and I wanted to use openID.
I think I did everything correctly, but it seems that the token is not passed to open id auth driver.
These are the ENV variables to set up SSO (redacted of course):
To Reproduce
Added env variables like above, expected it to work like that. So either it's a bug or, more likely, I'm missing a config key?
Errors Shown
What version of Directus are you using?
rc99
What version of Node.js are you using?
14lts
What database are you using?
Postgres 13
What browser are you using?
chrome
What operating system are you using?
macos
How are you deploying Directus?
docker