
How can I add Azure AD as auth provider in docker environment #85

Closed
pthoelken opened this issue Sep 12, 2023 · 26 comments

Comments

@pthoelken

Hello Contributors,

How can I add Azure AD (https://docs.yaade.io/users-groups.html#azuread) in my running docker environment as auth provider? Is it possible for you to give me an exact path and config file / snippet to configure this auth provider?

Thanks.

@jonrosner
Contributor

jonrosner commented Sep 12, 2023

You have to go to ⚙️ > Users > External. Inside the editor paste a config of the following form:

{
    "providers": [{
        "id": "azure-oauth",
        "label": "Azure SSO Login",
        "provider": "azureAD",
        "params": {
            "tenant": "your-tenant-id",
            "clientId": "your-client-id",
            "clientSecret": "your-client-secret",
            "callbackUrl": "your-domain/azure-oauth",
            "fields": {
                "username": "/email",
                "groups": "/groups",
                "defaultGroups": ["some-group"]
            },
            "scopes": ["openid"]
        }
    }]
}

You can get the tenant ID, client ID and client secret from Azure.

Note: if you do not see an editor in that tab, please update Yaade. I just published a bugfix that fixed a previous version not displaying this editor.

docker rm -f yaade
docker pull esperotech/yaade:latest
docker run -d --restart=always -p 9339:9339 \
    -e YAADE_ADMIN_USERNAME=admin -v yaade:/app/data \
    --name yaade esperotech/yaade:latest

@pthoelken
Author

Thanks, I'll check this today. Can you maybe update the base image, because trivy found some critical vulnerabilities in there?

@jonrosner
Contributor

Thank you for pointing this out.

@pthoelken
Author

It works like a charm. Thanks for your assistance in this case. But how can the users work in the same team? Like the example below:

  • All login via MS Azure Auth
  • Peter and John should work in "Team Backend"
  • Adam and Will should work in "Team Frontend"

Option 1 is that the admins create the teams and add the users to the team.
Option 2 (the better option) is that the first user and creator of a team can add other members to their team (like hoppscotch).

Team Backend should not see the content from Team Frontend of course.

Is there an option for this, or is this a feature request?

@jonrosner
Contributor

jonrosner commented Sep 18, 2023

It should be possible to configure your groups in Active Directory. You can add your users to a specific group (e.g. "Team Backend", "Team Frontend"). https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-fed-group-claims

Now what you need to do is configure your tokens in a way that they include the groups in the /groups field (see this line in the config "groups": "/groups",)

Now all users that belong to a group in AD will automatically have that group assigned in yaade as well.

Does that solve your problem?

@pthoelken
Author

Nice, do you have a config example for me for when I have more than two groups and a default group?

{
    "providers": [{
        "id": "azure-oauth",
        "label": "Azure SSO Login",
        "provider": "azureAD",
        "params": {
            "tenant": "your-tenant-id",
            "clientId": "your-client-id",
            "clientSecret": "your-client-secret",
            "callbackUrl": "your-domain/azure-oauth",
            "fields": {
                "username": "/email",
                "groups": "/groups/Team-Backend","/groups/Team-Frondend",
                "defaultGroups": ["default"]
            },
            "scopes": ["openid"]
        }
    }]
}

Check the configuration above, is this right?

@pthoelken
Author

And @jonrosner, as far as I know I can't create sub-groups in Azure AD, so how should the application fetch sub-groups with the instructions you gave me?

Thanks for your assistance. :-)

@jonrosner
Contributor

jonrosner commented Sep 18, 2023

Hey, the groups field should stay the same as I posted earlier: "groups": "/groups". You will have to create and assign the proper groups in Azure AD, and you have to configure Azure to put the groups into the /groups field in the JWT (id-token).

There is currently no way to configure specific external users in Yaade itself, so you will have to do it via Azure for now.

@pthoelken
Author

pthoelken commented Sep 18, 2023

Hey @jonrosner, we did this exactly like you described, but when I'm logged in with a new session and a freshly cleared browser the group doesn't show up.

What we did in Azure was this:

  1. We created groups (Team A, Team B)
  2. We added the groups to the auth app
  3. We configured the token so that /groups/groupname was imported into the token
  4. We added my user to the "Team A" group
  5. After restarting the containers and clearing the browser cache, the groups don't show up

[screenshot]

"Default" comes from the configuration snippet.

@jonrosner
Contributor

Please check the JWT token and make sure that the groups are actually put into the correct field that you configured using the "groups" property. If possible you could post that part of the JWT.

@pthoelken
Author

Hey @jonrosner, do you have a reliable way to debug the token? How do you debug the Azure JWT token?

@jonrosner
Contributor

You can do this via Yaade and your browser directly.

  1. In your browser open a new tab and open the developer console (cmd+shift+c for Chrome).
  2. Go to the Network tab in the developer console.
  3. Now open the URL https://login.microsoftonline.com/${tenant}/oauth2/v2.0/authorize?client_id=${client_id}&client_secret=${client_secret}&response_type=code&redirect_uri=${redirect_uri}&scope=${scope}&state=${state}, where you replace all the variables with the respective values that you configured in Yaade in the external provider tab. As state you can just put in 123456; scope must be openid.
  4. Now you should be prompted to log into your Microsoft account. Do that, and upon successful login you will be redirected back to Yaade.
  5. The callback to Yaade will probably fail; that's fine. The important thing is to extract the URL of that call from the Network tab. In the query parameters of this call there should be a ?code=XXXX parameter. You need to copy this. Make sure to copy it correctly and do not have any other params in there.
  6. Now open Yaade as you would normally and create a new request that has the following form:
POST https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded

client_id=${client_id}
&client_secret=${client_secret}
&code=${code}
&redirect_uri=${redirect_uri}
&grant_type=authorization_code
  7. Again set all the environment variables correctly to the things you defined in your external providers config. Also set the code to the value you copied earlier.
  8. Now execute the request and you should receive a response of the following form:
{
    "token_type": "Bearer",
    "scope": "profile openid email User.Read",
    "expires_in": 5288,
    "ext_expires_in": 5288,
    "access_token": "ey....",
    "id_token": "ey...."
}
  9. Copy the ID token into jwt.io to inspect its content.

Unfortunately, I don't know an easier way to obtain the same access token that yaade would receive...
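The token inspection and "fields" mapping discussed in this thread, as an added Python example that is not part of Yaade or of any comment here: it decodes an id_token payload locally (so the token never has to be pasted into a third-party site), resolves provider field pointers such as "/email", "/groups" and "/roles" as JSON pointers, and shows why a claim absent from the token leaves only the defaultGroups. The sample payload is constructed, and treating defaultGroups as a union with the token's groups is an assumption, not a statement of Yaade's actual semantics.

```python
import base64
import json

# Constructed sample payload shaped like the id_token posted later in this thread:
# group membership arrives in the "roles" array, not in "groups".
SAMPLE_PAYLOAD = {
    "aud": "client-id-placeholder",
    "iss": "https://login.microsoftonline.com/tenant-placeholder/v2.0",
    "email": "peter@example.com",
    "roles": ["admin", "user"],
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build header.payload.signature with an empty signature (test input only)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."

def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment locally; no signature check, inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))

def resolve_pointer(doc, pointer: str):
    """Minimal RFC 6901 JSON pointer: '/roles' -> doc['roles'], '/roles/0' -> doc['roles'][0]."""
    if not pointer.startswith("/"):
        raise ValueError("pointer must start with '/'")
    cur = doc
    for raw in pointer[1:].split("/"):
        key = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(cur, dict) and key in cur:
            cur = cur[key]
        elif isinstance(cur, list) and key.isdigit() and int(key) < len(cur):
            cur = cur[int(key)]
        else:
            return None  # claim absent from the token: the symptom seen in this thread
    return cur

def map_fields(payload: dict, fields: dict) -> dict:
    """Apply a provider 'fields' block; defaultGroups are unioned in (assumed semantics)."""
    groups = resolve_pointer(payload, fields.get("groups", "/groups"))
    groups = list(groups) if isinstance(groups, list) else []
    for g in fields.get("defaultGroups", []):
        if g not in groups:
            groups.append(g)
    return {"username": resolve_pointer(payload, fields["username"]), "groups": groups}
```

Pointing "groups" at "/groups" when the tenant emits memberships under "roles" yields only the default group, which is the empty-groups symptom reported below; pointing it at "/roles" yields the memberships.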

@pthoelken
Author

Thanks @jonrosner, can you tell me, are these the right permissions for the application?

[screenshot]

@pthoelken
Author

I think there is "openid" missing, right?

@pthoelken
Author

I will evaluate this tomorrow in Azure AD and the JWT token.

@pthoelken
Author

@jonrosner we also added "openid" in the permissions tab but it still doesn't work for us. Maybe the migration to Entra Azure is a cause for this?

[screenshot]

For your information, this is my Azure JWT token:

===========================================================================================
= Decoded JWT Azure AD Token
===========================================================================================

{
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/XXXXXXXXXXXXXXXXXXX/",
    "iat": XXXXXXXXXXXXXXXXXXX,
    "nbf": XXXXXXXXXXXXXXXXXXX,
    "exp": XXXXXXXXXXXXXXXXXXX,
    "aio": "XXXXXXXXXXXXXXXXXXX",
    "app_displayname": "yaade",
    "appid": "XXXXXXXXXXXXXXXXXXX",
    "appidacr": "1",
    "idp": "https://sts.windows.net/XXXXXXXXXXXXXXXXXXX/",
    "idtyp": "app",
    "oid": "XXXXXXXXXXXXXXXXXXX",
    "rh": "XXXXXXXXXXXXXXXXXXX",
    "roles": [
        "User.Read.All"
    ],
    "sub": "XXXXXXXXXXXXXXXXXXX",
    "tenant_region_scope": "EU",
    "tid": "XXXXXXXXXXXXXXXXXXX",
    "uti": "XXXXXXXXXXXXXXXXXXX",
    "ver": "1.0",
    "wids": [
        "XXXXXXXXXXXXXXXXXXX"
    ],
    "xms_tcdt": XXXXXXXXXXXXXXXXXXX,
    "xms_tdbr": "EU"
}

===========================================================================================
= End of decoded JWT Azure AD Token
===========================================================================================

@jonrosner
Contributor

Unfortunately I don't know the exact working of Azure AD. But basically the solution to your problem is that you need to get your groups claims into this token somehow.

One thing that I see is that your claim is optional. This probably means that in your client that issues those yaade tokens you need to somehow make it required.

@jonrosner
Contributor

Closed due to inactivity.

@tknisch

tknisch commented Oct 15, 2024

Hi,

we are also facing an issue when trying to configure Yaade with EntraID / AzureAD.

The id_token looks like this:

{
  "aud": "XXXXXXXXXXXXXXXXXXX",
  "iss": "https://login.microsoftonline.com/XXXXXXXXXXXXXXXXXXX/v2.0",
  "iat": 1728994999,
  "nbf": 1728994999,
  "exp": 1728998899,
  "email": "XXXXXXXXXXXXXXXXXXX",
  "groups": [
    "XXXXXXXXXXXXXXXXXXX"
  ],
  "idp": "https://sts.windows.net/XXXXXXXXXXXXXXXXXXX/",
  "login_hint": "XXXXXXXXXXXXXXXXXXX",
  "name": "XXXXXXXXXXXXXXXXXXX",
  "oid": "XXXXXXXXXXXXXXXXXXX",
  "preferred_username": "XXXXXXXXXXXXXXXXXXX",
  "rh": "XXXXXXXXXXXXXXXXXXX",
  "roles": [
    "admin"
  ],
  "sub": "XXXXXXXXXXXXXXXXXXX",
  "tid": "XXXXXXXXXXXXXXXXXXX",
  "uti": "XXXXXXXXXXXXXXXXXXX",
  "ver": "2.0"
}

We want to use the roles array as groups. But if we configure it with the following configuration:

{
    "providers": [{
        "id": "entra",
        "label": "Login with Entra",
        "provider": "azureAD",
        "params": {
            "tenant": "XXXXXXXXXXXXXXXXXXX",
            "clientId": "XXXXXXXXXXXXXXXXXXX",
            "clientSecret": "XXXXXXXXXXXXXXXXXXX",
            "callbackUrl": "https://yaade.mydomain.net/oidc/callback",
            "fields": {
                "username": "/email",
                "groups": "/roles"
            },
            "scopes": ["openid", "email", "profile"]
        }
    }]
}

the groups are always empty.

Any suggestions?

Best regards

@jonrosner
Contributor

This looks correct. Please check these two things as well:

  1. You are using the id_token. Is this info available in the access_token?
  2. Can you try with a completely fresh Yaade instance? Especially make sure that the AD user never logged into Yaade before.

@tknisch

tknisch commented Oct 15, 2024

Hi,

thanks for the fast response!

  1. No, the roles attribute is only present in the id_token. But when I test another attribute which is present in the access_token, it is not working either.
  2. I've tested it with a completely fresh instance and got the same behaviour.

Best regards

jonrosner reopened this Oct 15, 2024
@jonrosner
Contributor

Does the email field work correctly? When logging in via OIDC, open the Settings and go to Account. Check if the username displayed there matches your email.

@tknisch

tknisch commented Oct 15, 2024

Yes, this is working fine. Only the groups are empty:

[screenshot]

@jonrosner
Contributor

Thanks, I was able to replicate it. I will push a fix asap.

@jonrosner
Contributor

I added a fix for this. Can you pull the nightly container and check if it works?

@tknisch

tknisch commented Oct 16, 2024

> I added a fix for this. Can you pull the nightly container and check if it works?

Good morning Jonathan,

I've checked and can confirm it is working fine :)

Gave me the roles admin and user and got them both:

[screenshot]
