[BUG] Unable to save configuration when logged in as admin via GitLab OIDC

[alexNMD]

Environment

Self-Hosted (Docker)

System

Debian GNU/Linux 12 (bookworm) | Docker version 29.2.1

Version

4.3.1

Describe the problem

We had set up OIDC auth through GitLab as below:

    enableOidc: true
    oidc:
      clientId: xxxxxxxxxxxxxxxxxx
      endpoint: https://xxxxxxxxxxxxxxx
      scope: openid profile email
      adminGroup: cinego

After successful login, the browser console shows:

Authenticated as alexandre (admin)
{"groups":["cinego","cinego/devops","cinego/devops/ansible","cinego/distri","cinego/stock","cinego/tools","cinego/cinepeer","cinego/ententes"],"roles":[]}

And when i try to save the configuration, i got this error :

POST https://xxxxxxxxxxxxxx/config-manager/save 403 (Forbidden)

Potential Root Cause

When decoding the idToken the claim containing the groups is named 'groups_direct' instead of 'groups' :

  "groups_direct": [
    "cinego"
  ]

This mismatch could cause the admin verification to fail, resulting in the 403 error.

Additional info

No response

Please tick the boxes

• You have explained the issue clearly, and included all relevant info
• You are using a supported version of Dashy
• You've checked that this issue hasn't already been raised
• You've checked the docs and troubleshooting guide
• You agree to the code of conduct

[lissy93]

Hey @alexNMD, thanks for the clear report.

Your thoughts on the root cause seem correct, and I can recreate. I've got a fix in progress (it will probably come out in 4.3.3), and am just spinning up and setting up a gitlab environment to test it out with. The fix is just making the admin check read the groups_direct in both the server-side auth check, and on the client. So once it is out, your config should work as-is, no changes needed (except logout and login again).

One small note for anyone else landing here: GitLab only includes direct memberships in groups_direct. So adminGroup needs to be a group the user is directly a member of, rather than one inherited through a subgroup.

[liss-bot]

Hey @alexNMD, this has now been implemented in #2203, and will be released shortly in 4.3.3 😇

If you're enjoying Dashy, consider sponsoring us on GitHub to help with development 💖