Homarr 3w ago
Zbe

OIDC groups not working

Hello. I am using OIDC to connect auth to Authelia. There I have groups admins and arrs. I don't really know the difference between owner and admin in Homarr, but I have set arrs as admin and admins as owner. But after login, I cannot modify the dashboards, saying I do not have the permission. Authelia config:
client_id: 'homarr'
client_name: 'Homarr'
client_secret: 'secret'
public: false
authorization_policy: 'two_factor'
redirect_uris:
  - 'https://homarr.jajaa.si/api/auth/callback/oidc'
scopes:
  - 'openid'
  - 'groups'
  - 'email'
  - 'profile'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
homarr:
  container_name: homarr
  image: ghcr.io/ajnart/homarr:latest
  restart: always
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock # Optional, only if you want docker integration
    - /opt/configs/homarr/configs:/app/data/configs
    - /opt/configs/homarr/icons:/app/public/icons
    - /opt/configs/homarr/data:/data
  environment:
    - TZ=Europe/Ljubljana
    - DEFAULT_COLOR_SCHEME=dark
    - BASE_URL=homarr.shsjsj.si
    - NEXTAUTH_URL=https://homarr.ajaja.si
    - AUTH_PROVIDER=oidc
    - AUTH_OIDC_URI=https://auth.sjsjs.si
    - AUTH_OIDC_CLIENT_ID=homarr
    - AUTH_OIDC_CLIENT_NAME=Authelia
    - AUTH_OIDC_ADMIN_GROUP=admins
    - AUTH_OIDC_OWNER_GROUP=admins
  ports:
    - '7575:7575'
  networks:
    - traefik
Cakey Bot 3w ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
Manicraft1001 3w ago
Your groups are the same. Can you try different groups?
Zbe 3w ago
This was the latest try. I will retry. One moment.
- AUTH_OIDC_ADMIN_GROUP=arrs
- AUTH_OIDC_OWNER_GROUP=admins
Same result. Would it affect if my user is a member of both groups?
Manicraft1001 3w ago
I would try to see whether it does. Ensure that you log out and in again, as this may have some effect.
Zbe 3w ago
One moment
Starting production server...
Listening on port 7575 url: http://b08567f88e4e:7575

WARN no groups found in profile of oidc user

updating roles of user zbe

WARN no groups found in profile of oidc user

updating roles of user zbe
It doesn't fetch any groups?
Manicraft1001 3w ago
Just checked quickly, both groups being the same shouldn't be a problem. @Tag can you jump in?
Zbe 3w ago
I have changed the groups, but noticed this in the logs
Tag 3w ago
So, this was working before right? Or are you setting it up right now and just not working?
Zbe 3w ago
I was just setting it up. Had Authelia working on other services before tho.
Tag 3w ago
Alright, so this is not an issue that came with the new version, good to know. You use Authelia, and what do you use as a database? LDAP?
Zbe 3w ago
OpenLDAP, yes
Tag 3w ago
Is it possible you haven't configured the groups properly in Authelia?
Zbe 3w ago
Hmmm, let me try it out. It does appear so, I will check it out more as soon as I get to the PC.
Tag 3w ago
https://gist.github.com/dgalli1/3193fd3e0476a0495c0fd91e1e055022 I am thinking the groups are not working because authelia is not transmitting any groups. This is a link to how Authelia is configured with OpenLdap
Zbe 3w ago
The funny thing is my setup is based directly on this. I will investigate.
Tag 3w ago
I actually believe you, I followed the same for LLDAP instead but they're quite easy to find
Zbe 3w ago
I was thinking of migrating to LLDAP, but I didn't find any info on if they can send login info to the user like ldap-user-manager does (what I use atm).
Tag 3w ago
That's a good question, I'd say just try it. You don't need to delete your openLdap to try LLDAP.
Zbe 3w ago
I did, since I use Traefik I can make the reverse proxy straight from the compose, so it's quite quick. But I didn't find any options. So I thought it might be an env var.
Tag 3w ago
I remember checking that too actually, I've searched around a bit more and it seems you can't modify the LLDAP database from outside, so apps like user-ldap-management wouldn't work. You can only use the GUI of LLDAP.
Zbe 3w ago
So, I have noticed this log in Authelia:
time="2024-05-13T02:40:56+02:00" level=debug msg="Check authorization of subject username=zbe groups=admins,arrs ip=185.65.228.215 and object https://awdawda.si/radarr/api/v3/command (method GET)."
And the groups are here, so Authelia should recognize the groups.
Tag 3w ago
Alright, another interesting thing I just found in the code: if you actually indeed do not have any groups, you would have an error logged into Homarr's logs. Which you do. So the problem is not that the env variable is wrong, it's that when the user connects, it doesn't return any groups. So basically, Authelia is not giving the groups. No idea if that's because you need to enable something somewhere, maybe. Ah! Maybe because of how you configure OIDC in Authelia? Do you have all the scopes correctly added in Authelia's OIDC configuration? Namely, "groups"?
Zbe 3w ago
scopes:
  - 'openid'
  - 'groups'
  - 'email'
  - 'profile'
Tag 3w ago
Too bad... It's quite confusing, we're at the point where we know Authelia has the groups, but it doesn't give it to us through OIDC...
Zbe 3w ago
I will do some more checks with Authelia, I have noticed the group domain locks don't work either. It does seem to find the groups according to the log. I have no idea where I messed it up.
Tag 3w ago
That wasn't supposed to happen, wth. Sorry you got message policed.
Zbe 3w ago
Happens, hahaha. I probably messed around in the config and didn't notice it before. And just now noticed with this Homarr fiasco.
Solution
Zbe 3w ago
So, the issue with my sites was my new shiny catchall. Homarr also no longer gives group errors. It does not still work however. I will try to reset the volume and see if that helps.
Tag 3w ago
You've set back the env variables in Homarr, right?
Zbe 3w ago
Lol. Resetting the volume fixed it. Guess it caches something somewhere. Thanks for all your input and help!
Tag 3w ago
Glad we got it working. I'm actually glad it was a setup problem and not from the modifications I had to do recently possibly wrecking it up.
Zbe 3w ago
Do feel that. While I have you here, is it normal to redirect me to torrent galaxy in torrent search? I would think it would use prowlarr for it
Tag 3w ago
Torrent search was implemented a long time ago and prowlarr just recently so nothing to do with one another. It was recently asked to be able to use any torrent indexer you could want though. But this is such a better idea, could you please make a github issue with the idea? I actually didn't like much that we had an indexer hardcoded in so something like that would be great.
Zbe 3w ago
What's homarr written in again?
Tag 3w ago
TypeScript
Zbe 3w ago
Will try to play around and send a pull. If not I'll make an issue
Tag 3w ago
Alright, I'll mark this ticket as resolved. If you have further questions please do so in #🦞・general or make a new ticket, it's better for referencement if someone searches for the issue.
Zbe 3w ago
Alright, thanks again for your help and time