Homarr•4w ago
zodac

OIDC Auth - Stop updating roles?

Hi, I've configured integration with Authentik. I want any users that log in through Authentik to be created as 'normal' users, and all seems to be set up fine. However, I also want my personal account to be an administrator, while still using Authentik to log in (I have an 'admin' account as the owner). I log in once, then switch to the admin account to promote my account to administrator, then disable credential login.

But whenever I log in through my personal account, I see this message in the logs, highlighting that my user is demoted back to a normal account on each login.

`updating roles of user <username>`

Is there a way to disable updating the roles of a user when logging in through OIDC?

Thanks
Cakey Bot•4w ago
Thank you for submitting a support request. Depending on the volume of requests, our team should get in contact with you shortly.
⚠️ Please include the following details in your post or we may reject your request without further comment:
- Log (See https://homarr.dev/docs/community/faq#how-do-i-open-the-console--log)
- Operating system (Unraid, TrueNAS, Ubuntu, ...)
- Exact Homarr version (eg. 0.15.0, not latest)
- Configuration (eg. docker-compose, screenshot or similar. Use ``your-text`` to format)
- Other relevant information (eg. your devices, your browser, ...)
zodac•4w ago
Log: https://pastebin.com/xVKFAvQQ
Operating system: Docker
Exact Homarr version: 0.15.3
Configuration:
```yaml
homarr:
  image: ghcr.io/ajnart/homarr:0.15.3
  container_name: homarr
  hostname: homarr
  environment:
    # Auth config
    AUTH_OIDC_CLIENT_ID: "clientId"
    AUTH_OIDC_CLIENT_NAME: "Authentik"
    AUTH_OIDC_CLIENT_SECRET: "clientSecret"
    AUTH_OIDC_URI: "https://auth.site.com/application/o/homarr"
    AUTH_PROVIDER: "oidc"
    BASE_URL: "https://homarr.site.com"
    NEXTAUTH_URL: "https://homarr.site.com"
  ports:
    - "7575:7575"
  restart: unless-stopped
  volumes:
    - homarr_configs:/app/data/configs
    - homarr_data:/data
    - homarr_icons:/app/public/icons
```
Laehar•4w ago
there are env vars you can set normally to configure the roles mapped to Owner & Admin
looking in my own config (just need to login xD)
AUTH_OIDC_ADMIN_GROUP=homarr-admin
AUTH_OIDC_OWNER_GROUP=homarr-owner
Solution
Laehar•4w ago
if one of my OIDC logged in users is part of the homarr-admin role, they'll automatically be setup as an admin in homarr, similar for Owner
Laehar•4w ago
I personally set up a separate admin account as owner and made my personal account admin
zodac•4w ago
But if I set those environment values, what happens when another user (who I would like to allow log in) tries to connect? Won't they also be made admins? Or do I need to assign them to another group in Authentik?

Oh, I think I see. If there's no match the logged in user is normal. If there is a match on either of those environment variables it will become admin and/or user? And the values for those vars match the group the user belongs to in Authentik?

I'll give that a try tomorrow, seems like it should work as you set. 🙂
Laehar•4w ago
the values are groups I set up in my own LDAP (I got LDAP + Authelia set up)
but indeed, all users can log in and are assigned users by default
if the Admin role is present -> Admin gets assigned
if the Owner role is present -> Owner gets assigned (not sure if there can be multiple owners, hence why I set it up on a separate technical account)
zodac•4w ago
Thanks so much @Laehar, that all worked perfectly. 🙂
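
The role assignment described in the thread (no matching group: normal user; admin group: Admin; owner group: Owner), modelled as an added example that is not Homarr's code and not part of the thread. The `groups` claim name, the function names and the sample accounts are assumptions; the group names and the log line are the ones quoted above.

```javascript
// Added example: a model of group-based role sync on OIDC login, not Homarr's source.
// Assumption: the IdP (Authentik here) sends memberships in a "groups" claim.
const cfg = {
  adminGroup: "homarr-admin", // AUTH_OIDC_ADMIN_GROUP value quoted in the thread
  ownerGroup: "homarr-owner", // AUTH_OIDC_OWNER_GROUP value quoted in the thread
};

// The claim may be an array, a single string, or missing; normalise to an array.
function groupsFromProfile(profile) {
  const raw = profile ? profile.groups : undefined;
  if (Array.isArray(raw)) return raw.filter((g) => typeof g === "string");
  return typeof raw === "string" && raw !== "" ? [raw] : [];
}

// Roles come only from the token. No match means a normal user.
// Matching is exact and case-sensitive in this model.
function resolveRoles(profile, c) {
  const groups = new Set(groupsFromProfile(profile));
  return { isAdmin: groups.has(c.adminGroup), isOwner: groups.has(c.ownerGroup) };
}

// On each login the stored flags are replaced when they differ from the derived
// ones, which is why a promotion made in the UI is lost at the next login.
function syncRolesOnLogin(user, profile, c, log) {
  const derived = resolveRoles(profile, c);
  if (user.isAdmin === derived.isAdmin && user.isOwner === derived.isOwner) return user;
  log.push(`updating roles of user ${user.name}`);
  return { ...user, ...derived };
}

// Constructed sample accounts and claims.
function demo() {
  const log = [];
  const promotedInUi = { name: "alice", isAdmin: true, isOwner: false };
  // Case from the question: admin set locally, token carries no admin group.
  const demoted = syncRolesOnLogin(promotedInUi, { groups: ["users"] }, cfg, log);
  // Fix from the thread: the account is in the admin group at the IdP.
  const kept = syncRolesOnLogin(promotedInUi, { groups: ["users", "homarr-admin"] }, cfg, log);
  // Another user with no matching group stays a normal user.
  const guest = syncRolesOnLogin({ name: "bob", isAdmin: false, isOwner: false }, { groups: "users" }, cfg, log);
  return { demoted, kept, guest, log };
}
```

In this model the identity provider is the only source of privilege, so granting or revoking admin means changing group membership at the IdP rather than in the dashboard.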