SSO/OIDC with Zitadel

Hey yall, I racked my brain for a very long time on why zitadel was not passing roles to homarr which meant I could not create an admin user, well I have found the reason and solution, so this is more for people with my own setup which is homarr 1.0+ along with Zitadel for SSO.
The simple reason why Homarr does not like Zitadel is seemingly homarr only supports flat roles whereas Zitadel traverses a complex role json structure. Here is how I got it working:

Adding Zitadel SSO to homarr

Zitadel setup:

- Create application
- Web + Basic Auth
- Redirect URIs:
- https://home.domain.com/api/auth/callback/oidc
- Token Settings:
- Bearer Token -> User Roles inside ID Token -> User Info inside ID Token
- Create a zitadel action:
- name: onlyRoles

function onlyRoles(ctx, api) {
  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
    return;
  }

  let grants = [];
  ctx.v1.user.grants.grants.forEach(claim => {
    claim.roles.forEach(role => {
        grants.push(role)  
    })
  })

  api.v1.claims.setClaim('my:zitadel:grants', grants)
}

function onlyRoles(ctx, api) {
  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
    return;
  }

  let grants = [];
  ctx.v1.user.grants.grants.forEach(claim => {
    claim.roles.forEach(role => {
        grants.push(role)  
    })
  })

  api.v1.claims.setClaim('my:zitadel:grants', grants)
}

- Flows -> Complement Token -> Pre UserInfo Creation + Pre Access Token Creation
- Add admin role to zitadel and assign user to it, in my case role and key were both called "admin"

Add OIDC client and secret to homarr (docker compose environment variables):

     AUTH_PROVIDERS: oidc #credentials
      AUTH_OIDC_ISSUER: https://auth.domain.com
      AUTH_OIDC_CLIENT_SECRET: some-nasty-secret
      AUTH_OIDC_CLIENT_ID: client-id-hehe
      AUTH_OIDC_CLIENT_NAME: Zitadel
      AUTH_OIDC_SCOPE_OVERWRITE: "openid email profile"
      AUTH_OIDC_GROUPS_ATTRIBUTE: "my:zitadel:grants"

     AUTH_PROVIDERS: oidc #credentials
      AUTH_OIDC_ISSUER: https://auth.domain.com
      AUTH_OIDC_CLIENT_SECRET: some-nasty-secret
      AUTH_OIDC_CLIENT_ID: client-id-hehe
      AUTH_OIDC_CLIENT_NAME: Zitadel
      AUTH_OIDC_SCOPE_OVERWRITE: "openid email profile"
      AUTH_OIDC_GROUPS_ATTRIBUTE: "my:zitadel:grants"

Startup homarr
Enter admin group name in homarrs web ui: "admin"

login with Zitadel and you are an admin, woooo

Solution

Great, thanks for this writeout. We got another user that had a similar problem with keycloak and there exists a github issue to solve this in the future with allowing object paths:
https://github.com/homarr-labs/homarr/issues/2657

GitHub

feat(auth): support object path for groups and username claims · I...

Describe the bug I have a homarr group called "admins" with admin privileges. In Keycloak, in Client scopes -> roles -> mappers -> roles, the "client roles" mapper has ...

Jump to solution

SSO/OIDC with Zitadel

function onlyRoles(ctx, api) {
  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
    return;
  }

  let grants = [];
  ctx.v1.user.grants.grants.forEach(claim => {
    claim.roles.forEach(role => {
        grants.push(role)  
    })
  })

  api.v1.claims.setClaim('my:zitadel:grants', grants)
}

function onlyRoles(ctx, api) {
  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
    return;
  }

  let grants = [];
  ctx.v1.user.grants.grants.forEach(claim => {
    claim.roles.forEach(role => {
        grants.push(role)  
    })
  })

  api.v1.claims.setClaim('my:zitadel:grants', grants)
}

     AUTH_PROVIDERS: oidc #credentials
      AUTH_OIDC_ISSUER: https://auth.domain.com
      AUTH_OIDC_CLIENT_SECRET: some-nasty-secret
      AUTH_OIDC_CLIENT_ID: client-id-hehe
      AUTH_OIDC_CLIENT_NAME: Zitadel
      AUTH_OIDC_SCOPE_OVERWRITE: "openid email profile"
      AUTH_OIDC_GROUPS_ATTRIBUTE: "my:zitadel:grants"

     AUTH_PROVIDERS: oidc #credentials
      AUTH_OIDC_ISSUER: https://auth.domain.com
      AUTH_OIDC_CLIENT_SECRET: some-nasty-secret
      AUTH_OIDC_CLIENT_ID: client-id-hehe
      AUTH_OIDC_CLIENT_NAME: Zitadel
      AUTH_OIDC_SCOPE_OVERWRITE: "openid email profile"
      AUTH_OIDC_GROUPS_ATTRIBUTE: "my:zitadel:grants"

Startup homarr
Enter admin group name in homarrs web ui: "admin"

login with Zitadel and you are an admin, woooo

Solution

GitHub

feat(auth): support object path for groups and username claims · I...

Describe the bug I have a homarr group called "admins" with admin privileges. In Keycloak, in Client scopes -> roles -> mappers -> roles, the "client roles" mapper has ...

Jump to solution

SSO/OIDC with Zitadel

SSO/OIDC with Zitadel

Similar Threads

Similar Threads

Similar Threads