diff --git a/common.js b/common.js
index 7e6c551ecc..fb67134972 100644
--- a/common.js
+++ b/common.js
@@ -386,4 +386,17 @@ module.exports.moveOldFiles = function (filelist) {
for (var i in filelist) { if (fs.existsSync(filelist[i] + oldFileExt) == true) { extOk = false; } }
} while (extOk == false);
for (var i in filelist) { try { fs.renameSync(filelist[i], filelist[i] + oldFileExt); } catch (ex) { } }
+}
+
+// Convert strArray to Array, returns array if strArray or null if any other type
+module.exports.convertStrArray = function (object, split) {
+ if (split && typeof object === 'string') {
+ return object.split(split)
+ } else if (typeof object === 'string') {
+ return Array(object);
+ } else if (Array.isArray(object)) {
+ return object
+ } else {
+ return []
+ }
}
\ No newline at end of file
diff --git a/docs/docs/meshcentral/index.md b/docs/docs/meshcentral/index.md
index be0834e733..de64943bfb 100644
--- a/docs/docs/meshcentral/index.md
+++ b/docs/docs/meshcentral/index.md
@@ -1659,7 +1659,39 @@ Enabling SAML will require MeshCentral to install extra modules from NPM, so dep
!!!note
MeshCentral only supports "POST". [For example Authentik's](https://github.com/Ylianst/MeshCentral/issues/4725) default setting is to use "Redirect" as a "Service Provider Binding".
-
+
+### Generic OpenID Connect Setup
+
+Generally, if you are using an IdP that supports OpenID Connect (OIDC), you can use a very basic configuration to get started, and if needed, add more specific or advanced configurations later. Here is what your config file will look like with a basic, generic, configuration.
+
+``` json
+{
+ "settings": {
+ "cert": "mesh.your.domain",
+ "port": 443,
+ "sqlite3": true
+ },
+ "domains": {
+ "": {
+ "title": "Mesh",
+ "title2": ".Your.Domain",
+ "authStrategies": {
+ "oidc": {
+ "issuer": "https://sso.your.domain",
+ "clientid": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
+ "clientsecret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
+ "newAccounts": true
+ }
+ }
+ }
+ }
+}
+```
+
+As you can see, this is roughly the same as all the other OAuth2 based authentication strategies. These are the basics you need to get started using OpenID Connect because it's still authenticating with OAuth2. If you plan to take advantage of some of the more advanced features provided by this strategy you should consider reading the [additional strategy documentation](./openidConnectStrategy.md).
+
+> NOTE: MeshCentral will use `https://mesh.your.domain/auth-oidc-callback` as the default redirect uri.
+
## Improvements to MeshCentral
In 2007, the first version of MeshCentral was built. We will refer to it as “MeshCentral1”. When MeshCentral1 was designed, HTML5 did not exist and web sockets where not implemented in any of the major browsers. Many design decisions were made at the time that are no longer optimal today. With the advent of the latest MeshCentral, MeshCentral1 is no longer supported and MeshCentral v2 has been significantly redesigned and mostly re-written based of previous version. Here is a list of improvements made in MeshCentral when compared with MeshCentral1:
diff --git a/docs/docs/meshcentral/openidConnectStrategy.md b/docs/docs/meshcentral/openidConnectStrategy.md
new file mode 100644
index 0000000000..aab4ffddbd
--- /dev/null
+++ b/docs/docs/meshcentral/openidConnectStrategy.md
@@ -0,0 +1,654 @@
+# Using the OpenID Connect Strategy on MeshCentral
+
+## Overview
+
+### Introduction
+
+There is a lot of information to go over, but first, why OpenID Connect?
+
+Esentially its because its both based on a industry standard authorization protocol, and is becoming an industry standard authentication protocol. Put simply it's reliable and reusable, and we use OpenID Connect for exactly those reasons, almost every everyone does, and we want to be able to integrate with almost anyone. This strategy allows us to expand the potential of MeshCentral through the potential of OpenID Connect.
+
+In this document, we will learn about the OpenID Connect specification at a high level, and then use that information to configure the OpenID Connect strategy for MeshCentral using a generic OpenID Connect compatible IdP. After that we will go over some advanced configurations and then continue by explaining how to use the new presets for popular IdPs, specifically Google or Azure. Then we will explore the configuration and usage of the groups feature.
+
+> ATTENTION: As of MeshCentral `v1.1.22` there are multiple config options being depreciated. Using any of the old configs will only generate a warning in the authlog and will not stop you from using this strategy at this time. If there is information found in both the new and old config locations the new config location will be used. We will go over the specifics later, now lets jump in.
+
+### Chart of Frequently Used Terms and Acronyms
+| Term | AKA | Descriptions |
+| --- | --- | --- |
+| OAuth 2.0 | OAuth2 | OAuth 2.0 is the industry-standard protocol for user *authorization*. |
+| OpenID Connect | OIDC | Identity layer built on top of OAuth2 for user *authentication*. |
+| Identity Provider | IdP | The *service used* to provide authentication and authorization. |
+| Preset Configs | Presets | Set of *pre-configured values* to allow some specific IdPs to connect correctly. |
+| OAuth2 Scope | Scope | A flag *requesting access* to a specific resource or endpoint |
+| OIDC Claim | Claim | A *returned property* in the user info provided by your IdP |
+| User Authentication | AuthN | Checks if you *are who you say you are*. Example: Username and password authentication |
+| User Authorization | AuthZ | Check if you have the *permissions* required to access a specific resource or endpoint |
+
+### OpenID Connect Technology Overview
+
+OpenID Connect is a simple identity layer built on top of the OAuth2 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an “Authorization Server”, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
+
+OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and logout, when it makes sense for them.
+
+That description was straight from [OpenID Connect Documentation](https://openid.net/connect/), but basically, OAuth2 is the foundation upon which OpenID Connect was built, allowing for wide ranging compatability and interconnection. OpenID Connect appends the secure user *authentication* OAuth2 is known for, with user *authorization* by allowing the request of additional *scopes* that provide additional *claims* or access to API's in an easily expandable way.
+
+## Basic Config
+
+### *Introduction*
+
+Generally, if you are using an IdP that supports OIDC, you can use a very basic configuration to get started, and if needed, add more specific or advanced configurations later. Here is what your config file will look like with a basic, generic, configuration.
+
+### *Basic Config File Example*
+
+``` json
+{
+ "settings": {
+ "cert": "mesh.your.domain",
+ "port": 443,
+ "sqlite3": true
+ },
+ "domains": {
+ "": {
+ "title": "MeshCentral",
+ "title2": "Your sub-title",
+ "authStrategies": {
+ "oidc": {
+ "issuer": "https://sso.your.domain",
+ "clientid": "2d5685c5-0f32-4c1f-9f09-c60e0dbc948a",
+ "clientsecret": "7PiGSLSLL4e7NGi67KM229tfK7Z7TqzQ",
+ "newAccounts": true
+ }
+ }
+ }
+ }
+}
+```
+
+As you can see, this is roughly the same as all the other OAuth2 based authentication strategies. These are the basics you need to get started, however, if you plan to take advantage of some of the more advanced features provided by this strategy, you'll need to keep reading.
+
+In this most basic of setups, you only need the URL of the issuer, as well as a client ID and a client secret. Notice in this example that the callback URL (or client redirect uri) is not configured, thats because MeshCentral will use `https://mesh.your.domain/auth-oidc-callback` as the default. Once you've got your configuration saved, restart MeshCentral and you should see an OpenID Connect Single Sign-on button on the login screen.
+
+> WARNING: The redirect endpoint must EXACTLY match the value provided to your IdP or your will deny the connection.
+
+> ATTENTION: You are required to configure the cert property in the settings section for the default domain, and configure the dns property under each additional domain.
+
+## Advanced Options
+
+### Overview
+
+There are plenty of options at your disposal if you need them. In fact, you can configure any property that node-openid-client supports. The openid-client module supports far more customization than I know what to do with, if you want to know more check out [node-openid-client on GitHub](https://github.com/panva/node-openid-client) for expert level configuration details. There are plenty of things you can configure with this strategy and there is a lot of decumentation behind the tools used to make this all happen. I strongly recommend you explore the [config schema](https://github.com/Ylianst/MeshCentral/blob/master/meshcentral-config-schema.json), and if you have a complicated config maybe check out the [openid-client readme](https://github.com/panva/node-openid-client/blob/main/docs/README.md). Theres a list of resources at the end if you want more information on any specific topics. In the meantime, let’s take a look at an example of what your config file could look with a slightly more complicated configuration, including multiple manually defined endpoints.
+
+#### *Advanced Config File Example*
+
+``` json
+{
+ "settings": {
+ "cert": "mesh.your.domain",
+ "port": 443,
+ "redirPort": 80,
+ "AgentPong": 300,
+ "TLSOffload": "192.168.1.50",
+ "SelfUpdate": false,
+ "AllowFraming": false,
+ "sqlite3": true,
+ "WebRTC": true
+ },
+ "domains": {
+ "": {
+ "title": "Mesh",
+ "title2": ".Your.Domain",
+ "orphanAgentUser": "~oidc:e48f8ef3-a9cb-4c84-b6d1-fb7d294e963c",
+ "authStrategies": {
+ "oidc": {
+ "issuer": {
+ "issuer": "https://sso.your.domain",
+ "authorization_endpoint": "https://auth.your.domain/auth-endpoint",
+ "token_endpoint": "https://tokens.sso.your.domain/token-endpoint",
+ "endsession_endpoint": "https://sso.your.domain/logout",
+ "jwks_uri": "https://sso.your.domain/jwks-uri"
+ },
+ "client": {
+ "client_id": "110d5612-0822-4449-a057-8a0dbe26eca5",
+ "client_secret": "4TqST46K53o3Z2Q88p39YwR6YwJb7Cka",
+ "redirect_uri": "https://mesh.your.domain/oauth2/oidc/redirect",
+ "post_logout_redirect_uri": "https://mesh.your.domain/login",
+ "token_endpoint_auth_method": "client_secret_post",
+ "response_types": "authorization_code"
+ },
+ "custom": {
+ "scope": [ "openid", "profile", "read.EmailAlias", "read.UserProfile" ],
+ "preset": null
+ },
+ "groups": {
+ "recursive": true,
+ "required": ["Group1", "Group2"],
+ "siteadmin": ["GroupA", "GroupB"],
+ "revokeAdmin": true,
+ "sync": {
+ "filter": ["Group1", "GroupB", "OtherGroup"]
+ },
+ "claim": "GroupClaim",
+ "scope": "read.GroupMemberships"
+ },
+ "logouturl": "https://sso.your.domain/logout?r=https://mesh.your.domain/login",
+ "newAccounts": true
+ },
+ {...}
+ }
+ }
+ }
+}
+```
+
+### "Issuer" Options
+
+#### *Introduction*
+
+In the advanced example config above, did you notice that the issuer property has changed from a *string* to an *object* compared to the basic example? This not only allows for much a much smaller config footprint when advanced issuer options are not required, it successfully fools you in to a false sense of confidence early on in this document. If you are manually configuring the issuer endpoints, keep in mind that MeshCentral will still attempt to discover **ALL** issuer information. Obviously if you manually configure an endpoint, it will be used even if the discovered information is different from your config.
+
+> NOTE: If you are using a preset, you dont need to define an issuer. If you do, the predefined information will be ignored.
+
+#### *Common Config Chart*
+
+| Name | Description | Default | Example | Required |
+| --- | --- | --- | --- | --- |
+| `issuer` | The primary URI that represents your Identity Providers authentication endpoints. | N/A | `"issuer": "https://sso.your.domain"`
`"issuer": { "issuer": "https://sso.your.domain" }` | Unless using preset. |
+
+#### *Advanced Config Example*
+
+``` json
+"issuer": {
+ "issuer": "https://sso.your.domain",
+ "authorization_endpoint": "https://auth.your.domain/auth-endpoint",
+ "token_endpoint": "https://tokens.sso.your.domain/token-endpoint",
+ "endsession_endpoint": "https://sso.your.domain/logout",
+ "jwks_uri": "https://sso.your.domain/jwks-uri"
+},
+```
+
+#### *Required and Commonly Used Configs*
+
+The `issuer` property in the `issuer` object is the only one required, and its only required if you aren't using a preset. Besides the issuer, these are mostly options related to the endpoints and their configuration. The schema below looks intimidating but it comes down to being able to support any IdP. Setting the issuer, and endsession_endpoint are the two main ones you want to setup.
+
+#### *Schema*
+
+``` json
+"issuer": {
+ "type": ["string","object"],
+ "format": "uri",
+ "description": "Issuer options. Requires issuer URI (issuer.issuer) to discover missing information unless using preset",
+ "properties": {
+ "issuer": { "type": "string", "format": "uri", "description": "URI of the issuer." },
+ "authorization_endpoint": { "type": "string", "format": "uri" },
+ "token_endpoint": { "type": "string", "format": "uri" },
+ "jwks_uri": { "type": "string", "format": "uri" },
+ "userinfo_endpoint": { "type": "string", "format": "uri" },
+ "revocation_endpoint": { "type": "string", "format": "uri" },
+ "introspection_endpoint": { "type": "string", "format": "uri" },
+ "end_session_endpoint": {
+ "type": "string",
+ "format": "uri",
+ "description": "URI to direct users to when logging out of MeshCentral.",
+ "default": "this.issuer/logout"
+ },
+ "registration_endpoint": { "type": "string", "format": "uri" },
+ "token_endpoint_auth_methods_supported": { "type": "string" },
+ "token_endpoint_auth_signing_alg_values_supported": { "type": "string" },
+ "introspection_endpoint_auth_methods_supported": { "type": "string" },
+ "introspection_endpoint_auth_signing_alg_values_supported": { "type": "string" },
+ "revocation_endpoint_auth_methods_supported": { "type": "string" },
+ "revocation_endpoint_auth_signing_alg_values_supported": { "type": "string" },
+ "request_object_signing_alg_values_supported": { "type": "string" },
+ "mtls_endpoint_aliases": {
+ "type":"object",
+ "properties": {
+ "token_endpoint": { "type": "string", "format": "uri" },
+ "userinfo_endpoint": { "type": "string", "format": "uri" },
+ "revocation_endpoint": { "type": "string", "format": "uri" },
+ "introspection_endpoint": { "type": "string", "format": "uri" }
+ }
+ }
+ },
+ "additionalProperties": false
+},
+```
+
+### "Client" Options
+
+#### *Introduction*
+
+There are just about as many option as possible here since openid-client also provides a Client class, because of this you are able to manually configure the client how ever you need. This includes setting your redirect URI to any available path, for example, if I was using the "google" preset and wanted to have Google redirect me back to "https://mesh.your.domain/oauth2/oidc/redirect/givemebackgooglemusicyoujerks", MeshCentral will now fully support you in that. One of the other options is the post logout redirect URI, and it is exactly what it sounds like. After MeshCentral logs out a user using the IdPs end session endpoint, it send the post logout redirect URI to your IdP to forward the user back to MeshCentral or to an valid URI such as a homepage.
+
+> NOTE: The client object is required, however an exception would be with using old configs, which will be discussed later.
+
+#### *Common Configs*
+
+| Name | Description | Default | Example | Required |
+| --- | --- | --- | --- | --- |
+| `client_id` | The client ID provided by your Identity Provider (IdP) | N/A | `bdd6aa4b-d2a2-4ceb-96d3-b3e23cd17678` | `true` |
+| `client_secret` | The client secret provided by your Identity Provider (IdP) | N/A | `vUg82LJ322rp2bvdzuVRh3dPn3oVo29m` | `true` |
+| `redirect_uri` | "URI your IdP sends you after successful authorization. | `https://mesh.your.domain/auth-oidc-callback` | `https://mesh.your.domain/oauth2/oidc/redirect` | `false` |
+| `post_logout_redirect_uri` | URI for your IdP to send you after logging out of IdP via MeshCentral. | `https://mesh.your.domain/login` | `https://site.your.other.domain/login` | `false` |
+
+#### *Advanced Config Example*
+
+``` json
+"client": {
+ "client_id": "00b3875c-8d82-4238-a8ef-25303fa7f9f2",
+ "client_secret": "7PP453H577xbFDCqG8nYEJg8M3u8GT8F",
+ "redirect_uri": "https://mesh.your.domain/oauth2/oidc/redirect",
+ "post_logout_redirect_uri": "https://mesh.your.domain/login",
+ "token_endpoint_auth_method": "client_secret_post",
+ "response_types": "authorization_code"
+},
+```
+
+#### *Required and Commonly Used Configs*
+
+There are many available options you can configure but most of them go unused. Although there are a few *commonly used* properties. The first two properties, `client_id` and `client_secret` are required. The next one `redirect_uri` is used to setup a custom URI for the redirect back to MeshCentral after being authenicated by your IdP. The `post_logout_redirect_uri` property is used to tell your IdP where to send you after being logged out. These work in conjunction with the issuers `end_session_url` to automatically fill in any blanks in the config.
+
+#### *Schema*
+``` json
+"client": {
+ "type": "object",
+ "description": "OIDC Client Options",
+ "properties": {
+ "client_id": {
+ "type": "string",
+ "description": "REQUIRED: The client ID provided by your Identity Provider (IdP)"
+ },
+ "client_secret": {
+ "type": "string",
+ "description": "REQUIRED: The client secret provided by your Identity Provider (IdP)"
+ },
+ "redirect_uri": {
+ "type": "string",
+ "format": "uri",
+ "description": "URI your IdP sends you after successful authorization. This must match what is listed with your IdP. (Default is https://[currentHost][currentPath]/auth-oidc-callback)"
+ },
+ "post_logout_redirect_uri": {
+ "type": "string",
+ "format": "uri",
+ "description": "URI for your IdP to send you after logging out of IdP via MeshCentral.",
+ "default": "https:[currentHost][currentPath]/login"
+ },
+ "id_token_signed_response_alg": { "type": "string", "default": "RS256" },
+ "id_token_encrypted_response_alg": { "type": "string" },
+ "id_token_encrypted_response_enc": { "type": "string" },
+ "userinfo_signed_response_alg": { "type": "string" },
+ "userinfo_encrypted_response_alg": { "type": "string" },
+ "userinfo_encrypted_response_enc": { "type": "string" },
+ "response_types": { "type": ["string", "array"], "default": ["code"] },
+ "default_max_age": { "type": "number" },
+ "require_auth_time": { "type": "boolean", "default": false },
+ "request_object_signing_alg": { "type": "string" },
+ "request_object_encryption_alg": { "type": "string" },
+ "request_object_encryption_enc": { "type": "string" },
+ "token_endpoint_auth_method": {
+ "type": "string",
+ "default": "client_secret_basic",
+ "enum": [ "none", "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt" ]
+ },
+ "introspection_endpoint_auth_method": {
+ "type": "string",
+ "default": "client_secret_basic",
+ "enum": [ "none", "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt" ]
+ },
+ "revocation_endpoint_auth_method": {
+ "type": "string",
+ "default": "client_secret_basic",
+ "enum": [ "none", "client_secret_basic", "client_secret_post", "client_secret_jwt", "private_key_jwt" ]
+ },
+ "token_endpoint_auth_signing_alg": { "type": "string" },
+ "introspection_endpoint_auth_signing_alg": { "type": "string" },
+ "revocation_endpoint_auth_signing_alg": { "type": "string" },
+ "tls_client_certificate_bound_access_tokens": { "type": "boolean" }
+ },
+ "required": [ "client_id", "client_secret" ],
+ "additionalProperties": false
+},
+```
+
+### "Custom" Options
+
+#### *Introduction*
+
+These are all the options that dont fit with the issuer or client, including the presets. The presets define more than just the issuer URL used in discovery, they also define API endpoints, and specific ways to assemble your data. You are able to manually override most of the effects of the preset, but not all. You are able to manually configure the *scope* of the authorization request though, as well as choose which claims to use if your IdP uses something other than the defaults.
+
+> NOTE: The scope must be a string, an array of strings, or a space separated list of scopes as a single string.
+
+#### *Common Config Chart*
+
+| Name | Description | Default | Example | Required |
+| -------- | ------------------------------------------------ | --------------------------------------------------------- | ----------------------------------- | -------- |
+| `scope` | A list of scopes to request from the issuer. | `"openid profile email"` | `["openid", "profile"]` | `false` |
+| `claims` | A group of claims to use instead of the defaults | Defauts to name of property except that `uuid` used `sub` | `"claims": {"uuid": "unique_name"}` | `false` |
+
+#### *Advanced Config Example*
+
+``` json
+"custom": {
+ "scope": [ "openid", "profile", "read.EmailAlias", "read.UserProfile" ],
+ "preset": null,
+ "claims": {
+ "name": "nameOfUser",
+ "email": "publicEmail"
+ }
+},
+```
+
+> NOTE: You can `preset` to null if you want to explicitly disable presets.
+
+#### *Required and Commonly Used Configs*
+
+As should be apparent by the name alone, the custom property does not need to be configured and is used for optional or advanced configurations. With that said, lets look at few common options strategy will default to using the `openid`, `profile`, and `email` scopes to gather the required information about the user, if your IdP doesn't support or require all these, you can set up the scope manually. Combine that with the ability to set the group scope and you can end up with an entirely custom scope being sent to your IdP. Not to mention the claims property, which allows you to pick and choose what claims to use to gather your data in case you have issues with any of the default behaviors of OpenID Connect and your IdP. This is also where you would set the preset and any values required by the presets.
+
+#### *Schema*
+``` json
+"custom": {
+ "type": "object",
+ "properties": {
+ "scope": {
+ "type": ["string", "array"],
+ "description": "A list of scopes to request from the issuer.",
+ "default": "openid profile email",
+ "examples": ["openid", ["openid", "profile"], "openid profile email", "openid profile email groups"]
+ },
+ "claims": {
+ "type": "object",
+ "properties": {
+ "email": { "type": "string" },
+ "name": { "type": "string" },
+ "uuid": { "type": "string" }
+ }
+ },
+ "preset": { "type": "string", "enum": ["azure", "google"]},
+ "tenant_id": { "type": "string", "description": "REQUIRED FOR AZURE PRESET: Tenantid for Azure"},
+ "customer_id": { "type": "string", "description": "REQUIRED FOR GOOGLE PRESET IF USING GROUPS: Customer ID from Google, should start with 'C'."}
+ },
+ "additionalProperties": false
+},
+```
+
+### "Groups" Options
+
+#### *Introduction*
+
+The groups option allows you to use the groups you already have with your IdP in MeshCentral in a few ways. First you can set a group that the authorized user must be in to sign in to MeshCentral. You can also allow users with the right memberships automatic admin privlidges, and there is even an option to revoke privlidges if the user is NOT in the admin group. Besides these filters, you can filter the sync property to mirror only certain groups as MeshCentral User Groups, dynamically created as the user logs in. You can of course simply enable sync and mirror all groups from your IdP as User Groups. Additionally you can define the scope and claim of the groups for a custom setup, again allowing for a wide range of IdPs to be used, even without a preset.
+
+#### *Common Config Chart*
+
+| Name | Description | Default | Example | Required |
+| --- | --- | --- | --- | --- |
+| `sync` | Allows you to mirror user groups from your IdP. | `false` | `"sync": { "filter": ["Group1", "Group2"] }`
`"sync": true` | `false` |
+| `required` | Access is only granted to users who are a member
of at least one of the listed required groups. | `undefined` | `"required": ["Group1", "Group2"]` | `false` |
+| `siteadmin` | Full site admin priviledges will be granted to users
who are a member of at least one of the listed admin groups | `undefined` | `"siteadmin": ["Group1", "Group2"]` | `false` |
+| `revokeAdmin` | If true, admin privileges will be revoked from users
who arent a member of at least one of the listed admin groups. | `true` | `"revokeAdmin": false` | `false` |
+
+#### *Advanced Config Example*
+
+``` json
+"groups": {
+ "recursive": true,
+ "required": ["Group1", "Group2"],
+ "siteadmin": ["GroupA", "GroupB"],
+ "revokeAdmin": false,
+ "sync": {
+ "filter": ["Group1", "GroupB", "OtherGroup"]
+ },
+ "claim": "GroupClaim",
+ "scope": "read.GroupMemberships"
+},
+```
+
+#### *Required and Commonly Used Configs*
+
+As you can see in the schema below, there aren't any required properties in the groups object, however there are some commonly used ones. The first, and maybe most commonly used one, is the sync property. The sync property mirrors IdP provided groups into MeshCentral as user groups. You can then configure access as required to those groups, and as users log in, they will be added to the now existing groups if they are a member. You also have other options like using a custom *scope* or *claim* to get your IdP communicating with MeshCentral properly, without the use of preset configs. You also can set the required property if you need to limit authorization to users that are a member of at least one of the groups you set. or the siteadmin property to grant admin privilege, with the revokeAdmin property available to allow revoking admin rights also.
+
+#### *Schema*
+
+``` json
+"groups": {
+ "type": "object",
+ "properties": {
+ "recursive": {
+ "type": "boolean",
+ "default": false,
+ "description": "When true, the group memberships will be scanned recursively."
+ },
+ "required": {
+ "type": [ "string", "array" ],
+ "description": "Access is only granted to users who are a member of at least one of the listed required groups."
+ },
+ "siteadmin": {
+ "type": [ "string", "array" ],
+ "description": "Full site admin priviledges will be granted to users who are a member of at least one of the listed admin groups."
+ },
+ "revokeAdmin": {
+ "type": "boolean",
+ "default": false,
+ "description": "If true, admin privileges will be revoked from users who are NOT a member of at least one of the listed admin groups."
+ },
+ "sync": {
+ "type": [ "boolean", "object" ],
+ "default": false,
+ "description": "If true, all groups found during user login are mirrored into MeshCentral user groups.",
+ "properties": {
+ "filter": {
+ "type": [ "string", "array" ],
+ "description": "Only groups listed here are mirrored into MeshCentral user groups."
+ }
+ }
+ },
+ "scope": { "type": "string", "default": "groups", "description": "Custom scope to use." },
+ "claim": { "type": "string", "default": "groups", "description": "Custom claim to use." }
+ },
+ "additionalProperties": false
+}
+```
+
+## Preset OpenID Connect Configurations
+
+### Overview
+
+#### *Introduction*
+
+Google is a blah and is used by tons of blahs as its so great. Lets move on.
+
+#### *Common Config Chart*
+
+> NOTE: All settings directly related to presets are in the custom section of the config.
+
+| Name | Description | Example | Required |
+| --- | --- | --- | --- |
+| `preset` | Manually enable the use of a preset. | `"preset": "google"`
`"preset": "azure"` | `false` |
+| `customer_id` | Customer ID of the Google Workspaces instace you
plan to use with the groups feature.| `"customer_id": ["Group1", "Group2"]` | If `google` preset is used with `groups` feature |
+| `tenant_id` | Tenant ID from Azure AD, this is required to use
the `azure` preset as it is part of the issuer url. | `"siteadmin": ["Group1", "Group2"]` | `false` |
+
+### Google Preset
+
+#### *Prerequisites*
+
+> Check out this [documentation](https://developers.google.com/identity/protocols/oauth2/openid-connect) to get ready before we start.
+
+#### *Basic Config Example*
+
+``` json
+"oidc": {
+ "client": {
+ "client_id": "268438852161-r8xa7qxwf3rr0shp1xnpgmm70bnag21p.apps.googleusercontent.com",
+ "client_secret": "ETFWBX-gFEaxfPXs1tWmAOkuWDFTgoL3nwh"
+ }
+}
+```
+
+#### *Specifics*
+
+If you notice above I forgot to add any preset related configs, however because google tags the client ID we can detect that and automatically use the google preset. The above config is tested, the sentive data has been scrambled of course. That said, you would normally use this preset in more advaced setups, let take a look at an example.
+
+#### *Advanced Example with Groups*
+
+``` json
+"oidc": {
+ "client": {
+ "client_id": "424555768625-k7ub3ovqs0yp7mfo0usvyyx51nfii61c.apps.googleusercontent.com",
+ "client_secret": "QLBCQY-nRYmjnFWv3nKyHGmwQEGLokP6ldk"
+ },
+ "custom": {
+ "preset": "google",
+ "customer_id": "C46kyhmps"
+ },
+ "groups": {
+ "siteadmin": ["GroupA", "GroupB"],
+ "revokeAdmin": true,
+ "sync": true
+ },
+ "callbackURL": "https://mesh.your.domain/auth-oidc-google-callback"
+},
+```
+
+#### *Customer ID and Groups*
+
+As always, the client ID and secret are required, the customer ID on the other hand is only required if you plan to take advantage of the groups function *and* the google preset. This also requires you have a customer ID, if you have do, it is available in the Google Workspace Admin Console under Profile->View. Groups work the same as they would with any other IdP but they are pulled from the Workspace groups.
+
+#### *Schema*
+
+```json
+"custom": {
+ "type": "object",
+ "properties": {
+ "preset": { "type": "string", "enum": ["azure", "google"]},
+ "customer_id": { "type": "string", "description": "Customer ID from Google, should start with 'C'."}
+ },
+ "additionalProperties": false
+},
+```
+
+### Azure Preset
+
+#### *Prerequisites*
+
+To configure OIDC-based SSO, you need an Azure account with an active subscription. [Create an account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) for free. The account used for setup must be of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner the service principal.
+
+> Check this [documentation](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso) for more information.
+
+#### *Basic Config Example*
+
+``` json
+"oidc": {
+ "client": {
+ "client_id": "a1gkl04i-40g8-2h74-6v41-2jm2o2x0x27r",
+ "client_secret": "AxT6U5K4QtcyS6gF48gndL7Ys22BL15BWJImuq1O"
+ },
+ "custom": {
+ "preset": "azure",
+ "tenant_id": "46a6022g-4h33-1451-h1rc-08102ga3b5e4"
+ }
+}
+```
+
+#### *Specifics*
+
+As with all other types of configuration for the OIDC strategy, the Azure preset requires a client ID and secret.The tenant ID is used as part of the issuer URI to make even the most basic AuthN requests so it is also required for the azure preset. besides that groups are available to the Azure preset as well as the recursive feature of groups. This allows you to search user groups recursively for groups they have membership in through other groups.
+
+> NOTE: The Azure AD preset uses the Tenant ID as part of the issuer URI:
`"https://login.microsoftonline.com/"` + `strategy`.custom.tenant_id + `"/v2.0"`
+
+#### *Advanced Example with Groups*
+
+``` json
+"oidc": {
+ "client": {
+ "client_id": "a1gkl04i-40g8-2h74-6v41-2jm2o2x0x27r",
+ "client_secret": "AxT6U5K4QtcyS6gF48gndL7Ys22BL15BWJImuq1O"
+ },
+ "custom": {
+ "preset": "azure",
+ "tenant_id": "46a6022g-4h33-1451-h1rc-08102ga3b5e4"
+ },
+ "groups": {
+ "recursive": true,
+ "siteadmin": ["GroupA", "GroupB"],
+ "revokeAdmin": true,
+ "sync": true
+ },
+ "callbackURL": "https://mesh.your.domain/auth-oidc-azure-callback"
+},
+```
+
+#### *Schema*
+
+```json
+"custom": {
+ "type": "object",
+ "properties": {
+ "preset": { "type": "string", "enum": ["azure", "google"]},
+ "tenant_id": { "type": "string", "description": "Tenant ID from Azure AD."}
+ },
+ "additionalProperties": false
+},
+```
+
+## Depreciated Properties
+
+### Overview
+
+#### Introduction
+
+As of MeshCentral `v1.1.22` and the writing of this documentation, the node module that handles everything was changed from [passport-openid-connect](https://github.com/jaredhanson/passport-openidconnect) to [openid-client](https://github.com/panva/node-openid-client). As a result of this change, multiple properties in the config have been depcrecated; this means some options in the strategy arent being used anymore. These are often referred to as "old configs" by this documentation.
+
+#### *Migrating Old Configs*
+
+We upgraded but what about all the existing users, we couldn't just invalidate every config pre `v1.1.22`. So in an effort to allow greater flexibility to all users of MeshCentral, and what futures scholars will all agree was an obvious move, all the depreciated configs will continue working as expected. Using any of the old options will just generate a warning in the authlog and will not stop you from using this the OIDC strategy with outdated configs, however if both the equivalent new and old config are set the new config will be used.
+
+#### *Old Config Example*
+```json
+"oidc": {
+ "newAccounts": true,
+ "clientid": "421326444155-i1tt4bsmk3jm7dri6jldekl86rfpg07r.apps.googleusercontent.com",
+ "clientsecret": "GNLXOL-kEDjufOCk6pIcTHtaHFOCgbT4hoi"
+}
+```
+
+This example was chosen because I wanted to highlight an advantage of supporting these old configs long term, even in a depreciated status. That is, the ability to copy your existing config from one of the related strategies without making any changes to your config by using the presets. This allows you to test out the oidc strategy without commiting to anything, since the user is always appended with the strategy used to login. In this example, the config was originally a google auth strategy config, changing the `"google"` to `"oidc"` is all that was done to the above config, besides obsfuscation of course.
+
+#### *Advcanced Old Config Example*
+
+``` json
+"oidc": {
+ "authorizationURL": "https://sso.your.domain/api/oidc/authorization",
+ "callbackURL": "https://mesh.your.domain/oauth2/oidc/callback",
+ "clientid": "tZiPTMDNuSaQPapAQJtwDXVnYjjhQybc",
+ "clientsecret": "vrQWspJxdVAxEFJdrxvxeQwWkooVcqdU",
+ "issuer": "https://sso.your.domain",
+ "tokenURL": "https://sso.your.domain/api/oidc/token",
+ "userInfoURL": "https://sso.your.domain/api/oidc/userinfo",
+ "logoutURL": "https://sso.your.domain/logout?rd=https://mesh.your.domain/login",
+ "groups": {
+ "recursive": true,
+ "required": ["Group1", "Group2"],
+ "siteadmin": ["GroupA", "GroupB"],
+ "sync": {
+ "filter": ["Group1", "GroupB", "OtherGroup"]
+ }
+ },
+ "newAccounts": true
+},
+```
+
+#### *Upgrading to v1.1.22*
+
+If you were already using a meticulusly configured oidc strategy, all of your configs will still be used. You will simply see a warning in the logs if any depreciated properties were used. If you check the authLog there are additional details about the old config and provide the new place to put that information. In this advanced config, even the groups will continue to work just as they did before without any user intervention when upgrading from a version of MeshCentral pre v1.1.22. There are no step to take and no action is needed, moving the configs to the new locations is completely optional at the moment.
+
+# Links
+
+https://cloud.google.com/identity/docs/reference/rest/v1/groups/list
+
+https://www.onelogin.com/learn/authentication-vs-authorization
+
+https://auth0.com/docs/authenticate/protocols/openid-connect-protocol
+
+https://github.com/panva/node-openid-client
+
+https://openid.net/connect/
+
+> You just read `openidConnectStrategy.ms v1.0.1` by [@mstrhakr](https://github.com/mstrhakr)
\ No newline at end of file
diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json
index fb332e1e1f..3a8f4f3483 100644
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -1135,7 +1135,10 @@
}
},
"allowedOrigin": {
- "type": [ "array", "boolean" ],
+ "type": [
+ "array",
+ "boolean"
+ ],
"default": false,
"uniqueItems": true,
"description": "A list of allowed hostnames for HTTP request origin header. If false, a default list is created, if true, all hostnames are allowed.",
@@ -2451,7 +2454,10 @@
}
}
}
- }
+ },
+ "required": [
+ "certs"
+ ]
},
"amtAcmActivation": {
"type": "object",
@@ -3020,93 +3026,444 @@
},
"oidc": {
"type": "object",
+ "description": "Enables the use of OpenID Connect SSO",
+ "anyOf": [
+ {
+ "required": [
+ "client"
+ ]
+ },
+ {
+ "required": [
+ "client",
+ "custom"
+ ]
+ },
+ {
+ "required": [
+ "client",
+ "issuer"
+ ]
+ },
+ {
+ "required": [
+ "clientid",
+ "clientsecret",
+ "issuer"
+ ]
+ }
+ ],
+ "additionalProperties": false,
"properties": {
- "authorizationURL": {
- "type": "string",
- "format": "uri",
- "description": "If set, this will be used as the authorization URL. (If set tokenURL and userInfoURL need set also)"
+ "newAccounts": {
+ "type": "boolean",
+ "description": "Enable the creation of new accounts based upon Idp Authorization",
+ "default": true
},
- "callbackURL": {
- "type": "string",
- "format": "uri",
- "description": "Required, this is the URL that your SSO provider sends auth approval to."
+ "newAccountsUserGroups": {
+ "type": [
+ "string",
+ "array"
+ ],
+ "description": "Add all new users to these static MeshCentral user groups. Use this if the new groups section does not work with your preset.",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ },
+ "newAccountsRights": {
+ "type": [
+ "array",
+ "string"
+ ],
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
},
"clientid": {
- "type": "string"
+ "type": "string",
+ "depreciated": true,
+ "description": "REPLACED WITH 'client.client_id'"
},
"clientsecret": {
- "type": "string"
+ "type": "string",
+ "description": "REPLACED WITH 'client.client_secret'"
},
- "issuer": {
+ "authorizationURL": {
"type": "string",
"format": "uri",
- "description": "Full URL of SSO portal"
+ "depreciated": true,
+ "description": "REPLACED WITH 'issuer.authorization_endpoint'"
},
"tokenURL": {
"type": "string",
"format": "uri",
- "description": "If set, this will be used as the token URL. (If set authorizationURL and userInfoURL need set also)"
+ "depreciated": true,
+ "description": "REPLACED WITH 'issuer.token_endpoint': If set, this will be used as the token URL."
},
"userInfoURL": {
"type": "string",
"format": "uri",
- "description": "If set, this will be used as the user info URL. (If set authorizationURL and tokenURL need set also)"
+ "depreciated": true,
+ "description": "REPLACED WITH 'issuer.userinfo_endpoint': If set, this will be used as the user info URL."
+ },
+ "scope": {
+ "type": [
+ "string",
+ "array"
+ ],
+ "depreciated": true,
+ "description": "REPLACED WITH 'custom.scope': A list of scopes to request from the issuer."
+ },
+ "callbackURL": {
+ "type": "string",
+ "format": "uri",
+ "depreciated": true,
+ "description": "REPLACED WITH 'client.redirect_uri': The URI your IdP sends you back to after successful authorization. This must match what is listed with your IdP."
},
"logouturl": {
"type": "string",
"format": "uri",
- "description": "Then set, the user will be redirected to this URL when hitting the logout link."
+ "description": "Overrides defaults ( [issuer.end_session_endpoint]?post_logout_redirect_uri=[post_logout_redirect_uri] OR [issuer.end_session_endpoint] )"
},
- "newAccounts": {
- "type": "boolean",
- "default": true
+ "client": {
+ "type": "object",
+ "description": "OIDC Client Options",
+ "properties": {
+ "client_id": {
+ "type": "string",
+ "description": "REQUIRED: The client ID provided by your Identity Provider (IdP)"
+ },
+ "client_secret": {
+ "type": "string",
+ "description": "REQUIRED: The client secret provided by your Identity Provider (IdP)"
+ },
+ "id_token_signed_response_alg": {
+ "type": "string",
+ "default": "RS256",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "id_token_encrypted_response_alg": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "id_token_encrypted_response_enc": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "userinfo_signed_response_alg": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "userinfo_encrypted_response_alg": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "userinfo_encrypted_response_enc": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "redirect_uri": {
+ "type": "string",
+ "format": "uri",
+ "description": "URI your IdP sends you after successful authorization. This must match what is listed with your IdP. (Default is https://[currentHost][currentPath]/auth-oidc-callback)"
+ },
+ "response_types": {
+ "type": [
+ "string",
+ "array"
+ ],
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details",
+ "default": [
+ "code"
+ ]
+ },
+ "post_logout_redirect_uri": {
+ "type": "string",
+ "format": "uri",
+ "description": "URI for your IdP to send you after logging out of IdP via MeshCentral. (Default is https:[currentHost][currentPath]/login)"
+ },
+ "default_max_age": {
+ "type": "number",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "require_auth_time": {
+ "type": "boolean",
+ "default": false,
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "request_object_signing_alg": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "request_object_encryption_alg": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "request_object_encryption_enc": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "token_endpoint_auth_method": {
+ "type": "string",
+ "default": "client_secret_basic",
+ "enum": [
+ "none",
+ "client_secret_basic",
+ "client_secret_post",
+ "client_secret_jwt",
+ "private_key_jwt"
+ ],
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "introspection_endpoint_auth_method": {
+ "type": "string",
+ "default": "client_secret_basic",
+ "enum": [
+ "none",
+ "client_secret_basic",
+ "client_secret_post",
+ "client_secret_jwt",
+ "private_key_jwt"
+ ],
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "revocation_endpoint_auth_method": {
+ "type": "string",
+ "default": "client_secret_basic",
+ "enum": [
+ "none",
+ "client_secret_basic",
+ "client_secret_post",
+ "client_secret_jwt",
+ "private_key_jwt"
+ ],
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "token_endpoint_auth_signing_alg": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "introspection_endpoint_auth_signing_alg": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "revocation_endpoint_auth_signing_alg": {
+ "type": "string",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ },
+ "tls_client_certificate_bound_access_tokens": {
+ "type": "boolean",
+ "description": "ADVANCED CONFIG: Check node-openid-client on GitHub for details"
+ }
+ },
+ "required": [
+ "client_id",
+ "client_secret"
+ ],
+ "additionalProperties": false
+ },
+ "issuer": {
+ "type": [
+ "string",
+ "object"
+ ],
+ "format": "uri",
+ "description": "Issuer options. Requires issuer URI (issuer.issuer) to discover missing information unless using preset",
+ "properties": {
+ "issuer": {
+ "type": "string",
+ "format": "uri",
+ "description": "URI of the issuer."
+ },
+ "authorization_endpoint": {
+ "type": "string",
+ "format": "uri"
+ },
+ "token_endpoint": {
+ "type": "string",
+ "format": "uri"
+ },
+ "jwks_uri": {
+ "type": "string",
+ "format": "uri"
+ },
+ "userinfo_endpoint": {
+ "type": "string",
+ "format": "uri"
+ },
+ "revocation_endpoint": {
+ "type": "string",
+ "format": "uri"
+ },
+ "introspection_endpoint": {
+ "type": "string",
+ "format": "uri"
+ },
+ "end_session_endpoint": {
+ "type": "string",
+ "format": "uri",
+ "description": "URI to direct users to when logging out of MeshCentral. (Attempts to autodetect, defaults to '[issuer.issuer]/logout')"
+ },
+ "registration_endpoint": {
+ "type": "string",
+ "format": "uri"
+ },
+ "token_endpoint_auth_methods_supported": {
+ "type": "string"
+ },
+ "token_endpoint_auth_signing_alg_values_supported": {
+ "type": "string"
+ },
+ "introspection_endpoint_auth_methods_supported": {
+ "type": "string"
+ },
+ "introspection_endpoint_auth_signing_alg_values_supported": {
+ "type": "string"
+ },
+ "revocation_endpoint_auth_methods_supported": {
+ "type": "string"
+ },
+ "revocation_endpoint_auth_signing_alg_values_supported": {
+ "type": "string"
+ },
+ "request_object_signing_alg_values_supported": {
+ "type": "string"
+ },
+ "mtls_endpoint_aliases": {
+ "type": "object",
+ "properties": {
+ "token_endpoint": {
+ "type": "string",
+ "format": "uri"
+ },
+ "userinfo_endpoint": {
+ "type": "string",
+ "format": "uri"
+ },
+ "revocation_endpoint": {
+ "type": "string",
+ "format": "uri"
+ },
+ "introspection_endpoint": {
+ "type": "string",
+ "format": "uri"
+ }
+ }
+ }
+ },
+ "additionalProperties": false
+ },
+ "custom": {
+ "type": "object",
+ "properties": {
+ "scope": {
+ "type": [
+ "string",
+ "array"
+ ],
+ "description": "A list of scopes to request from the issuer.",
+ "default": "openid profile email",
+ "examples": [
+ "openid",
+ [
+ "openid",
+ "profile"
+ ],
+ "openid profile email",
+ "openid profile email groups"
+ ]
+ },
+ "claims": {
+ "type": "object",
+ "properties": {
+ "email": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "uuid": {
+ "type": "string"
+ }
+ }
+ },
+ "preset": {
+ "type": "string",
+ "enum": [
+ "azure",
+ "google"
+ ]
+ },
+ "tenant_id": {
+ "type": "string",
+ "description": "REQUIRED FOR AZURE PRESET: Tenantid for Azure"
+ },
+ "customer_id": {
+ "type": "string",
+ "description": "REQUIRED IF USING GROUPS: Customer ID from Google Workspace Admin Console (https://admin.google.com/ac/accountsettings/profile)"
+ }
+ },
+ "additionalProperties": false
},
"groups": {
"type": "object",
"properties": {
+ "recursive": {
+ "type": "boolean",
+ "default": false,
+ "description": "When true, the group memberships will be scanned recursively."
+ },
"required": {
"type": [
"string",
"array"
],
- "description": "When set, the user must be part of one of the OIDC user groups to login to MeshCentral."
+ "description": "Access is only granted to users who are a member of at least one of the listed required groups."
},
"siteadmin": {
"type": [
"string",
"array"
],
- "description": "When set, users part of these groups will be promoted with site administrator in MeshCentral, users that are not part of these groups will be demoted."
+ "description": "Full site admin priviledges will be granted to users who are a member of at least one of the listed admin groups."
+ },
+ "revokeAdmin": {
+ "type": "boolean",
+ "description": "If true, admin privileges will be revoked from users who are NOT a member of at least one of the listed admin groups."
},
"sync": {
"type": [
"boolean",
"object"
],
- "description": "Allows some or all ODIC user groups to be mirrored within MeshCentral as user groups.",
+ "default": false,
+ "description": "If true, all groups found during user login are mirrored into MeshCentral user groups.",
"properties": {
- "enabled": {
- "type": "boolean",
- "default": false
- },
"filter": {
"type": [
"string",
"array"
],
- "description": "When set, limits what OIDC groups are mirrored into MeshCentral user groups."
+ "description": "Only groups listed here are mirrored into MeshCentral user groups."
}
}
+ },
+ "scope": {
+ "type": "string",
+ "default": "groups",
+ "description": "Custom scope to use."
+ },
+ "claim": {
+ "type": "string",
+ "default": "groups",
+ "description": "Custom claim to use."
}
- }
+ },
+ "additionalProperties": false
}
- },
- "required": [
- "issuer",
- "clientid",
- "clientsecret",
- "callbackURL"
- ]
+ }
}
}
},
diff --git a/meshcentral.js b/meshcentral.js
index d3e693f44b..9369410a4c 100644
--- a/meshcentral.js
+++ b/meshcentral.js
@@ -3758,9 +3758,9 @@ function CreateMeshCentralServer(config, args) {
if (obj.authlogfile != null) { // Write authlog to file
try {
const d = new Date(), month = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'][d.getMonth()];
- msg = month + ' ' + d.getDate() + ' ' + obj.common.zeroPad(d.getHours(), 2) + ':' + obj.common.zeroPad(d.getMinutes(), 2) + ':' + d.getSeconds() + ' meshcentral ' + server + '[' + process.pid + ']: ' + msg + ((obj.platform == 'win32') ? '\r\n' : '\n');
- obj.fs.write(obj.authlogfile, msg, function (err, written, string) { });
- } catch (ex) { console.log(ex); }
+ str = month + ' ' + d.getDate() + ' ' + obj.common.zeroPad(d.getHours(), 2) + ':' + obj.common.zeroPad(d.getMinutes(), 2) + ':' + d.getSeconds() + ' meshcentral ' + server + '[' + process.pid + ']: ' + msg + ((obj.platform == 'win32') ? '\r\n' : '\n');
+ obj.fs.write(obj.authlogfile, str, function (err, written, string) { if (err) {console.error(err); } });
+ } catch (ex) { console.error(ex); }
}
}
@@ -4001,14 +4001,22 @@ function mainStart() {
if (mstsc == false) { config.domains[i].mstsc = false; }
if (config.domains[i].ssh == true) { ssh = true; }
if ((typeof config.domains[i].authstrategies == 'object')) {
- if (passport == null) { passport = ['passport']; } // Passport v0.6.0 requires a patch, see https://github.com/jaredhanson/passport/issues/904
+ if (passport == null) { passport = ['passport@0.5.3']; } // Passport v0.6.0 is broken with cookie-session, see https://github.com/jaredhanson/passport/issues/904
if ((typeof config.domains[i].authstrategies.twitter == 'object') && (typeof config.domains[i].authstrategies.twitter.clientid == 'string') && (typeof config.domains[i].authstrategies.twitter.clientsecret == 'string') && (passport.indexOf('passport-twitter') == -1)) { passport.push('passport-twitter'); }
if ((typeof config.domains[i].authstrategies.google == 'object') && (typeof config.domains[i].authstrategies.google.clientid == 'string') && (typeof config.domains[i].authstrategies.google.clientsecret == 'string') && (passport.indexOf('passport-google-oauth20') == -1)) { passport.push('passport-google-oauth20'); }
if ((typeof config.domains[i].authstrategies.github == 'object') && (typeof config.domains[i].authstrategies.github.clientid == 'string') && (typeof config.domains[i].authstrategies.github.clientsecret == 'string') && (passport.indexOf('passport-github2') == -1)) { passport.push('passport-github2'); }
if ((typeof config.domains[i].authstrategies.reddit == 'object') && (typeof config.domains[i].authstrategies.reddit.clientid == 'string') && (typeof config.domains[i].authstrategies.reddit.clientsecret == 'string') && (passport.indexOf('passport-reddit') == -1)) { passport.push('passport-reddit'); }
if ((typeof config.domains[i].authstrategies.azure == 'object') && (typeof config.domains[i].authstrategies.azure.clientid == 'string') && (typeof config.domains[i].authstrategies.azure.clientsecret == 'string') && (typeof config.domains[i].authstrategies.azure.tenantid == 'string') && (passport.indexOf('passport-azure-oauth2') == -1)) { passport.push('passport-azure-oauth2'); passport.push('jwt-simple'); }
- if ((typeof config.domains[i].authstrategies.oidc == 'object') && (typeof config.domains[i].authstrategies.oidc.clientid == 'string') && (typeof config.domains[i].authstrategies.oidc.clientsecret == 'string') && (typeof config.domains[i].authstrategies.oidc.issuer == 'string') && (passport.indexOf('@mstrhakr/passport-openidconnect') == -1)) {
- if ((nodeVersion >= 17) || ((Math.floor(nodeVersion) == 16) && (nodeVersion >= 16.13)) || ((Math.floor(nodeVersion) == 14) && (nodeVersion >= 14.15)) || ((Math.floor(nodeVersion) == 12) && (nodeVersion >= 12.19))) { passport.push('@mstrhakr/passport-openidconnect'); passport.push('openid-client'); passport.push('connect-flash'); } else { addServerWarning('This NodeJS version does not support OpenID.', 25); delete config.domains[i].authstrategies.oidc; }
+ if ((typeof config.domains[i].authstrategies.oidc == 'object') && (passport.indexOf('openid-client') == -1)) {
+ if ((nodeVersion >= 17)
+ || ((Math.floor(nodeVersion) == 16) && (nodeVersion >= 16.13))
+ || ((Math.floor(nodeVersion) == 14) && (nodeVersion >= 14.15))
+ || ((Math.floor(nodeVersion) == 12) && (nodeVersion >= 12.19))) {
+ passport.push('openid-client');
+ } else {
+ addServerWarning('This NodeJS version does not support OpenID Connect on MeshCentral.', 25);
+ delete config.domains[i].authstrategies.oidc;
+ }
}
if ((typeof config.domains[i].authstrategies.saml == 'object') || (typeof config.domains[i].authstrategies.jumpcloud == 'object')) { passport.push('passport-saml'); }
}
diff --git a/sample-config-advanced.json b/sample-config-advanced.json
index 8a52d94c45..ef1eb0d58e 100644
--- a/sample-config-advanced.json
+++ b/sample-config-advanced.json
@@ -519,15 +519,14 @@
"cert": "saml.pem"
},
"oidc": {
- "authorizationURL": "https://sso.server.com/api/oidc/authorization",
- "callbackURL": "https://mesh.server.com/oidc-callback",
- "clientid": "00000000-0000-0000-0000-000000000000",
- "clientsecret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
- "issuer": "https://sso.server.com",
- "tokenURL": "https://sso.server.com/api/oidc/token",
- "userInfoURL": "https://sso.server.com/api/oidc/userinfo",
- "logoutURL": "https://sso.server.com/logout",
- "newAccounts": true,
+ "issuer": {
+ "issuer": "https://sso.server.com",
+ "end_session_endpoint": "https://sso.server.com/logout"
+ },
+ "client": {
+ "client_id": "00000000-0000-0000-0000-000000000000",
+ "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ },
"groups": {
"required": [ "groupA", "groupB", "groupC" ],
"siteadmin": [ "groupA" ],
@@ -535,7 +534,8 @@
"enable": true,
"filter": [ "groupB", "groupC" ]
}
- }
+ },
+ "newAccounts": true
}
}
},
diff --git a/translate/translate.json b/translate/translate.json
index 7430ed560d..c2aab08a58 100644
--- a/translate/translate.json
+++ b/translate/translate.json
@@ -88493,4 +88493,4 @@
]
}
]
-}
\ No newline at end of file
+}
diff --git a/views/login-mobile.handlebars b/views/login-mobile.handlebars
index 861b92bda2..5ce60acfa3 100644
--- a/views/login-mobile.handlebars
+++ b/views/login-mobile.handlebars
@@ -90,7 +90,9 @@
-
+
+
+
@@ -400,6 +402,8 @@
if (authStrategies.indexOf('reddit') >= 0) { QV('auth-reddit', true); }
if (authStrategies.indexOf('azure') >= 0) { QV('auth-azure', true); }
if (authStrategies.indexOf('oidc') >= 0) { QV('auth-oidc', true); }
+ if (authStrategies.indexOf('oidc-azure') >= 0) { QV('auth-oidc-azure', true); }
+ if (authStrategies.indexOf('oidc-google') >= 0) { QV('auth-oidc-google', true); }
if (authStrategies.indexOf('jumpcloud') >= 0) { QV('auth-jumpcloud', true); }
if (authStrategies.indexOf('intel') >= 0) { QV('auth-intel', true); }
if (authStrategies.indexOf('saml') >= 0) { QV('auth-saml', true); }
diff --git a/views/login.handlebars b/views/login.handlebars
index ef621293f0..bff9fcc698 100644
--- a/views/login.handlebars
+++ b/views/login.handlebars
@@ -84,6 +84,8 @@
+
+
@@ -425,6 +427,8 @@
if (authStrategies.indexOf('reddit') >= 0) { QV('auth-reddit', true); }
if (authStrategies.indexOf('azure') >= 0) { QV('auth-azure', true); }
if (authStrategies.indexOf('oidc') >= 0) { QV('auth-oidc', true); }
+ if (authStrategies.indexOf('oidc-azure') >= 0) { QV('auth-oidc-azure', true); }
+ if (authStrategies.indexOf('oidc-google') >= 0) { QV('auth-oidc-google', true); }
if (authStrategies.indexOf('jumpcloud') >= 0) { QV('auth-jumpcloud', true); }
if (authStrategies.indexOf('intel') >= 0) { QV('auth-intel', true); }
if (authStrategies.indexOf('saml') >= 0) { QV('auth-saml', true); }
diff --git a/views/login2.handlebars b/views/login2.handlebars
index a7822eba64..9d87d17442 100644
--- a/views/login2.handlebars
+++ b/views/login2.handlebars
@@ -107,6 +107,8 @@
+
+
@@ -509,6 +511,8 @@
if (authStrategies.indexOf('reddit') >= 0) { QV('auth-reddit', true); }
if (authStrategies.indexOf('azure') >= 0) { QV('auth-azure', true); }
if (authStrategies.indexOf('oidc') >= 0) { QV('auth-oidc', true); }
+ if (authStrategies.indexOf('oidc-azure') >= 0) { QV('auth-oidc-azure', true); }
+ if (authStrategies.indexOf('oidc-google') >= 0) { QV('auth-oidc-google', true); }
if (authStrategies.indexOf('jumpcloud') >= 0) { QV('auth-jumpcloud', true); }
if (authStrategies.indexOf('intel') >= 0) { QV('auth-intel', true); }
if (authStrategies.indexOf('saml') >= 0) { QV('auth-saml', true); }
diff --git a/webserver.js b/webserver.js
index 4cb3cd4921..09f019bdb6 100644
--- a/webserver.js
+++ b/webserver.js
@@ -457,7 +457,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Save this LDAP user to file if needed
if (typeof domain.ldapsaveusertofile == 'string') {
- obj.fs.appendFile(domain.ldapsaveusertofile, JSON.stringify(xxuser, null, 2) + '\r\n\r\n', function (err) { });
+ obj.fs.appendFile(domain.ldapsaveusertofile, JSON.stringify(xxuser) + '\r\n\r\n', function (err) { });
}
// Work on getting the userid for this LDAP user
@@ -489,17 +489,17 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if (Array.isArray(userMemberships) == false) { userMemberships = []; }
// See if the user is required to be part of an LDAP user group in order to log into this server.
- if (typeof domain.ldapuserrequiredgroupmembership == 'string') { domain.ldapuserrequiredgroupmembership = [ domain.ldapuserrequiredgroupmembership ]; }
+ if (typeof domain.ldapuserrequiredgroupmembership == 'string') { domain.ldapuserrequiredgroupmembership = [domain.ldapuserrequiredgroupmembership]; }
if (Array.isArray(domain.ldapuserrequiredgroupmembership)) {
// Look for a matching LDAP user group
var userMembershipMatch = false;
for (var i in domain.ldapuserrequiredgroupmembership) { if (userMemberships.indexOf(domain.ldapuserrequiredgroupmembership[i]) >= 0) { userMembershipMatch = true; } }
- if (userMembershipMatch === false) { parent.debug('authlog', 'LDAP denying login to a user that is not a member of a LDAP required group.'); fn('denied'); return; } // If there is no match, deny the login
+ if (userMembershipMatch === false) { parent.authLog('ldapHandler', 'LDAP denying login to a user that is not a member of a LDAP required group.'); fn('denied'); return; } // If there is no match, deny the login
}
// Check if user is in an site administrator group
var siteAdminGroup = null;
- if (typeof domain.ldapsiteadmingroups == 'string') { domain.ldapsiteadmingroups = [ domain.ldapsiteadmingroups ]; }
+ if (typeof domain.ldapsiteadmingroups == 'string') { domain.ldapsiteadmingroups = [domain.ldapsiteadmingroups]; }
if (Array.isArray(domain.ldapsiteadmingroups)) {
siteAdminGroup = false;
for (var i in domain.ldapsiteadmingroups) {
@@ -559,7 +559,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
}
// Display user information extracted from LDAP data
- parent.debug('authlog', 'LDAP user login, id: ' + shortname + ', username: ' + username + ', email: ' + email + ', realname: ' + realname + ', phone: ' + phonenumber + ', image: ' + (userimage != null));
+ parent.authLog('ldapHandler', 'LDAP user login, id: ' + shortname + ', username: ' + username + ', email: ' + email + ', realname: ' + realname + ', phone: ' + phonenumber + ', image: ' + (userimage != null));
// If there is a testing userid, use that
if (ldapHandlerFunc.ldapShortName) {
@@ -619,7 +619,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// See if the user is a member of the site admin group.
if (typeof siteAdminGroup === 'string') {
- parent.debug('authlog', `LDAP: Granting site admin privilages to new user "${user.name}" found in admin group: ${siteAdminGroup}`);
+ parent.authLog('ldapHandler', `LDAP: Granting site admin privilages to new user "${user.name}" found in admin group: ${siteAdminGroup}`);
user.siteadmin = 0xFFFFFFFF;
}
@@ -662,11 +662,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// See if the user is a member of the site admin group.
if ((typeof siteAdminGroup === 'string') && (user.siteadmin !== 0xFFFFFFFF)) {
- parent.debug('authlog', `LDAP: Granting site admin privilages to user "${user.name}" found in administrator group: ${siteAdminGroup}`);
+ parent.authLog('ldapHandler', `LDAP: Granting site admin privilages to user "${user.name}" found in administrator group: ${siteAdminGroup}`);
user.siteadmin = 0xFFFFFFFF;
userChanged = true;
} else if ((siteAdminGroup === false) && (user.siteadmin === 0xFFFFFFFF)) {
- parent.debug('authlog', `LDAP: Revoking site admin privilages from user "${user.name}" since they are not found in any administrator groups.`);
+ parent.authLog('ldapHandler', `LDAP: Revoking site admin privilages from user "${user.name}" since they are not found in any administrator groups.`);
delete user.siteadmin;
userChanged = true;
}
@@ -836,17 +836,26 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
parent.debug('web', 'handleLogoutRequest: success.');
// If this user was logged in using an authentication strategy and there is a logout URL, use it.
- if ((userid != null) && (domain.authstrategies != null)) {
- const u = userid.split('/')[2];
- if (u.startsWith('~twitter:') && (domain.authstrategies.twitter != null) && (typeof domain.authstrategies.twitter.logouturl == 'string')) { res.redirect(domain.authstrategies.twitter.logouturl); return; }
- if (u.startsWith('~google:') && (domain.authstrategies.google != null) && (typeof domain.authstrategies.google.logouturl == 'string')) { res.redirect(domain.authstrategies.google.logouturl); return; }
- if (u.startsWith('~github:') && (domain.authstrategies.github != null) && (typeof domain.authstrategies.github.logouturl == 'string')) { res.redirect(domain.authstrategies.github.logouturl); return; }
- if (u.startsWith('~reddit:') && (domain.authstrategies.reddit != null) && (typeof domain.authstrategies.reddit.logouturl == 'string')) { res.redirect(domain.authstrategies.reddit.logouturl); return; }
- if (u.startsWith('~azure:') && (domain.authstrategies.azure != null) && (typeof domain.authstrategies.azure.logouturl == 'string')) { res.redirect(domain.authstrategies.azure.logouturl); return; }
- if (u.startsWith('~oidc:') && (domain.authstrategies.oidc != null) && (typeof domain.authstrategies.oidc.logouturl == 'string')) { res.redirect(domain.authstrategies.oidc.logouturl); return; }
- if (u.startsWith('~jumpcloud:') && (domain.authstrategies.jumpcloud != null) && (typeof domain.authstrategies.jumpcloud.logouturl == 'string')) { res.redirect(domain.authstrategies.jumpcloud.logouturl); return; }
- if (u.startsWith('~saml:') && (domain.authstrategies.saml != null) && (typeof domain.authstrategies.saml.logouturl == 'string')) { res.redirect(domain.authstrategies.saml.logouturl); return; }
- if (u.startsWith('~intel:') && (domain.authstrategies.intel != null) && (typeof domain.authstrategies.intel.logouturl == 'string')) { res.redirect(domain.authstrategies.intel.logouturl); return; }
+ if ((userid != null) && (domain.authstrategies?.authStrategyFlags != null)) {
+ let logouturl = null;
+ let userStrategy = ((userid.split('/')[2]).split(':')[0]).substring(1);
+ // Setup logout url for oidc
+ if (userStrategy == 'oidc' && domain.authstrategies.oidc != null) {
+ if (typeof domain.authstrategies.oidc.logouturl == 'string') {
+ logouturl = domain.authstrategies.oidc.logouturl;
+ } else if (typeof domain.authstrategies.oidc.issuer.end_session_endpoint == 'string' && typeof domain.authstrategies.oidc.client.post_logout_redirect_uri == 'string') {
+ logouturl = domain.authstrategies.oidc.issuer.end_session_endpoint + '?post_logout_redirect_uri=' + domain.authstrategies.oidc.client.post_logout_redirect_uri;
+ } else if (typeof domain.authstrategies.oidc.issuer.end_session_endpoint == 'string') {
+ logouturl = domain.authstrategies.oidc.issuer.end_session_endpoint;
+ }
+ // Log out all other strategies
+ } else if ((domain.authstrategies[userStrategy] != null) && (typeof domain.authstrategies[userStrategy].logouturl == 'string')) { logouturl = domain.authstrategies[userStrategy].logouturl; }
+ // If custom logout was setup, use it
+ if (logouturl != null) {
+ parent.authLog('handleLogoutRequest', userStrategy.toUpperCase() + ': LOGOUT: ' + logouturl);
+ res.redirect(logouturl);
+ return;
+ }
}
// This is the default logout redirect to the login page
@@ -1999,7 +2008,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Send a notification
obj.parent.DispatchEvent([user._id], obj, { action: 'notify', title: 'Email verified', value: user.email, nolog: 1, id: Math.random() });
- // Send to authlog
+ // Send to authLog
obj.parent.authLog('https', 'Verified email address ' + user.email + ' for user ' + user.name, { useragent: req.headers['user-agent'] });
}
});
@@ -2035,7 +2044,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
render(req, res, getRenderPage((domain.sitestyle == 2) ? 'message2' : 'message', req, domain), getRenderArgs({ titleid: 1, msgid: 8, domainurl: encodeURIComponent(domain.url).replace(/'/g, '%27'), arg1: EscapeHtml(user.name), arg2: EscapeHtml(newpass) }, req, domain));
parent.debug('web', 'handleCheckMailRequest: send temporary password.');
- // Send to authlog
+ // Send to authLog
obj.parent.authLog('https', 'Performed account reset for user ' + user.name);
}, 0);
});
@@ -2575,61 +2584,69 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
const domain = checkUserIpAddress(req, res);
if (domain == null) { return; }
if ((req.user != null) && (req.user.sid != null) && (req.user.strategy != null)) {
- const authStrategy = req.user.strategy
- parent.debug('authlog', `${authStrategy.toUpperCase()}: Verified user: ${JSON.stringify(req.user, null, 4)}` + JSON.stringify(req.user));
-
- // Check if any group related options exist
- var userMemberships = [];
- var siteAdminGroup = null;
- if (typeof domain.authstrategies[authStrategy].groups === 'object') {
- if (Array.isArray(req.user.groups)) { userMemberships = req.user.groups; }
- else if (typeof req.user.groups == 'string') { userMemberships = [req.user.groups]; }
- parent.debug('authlog', `${authStrategy.toUpperCase()}: Member Of: ${userMemberships.join(', ')}`);
-
- // See if the user is required to be part of a specific group in order to log into this server.
- if (typeof domain.authstrategies[authStrategy].groups.required == 'string') { domain.authstrategies[authStrategy].groups.required = [domain.authstrategies[authStrategy].groups.required]; }
- if (Array.isArray(domain.authstrategies[authStrategy].groups.required)) {
- var userMembershipMatch = false;
- for (var i in domain.authstrategies[authStrategy].groups.required) {
- if (userMemberships.indexOf(domain.authstrategies[authStrategy].groups.required[i]) >= 0) {
- userMembershipMatch = true;
- parent.debug('authlog', `${authStrategy.toUpperCase()}: ${req.user.name} is member of required group: ${domain.authstrategies[authStrategy].groups.required[i]}`);
+ const strategy = domain.authstrategies[req.user.strategy];
+ const groups = { 'enabled': typeof strategy.groups == 'object' }
+ parent.authLog(req.user.strategy.toUpperCase(), `User Authorized: ${JSON.stringify(req.user)}`);
+ if (groups.enabled) { // Groups only available for OIDC strategy currently
+ groups.userMemberships = obj.common.convertStrArray(req.user.groups)
+ groups.syncEnabled = (strategy.groups.sync === true || strategy.groups.sync?.filter) ? true : false
+ groups.syncMemberships = []
+ groups.siteAdminEnabled = strategy.groups.siteadmin ? true : false
+ groups.grantAdmin = false
+ groups.revokeAdmin = strategy.groups.revokeAdmin ? strategy.groups.revokeAdmin : true
+ groups.requiredGroups = obj.common.convertStrArray(strategy.groups.required)
+ groups.siteAdmin = obj.common.convertStrArray(strategy.groups.siteadmin)
+ groups.syncFilter = obj.common.convertStrArray(strategy.groups.sync?.filter)
+
+ // Fancy Logs
+ let groupMessage = ''
+ if (groups.userMemberships.length == 1) { groupMessage = ` Found membership: "${groups.userMemberships[0]}"` }
+ else { groupMessage = ` Found ${groups.userMemberships.length} memberships: ["${groups.userMemberships.join('", "')}"]` }
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}"` + groupMessage);
+
+ // Check user membership in required groups
+ if (groups.requiredGroups != null) {
+ let match = false
+ for (var i in groups.requiredGroups) {
+ if (groups.userMemberships.indexOf(groups.requiredGroups[i]) != -1) {
+ match = true;
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" Membership to required group found: "${groups.requiredGroups[i]}"`);
}
}
- if (userMembershipMatch === false) {
- parent.debug('authlog', `${authStrategy}: User login denied. User not found in required group.`);
+ if (match === false) {
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" Login denied. No memberhip to required group.`);
req.session.loginmode = 1;
- req.session.messageid = 100; // Unable to create account.
+ req.session.messageid = 111; // Access Denied.
res.redirect(domain.url + getQueryPortion(req));
return;
}
}
- // Check if user is in an administrator group
- if (typeof domain.authstrategies[authStrategy].groups.siteadmin == 'string') { domain.authstrategies[authStrategy].groups.siteadmin = [ domain.authstrategies[authStrategy].groups.siteadmin ]; }
- if (Array.isArray(domain.authstrategies[authStrategy].groups.siteadmin)) {
- siteAdminGroup = false;
- for (var i in domain.authstrategies[authStrategy].groups.siteadmin) {
- if (userMemberships.indexOf(domain.authstrategies[authStrategy].groups.siteadmin[i]) >= 0) { siteAdminGroup = domain.authstrategies[authStrategy].groups.siteadmin[i]; }
+ // Check user membership in admin groups
+ if (groups.siteAdminEnabled === true) {
+ groups.grantAdmin = false;
+ for (var i in strategy.groups.siteadmin) {
+ if (groups.userMemberships.indexOf(strategy.groups.siteadmin[i]) >= 0) {
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" User membership found in site admin group: "${strategy.groups.siteadmin[i]}"`);
+ groups.siteAdmin = strategy.groups.siteadmin[i];
+ groups.grantAdmin = true;
+ break;
+ }
}
}
- // See if we need to sync user-memberships (IdP) with user-groups (meshcentral)
- if (domain.authstrategies[authStrategy].groups.sync === true) { domain.authstrategies[authStrategy].groups.sync = { enabled: true }; }
- if (typeof domain.authstrategies[authStrategy].groups.sync.filter == 'string' || Array.isArray(domain.authstrategies[authStrategy].groups.sync.filter)) {
- if (typeof domain.authstrategies[authStrategy].groups.sync.filter == 'string') { domain.authstrategies[authStrategy].groups.sync.filter = [ domain.authstrategies[authStrategy].groups.sync.filter ]; }
- const filteredMemberships = [];
- for (var i in userMemberships) {
- for (var j in domain.authstrategies[authStrategy].groups.sync.filter) {
- if (userMemberships[i].indexOf(domain.authstrategies[authStrategy].groups.sync.filter[j]) >= 0) { filteredMemberships.push(userMemberships[i]); }
- }
+ // Check if we need to sync user-memberships (IdP) with user-groups (meshcentral)
+ if (groups.syncEnabled === true) {
+ for (var i in groups.syncFilter) {
+ if (groups.userMemberships.indexOf(groups.syncFilter[i]) >= 0) { groups.syncMemberships.push(groups.syncFilter[i]); }
}
- if (filteredMemberships.length > 0) {
- parent.debug('authlog', `${authStrategy.toUpperCase()}: Filtered user memberships from config: ${filteredMemberships.join(', ')}`);
- } else {
- parent.debug('authlog', `${authStrategy.toUpperCase()}: No groups found with filter: ${domain.authstrategies[authStrategy].groups.sync.filter.join(', ')}`);
+ if (groups.syncMemberships.length > 0) {
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" Filtered user memberships from config to sync: ${groups.syncMemberships.join(', ')}`);
+ } else {
+ groups.syncMemberships = null;
+ groups.syncEnabled = false
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" No sync memberships found after filter: ${strategy.groups.sync.filter.join(', ')}`);
}
- userMemberships = filteredMemberships;
}
}
@@ -2643,25 +2660,25 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
if (domain.newaccounts === true) { newAccountAllowed = true; }
if (obj.common.validateStrArray(domain.newaccountrealms)) { newAccountRealms = domain.newaccountrealms; }
- if ((domain.authstrategies != null) && (domain.authstrategies[authStrategy] != null)) {
- if (domain.authstrategies[authStrategy].newaccounts === true) { newAccountAllowed = true; }
- if (obj.common.validateStrArray(domain.authstrategies[authStrategy].newaccountrealms)) { newAccountRealms = domain.authstrategies[req.user.strategy].newaccountrealms; }
+ if (domain.authstrategies[req.user.strategy]) {
+ if (domain.authstrategies[req.user.strategy].newaccounts === true) { newAccountAllowed = true; }
+ if (obj.common.validateStrArray(domain.authstrategies[req.user.strategy].newaccountrealms)) { newAccountRealms = domain.authstrategies[req.user.strategy].newaccountrealms; }
}
if (newAccountAllowed === true) {
// Create the user
- parent.debug('authlog', `${authStrategy.toUpperCase()}: Creating new login user: "${userid}"`);
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: USER: "${req.user.sid}" Creating new login user: "${userid}"`);
user = { type: 'user', _id: userid, name: req.user.name, email: req.user.email, creation: Math.floor(Date.now() / 1000), login: Math.floor(Date.now() / 1000), access: Math.floor(Date.now() / 1000), domain: domain.id };
- if (req.user.email != null) { user.email = req.user.email; user.emailVerified = true; }
+ if (req.user.email != null) { user.email = req.user.email; user.emailVerified = req.user.email_verified ? req.user.email_verified : true; }
if (domain.newaccountsrights) { user.siteadmin = domain.newaccountsrights; } // New accounts automatically assigned server rights.
- if (domain.authstrategies[authStrategy].newaccountsrights) { user.siteadmin = obj.common.meshServerRightsArrayToNumber(domain.authstrategies[req.user.strategy].newaccountsrights); } // If there are specific SSO server rights, use these instead.
+ if (domain.authstrategies[req.user.strategy].newaccountsrights) { user.siteadmin = obj.common.meshServerRightsArrayToNumber(domain.authstrategies[req.user.strategy].newaccountsrights); } // If there are specific SSO server rights, use these instead.
if (newAccountRealms) { user.groups = newAccountRealms; } // New accounts automatically part of some groups (Realms).
obj.users[userid] = user;
// Auto-join any user groups
var newaccountsusergroups = null;
if (typeof domain.newaccountsusergroups == 'object') { newaccountsusergroups = domain.newaccountsusergroups; }
- if (typeof domain.authstrategies[authStrategy].newaccountsusergroups == 'object') { newaccountsusergroups = domain.authstrategies[req.user.strategy].newaccountsusergroups; }
+ if (typeof domain.authstrategies[req.user.strategy].newaccountsusergroups == 'object') { newaccountsusergroups = domain.authstrategies[req.user.strategy].newaccountsusergroups; }
if (newaccountsusergroups) {
for (var i in newaccountsusergroups) {
var ugrpid = newaccountsusergroups[i];
@@ -2684,13 +2701,16 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
}
}
- if (typeof domain.authstrategies[authStrategy].groups == 'object') {
+ if (groups.enabled === true) {
// Sync the user groups if enabled
- if ((typeof domain.authstrategies[authStrategy].groups.sync == 'object') && (domain.authstrategies[authStrategy].groups.sync.enabled === true)) { syncExternalUserGroups(domain, user, userMemberships, authStrategy) }
-
+ if (groups.syncEnabled === true) {
+ // Set groupType to the preset name if it exists, otherwise use the strategy name
+ const groupType = domain.authstrategies[req.user.strategy].custom?.preset ? domain.authstrategies[req.user.strategy].custom.preset : req.user.strategy;
+ syncExternalUserGroups(domain, user, groups.syncMemberships, groupType);
+ }
// See if the user is a member of the site admin group.
- if (typeof siteAdminGroup === 'string') {
- parent.debug('authlog', `${authStrategy.toUpperCase()}: Granting site admin privilages to new user "${user.name}" found in admin group: ${siteAdminGroup}`);
+ if (groups.grantAdmin === true) {
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" Granting site admin privilages`);
user.siteadmin = 0xFFFFFFFF;
}
}
@@ -2715,7 +2735,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
obj.parent.DispatchEvent(targets, obj, loginEvent);
} else {
// New users not allowed
- parent.debug('authlog', `${authStrategy.toUpperCase()}: Can\'t create new user, account creation is not allowed`);
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: LOGIN FAILED: USER: "${req.user.sid}" New accounts are not allowed`);
req.session.loginmode = 1;
req.session.messageid = 100; // Unable to create account.
res.redirect(domain.url + getQueryPortion(req));
@@ -2726,19 +2746,19 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
var userChanged = false;
if ((req.user.name != null) && (req.user.name != user.name)) { user.name = req.user.name; userChanged = true; }
if ((req.user.email != null) && (req.user.email != user.email)) { user.email = req.user.email; user.emailVerified = true; userChanged = true; }
-
- if (typeof domain.authstrategies[authStrategy].groups == 'object') {
- // Sync the user groups if enabled
- if ((typeof domain.authstrategies[authStrategy].groups.sync == 'object') && (domain.authstrategies[authStrategy].groups.sync.enabled === true)) { syncExternalUserGroups(domain, user, userMemberships, authStrategy) }
+ if (groups.enabled === true) {
+ // Sync the user groups if enabled
+ if (groups.syncEnabled === true) {
+ syncExternalUserGroups(domain, user, groups.syncMemberships, req.user.strategy)
+ }
// See if the user is a member of the site admin group.
- if ((typeof domain.authstrategies[authStrategy].groups.siteadmin !== 'undefined') && (domain.authstrategies[authStrategy].groups.siteadmin !== null)) {
- if ((typeof siteAdminGroup === 'string') && (user.siteadmin !== 0xFFFFFFFF)) {
- parent.debug('authlog', `${authStrategy.toUpperCase()}: Granting site admin privilages to user "${user.name}" found in administrator group: ${siteAdminGroup}`);
- user.siteadmin = 0xFFFFFFFF;
- userChanged = true;
- } else if ((siteAdminGroup === false) && (user.siteadmin === 0xFFFFFFFF)) {
- parent.debug('authlog', `${authStrategy.toUpperCase()}: Revoking site admin privilages from user "${user.name}" since they are not found in any administrator groups.`);
+ if (groups.siteAdminEnabled === true) {
+ if (groups.grantAdmin === true) {
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" Granting site admin privilages`);
+ if (user.siteadmin !== 0xFFFFFFFF) { user.siteadmin = 0xFFFFFFFF; userChanged = true; }
+ } else if ((groups.revokeAdmin === true) && (user.siteadmin === 0xFFFFFFFF)) {
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: GROUPS: USER: "${req.user.sid}" Revoking site admin privilages.`);
delete user.siteadmin;
userChanged = true;
}
@@ -2747,6 +2767,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
// Update db record for user if there are changes detected
if (userChanged) {
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: CHANGED: USER: "${req.user.sid}" Updating user database entry`);
obj.db.SetUser(user);
// Event user change
@@ -2764,9 +2785,13 @@ module.exports.CreateWebServer = function (parent, db, args, certificates, doneF
const ua = obj.getUserAgentInfo(req);
const loginEvent = { etype: 'user', userid: user._id, username: user.name, account: obj.CloneSafeUser(user), action: 'login', msgid: 107, msgArgs: [req.clientIp, ua.browserStr, ua.osStr], msg: 'Account login', domain: domain.id, ip: req.clientIp, userAgent: req.headers['user-agent'], twoFactorType: 'sso' };
obj.parent.DispatchEvent(targets, obj, loginEvent);
- parent.debug('authlog', `${authStrategy.toUpperCase()}: User Logged In: Name: ${user.name} ID: ${user._id}`);
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: LOGIN SUCCESS: USER: "${req.user.sid}"`);
}
- } else { parent.debug('warn', 'handleStrategyLogin: FAILED - No user'); }
+ } else {
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: LOGIN FAILED: USER: "${req.user.sid}" REQUEST CONTAINS NO USER OR SID`);
+ }
+
+ parent.authLog('handleStrategyLogin', `${req.user.strategy.toUpperCase()}: User Authenticated: ${JSON.stringify(user)}`);
//res.redirect(domain.url); // This does not handle cookie correctly.
res.set('Content-Type', 'text/html');
res.end('