[Feedback] OpenID and multi-user #4029

Open
matt-fidd opened this issue Dec 23, 2024 · 10 comments
Labels
experimental feature Related to an experimental feature feedback Single feedback thread for bug reports on a new feature

Comments

@matt-fidd
Contributor

matt-fidd commented Dec 23, 2024

Thanks to @lelemm, OpenID and multi-user support was added to Actual in #3878 as an experimental feature. This issue is to track feedback/bugs/issues/requests related specifically to that feature.

@matt-fidd matt-fidd added bug Something isn't working experimental feature Related to an experimental feature feedback Single feedback thread for bug reports on a new feature and removed bug Something isn't working labels Dec 23, 2024
@shaankhosla
Contributor

shaankhosla commented Dec 24, 2024

Thanks @lelemm for this amazing feature!

I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenID:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?
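
Added example, not part of the original thread and not Actual's or openid-client's code: a simplified model of the RFC 9207 issuer check on the authorization callback, the rule behind an error worded like the `iss missing from the response` in the log above. The provider metadata, host names and callback path are constructed placeholders, and only the authorization code flow is modelled.

```javascript
// Simplified model of the RFC 9207 issuer check a relying party (RP) applies
// to an authorization response (code flow only). Illustrative, added code.

// Constructed provider metadata; the issuer URL is a placeholder.
const sampleMetadata = {
  issuer: 'https://auth.example.com',
  authorization_response_iss_parameter_supported: true,
};

// Extract query parameters from the redirect the browser delivers to the RP.
function paramsFromCallbackUrl(callbackUrl) {
  return Object.fromEntries(new URL(callbackUrl).searchParams);
}

function checkIssuerParam(metadata, params) {
  if ('iss' in params) {
    // RFC 9207: compare with simple string comparison, no normalization.
    return params.iss === metadata.issuer
      ? { ok: true, reason: 'iss matches configured issuer' }
      : { ok: false, reason: 'iss mismatch' };
  }
  // A provider that advertises iss support must send it; its absence means the
  // parameter was dropped before the check or the response came from elsewhere.
  if (metadata.authorization_response_iss_parameter_supported === true) {
    return { ok: false, reason: 'iss missing from the response' };
  }
  return { ok: true, reason: 'provider does not advertise iss support' };
}

// Constructed callback URLs (hypothetical host and path).
const base = 'https://actual.example.com/openid/callback';
const samples = {
  codeAndStateOnly: `${base}?code=abc&state=xyz`,
  withIssuer: `${base}?code=abc&state=xyz&iss=${encodeURIComponent(sampleMetadata.issuer)}`,
  wrongIssuer: `${base}?code=abc&state=xyz&iss=${encodeURIComponent('https://other.example.net')}`,
};

for (const [name, url] of Object.entries(samples)) {
  const result = checkIssuerParam(sampleMetadata, paramsFromCallbackUrl(url));
  console.log(name, result.ok ? 'accept' : 'reject', '-', result.reason);
}
```

The first sample carries only `code` and `state`, the same shape as the `params` object in the stack trace, and is rejected because the constructed metadata advertises `iss` support.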

@lelemm
Contributor

lelemm commented Dec 24, 2024

I'm not at the PC right now, but maybe Authelia does not implement OpenID, but OAuth2 instead.

If that's the case, you have to set it up using the config.json on the server, specifying the authMethod as oauth2 instead of openid.
Check this PR for more details: https://github.com/actualbudget/actual-server/pull/527/files

@shaankhosla
Contributor

Thanks, I'll dig around! I think Authelia has OpenID based on this, but I'll try the config.json.

@shaankhosla
Contributor

I tried with the config.json and set the authMethod to "oauth2" but still got the same error.

@lelemm
Contributor

lelemm commented Dec 24, 2024

To use the configuration in the file, you need to run the commands.
First, disable OpenID:
yarn/npm run disable-openid
Then run:
yarn/npm run enable-openid

This script will load the configuration from the file into the database.

@shaankhosla
Contributor

Ah thanks, I didn't realize I had to run that command for it to use the config. That worked! I had to switch my docker container from edge-alpine to just edge to have npm in it.

@shaankhosla
Contributor

Actually, that seemed like it fixed the issue but I don't think it did.

After I run those commands I'm able to sign in (with account A) and assign a budget file to myself as admin. However, if I try to sign in through a different user account (with account B) in incognito mode I get the same openid-grant-failed error I was seeing before. I then re-ran the disable/enable commands again and signed in with account B, at which point account B became the admin and I couldn't see account A in the user directory list. Then I tried signing in with account A and got the same openid-grant-failed error as before.

@lelemm
Contributor

lelemm commented Dec 24, 2024

You have to give access to the second user in the user directory.

@lelemm
Contributor

lelemm commented Dec 24, 2024

@shaankhosla
Contributor

Got it, it's working as expected. I thought that new users would be added to that automatically at sign in. Thanks for all of your help!

3 participants