[OIDC] Allowed_groups directive issue #1114
Comments
Tried to upgrade up to beta3, but the same issue.
|
This is not a bug and rather a configuration issue. The following works for Keycloak (tested as of version 20.0.3):
(or whatever the name of your role is) Your headscale config can then be e.g:
No need for the leading slash. |
@yaroslavkasatikov Does the aforementioned workaround for the perceived issue work for you? Maybe this could be closed, then. |
I was facing the same error with Authentik, creating a group bind policy had no effect. |
@LEI Could you explain a little how you got it working with Authentik? |
@madjam002 Thanks for this, it worked! After some more investigating, I found it a bit easier to set it up with a "group membership mapper". And you can turn off "Full group path" to remove the leading As that may be helpful to some as well, the Terraform code I'm using to create this configuration is:
|
@LEI I too would be curious to see how you got groups working with authentik |
To get it working I changed the issuer and removed the leading slash from the configuration:
OIDC authentication required the scope mapping to be correctly defined, the group part is relatively simple:
|
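Added example, not part of the thread and not headscale's own code: a small diagnostic for the mismatch discussed in the comments above. It decodes an ID token's payload and compares its group claim with allowed_groups, assuming an exact string match on a claim named groups; the token, the group names and the function names are constructed for illustration.

```python
import base64
import json

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_groups(claims: dict, allowed_groups: list, claim: str = "groups") -> dict:
    """Compare the token's group claim with allowed_groups (assumed exact match)."""
    raw = claims.get(claim)
    if raw is None:
        return {"authorized": False, "reason": f"no '{claim}' claim in token",
                "matched": [], "hints": []}
    items = raw if isinstance(raw, list) else [raw]
    groups = [g for g in items if isinstance(g, str)]
    matched = sorted(set(groups) & set(allowed_groups))
    hints = []
    if not matched:
        # Near misses: same name once a leading "/" (full group path) is ignored.
        norm = {a.lstrip("/"): a for a in allowed_groups}
        for g in groups:
            a = norm.get(g.lstrip("/"))
            if a is not None and a != g:
                hints.append(f"token has {g!r}, config has {a!r}")
    reason = "ok" if matched else "no allowed group in token"
    return {"authorized": bool(matched), "reason": reason,
            "matched": matched, "hints": hints}

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample: an IdP that emits full group paths sends "/headscale".
SAMPLE = make_sample_token({"sub": "user-1", "groups": ["/headscale", "/dev"]})

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE)
    print(check_groups(claims, ["headscale"]))   # mismatch, with a hint
    print(check_groups(claims, ["/headscale"]))  # exact match
```

Run it against a token captured from your own login flow to see which side carries the slash, then change either the IdP mapper or the config so both strings are identical.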
Any example of configuration on Azure AD? And there is the same error: "Unauthorised principal (allowed groups)" Without "allowed_groups" it works. But I want groups. |
Same issue with Azure AD. Doesn't seem to be working with it for the moment. |
This issue is stale because it has been open for 90 days with no activity. |
This issue was closed because it has been inactive for 14 days since being marked as stale. |
Hey team,
I faced an issue while testing the new allowed_groups directive.
I have tried to use it with auth0 and Keycloak, but received "unauthorized principal (allowed groups)" and an error in the Headscale log.
My oidc config in config.yaml:
Keycloak version:
auth0.com Version:
Some screenshots from Keycloak and auth0: