OIDC authn and authz not working with roles array (like ['Admin', 'ReadAll']) #7326

Open
1 task done
FabianNet opened this issue Jan 30, 2025 · 0 comments

FabianNet commented Jan 30, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Hi all,

I have set up the Aspire dashboard in Docker with OIDC and Entra ID as authority.

When I use `Dashboard__Frontend__OpenIdConnect__RequiredClaimType="roles"` together with `Dashboard__Frontend__OpenIdConnect__RequiredClaimValue="Admin"`, then I get the error message "Aspire.Dashboard.Authentication.FrontendCompositeAuthenticationHandler[13] AuthenticationScheme: FrontendComposite was forbidden."

When I use `Dashboard__Frontend__OpenIdConnect__RequiredClaimType="Name"` together with my name from the token, `Dashboard__Frontend__OpenIdConnect__RequiredClaimValue="Lastname, Firstname"`, then it works.

My assumption is that the array of roles can't be parsed correctly in the dashboard backend, or is there a way to work with arrays differently?

(Screenshot attached to the original issue.)

Thanks, Fabian

Expected Behavior

Login should work

Steps To Reproduce

Run Docker with your Entra ID tenant and client ID:

```shell
docker run -it -d -p 18888:18888 -p 4317:4317 \
  -e DOTNET_DASHBOARD_OTLP_ENDPOINT_URL=http://0.0.0.0:4317 \
  -e Authentication__Schemes__OpenIdConnect__Authority=https://login.microsoftonline.com/xxxxx \
  -e Dashboard__Frontend__AuthMode="OpenIdConnect" \
  -e Authentication__Schemes__OpenIdConnect__ClientId="yyyyy" \
  -e Authentication__Schemes__OpenIdConnect__ClientSecret="zzzzz" \
  -e Authentication__Schemes__OpenIdConnect__ResponseType=code \
  -e Authentication__Schemes__OpenIdConnect__Scope="openid profile email api://yyyyy/Api.Read" \
  -e Authentication__Schemes__OpenIdConnect__CallbackPath=/signin-oidc \
  -e Dashboard__Frontend__OpenIdConnect__RequiredClaimType="roles" \
  -e Dashboard__Frontend__OpenIdConnect__RequiredClaimValue="Admin" \
  --name aspire-dashboard mcr.microsoft.com/dotnet/aspire-dashboard:9.0
```

Exceptions (if any)

No response

.NET Version info

No response

Anything else?

No response
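The report above contrasts a required-claim check that passes on a single-valued claim (`Name`) with one that is forbidden on a multi-valued claim (`roles`). The following added example, which is not part of the issue and not the Aspire dashboard's own code, models the two ways a required-claim check can treat an array-valued claim: string-comparing the raw claim (which can never match one role out of several) versus materializing each array element as its own (type, value) pair, the way claims-based identity libraries commonly do, and then checking membership. The token payload is constructed and unsigned for illustration only; the tenant and client values are placeholders.

```python
import base64
import json
from typing import Dict, List, Tuple

# Constructed, unsigned ID-token payload for illustration only. A real token's
# signature, issuer, audience and expiry must be validated before any claim in it
# is trusted. "roles" is delivered as a JSON array, as app roles typically are.
SAMPLE_PAYLOAD: Dict[str, object] = {
    "iss": "https://login.microsoftonline.com/<tenant-id-placeholder>/v2.0",
    "aud": "<client-id-placeholder>",
    "name": "Lastname, Firstname",
    "roles": ["Admin", "ReadAll"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_unsigned_jwt(payload: Dict[str, object]) -> str:
    """Build a JWT-shaped string with an empty signature segment (test data only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> Dict[str, object]:
    """Decode only the payload segment; performs no signature verification."""
    body = token.split(".")[1]
    body += "=" * (-len(body) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(body))


def flatten_claims(payload: Dict[str, object]) -> List[Tuple[str, str]]:
    """Turn the payload into (type, value) pairs, one pair per array element.

    A claim whose JSON value is an array becomes several claims of the same
    type, so "roles": ["Admin", "ReadAll"] yields ("roles", "Admin") and
    ("roles", "ReadAll") rather than one claim holding the serialized array.
    """
    pairs: List[Tuple[str, str]] = []
    for claim_type, raw in payload.items():
        values = raw if isinstance(raw, list) else [raw]
        for value in values:
            pairs.append((claim_type, str(value)))
    return pairs


def naive_required_claim_ok(payload: Dict[str, object],
                            claim_type: str, claim_value: str) -> bool:
    """String-compare the raw claim. Works for scalar claims such as "name",
    but an array-valued claim can never equal a single required value."""
    return str(payload.get(claim_type)) == claim_value


def required_claim_ok(payload: Dict[str, object],
                      claim_type: str, claim_value: str) -> bool:
    """Pass when any materialized value of the claim type equals the required value."""
    return (claim_type, claim_value) in flatten_claims(payload)


if __name__ == "__main__":
    token = encode_unsigned_jwt(SAMPLE_PAYLOAD)
    claims = decode_payload(token)
    for check in (naive_required_claim_ok, required_claim_ok):
        print(check.__name__,
              "roles=Admin ->", check(claims, "roles", "Admin"),
              "| name=Lastname, Firstname ->",
              check(claims, "name", "Lastname, Firstname"))
```

When reproducing a "forbidden" result like the one in the report, decoding the ID token payload (for example from the browser's sign-in response) and running it through `flatten_claims` makes it visible whether the required role is actually present among the materialized `roles` values, separating a missing app-role assignment from a claim-matching problem in the consumer.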

4 participants