Under review

OpenID Connect - UserInfoRoleNamesPath format?

CBVista 4 months ago updated by RYC KLC 1 day ago 3

Trying to configure the OIDC login provider with AzureAD. Login is successful (i'm logged in) but can't do anything as it hasn't picked up my permissions:

The requested resource requires more permissions than provided by your existing authentication. Please login to continue.

I suspect this is because ScreenConnect is not reading the roles from the ID token correctly using the "UserInfoRoleNamesPath" key. I can validate this by specifying my role 'Administrator' in the "ExtraRoleNames" field, which then logs me in fine. The documentation indicates the field should have 'JSON path, slash-separated ("/"), to a user's roles', but this isn't very helpful to understand what value you want entered here. I've tried the following values but none of them work:

  • roles
  • $.roles
  • $['roles']

Here is the JWT 'ID Token' (anonymised) from Azure that was obtained using the same Client ID, Client Secret & Scope as ScreenConnect, which clearly shows my role.

{
  "aud": "fb6c9e00-e011-45a5-b47b-84a9493c0bb1",
  "iss": "https://login.microsoftonline.com/9022722a-13a8-4a53-a9ba-4974a96be07d/v2.0",
  "iat": 1591317833,
  "nbf": 1591317833,
  "exp": 1591321733,
  "email": "firstname.lastname@domain.com",
  "name": "FirstName LastName",
  "oid": "932b3f5a-575b-4716-8088-3198ea5b5001",
  "preferred_username": "FirstName.Berthoud@vista.co",
  "roles": [
    "Administrator"
  ],
  "sub": "SKDJhfs9d-ASDOFjn09dsf-SDnvcfisduvc9h3nfcsd",
  "tid": "861b4c2d-dc36-4e80-a700-9fb413388daa",
  "uti": "aDSBJHKd8sfsdf",
  "ver": "2.0"
}

ConnectWise Control Version:
20.5
Server Affected:
Host Client Affected:
Guest Client Affected:

Control will only look for roles in the response from the user info endpoint, in your case something like this:

"userinfo_endpoint":"https://login.microsoftonline.com/common/openid/userinfo"


The JWT access tokens are treated as opaque (therefore not parsed) and used when requesting the user info endpoint.

OK, so we're all effectively out of luck using OIDC with Microsoft AzureAD (and perhaps others because I can't find any that let you add roles to the userinfo endpoint)?

According to Microsoft's documentation, the UserInfo endpoint can only return these values:

  • "sub"
  • "name"
  • "family_name"
  • "given_name"
  • "email"

In the same documentation, Microsoft recommend using the ID token which is faster and more efficient than looking up the UserInfo endpoint... Why wouldn't Control do this?
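To make the two replies above concrete (roles are read only from the UserInfo response via a slash-separated path, and Azure AD's UserInfo returns only the five claims listed), here is an added Python sketch. It is not Control's code; the resolver is a hypothetical reading of the documented "slash-separated JSON path" format, the UserInfo response is constructed from the claim list in this thread, and the ID token claims are trimmed from the original post.

```python
import json
from typing import Any

# Constructed sample: what Azure AD's UserInfo endpoint returns, limited to the
# claims quoted in the thread (sub, name, family_name, given_name, email).
USERINFO_RESPONSE = json.dumps({
    "sub": "SKDJhfs9d-ASDOFjn09dsf-SDnvcfisduvc9h3nfcsd",
    "name": "FirstName LastName",
    "family_name": "LastName",
    "given_name": "FirstName",
    "email": "firstname.lastname@domain.com",
})

# Constructed sample: ID token claims from the original post (trimmed).
ID_TOKEN_CLAIMS = json.dumps({
    "aud": "fb6c9e00-e011-45a5-b47b-84a9493c0bb1",
    "sub": "SKDJhfs9d-ASDOFjn09dsf-SDnvcfisduvc9h3nfcsd",
    "preferred_username": "FirstName.Berthoud@vista.co",
    "roles": ["Administrator"],
    "ver": "2.0",
})


def resolve_path(document: str, path: str) -> Any:
    """Hypothetical resolver: walk a slash-separated path such as "roles" or
    "groups/0/name" through a JSON document. Returns None if any segment is
    missing, so a role path that points nowhere yields no roles at all."""
    node: Any = json.loads(document)
    for segment in path.strip("/").split("/"):
        if not segment:
            continue  # tolerate "//" or a trailing slash
        if isinstance(node, dict):
            node = node.get(segment)
        elif isinstance(node, list) and segment.isdigit() and int(segment) < len(node):
            node = node[int(segment)]
        else:
            return None
        if node is None:
            return None
    return node


def effective_roles(document: str, role_path: str, extra_role_names: tuple = ()) -> set:
    """Roles found at role_path in the provider response, unioned with any
    statically configured ExtraRoleNames (the workaround used in the thread)."""
    found = resolve_path(document, role_path)
    roles = set([found] if isinstance(found, str) else (found or []))
    roles.update(extra_role_names)
    return roles
```

Resolving "roles" against the UserInfo response returns nothing, which is why the role-name path never matches, while the same path against the ID token claims finds "Administrator"; ExtraRoleNames bypasses the lookup entirely, so it grants the role to every user who authenticates.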

Would be nice if ConnectWise would post documentation on configuring with OIDC and Azure. I have documentation from LastPass and they use OIDC. Perhaps we can extract what we need from there.

https://assets.cdngetgo.com/49/4b/6c71c50c46a2a03587a6dd7ed0d0/federated-login-using-azure-ad.pdf