Under review

OpenID Connect - UserInfoRoleNamesPath format?

CBVista 10 months ago updated by Tom Wardrop 2 months ago

Trying to configure the OIDC login provider with AzureAD. Login is successful (i'm logged in) but can't do anything as it hasn't picked up my permissions:

The requested resource requires more permissions than provided by your existing authentication. Please login to continue.

I suspect this is because ScreenConnect is not reading the roles from the ID token correctly using the "UserInfoRoleNamesPath" key. I can validate this by specifying my role 'Administrator' in the "ExtraRoleNames" field, which then logs me in fine. The documentation indicates the field should have 'JSON path, slash-separated ("/"), to a user's roles', but this isn't very helpful to understand what value you want entered here. I've tried the following values but none of them work:

  • roles
  • $.roles
  • $['roles']

Here is the JWT 'ID Token' (anonymised) from Azure that was obtained using the same Client ID, Client Secret & Scope as ScreenConnect, which clearly shows my role.

{
  "aud": "fb6c9e00-e011-45a5-b47b-84a9493c0bb1",
  "iss": "https://login.microsoftonline.com/9022722a-13a8-4a53-a9ba-4974a96be07d/v2.0",
  "iat": 1591317833,
  "nbf": 1591317833,
  "exp": 1591321733,
  "email": "firstname.lastname@domain.com",
  "name": "FirstName LastName",
  "oid": "932b3f5a-575b-4716-8088-3198ea5b5001",
  "preferred_username": "FirstName.Berthoud@vista.co",
  "roles": [
    "Administrator"
  ],
  "sub": "SKDJhfs9d-ASDOFjn09dsf-SDnvcfisduvc9h3nfcsd",
  "tid": "861b4c2d-dc36-4e80-a700-9fb413388daa",
  "uti": "aDSBJHKd8sfsdf",
  "ver": "2.0"
}

ConnectWise Control Version:
20.5
Server Affected:
Host Client Affected:
Guest Client Affected:

Control will only look for roles in the response from the user info endpoint, in your case something like this:

"userinfo_endpoint":"https://login.microsoftonline.com/common/openid/userinfo"


The JWT access tokens are treated as opaque (therefore not parsed) and used when requesting the user info endpoint.
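The reply above says the product treats the tokens as opaque and only reads roles from the userinfo response. If a relying party did read roles out of the ID token instead, as the original poster wants, it would have to validate that token first (signature, issuer, audience, validity window) before trusting the "roles" claim. The following added example is not ConnectWise code and is not from anyone in this thread; it is a minimal illustration of that validation step. It assumes an HS256 shared key purely so it runs offline (Azure AD actually signs ID tokens with RS256 using keys published at its jwks_uri, so a real deployment resolves the signing key from there), and the claim values are constructed placeholders mirroring the shape of the token posted above.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key so the example is self-contained. A real relying party
# would fetch the provider's RSA public keys from its jwks_uri instead.
DEMO_HS256_KEY = b"example-shared-secret-not-a-real-key"

# Constructed claims with the same shape as the ID token posted above;
# identifiers are placeholders, not real tenant or application IDs.
DEMO_CLAIMS = {
    "aud": "app-client-id-placeholder",
    "iss": "https://login.microsoftonline.com/tenant-id-placeholder/v2.0",
    "iat": 1591317833,
    "nbf": 1591317833,
    "exp": 1591321733,
    "name": "FirstName LastName",
    "roles": ["Administrator"],
    "sub": "subject-placeholder",
    "ver": "2.0",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_id_token(claims: dict, key: bytes = DEMO_HS256_KEY) -> str:
    """Build a constructed HS256-signed token so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode_id_token(token: str, key: bytes, expected_aud: str,
                               expected_iss: str, now: Optional[int] = None) -> dict:
    """Check signature, issuer, audience and validity window before returning claims.

    Raises ValueError on any failure so callers cannot accidentally use an
    unverified payload. Only the roles of a token that passes this check
    should ever feed an authorisation decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token not valid at this time")
    return claims


def demo_roles(now: int = 1591318000) -> list:
    """Issue the demo token, verify it, and return the roles claim."""
    token = make_demo_id_token(DEMO_CLAIMS)
    claims = verify_and_decode_id_token(token, DEMO_HS256_KEY,
                                        DEMO_CLAIMS["aud"], DEMO_CLAIMS["iss"], now)
    return claims.get("roles", [])


def demo_tampered_token_rejected() -> bool:
    """Re-encode the payload with an extra role but keep the old signature."""
    header_b64, _, sig_b64 = make_demo_id_token(DEMO_CLAIMS).split(".")
    altered = dict(DEMO_CLAIMS, roles=["Administrator", "Owner"])
    forged = f"{header_b64}.{_b64url_encode(json.dumps(altered).encode())}.{sig_b64}"
    try:
        verify_and_decode_id_token(forged, DEMO_HS256_KEY, DEMO_CLAIMS["aud"],
                                   DEMO_CLAIMS["iss"], now=1591318000)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("roles from verified token:", demo_roles())
    print("tampered token rejected:", demo_tampered_token_rejected())
```

The `now` parameter is only there so the validity-window check is deterministic against the constructed timestamps; in production it is the current time.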

OK, so we're all effectively out of luck using OIDC with Microsoft AzureAD (and perhaps others because I can't find any that let you add roles to the userinfo endpoint)?

According to Microsoft's documentation, the UserInfo endpoint can only return these values:

  • "sub"
  • "name"
  • "family_name"
  • "given_name"
  • "email"

In the same documentation, Microsoft recommend using the ID token which is faster and more efficient than looking up the UserInfo endpoint... Why wouldn't Control do this?

Would be nice if ConnectWise would post documentation on configuring with OIDC and Azure. I have documentation from LastPass and they use OIDC. Perhaps we can extract what we need from there.

https://assets.cdngetgo.com/49/4b/6c71c50c46a2a03587a6dd7ed0d0/federated-login-using-azure-ad.pdf

Yeah this is a show stopper for us. I'm actually surprised I can't find any official documentation for integrating with Azure using OAuth given I'd imagine this would be one of, if not the, most popular SSO endpoints.

It looks like what they need to do is allow the user to specify which data object (userinfo endpoint, id token, access token) the desired OAuth key/attribute lives in. Also, Azure returns the roles as a JSON array as opposed to a comma separated list, so ConnectWise Control needs to handle JSON arrays correctly (if it doesn't already).

Something like this for example:
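As an added illustration of the two points raised in this thread (a configurable source for the roles attribute, and a slash-separated path that copes with JSON arrays as well as comma-separated strings), here is example code that is not ConnectWise's and not from any poster here. It assumes the three candidate documents (ID token claims, userinfo body, access token claims) have already been verified or fetched over TLS, and that a "roles" source setting plus the existing "UserInfoRoleNamesPath" and "ExtraRoleNames" settings are the only inputs; the sample documents are constructed to match what this thread describes (roles present in the ID token, absent from Azure's userinfo response). The nested "realm_access/roles" case in the test is a hypothetical layout used to show multi-segment paths.

```python
from typing import Any, Iterable, List, Optional, Set

# Constructed sample documents mirroring the situation in this thread:
# the ID token carries the roles array, the userinfo response does not.
DEMO_SOURCES = {
    "id_token": {
        "sub": "subject-placeholder",
        "name": "FirstName LastName",
        "roles": ["Administrator"],
    },
    "userinfo": {
        "sub": "subject-placeholder",
        "name": "FirstName LastName",
        "family_name": "LastName",
        "given_name": "FirstName",
        "email": "firstname.lastname@domain.com",
    },
    # Hypothetical provider that emits roles as a comma-separated string.
    "access_token": {"sub": "subject-placeholder", "roles": "Administrator, Operator"},
}


def resolve_slash_path(document: Any, path: str) -> Optional[Any]:
    """Walk a slash-separated path ('roles', 'realm_access/roles', 'roles/0').

    Numeric segments index into JSON arrays. Returns None if any segment
    is missing rather than raising, so a misconfigured path yields no roles
    instead of an error that might be mistaken for a successful lookup.
    """
    node = document
    for segment in path.strip("/").split("/"):
        if not segment:
            continue
        if isinstance(node, dict):
            node = node.get(segment)
        elif isinstance(node, list) and segment.isdigit() and int(segment) < len(node):
            node = node[int(segment)]
        else:
            return None
        if node is None:
            return None
    return node


def normalise_roles(value: Any) -> List[str]:
    """Accept a JSON array, a comma-separated string, or a single scalar."""
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v).strip() for v in value if str(v).strip()]
    if isinstance(value, str):
        return [r.strip() for r in value.split(",") if r.strip()]
    return [str(value)]


def extract_roles(sources: dict, source_name: str, path: str,
                  extra_role_names: Iterable[str] = ()) -> List[str]:
    """Pick the configured document, resolve the path, merge ExtraRoleNames.

    Unknown source names fail loudly: silently falling back to another
    document would make it unclear which claims actually granted access.
    """
    if source_name not in sources:
        raise KeyError(f"unknown roles source {source_name!r}; "
                       f"expected one of {sorted(sources)}")
    roles = normalise_roles(resolve_slash_path(sources[source_name], path))
    merged: List[str] = []
    for role in list(roles) + [r.strip() for r in extra_role_names if r.strip()]:
        if role not in merged:          # deduplicate while keeping order
            merged.append(role)
    return merged


def is_authorised(granted: Iterable[str], required: Set[str]) -> bool:
    """True when at least one granted role satisfies the resource's requirement."""
    return bool(required & set(granted))


if __name__ == "__main__":
    # With userinfo as the source the user gets no roles (the thread's symptom);
    # with the ID token as the source the Administrator role is found.
    for src in ("userinfo", "id_token", "access_token"):
        roles = extract_roles(DEMO_SOURCES, src, "roles")
        print(f"{src:13s} -> {roles} authorised={is_authorised(roles, {'Administrator'})}")
```

Keeping the source explicit in configuration also makes the audit trail clearer: a login record can state which document the roles were taken from, which is what you would want when checking why a user was, or was not, granted Administrator.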

@Tom Wardrop

Did you get OAuth2 working with Azure?
If so, do you have an example of the settings?

Many Thanks, Jas

Hey Jas, no unfortunately not. It's not currently possible. I ended up configuring SAML instead, which was a fair bit more verbose than OAuth. ConnectWise support acknowledged this, but didn't make any promises to implement support via OAuth. The only suggestion they made was to raise a feature request here, which I couldn't be bothered raising at the time: https://control.product.connectwise.com/communities/1-feature-request-portal