
Hi

It's my first message here; I usually post in French on fmsource.com, but nobody there has any experience with this subject.

Until now I have had a server on macOS and used LDAP on a Synology for authentication.

Now I want to migrate (when the final version is there) to the new version on CentOS.

First I tried to connect the server to LDAP, with no success. So I looked for another way and found the white paper about other OAuth providers: https://www.soliantconsulting.com/blog/oauth-providers-filemaker-apps/

I chose Auth0.com because they have a free offer for up to 7000 users and it can easily be synchronized with my LDAP server. But the white paper, although it says it works with Auth0, details another provider (Okta).

So something doesn't work in my setup: I have the "Microsoft" button, but after I receive the code back I get the message "authentication failed" 🤔

So I am blocked.

Thanks in advance for the help

Esaïe


Are you using the preview build of FMS CentOS? If so what is the exact build number?

If not, what version of FMS are you using and on what platform?

From your description it seems like you actually get to Auth0 after you click the MS button and you successfully authenticate there, but the redirect doesn't work?

Have you tested your setup with something like https://oidcdebugger.com/ and Postman for the 2nd leg of the OAuth?

Are you attempting group-based auth or individual account auth?

The white papers that you'll find here written by Steven Blackwell and myself explain how to use those tools and what to check for in the id_token that you get back from Auth0.


Let us know and we should be able to get you all the way there.


Also, you could consider using something like Red Hat's Keycloak and install it on-prem and let it be the broker to your LDAP server.  That way you wouldn't need to sync anything and you can keep it all in-house.

3 hours ago, Wim Decorte said:

Are you using the preview build of FMS CentOS? If so what is the exact build number?

19.1.1.39, I think it's the latest.

3 hours ago, Wim Decorte said:

From your description it seems like you actually get to Auth0 after you click the MS button and you successfully authenticate there, but the redirect doesn't work?

right

3 hours ago, Wim Decorte said:

Have you tested your setup with something like https://oidcdebugger.com/ and Postman for the 2nd leg of the OAuth?

I tried, but I'm not sure how to interpret the result.

4 hours ago, Wim Decorte said:

Are you attempting group-based auth or individual account auth?

Group-based, but I tried with my account too.

4 hours ago, Wim Decorte said:

Also, you could consider using something like Red Hat's Keycloak and install it on-prem and let it be the broker to your LDAP server.  That way you wouldn't need to sync anything and you can keep it all in-house.

It could be good, but maybe in a second step. 😅

Thank you for trying to help me :)

Late in the day here so I'll reply in full tomorrow.

But I don't believe that early build of FMS Linux supported external authentication of any kind.  I'll try tomorrow with a later build.

It should work just fine with the current versions of FMS17, 18 and 19 on macOS or Windows if you want to set it up there and not wait for when the Linux version gets released.


Yep, that old preview version of FMS Linux did not support External Authentication:

[screenshot: admin console of the old FMS Linux preview build, showing that External Authentication is not supported]

If you are in the ETS beta testing program you should have access to a more recent version that does.

If you are in ETS, ping me in the ETS group on community.claris.com and I can help you set it up for Auth0.

If you are not then we should pick either Windows or macOS to help you set this up.

Let us know.


One of the main things to keep in mind about Auth0 is that they insist on namespacing the groups claim. When you inspect the id_token they return you'll see this (line 2):

[screenshot: decoded Auth0 id_token; the namespaced groups claim is on line 2]

So you have to adjust your changes in the FMS dbs_config.xml file accordingly. FMS typically just expects 'groups' as the key name for the array of groups.
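A quick way to see what Wim is describing is to decode the id_token Auth0 hands back and look at the claim names yourself. The Node.js snippet below is an added example, not code from the thread, from Claris or from Auth0. It builds a constructed token shaped like one from an Auth0 tenant with an AD/LDAP connection (the tenant name, client ID, e-mail, nickname and the namespace `http://ets/claims/` are made up), decodes it without verifying the signature (this is for inspection only; FMS does the real verification), and runs the checks a practitioner wants before blaming the server: issuer and audience match the provider configuration, the token is not expired, the claim named in `OAuthIDName` is present, and some array of groups exists, reporting which key holds it so you know what to put in `OAuthGroupScheme`.

```javascript
// Added example (not from the original thread, Claris or Auth0): decode an
// Auth0 id_token with Node.js and check for the claims FileMaker Server's
// OAuth configuration needs. Decoding here does NOT verify the signature.

const b64urlEncode = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
const b64urlDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Constructed sample id_token: the issuer, client ID, e-mail, nickname and the
// namespace "http://ets/claims/" are assumptions. The sub format
// "ad|<connection>|<id>" is what an Auth0 AD/LDAP connection produces.
function sampleIdToken(withGroups = true) {
  const header = { alg: 'RS256', typ: 'JWT', kid: 'example-kid' };
  const payload = {
    iss: 'https://dev-example.eu.auth0.com/',
    sub: 'ad|MyApplicationName|MyID',
    aud: 'my-client-id',
    iat: 1600000000,
    exp: 1600003600,
    email: 'esaie@example.org',
    nickname: 'esaie',
  };
  if (withGroups) payload['http://ets/claims/groups'] = ['FileMaker Users', 'Finance'];
  // Placeholder signature; a real token is RS256-signed by the tenant.
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.${b64urlEncode({ sig: 'placeholder' })}`;
}

function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}

// Find the key FMS must be given as OAuthGroupScheme: a plain "groups" array
// if present, otherwise a namespaced key ending in "/groups".
function findGroupsClaim(payload) {
  if (Array.isArray(payload.groups)) return 'groups';
  const namespaced = Object.keys(payload).find(
    (k) => /\/groups$/.test(k) && Array.isArray(payload[k]),
  );
  return namespaced || null;
}

// Checks to run against the id_token before blaming FMS.
function checkIdToken(token, { issuer, clientId, idClaim, nowSeconds }) {
  const { payload } = decodeJwt(token);
  const problems = [];
  if (payload.iss !== issuer) problems.push(`iss is ${payload.iss}, expected ${issuer}`);
  const audOk = payload.aud === clientId ||
    (Array.isArray(payload.aud) && payload.aud.includes(clientId));
  if (!audOk) problems.push('aud does not contain the ClientID');
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) problems.push('token expired');
  if (!(idClaim in payload)) problems.push(`no "${idClaim}" claim for OAuthIDName`);
  const groupsClaim = findGroupsClaim(payload);
  if (!groupsClaim) problems.push('no groups array in id_token; the Auth0 app is not returning groups');
  return { ok: problems.length === 0, groupsClaim, problems };
}

// Inspect the constructed token the way you would inspect one pasted from
// Postman or oidcdebugger.com.
const demo = checkIdToken(sampleIdToken(), {
  issuer: 'https://dev-example.eu.auth0.com/',
  clientId: 'my-client-id',
  idClaim: 'nickname',
  nowSeconds: 1600001000,
});
console.log(JSON.stringify(demo, null, 2));
```

For a real token, paste the id_token from the token response into `checkIdToken` with the `OIDCIssuer` and `ClientID` from your provider entry; if `groupsClaim` comes back as something like `http://your-namespace/groups`, that exact string is what belongs in `OAuthGroupScheme`, and if it comes back null the fix is on the Auth0 side, not in dbs_config.xml.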


*******, no, I don't have access to a more recent version, only the developer preview. I will try to apply.

So if I understand correctly, it's normal that LDAP doesn't work either.

I tried to do the configuration under macOS, but I'm on version 17 (I have to buy the new version of MBS to be able to update).

My dbs_config file:

<keys name="oAuthProviders">
  <keys name="Microsoft">
    <key name="AuthCodeEndpoint" type="string">dev-esaeberg.eu.auth0.com/authorize</key>
    <key name="AuthType" type="integer">2</key>
    <key name="ClientID" type="string">-------------</key>
    <key name="ClientSecret" type="string">---------</key>
    <key name="EncryptedClientSecret" type="integer">1</key>
    <key name="OAuthGroupScheme" type="string">groups</key>
    <key name="OAuthIDName" type="string">nickname</key>
    <key name="OIDCEnabled" type="integer">1</key>
    <key name="OIDCIssuer" type="string"/>
    <key name="ProfileEndpoint" type="string"/>
    <key name="Provider" type="string">Microsoft</key>
    <key name="ProviderEnabled" type="integer">1</key>
    <key name="ProviderID" type="integer">4</key>
    <key name="ResponseType" type="string">code</key>
    <key name="Scope" type="string">openid email groups</key>
    <key name="TokenEndpoint" type="string">https://dev-esaeberg.eu.auth0.com/oauth/token</key>
  </keys>
</keys>

I tried with <key name="OAuthGroupScheme" type="string">http://ets/claims/groups</key> too.

So, when I try the authentication, the redirect page stays open and white:

No failure message on the WebDirect authentication page like with the CentOS version.

About Postman, I put the result into a JWT decoder, but I receive only openid and email, not groups as requested in the scope. And my ID is in a special format: "sub": "ad|MyApplicationName|MyID"
33 minutes ago, Esaïe PA Bergier said:

About Postman, I put the result into a JWT decoder, but I receive only openid and email, not groups as requested in the scope

If you have asked for groups in the scope then it looks like your app on the Auth0 side is not configured to return groups.

33 minutes ago, Esaïe PA Bergier said:

tried with <key name="OAuthGroupScheme" type="string">http://ets/claims/groups</key> too

That particular string is only valid for my Auth0 app; you have to configure yours on the Auth0 app side and then use it in your dbs_config.xml file.

Just verified with the latest ETS build of FMS Linux that Auth0 authentication works, just like with the current Windows and macOS servers.

It should work on your FMS17 box too once you have made the final tweaks on the Auth0 side of things.

Edited by Wim Decorte
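What "configure it on the Auth0 app side" looks like in practice is an Auth0 Rule that copies the user's group membership into a custom id_token claim under a namespace you choose. The block below is an added example, not code from the thread, from Claris or from Auth0. It assumes the tenant still uses the legacy Rules mechanism rather than Actions, that the AD/LDAP connection exposes group membership as `user.groups`, and that the namespace `https://example.org/claims/` is yours (any URL you control works; the string is an assumption). To show the effect offline it also includes a small stand-in for Auth0's token assembly that keeps only URL-namespaced custom claims, modelling the namespacing requirement Wim describes, alongside the naive rule that sets a plain `groups` key and therefore produces no groups claim at all.

```javascript
// Added example (not from the thread, Claris or Auth0): an Auth0 Rule that
// puts group membership into a namespaced id_token claim, a naive rule that
// does it wrong, and a constructed stand-in for the token build to compare them.
// Assumptions: legacy Rules (not Actions); the AD/LDAP connection exposes
// groups as user.groups; the namespace "https://example.org/claims/" is yours.

const NAMESPACE = 'https://example.org/claims/'; // assumption: use a URL you own

// Auth0 expects a rule to be a single function (user, context, callback);
// it is named here only so it can be called locally.
function addNamespacedGroupsRule(user, context, callback) {
  const groups = Array.isArray(user.groups) ? user.groups : []; // AD/LDAP profile attribute (assumption)
  context.idToken[NAMESPACE + 'groups'] = groups;              // this is what FMS reads
  return callback(null, user, context);
}

// The tempting but wrong version: a non-namespaced custom claim.
function addPlainGroupsRule(user, context, callback) {
  context.idToken.groups = Array.isArray(user.groups) ? user.groups : [];
  return callback(null, user, context);
}

// Constructed stand-in for how Auth0 assembles the id_token: standard OIDC
// claims from the profile, plus custom claims from context.idToken, keeping
// only those whose name is a URL. Not Auth0 code; it models the behaviour
// the thread describes (Auth0 insists on namespacing custom claims).
function buildIdToken(user, context) {
  const claims = {
    iss: 'https://dev-example.eu.auth0.com/',   // assumed tenant
    sub: user.user_id,
    aud: context.clientID,
    nickname: user.nickname,
    email: user.email,
  };
  for (const [name, value] of Object.entries(context.idToken)) {
    if (/^https?:\/\//.test(name)) claims[name] = value; // namespaced: kept
    // anything else is silently dropped
  }
  return claims;
}

// Run a rule the way Auth0 would during login and return the resulting claims.
function simulateLogin(user, rule) {
  const context = { clientID: 'my-client-id', idToken: {} }; // assumed client ID
  let claims;
  rule(user, context, (err, u, c) => {
    if (err) throw err;
    claims = buildIdToken(u, c);
  });
  return claims;
}

// The dbs_config.xml line that must carry the same claim name the rule sets.
function groupSchemeXml(claimName) {
  return `<key name="OAuthGroupScheme" type="string">${claimName}</key>`;
}

// Constructed user profile, shaped like one from an Auth0 AD/LDAP connection.
const sampleUser = {
  user_id: 'ad|MyApplicationName|MyID',
  nickname: 'esaie',
  email: 'esaie@example.org',
  groups: ['FileMaker Users', 'Finance'],
};

console.log('namespaced rule:', simulateLogin(sampleUser, addNamespacedGroupsRule));
console.log('plain rule:     ', simulateLogin(sampleUser, addPlainGroupsRule));
console.log(groupSchemeXml(NAMESPACE + 'groups'));
```

The first rule yields a token with `https://example.org/claims/groups` carrying the two groups; the second yields no groups key at all, which is exactly the symptom of seeing only `openid` and `email` claims in Postman. Whatever namespace you pick, the full claim name goes verbatim into `OAuthGroupScheme`, and the FileMaker account's group name must match one of the array values.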