[Feedback] OpenID and multi-user #4029
Comments
matt-fidd
added
bug
|
Thanks @lelemm for this amazing feature! I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId: When I look at the logs for Actual I see the following: Anyone know what I might be doing wrong? |
|
I'm not on the PC right now, but maybe authelia does not implement openid, but oauth2. If that's the case, you have to setup it using the config.json on the server specifying the authMethod to oauth2 instead of openid
|
Thanks, I'll dig around! I think Authelia has OpenID based on this, but I'll try the config.json. |
I tried with the config.json and set the authMethod to "oauth2" but still got the same error. |
To use the configuration in the file, you need to run the commands. This script will take the configuration from the file into the database |
|
Ah thanks, I didn't realize I had to run that command for it to use the config. That worked! I had to switch my docker container from edge-alpine to just edge to have npm in it. |
|
Actually, that seemed like it fixed the issue but I don't think it did. After I run those commands I'm able to sign in (with account A) and assign a budget file to myself as admin. However, if I try to sign in through a different user account (with account B) in incognito mode I get the same |
|
You have to give access to the second user in the user directory |
|
Got it, it's working as expected. I thought that new users would be added to that automatically at sign in. Thanks for all of your help! |
|
it is possible to use multi-user without need to login with openID ? |
Nope. They are tied together for now. One can expand for internal user management |
|
HI! Thank you for this future! Amazing! But could you write some documentation about it? For example: what is the redirect URL for OAuth2? |
|
just added via authentik. worked flawless so far. Enabling was quiet easy as well. The fact that it deletes the url in case you change auth-provider in setup is a little confusing though - or rather the fact that it accepts invalid url and does not tell you (it resetted to placeholders but i did not notice and hit ok again - and i was not able to see error on first sight) |
|
I noticed that arbitrary users seem to be able to access budget files of other users as long as they log in from the same device. Consider the following situation - I got two users in my IAM solution (Authentik), one is called Daniel Bodky and is Admin in Actualbudget, the other is called John Doe and got added to the user directory of Actualbudget manually:
There is only one budget file available on the server, called Daniel. It has been created by the admin user and is configured to be accessible only by him:
However, if I log in to Actualbudget with the second user John Doe, I am offered to open the budget file. It even states that the supposedly unprivileged user is the file owner. Consequently, I can open and edit the budget with the unprivileged user (note the username in the top right):
If I login as John Doe from a private browser window, the behavior is as expected: The user doesn't have a budget file yet, so none is displayed; the budget file(s) of other users don't show either.
I guess this is due to the offline capabilities of Actualbudget, and the fact that all local files are available in the device/browser? So once a budget file has been downloaded to a device/browser, it's accessible to all users that might log in on that device/browser? |
You are completely right. That's how its working atm |
|
Are there plans to mitigate this behavior in the future? Maybe by 'disabling' offline mode when enabling OIDC auth/multi-user support? |
|
AFAIK, not planned, but I guess with enough feedback for it will probably be mitigated |
|
Working well here with Pocket ID. Thanks for implementing! |
|
Would be nice if someone is using a different OpenID provider, give some information like this: {
label: 'Microsoft Entra',
value: 'microsoft',
issuer: 'https://login.microsoftonline.com/{tenant-id}',
clientIdRequired: true,
clientSecretRequired: true,
tip: (
<Link
variant="external"
to="https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc"
>
<Trans>OpenID Connect on the Microsoft identity platform</Trans>
</Link>
),
}So the list of validated providers can be increased for future users |
|
Where would I find that? |
That would be built by you, if you have the knowledge |
|
Firstly, thanks for this great features ! 😍 Quick question regarding claims used to retrieve user information.Actually, at least for Entra ID, the username seems to be mapped to the display name? Is it correct? Maybe it can be interesting to be customized to use the UPN (which is unique in Entra ID - not sure it's the case for display name), for example? This question aside, authentication process works perfectly. |
The username saved is a little clunky honestly. |
|
To test this, I:
|
lelemm will have to comment on access, but i know as of current if you have bank sync setup it is not per budget. that is to say, the token with the sync provider is set on the server and not associated with the budget files directly. |
|
Okay I managed to get this working with Authelia, thanks to the above. For Authelia, I added the following to configuration.yml and then restarted it. identity_providers:
oidc:
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients:
# Actual
- client_id: 'actualbudget'
client_name: 'Actual'
client_secret: ''$pbkdf2-digestedsecret'
authorization_policy: 'two_factor'
redirect_uris:
- 'https://actualbudget.example.com/openid/callback'
public: false
require_pkce: true
pkce_challenge_method: 'S256'
grant_types:
- 'authorization_code'
scopes:
- 'openid'
- 'profile'
- 'groups'
- 'email'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'For Actual, I had to create the {
"openId": {
"issuer": "https://auth.example.com",
"client_id": "actual",
"client_secret": "insecure_secret",
"server_hostname": "https://actualbudget.example.com",
"authMethod": "oauth2"
}
}Then, go into the actualbudget docker container and run
I went back into my Actual-Budget instance, logged out and logged back in, selecting the OpenID option. This triggered the request to Authelia and assigned my user as owner for the budget. Then I added a second user based on this ie, Logged in via Authelia with said user successfully. Seems to be working as intended! |
Can we have it documented somewhere? I had to create a discord user, click many "accept" "skip" and so on 😕 To everyone that do not want to create a discord user, the solution is to run the following command inside the container: Also: Thank you for the great progress on this feature though! |
|
Hi, I am happy to see the ongoing development of actualbudget and the new addition of SSO using OIDC and OAuth2.0. I have tested the OpenID feature using the WebUI with Authelia. I get the following error: {"status":"error","reason":"openid-grant-failed"}To me, this looks like actual is expecting the Actually authelia supports RFC9207 which basically only implements the It is possible that I interpreted the error wrong, but I think this might be a bug. Authelia oidc client configuration for reference: identity_providers:
oidc:
clients:
- client_id: 'actual'
client_name: 'actual'
client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
require_pkce: true
pkce_challenge_method: 'S256'
authorization_policy: 'two_factor'
redirect_uris:
- 'https://actual.example.com/openid/callback'
scopes:
- 'openid'
- 'profile'
- 'email'
userinfo_signed_response_alg: 'none' |
|
I was able to setup OpenID Auth using Synology DSM SSO Server with their OIDC feature enabled. I can login to Actual, etc. however what doesn't seem to be working is the setting of the "Server Owner" when the first account logs in after OIDC is enabled. I can see my user in User Directory but there is no check mark next to Server Owner. This causes the warning to still appear on the login page about server owner being set to first user and it also is preventing the regular password login from being disabled. Any ideas why the server owner isn't be set automatically to first user to login (me) after OIDC setup is enabled, and is there anyway to force set the server owner now... I tried clearing cookies and restarting the docker container and signing in from scratch, didn't help. |
Can you even disable the regular password? I'm Server Owner but I still have the option to use the password. And I don't see any settings for that either. I would guess that deactivating the password option is not a thing yet. |
Hmm, I was under the impression that once a server owner is set after the first OIDC login happens that it disables regular password based access and goes into multi-user mode only. Maybe I misunderstood, and can't test because my install isn't properly setting server owner by itself anyway and getting rid of the ability to edit OIDC settings before login. So right now, anybody could just edit OIDC settings to their own provider and get in. |
Okay, so. I finally managed to get onto Discord (it was very stubborn today) and there lelemm said that disabling the password is not possible because the API needs it and auto-login is not available yet. |
OK if that is the case, then it seems the only downside to my situation is without a server owner being set, anyone coming upon the login page can now change the OIDC settings to their own provider and then login. Obviously this prevents me from "launching" using this yet, completely not secure. |
|
If you're referring to the link to change the OIDC settings on the login page, that link disappears once you login using openid.... at least it did for me. I too would welcome an option (probably an environment option in the compose file that is easy to change before spinning up a container) to disable the web page password prompt. I do understand not totally locking it out for the API to continue to have access. |
That is exactly what I mean. On my system, I get that prompt, I sign-in, but after I log out, the prompt is still there and I (or anyone else) can still change OIDC settings. And when I do login, under User Directory, my user (or any user) is not checked as "System Owner". Like whatever process that sets the system owner isn't working. Hoping there is an easy quick fix. |
you probably had an error but somehow the flow went until the end so you system owner was never created. I highly suggest you to disable openid and enable again to check for errors and to be sure the system owner is created |
Think you are right. If I disable OIDC and then re-enable and go throw the flow from scratch I get |
I guess the username returned by the provider is empty string. |
|
I have updated my initial bug report with additional information for troubleshooting. I still believe this a bug in the actualbudget oidc client. |
|
hey guys, just a small thing for you => authentik is written with a lowercase "a". Can you change this on the dropdown menu for the openID provider? I'm already on my PR for the documentation of authentik's official page and the guys that are reviewing my PR already told this to me :) goauthentik/authentik#12590 (comment) I mean this part here during the configuration: |
|
I there, just wanted to say thanks! |
|
Configured with Casdoor, works without any issues for me. |
|
Just want to say thank you to all who were involved with developing this, seriously useful now that partner and I can share a single budget. Just to add, due to issues with Entra / Azure AD using the Display Name (rather than the UPN or username), I've configured with Cloudflare Access OIDC as the IDP and it works perfectly! Thanks Again! |
|
Hey, just to add, it works great in my setup using the config workaround with Authelia. However, I tried to disable all but opened using allowedLoginMethods in the config file, but it's not picked/applied. I can still login with either the password or openid. Is that behaviour wanted, at least for the experimental phase? |
|
Not sure if you're aware but it could be something related to the openID/multi-user integration that was introduced caused header auth to be broken in v25.1.0 |
|
This is a great feature! My brother and I have self-hosted individual instances of Actual so that we can each have separate budgets. That's not a huge deal, but it is nice to just have one instance. This feature almost gets us there, but it seems like there is only one SimpleFIN token for the whole instsance, so we couldn't use separate SimpleFIN accounts. Is this correct? Are there any plans to say let each user have their own token? |
|
I have a similar issue as OP. I am using authentik and my account work as intended. I then tried to login as my wife’s account and got {"status":"error","reason":"openid-grant-failed"}. I checked and no user was created for the login. Logs for actual budget server: UPDATE: I solved the issue. I had to create the user in Actual prior to them logging in. Will the open id not create the new user? |
|
On the UX side of the Enable OpenID dialog box I believe we should add a sentence saying that people must export their data before continuing. I am aware that there are no technical reason for this, but it's all about 1) making people feel safe; 2) reducing the number of potential support request on the variant of I enabled OpenID - now my data is lost. 
|
OpenID at this time does not create the user accounts within actual so they need to be created manually |
on that thought, why wouldn't we have it for every experimental feature? and could even go a step further to create a flow that steps people through backing up their data? |
and others
Thanks to @lelemm, OpenID and multi-user support was added to Actual in #3878 as an experimental feature. This issue is to track feedback/bugs/issues/requests related specifically to that feature.
The text was updated successfully, but these errors were encountered: