OAuth Successful Authentication Not Creating Users #4317

Open
kcbieng opened this issue Sep 12, 2024 · 12 comments

@kcbieng (Contributor) commented Sep 12, 2024

Steps to reproduce

  1. Configure OAuth
  2. Use the "Login with Azure" button on the main page
  3. Return to the redirect URI after successful authentication
  4. Receive the error "User is not allowed to authenticate with Teampass Application"

Expected behaviour

The documentation indicates that a user will be created for someone on the first authentication.

Actual behaviour

Following the process, the user is not created and you receive an error message. If I create a user with that username and email address and follow the OAuth login flow, it is possible to log in (kind of, see other issue #4318).

Server configuration

Using the latest DormancyGrace Teampass Docker Image

Operating system:
Alpine Linux v3.18

Web server:

Database:
MariaDB

PHP version:
8.2.7

Teampass version:
3.1.2

Teampass configuration file:

```php
<?php
global $SETTINGS;
$SETTINGS = array (
    'max_latest_items' => '10',
    'enable_favourites' => '1',
    'show_last_items' => '1',
    'enable_pf_feature' => '1',
    'log_connections' => '1',
    'log_accessed' => '1',
    'time_format' => 'H:i:s',
    'date_format' => 'm/d/Y',
    'duplicate_folder' => '1',
    'item_duplicate_in_same_folder' => '1',
    'duplicate_item' => '1',
    'number_of_used_pw' => '3',
    'manager_edit' => '1',
    'cpassman_dir' => '/var/www/html',
    'cpassman_url' => 'https://teampass***',
    'favicon' => 'https://teampass.***/favicon.ico',
    'path_to_upload_folder' => '/var/www/html/upload',
    'path_to_files_folder' => '/var/www/html/files',
    'url_to_files_folder' => 'http://teampass.***/files',
    'activate_expiration' => '0',
    'pw_life_duration' => '0',
    'maintenance_mode' => '0',
    'enable_sts' => '0',
    'encryptClientServer' => '1',
    'teampass_version' => '3.1.2',
    'ldap_mode' => '0',
    'ldap_type' => '0',
    'ldap_user_attribute' => '0',
    'ldap_ssl' => '0',
    'ldap_tls' => '0',
    'ldap_port' => '389',
    'richtext' => '0',
    'allow_print' => '0',
    'roles_allowed_to_print' => '0',
    'show_description' => '1',
    'anyone_can_modify' => '0',
    'anyone_can_modify_bydefault' => '0',
    'nb_bad_authentication' => '0',
    'utf8_enabled' => '1',
    'restricted_to' => '0',
    'restricted_to_roles' => '0',
    'enable_send_email_on_user_login' => '0',
    'enable_user_can_create_folders' => '0',
    'insert_manual_entry_item_history' => '0',
    'enable_kb' => '0',
    'enable_email_notification_on_item_shown' => '0',
    'enable_email_notification_on_user_pw_change' => '0',
    'custom_logo' => '',
    'custom_login_text' => '',
    'default_language' => 'english',
    'send_stats' => '0',
    'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
    'send_stats_time' => '1723580321',
    'get_tp_info' => '1',
    'send_mail_on_user_login' => '0',
    'sending_emails' => '0',
    'nb_items_by_query' => 'auto',
    'enable_delete_after_consultation' => '0',
    'enable_personal_saltkey_cookie' => '0',
    'personal_saltkey_cookie_duration' => '31',
    'email_smtp_server' => '',
    'email_smtp_auth' => '',
    'email_auth_username' => '',
    'email_auth_pwd' => '',
    'email_port' => '',
    'email_security' => '',
    'email_server_url' => '',
    'email_from' => '',
    'email_from_name' => '',
    'pwd_maximum_length' => '40',
    'google_authentication' => '0',
    'delay_item_edition' => '0',
    'allow_import' => '1',
    'proxy_ip' => '',
    'proxy_port' => '',
    'upload_maxfilesize' => '10mb',
    'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
    'upload_imagesext' => 'jpg,jpeg,gif,png',
    'upload_pkgext' => '7z,rar,tar,zip',
    'upload_otherext' => 'sql,xml',
    'upload_imageresize_options' => '1',
    'upload_imageresize_width' => '800',
    'upload_imageresize_height' => '600',
    'upload_imageresize_quality' => '90',
    'use_md5_password_as_salt' => '0',
    'ga_website_name' => 'TeamPass for ChangeMe',
    'api' => '0',
    'subfolder_rights_as_parent' => '0',
    'show_only_accessible_folders' => '0',
    'enable_suggestion' => '0',
    'otv_expiration_period' => '7',
    'default_session_expiration_time' => '60',
    'duo' => '0',
    'enable_server_password_change' => '0',
    'bck_script_path' => '/var/www/html/backups',
    'bck_script_filename' => 'bck_teampass',
    'syslog_enable' => '0',
    'syslog_host' => 'localhost',
    'syslog_port' => '514',
    'manager_move_item' => '0',
    'create_item_without_password' => '1',
    'otv_is_enabled' => '0',
    'agses_authentication_enabled' => '0',
    'item_extra_fields' => '0',
    'saltkey_ante_2127' => 'none',
    'migration_to_2127' => 'done',
    'files_with_defuse' => 'done',
    'timezone' => 'America/Chicago',
    'enable_attachment_encryption' => '1',
    'personal_saltkey_security_level' => '50',
    'ldap_new_user_is_administrated_by' => '0',
    'disable_show_forgot_pwd_link' => '0',
    'offline_key_level' => '0',
    'enable_http_request_login' => '0',
    'ldap_and_local_authentication' => '0',
    'secure_display_image' => '1',
    'upload_zero_byte_file' => '0',
    'upload_all_extensions_file' => '0',
    'bck_script_passkey' => '***',
    'admin_2fa_required' => '1',
    'password_overview_delay' => '4',
    'copy_to_clipboard_small_icons' => '1',
    'duo_ikey' => '',
    'duo_skey' => '',
    'duo_host' => '',
    'duo_failmode' => 'secure',
    'roles_allowed_to_print_select' => '',
    'clipboard_life_duration' => '30',
    'mfa_for_roles' => '',
    'tree_counters' => '0',
    'settings_offline_mode' => '0',
    'settings_tree_counters' => '0',
    'enable_massive_move_delete' => '0',
    'email_debug_level' => '0',
    'ga_reset_by_user' => '',
    'onthefly-backup-key' => '',
    'onthefly-restore-key' => '',
    'ldap_user_dn_attribute' => '',
    'ldap_dn_additional_user_dn' => '',
    'ldap_user_object_filter' => '',
    'ldap_bdn' => '',
    'ldap_hosts' => '',
    'ldap_password' => '',
    'ldap_username' => '',
    'api_token_duration' => '60',
    'last_folder_change' => '',
    'enable_tasks_manager' => '1',
    'task_maximum_run_time' => '300',
    'tasks_manager_refreshing_period' => '20',
    'maximum_number_of_items_to_treat' => '100',
    'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER',
    'enable_tasks_log' => '0',
    'upgrade_timestamp' => '1726172321',
    'enable_ad_users_with_ad_groups' => '0',
    'enable_ad_user_auto_creation' => '0',
    'ldap_guid_attibute' => 'objectguid',
    'sending_emails_job_frequency' => '2',
    'user_keys_job_frequency' => '1',
    'items_statistics_job_frequency' => '5',
    'users_personal_folder_task' => '',
    'clean_orphan_objects_task' => '',
    'purge_temporary_files_task' => '',
    'rebuild_config_file' => '',
    'reload_cache_table_task' => '',
    'maximum_session_expiration_time' => '60',
    'items_ops_job_frequency' => '1',
    'enable_refresh_task_last_execution' => '1',
    'ldap_group_objectclasses_attibute' => 'top,groupofuniquenames',
    'pwd_default_length' => '14',
    'tasks_log_retention_delay' => '30',
    'oauth2_enabled' => '1',
    'oauth2_client_id' => '***',
    'oauth2_client_secret' => '***',
    'oauth2_client_endpoint' => 'https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize',
    'oauth2_client_token' => 'https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token',
    'oauth2_client_scopes' => 'openid,profile,email',
    'oauth2_client_appname' => 'Login with Microsoft',
    'show_item_data' => '0',
    'oauth2_tenant_id' => '***',
);
```

Updated from an older Teampass or fresh install:
Fresh Install


Client configuration

Browser:
Brave (Chromium)

Operating system:
Windows 11

Logs

Web server error log


Log from the web-browser developer console (CTRL + SHIFT + i)

```
We have an oauth2 login
index.php:2957 KEY : matching
index.php:2988 Recevied key matching and local key matching
index.php:3029 Get 2FA Methods answer:
index.php:3030 Object
{
    "agses": false,
    "google": false,
    "yubico": false,
    "duo": false
}
index.php:3094 Data submitted to identifyUser:
index.php:3095 Object
{
    "login": "***",
    "pw": "***",
    "duree_session": "60",
    "screenHeight": 641.969,
    "randomstring": "***",
    "TimezoneOffset": 18000,
    "client": "",
    "user_2fa_selection": "",
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "businessPhones": [
        "***"
    ],
    "displayName": "***",
    "givenName": "***",
    "jobTitle": "***",
    "mail": "***",
    "mobilePhone": "+***",
    "officeLocation": null,
    "preferredLanguage": null,
    "surname": "***",
    "userPrincipalName": "***",
    "id": "***",
    "groups": [
     Removed for privacy
    ],
    "oauth2TokenUsed": true,
    "oauth2LoginOngoing": true
}
index.php:3143 Identification answer:
index.php:3144 SESSION KEY is: matching
index.php:3145 Object
{
    "error": true,
    "message": "User is not allowed to authenticate with Teampass application"
}
```
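As an added example (not code from this issue, the reporter, or the Teampass project), the script below parses the flat `'key' => 'value'` entries of a pasted tp.config.php and flags what is worth confirming from the paste alone before digging into the login handler: endpoint and token URLs that still carry the `{tenant-id}` placeholder, values redacted as `***` that cannot be verified, a tenant segment in the URLs that differs from `oauth2_tenant_id`, and missing scopes. The sample config is constructed from the `oauth2_*` lines of the config above; the Entra v2.0 URL shape and the expected scope list (`openid,profile,email`, taken from the pasted config) are assumptions of this example, not requirements stated by the project.

```python
import re

# Constructed sample: the oauth2_* entries of the tp.config.php pasted in this
# issue, reproduced with the same '***' redactions and '{tenant-id}' placeholder.
SAMPLE_CONFIG = """<?php
global $SETTINGS;
$SETTINGS = array (
    'oauth2_enabled' => '1',
    'oauth2_client_id' => '***',
    'oauth2_client_secret' => '***',
    'oauth2_client_endpoint' => 'https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize',
    'oauth2_client_token' => 'https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token',
    'oauth2_client_scopes' => 'openid,profile,email',
    'oauth2_client_appname' => 'Login with Microsoft',
    'oauth2_tenant_id' => '***',
);
"""

# Constructed "clean" settings for comparison; the tenant GUID is a dummy value.
CLEAN_SETTINGS = {
    'oauth2_enabled': '1',
    'oauth2_client_id': 'example-client-id',
    'oauth2_client_secret': 'example-client-secret',
    'oauth2_client_endpoint': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/authorize',
    'oauth2_client_token': 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token',
    'oauth2_client_scopes': 'openid,profile,email',
    'oauth2_tenant_id': '00000000-0000-0000-0000-000000000000',
}

# One flat   'key' => 'value',   entry of the PHP $SETTINGS array.
ENTRY_RE = re.compile(r"^\s*'([^']+)'\s*=>\s*'((?:[^'\\]|\\.)*)',?\s*$")

# Assumed shape of the Entra ID v2.0 authorize/token endpoints: the path segment
# after the host is the tenant.
ENTRA_URL_RE = re.compile(
    r"^https://login\.microsoftonline\.com/([^/]+)/oauth2/v2\.0/(authorize|token)$")

# Assumed expected scope list, taken from the pasted config.
EXPECTED_SCOPES = ('openid', 'profile', 'email')


def parse_settings(text):
    """Return a dict of the flat 'key' => 'value' entries found in a tp.config.php dump."""
    settings = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_oauth2_settings(settings):
    """Return a list of findings (strings) about the oauth2_* settings; empty means nothing to flag."""
    findings = []
    if settings.get('oauth2_enabled') != '1':
        findings.append("oauth2_enabled is not '1'")

    # Secrets and ids: empty is a misconfiguration, '***' means we cannot verify from the paste.
    for key in ('oauth2_client_id', 'oauth2_client_secret', 'oauth2_tenant_id'):
        value = settings.get(key, '')
        if value == '':
            findings.append(f"{key} is empty")
        elif value == '***':
            findings.append(f"{key} is redacted in this copy; cannot verify")

    # Endpoint URLs: unfilled {placeholders} and unexpected shapes.
    tenants = {}
    for key, kind in (('oauth2_client_endpoint', 'authorize'), ('oauth2_client_token', 'token')):
        url = settings.get(key, '')
        if re.search(r"\{[^}]*\}", url):
            findings.append(f"{key} still contains a placeholder: {url}")
            continue
        m = ENTRA_URL_RE.match(url)
        if not m or m.group(2) != kind:
            findings.append(f"{key} is not a v2.0 {kind} endpoint: {url}")
            continue
        tenants[key] = m.group(1)

    # The tenant in the URLs should be the configured tenant (only checkable when not redacted).
    tenant_id = settings.get('oauth2_tenant_id', '')
    if tenant_id not in ('', '***'):
        for key, tenant in tenants.items():
            if tenant != tenant_id:
                findings.append(f"{key} tenant segment '{tenant}' differs from oauth2_tenant_id")

    scopes = [s.strip() for s in settings.get('oauth2_client_scopes', '').split(',') if s.strip()]
    for needed in EXPECTED_SCOPES:
        if needed not in scopes:
            findings.append(f"scope '{needed}' missing from oauth2_client_scopes")
    return findings


def check_config_text(text):
    """Parse a pasted config and return the oauth2 findings for it."""
    return check_oauth2_settings(parse_settings(text))


if __name__ == '__main__':
    for finding in check_config_text(SAMPLE_CONFIG):
        print('-', finding)
```

Run against the pasted config it reports five findings: the three redacted values and the `{tenant-id}` placeholder in both URLs; it does not tell you whether the placeholder is a redaction or the real file content, which is exactly the question to answer first when a user is rejected after a successful Entra sign-in.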
@nilsteampassnet (Owner) commented

@kcbieng
Is the user allowed to access the Teampass application under Entra AD?

@kcbieng (Contributor, Author) commented Sep 13, 2024 via email

@kcbieng (Contributor, Author) commented Sep 16, 2024

I'm going to pull a fresh copy with the updates you made to OAuth and see if I have success.

@kcbieng (Contributor, Author) commented Sep 16, 2024

@nilsteampassnet I pulled a fresh copy of the latest files and still receive an error when trying to use OAuth. The App Registration is completed and the user is assigned permissions to the application in Azure. Azure is showing that the auth is successful.

In #4318 you said that the user will be created automatically, but it does not seem to be happening for me. I'm not receiving any error messages in the console or syslog.

Can you point me toward what method is prompting the user creation?

@nilsteampassnet (Owner) commented

@kcbieng some points:

  • At this stage, do you see an entry in table Users for this new user?
  • User creation is performed in function createOauth2User()
  • Uncomment line 2479 and check the result in the log
  • What error is shown when you write "and still receive an error when trying"?

I hope this helps to identify the cause

@kcbieng (Contributor, Author) commented Sep 17, 2024 via email

@hitenmandalia commented

Experiencing the same error "User is not allowed to authenticate with Teampass application".
No user created in database. Watching this topic 👍

@manwe commented Sep 20, 2024

Just upgraded to master and even the admin user gets that error.

nilsteampassnet added a commit that referenced this issue Sep 22, 2024
Finalizing removal of tp.config.php file
Potential fix for #4317
@hitenmandalia commented

Using latest commit, still not working. After OAuth login, getting the same message but this time the login box disappears.

[screenshot]

@hitenmandalia commented

Hi,

Does anyone else have this issue? Running latest version, new DB, new App Registration in Azure, but still getting the error "User is not allowed to authenticate with Teampass application". I have ensured that my account is allowed to access the app. Does anyone have AzureAD auth working who can help share their config (obviously omitting any sensitive data) so that I am able to compare?

Thanks

@nilsteampassnet (Owner) commented

Please see https://documentation.teampass.net/#/features/authentication?id=oauth2-with-microsoft-entra-azure

You have my configuration at the end.

@hitenmandalia commented

Hi @nilsteampassnet. Thank you for replying. I have followed your instructions and config to the letter but still get the same issue.

This is my configuration. Maybe you can see something wrong in it:

[four screenshots of the configuration]
