
OAuth Login Not Working without Pressing "Login" after Successful Authentication Token Received #4318

Closed
kcbieng opened this issue Sep 12, 2024 · 7 comments

Comments

@kcbieng
Contributor

kcbieng commented Sep 12, 2024

Steps to reproduce

  1. Set Up OAuth based on instructions
  2. Create User with username and email that will match OAuth User
  3. Use "Login with Azure" Button

Expected behaviour

User should return to redirect and be immediately logged in

Actual behaviour

User returns to Redirect URI and receives "User must log in with Azure" error with username and password filled into the boxes. Pressing on "Login" will then log the user in to TeamPass. When using this method, groups do not seem to be associated to existing roles either.

Server configuration

Operating system:
Alpine Linux v3.18

Web server:

Database:
MariaDB

PHP version:
8.2.7

Teampass version:
3.1.2.73

Teampass configuration file:

<?php
global $SETTINGS;
$SETTINGS = array (
    'max_latest_items' => '10',
    'enable_favourites' => '1',
    'show_last_items' => '1',
    'enable_pf_feature' => '1',
    'log_connections' => '1',
    'log_accessed' => '1',
    'time_format' => 'H:i:s',
    'date_format' => 'm/d/Y',
    'duplicate_folder' => '1',
    'item_duplicate_in_same_folder' => '1',
    'duplicate_item' => '1',
    'number_of_used_pw' => '3',
    'manager_edit' => '1',
    'cpassman_dir' => '/var/www/html',
    'cpassman_url' => 'https://teampass***',
    'favicon' => 'https://teampass.***/favicon.ico',
    'path_to_upload_folder' => '/var/www/html/upload',
    'path_to_files_folder' => '/var/www/html/files',
    'url_to_files_folder' => 'http://teampass.***/files',
    'activate_expiration' => '0',
    'pw_life_duration' => '0',
    'maintenance_mode' => '0',
    'enable_sts' => '0',
    'encryptClientServer' => '1',
    'teampass_version' => '3.1.2',
    'ldap_mode' => '0',
    'ldap_type' => '0',
    'ldap_user_attribute' => '0',
    'ldap_ssl' => '0',
    'ldap_tls' => '0',
    'ldap_port' => '389',
    'richtext' => '0',
    'allow_print' => '0',
    'roles_allowed_to_print' => '0',
    'show_description' => '1',
    'anyone_can_modify' => '0',
    'anyone_can_modify_bydefault' => '0',
    'nb_bad_authentication' => '0',
    'utf8_enabled' => '1',
    'restricted_to' => '0',
    'restricted_to_roles' => '0',
    'enable_send_email_on_user_login' => '0',
    'enable_user_can_create_folders' => '0',
    'insert_manual_entry_item_history' => '0',
    'enable_kb' => '0',
    'enable_email_notification_on_item_shown' => '0',
    'enable_email_notification_on_user_pw_change' => '0',
    'custom_logo' => '',
    'custom_login_text' => '',
    'default_language' => 'english',
    'send_stats' => '0',
    'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;',
    'send_stats_time' => '1723580321',
    'get_tp_info' => '1',
    'send_mail_on_user_login' => '0',
    'sending_emails' => '0',
    'nb_items_by_query' => 'auto',
    'enable_delete_after_consultation' => '0',
    'enable_personal_saltkey_cookie' => '0',
    'personal_saltkey_cookie_duration' => '31',
    'email_smtp_server' => '',
    'email_smtp_auth' => '',
    'email_auth_username' => '',
    'email_auth_pwd' => '',
    'email_port' => '',
    'email_security' => '',
    'email_server_url' => '',
    'email_from' => '',
    'email_from_name' => '',
    'pwd_maximum_length' => '40',
    'google_authentication' => '0',
    'delay_item_edition' => '0',
    'allow_import' => '1',
    'proxy_ip' => '',
    'proxy_port' => '',
    'upload_maxfilesize' => '10mb',
    'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx',
    'upload_imagesext' => 'jpg,jpeg,gif,png',
    'upload_pkgext' => '7z,rar,tar,zip',
    'upload_otherext' => 'sql,xml',
    'upload_imageresize_options' => '1',
    'upload_imageresize_width' => '800',
    'upload_imageresize_height' => '600',
    'upload_imageresize_quality' => '90',
    'use_md5_password_as_salt' => '0',
    'ga_website_name' => 'TeamPass for ChangeMe',
    'api' => '0',
    'subfolder_rights_as_parent' => '0',
    'show_only_accessible_folders' => '0',
    'enable_suggestion' => '0',
    'otv_expiration_period' => '7',
    'default_session_expiration_time' => '60',
    'duo' => '0',
    'enable_server_password_change' => '0',
    'bck_script_path' => '/var/www/html/backups',
    'bck_script_filename' => 'bck_teampass',
    'syslog_enable' => '0',
    'syslog_host' => 'localhost',
    'syslog_port' => '514',
    'manager_move_item' => '0',
    'create_item_without_password' => '1',
    'otv_is_enabled' => '0',
    'agses_authentication_enabled' => '0',
    'item_extra_fields' => '0',
    'saltkey_ante_2127' => 'none',
    'migration_to_2127' => 'done',
    'files_with_defuse' => 'done',
    'timezone' => 'America/Chicago',
    'enable_attachment_encryption' => '1',
    'personal_saltkey_security_level' => '50',
    'ldap_new_user_is_administrated_by' => '0',
    'disable_show_forgot_pwd_link' => '0',
    'offline_key_level' => '0',
    'enable_http_request_login' => '0',
    'ldap_and_local_authentication' => '0',
    'secure_display_image' => '1',
    'upload_zero_byte_file' => '0',
    'upload_all_extensions_file' => '0',
    'bck_script_passkey' => '***',
    'admin_2fa_required' => '1',
    'password_overview_delay' => '4',
    'copy_to_clipboard_small_icons' => '1',
    'duo_ikey' => '',
    'duo_skey' => '',
    'duo_host' => '',
    'duo_failmode' => 'secure',
    'roles_allowed_to_print_select' => '',
    'clipboard_life_duration' => '30',
    'mfa_for_roles' => '',
    'tree_counters' => '0',
    'settings_offline_mode' => '0',
    'settings_tree_counters' => '0',
    'enable_massive_move_delete' => '0',
    'email_debug_level' => '0',
    'ga_reset_by_user' => '',
    'onthefly-backup-key' => '',
    'onthefly-restore-key' => '',
    'ldap_user_dn_attribute' => '',
    'ldap_dn_additional_user_dn' => '',
    'ldap_user_object_filter' => '',
    'ldap_bdn' => '',
    'ldap_hosts' => '',
    'ldap_password' => '',
    'ldap_username' => '',
    'api_token_duration' => '60',
    'last_folder_change' => '',
    'enable_tasks_manager' => '1',
    'task_maximum_run_time' => '300',
    'tasks_manager_refreshing_period' => '20',
    'maximum_number_of_items_to_treat' => '100',
    'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER',
    'enable_tasks_log' => '0',
    'upgrade_timestamp' => '1726172321',
    'enable_ad_users_with_ad_groups' => '0',
    'enable_ad_user_auto_creation' => '0',
    'ldap_guid_attibute' => 'objectguid',
    'sending_emails_job_frequency' => '2',
    'user_keys_job_frequency' => '1',
    'items_statistics_job_frequency' => '5',
    'users_personal_folder_task' => '',
    'clean_orphan_objects_task' => '',
    'purge_temporary_files_task' => '',
    'rebuild_config_file' => '',
    'reload_cache_table_task' => '',
    'maximum_session_expiration_time' => '60',
    'items_ops_job_frequency' => '1',
    'enable_refresh_task_last_execution' => '1',
    'ldap_group_objectclasses_attibute' => 'top,groupofuniquenames',
    'pwd_default_length' => '14',
    'tasks_log_retention_delay' => '30',
    'oauth2_enabled' => '1',
    'oauth2_client_id' => '***',
    'oauth2_client_secret' => '***',
    'oauth2_client_endpoint' => 'https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize',
    'oauth2_client_token' => 'https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token',
    'oauth2_client_scopes' => 'openid,profile,email',
    'oauth2_client_appname' => 'Login with Microsoft',
    'show_item_data' => '0',
    'oauth2_tenant_id' => '***',
);

Updated from an older Teampass or fresh install:
Fresh Install

Client configuration

Browser:

Operating system:

Logs

Web server error log

Insert your webserver log here

Log from the web-browser developer console (CTRL + SHIFT + i)

We have an oauth2 login
index.php:2957 KEY : Matches
index.php:2988 Recevied key Matches and local keyMatches
index.php:3029 Get 2FA Methods answer:
index.php:3030 Object
{
    "agses": false,
    "google": false,
    "yubico": false,
    "duo": false
}
index.php:3094 Data submitted to identifyUser:
index.php:3095 Object
{
    "login": "***Matches created user name***",
    "pw": "***is a password that works after pressing the "Login" button***",
    "duree_session": "60",
    "screenHeight": 641.969,
    "randomstring": "***",
    "TimezoneOffset": 18000,
    "client": "",
    "user_2fa_selection": "",
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "businessPhones": [
        "***"
    ],
    "displayName": "***",
    "givenName": "***",
    "jobTitle": "***",
    "mail": "***",
    "mobilePhone": "+***",
    "officeLocation": null,
    "preferredLanguage": null,
    "surname": "***",
    "userPrincipalName": "***",
    "id": "***",
    "groups": [
        Removed for Privacy
    ],
    "oauth2TokenUsed": true,
    "oauth2LoginOngoing": true
}
index.php:3143 Identification answer:
index.php:3144 SESSION KEY is: Matches
index.php:3145 Object
{
    "error": true,
    "message": "User has to authenticate using Entra/Azure AD"
}
@nilsteampassnet
Owner

@kcbieng
You don't have to create the user in teampass.
It will be created at first login.
Just click on "Login with Azure", fill in the SSO credentials, wait, and you are connected.

@kcbieng
Contributor Author

kcbieng commented Sep 13, 2024 via email

@nilsteampassnet
Owner

Thank you for your feedback.
Yes it has to be multitenant to work.
And you are right, I have to store the tenant related to the user.
And a non OAuth user will not be able to get auth in teampass without the OAuth token. The OAuth user password is not known by teampass.

@kcbieng
Contributor Author

kcbieng commented Sep 13, 2024 via email

nilsteampassnet added a commit that referenced this issue Sep 14, 2024
Improving oauth2 feature (#4318) ; no multi-tenant expected from now.
@nilsteampassnet
Owner

I provided an improvement regarding multi-tenant.
It is now possible to use the option "My organization only", which makes sense regarding the usage around Teampass.

@nilsteampassnet
Owner

In that case, when I attempted to log in with OAuth to a created username that is not an OAuth user the actual team pass password for the user was being exposed in the console after the OAuth login failed.

You have enabled debug to have this info in the console.
In this case, it exposes a password as a user you already know.
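The exchange above turns on one detail of the console log in the original report: with client-side debug enabled, the full payload sent to identifyUser (including the "pw" field) is written to the browser console. The helper below is an added example and is not TeamPass code; it shows the usual mitigation, which is to redact secret-bearing fields from a payload before any debug logging happens, so that a debug build never prints credentials or tokens. The key list, function names and the sample payload are all constructed for this illustration and are not taken from the project.

```javascript
// Added example (not TeamPass code): redact secret-bearing fields from a
// debug payload before it reaches console.log. Keys are matched
// case-insensitively; the list below is an assumption for this illustration.
const SENSITIVE_KEYS = new Set([
  'pw', 'password', 'randomstring',
  'access_token', 'refresh_token', 'id_token', 'client_secret',
]);

const REDACTED = '[REDACTED]';

// Returns a deep copy of `value` with sensitive keys replaced by REDACTED.
// The input is never mutated, so the real payload still goes to the server.
function redactForDebug(value, depth = 0) {
  if (depth > 32) return '[depth limit]';          // guard against cyclic input
  if (Array.isArray(value)) {
    return value.map((v) => redactForDebug(v, depth + 1));
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase())
        ? REDACTED
        : redactForDebug(v, depth + 1);
    }
    return out;
  }
  return value;                                     // primitives pass through
}

// Debug logger that only ever sees the redacted copy. Returns what was
// logged (or null when debug is off) so the behaviour can be checked.
function debugLog(label, payload, debugEnabled) {
  if (!debugEnabled) return null;
  const safe = redactForDebug(payload);
  console.log(label, safe);
  return safe;
}

// Constructed sample payload mirroring the shape shown in the issue's
// console log; the values are placeholders, not real data.
const samplePayload = {
  login: 'jdoe',
  pw: 'not-a-real-password',
  duree_session: '60',
  randomstring: 'placeholder',
  groups: [{ id: 'group-placeholder' }],
  oauth2TokenUsed: true,
  oauth2LoginOngoing: true,
};

debugLog('Data submitted to identifyUser:', samplePayload, true);
```

The non-secret fields (login, session duration, OAuth flags, group list) stay visible, which is what a debug trace needs to diagnose the "User has to authenticate using Entra/Azure AD" response, while the password and the per-request random string never reach the console.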

@kcbieng
Contributor Author

kcbieng commented Sep 16, 2024

Rgr, sounds like this issue is moot. Closing and leaving the other issue open.

@kcbieng kcbieng closed this as completed Sep 16, 2024