Authentik OIDC SSO - A) Can't Bypass Meshcentral Login Screen, B) Existing Users Ignored and New Ones Created

[pr0927]

Hi all, I recently migrated my entire self-hosted server platform from TrueNAS and Truecharts apps with a Traefik reverse proxy to Proxmox, Debian VMs, Docker containers, and an NPMplus reverse proxy.

One of the things I had been in the midst of implementing was SSO via Authentik for as many apps as possible. Meshcentral seems to have very robust OIDC support (and other SSO support) so I was excited to get it going. However, I seem to have run into two issues:

1. Ideally I'd like to bypass the Meshcentral login page and just have Authentik's login page appear instead, and upon login, kick the user right into Meshcentral - right now I just see the OIDC button at the bottom of the Meshcentral login screen.

2. After a LOT of trial and error and effort, OIDC login works - if I have "newAccounts" set to true in my config.json - if it's false, it just fails and says no existing account was found. However, I was hoping to have the login pass through and check for existing accounts and log into something tied by e-mail address or username (to an Authentik user). Frankly, I'm a bit of a noob on this, so I'm not surprised if I did this wrong. But it seems to create a new user, with the same e-mail address an existing one - though the list of users does show a little OIDC badge/icon on it, and the username seems to have some leading "oidc://" part to it.

I'm hoping I've just done something stupid and obvious to the more experienced folks here, and it's an easy fix (for both issues).

Please bear with me as I share a bunch of configs and screenshots, would mega-appreciate any guidance!

Here is my current Docker compose for Meshcentral:

version: "3.9"
services:
    meshcentral:
        restart: unless-stopped
        container_name: meshcentral
        image: typhonragewind/meshcentral:latest
        ports:
            - 8086:443  #MeshCentral will moan and try everything not to use port 80, but you can also use it if you so desire, just change the config.json according to your needs
        environment:
            - TZ=America/Los_Angeles
            - HOSTNAME=rmm.mydomain.tld    #your hostname
            - REVERSE_PROXY=192.168.0.84     #set to your reverse proxy IP if you want to put meshcentral behind a reverse proxy
            - REVERSE_PROXY_TLS_PORT=443
            - IFRAME=false    #set to true if you wish to enable iframe support
            - ALLOW_NEW_ACCOUNTS=false    #set to false if you want disable self-service creation of new accounts besides the first (admin)
            - WEBRTC=true  #set to true to enable WebRTC - per documentation it is not officially released with meshcentral, but is solid enough to work with. Use with caution
            - BACKUPS_PW=LXj69ZfrX^sjmh #password for the autobackup function
            - BACKUP_INTERVAL=24 # Interval in hours for the autobackup function
            - BACKUP_KEEP_DAYS=10 #number of days of backups the function keeps
        volumes:
            - /data/meshcentral/data:/opt/meshcentral/meshcentral-data    #config.json and other important files live here. A must for data persistence
            - /data/meshcentral/user_files:/opt/meshcentral/meshcentral-files    #where file uploads for users live
            - /data/meshcentral/backups:/opt/meshcentral/meshcentral-backups     #Backups location

Here is my Meshcentral config.json:

{
  "$schema": "http://info.meshcentral.com/downloads/meshcentral-config-schema.json",
  "settings": {
    "debug": "web,amt,mps",
    "cert": "rmm.mydomain.tld",
    "_WANonly": true,
    "_LANonly": true,
    "sessionKey": "[redacted]",
    "port": 443,
    "aliasPort": 8086,
    "_redirPort": 8087,
    "_redirAliasPort": 80,
    "BrowserPong": 30,
    "AgentPong": 30,
    "AgentPing": 30,
    "TLSOffload": "127.0.0.1",
    "_ignoreAgentHashCheck": true,
    "SelfUpdate": false,
    "AllowFraming": false,
    "WebRTC": true,
    "AutoBackup": {
      "backupPath": "/opt/meshcentral/meshcentral-backups",
      "backupInvervalHours": 24,
      "keepLastDaysBackup": "10",
      "zippassword": "LXj69ZfrX^sjmh"
    }
  },
  "domains": {
      "": {
          "title": "RMM",
          "title2": "[redacted]",
          "authStrategies": {
              "oidc": {
                  "issuer": {
                      "issuer": "https://auth.mydomain.tld/application/o/meshcentral/",
                      "authorization_endpoint": "https://auth.mydomain.tld/application/o/authorize/",
                      "token_endpoint": "https://auth.mydomain.tld/application/o/token/",
                      "end_session_endpoint": "https://auth.mydomain.tld/application/o/meshcentral/end-session/",
                      "jwks_uri": "https://auth.mydomain.tld/application/o/meshcentral/jwks/"
                  },
                  "client": {
                      "client_id": "[redacted]",
                      "client_secret": "[redacted]",
                      "redirect_uri": "https://rmm.mydomain.tld/auth-oidc-callback",
                      "post_logout_redirect_uri": "https://rmm.mydomain.tld/login"
                  },
                  "custom": {
                      "scope": [ "openid", "profile", "email" ]
                  },
                  "logouturl": "https://auth.mydomain.tld/application/o/meshcentral/end-session/?r=https://rmm.mydomain.tld/login",
                  "newAccounts": false
              }
          },
          "_minify": true,
          "allowedOrigin": true,
          "newAccounts": false,
          "userNameIsEmail": true,
          "certUrl": "https://rmm.mydomain.tld",
          "nightMode": 1
        }
  },
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to https://letsdebug.net/ first before>",
    "_email": "[email protected]",
    "_names": "myserver.mydomain.com",
        "production": false
  }
}

Here's the Authentik provider setup:

Here's my Authentik app setup for Meshcentral:

And lastly, here's how my NPMplus is setup:

Here's the NPMplus advanced tab (seems smarter to just paste the code):

proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Host $http_host;

[si458]

you can use "unknownUserRootRedirect": "auth-oidc" inside your "domains"
basically setting unknownUserRootRedirect to any url will tell meshcentral, if the user isnt logged in where should we redirect them
and in this case it will redirect them to the login oidc page in meshcentral which will then call your oidc login
also note: if you use unknownUserRootRedirect you can still redirect users to /login to get the original login page

you can also set "showPasswordLogin": false and this hide the user/pass login fields and only shows the OIDC login button

as for setting "newAccounts": false, sadly it needs to be true when using an external provider
this is because meshcentral has no control over users, its up to the external provider to provide the login and groups etc,
so if a new user logs in, meshcentral needs to then create the user and it creates the id with the format of
user//~oidc:COMPLETERANDOMIDPROVIDEDBYYOUREXTERNALPROVIDER

also meshcentral doesnt know what COMPLETERANDOMIDPROVIDEDBYYOUREXTERNALPROVIDER would be,
until the user logs in and its provided by the oidc provider so its impossible to create it before hand!

in theory according to the source, meshcentral used the .sub from your provider but no idea what that actually is

[pr0927]

Oh interesting, O.K., So I suppose I wasn't far off from getting as close to my intended end result as hoped.

For Meshcentral then, it seems that it's not possible to have the existing user detected as such, from what it seems you're saying?

In which case, best practice would be just to create a "local" root account, then an OIDC account for myself to use with lesser permissions, I think.

Appreciate your quick and helpful response!

[si458]

Yes that's one way to do it!
But with the oidc, u have control over the groups and permissions
So create ur admin user in oidc then create a group in ur oidc
Then add user to group
Then within config.json u can set the siteadmin group name, and sync feature
Then when the user logs in, meshcentral downloads all the groups and if that user is in the siteadmin group they become a full admin!
Checks docs here for info! https://ylianst.github.io/MeshCentral/meshcentral/openidConnectStrategy/

[pr0927]

Sorry for my belated response - I did briefly see that but got (mildly) scared of groups stuff for some reason, haha. Your explanation makes it sound more logical suddenly. Thank you, will definitely give that a go!