OAUTH: email/contact_email not populated

Hi,

I am currently migrating authentication from local to OAUTH (authentik) and while it generally works, some pieces are missing when logging in via OAUTH.

Most notably, contact_email doesn’t get populated at all and email gets populated with the xxxx@auth.local address.

Without a valid email address, sharing via email, for example, obviously doesn’t work.

Here’s the relevant piece of my seahub_settings.py:

ENABLE_OAUTH = True
OAUTH_CREATE_UNKNOWN_USER = True
OAUTH_ACTIVATE_USER_AFTER_CREATION = True
OAUTH_ENABLE_INSECURE_TRANSPORT = True
OAUTH_CLIENT_ID = "xxx"
OAUTH_CLIENT_SECRET = "yyyy"
OAUTH_REDIRECT_URL = 'https://seafile.example.com/oauth/callback/'
OAUTH_PROVIDER = 'authentik-auth.example.com'
OAUTH_AUTHORIZATION_URL = 'https://auth.example.com/application/o/authorize/'
OAUTH_TOKEN_URL = 'https://auth.example.com/application/o/token/'
OAUTH_USER_INFO_URL = 'https://auth.example.com/application/o/userinfo/'
OAUTH_SCOPE = [ "openid", "profile", "email",]
OAUTH_ATTRIBUTE_MAP = {
    "name": (True, "name"),
    "email": (True, "contact_email"),
    "email": (True, "email"),
    "email": (True, "uid"), 
}

As you can see, I tried hard to make seafile accept the email sent by authentik.

authentik sends something like this:

{'sub': 'XXXX', 'email': 'foobar@example.com', 'email_verified': True, 'name': 'Foo Bar', 'given_name': 'Foo Bar', 'preferred_username': 'foobar', 'nickname': 'foobar', 'groups': ['foobar foobars']}

So the email field is clearly there, but it never shows in any of the database tables:

MariaDB [ccnet_db]> select id,email from EmailUser;
+----+---------------------------------------------+
| id | email                                       |
+----+---------------------------------------------+
| 17 | 283b8855f97e42e4afe2a4d9e81a1c24@auth.local |

MariaDB [seahub_db]> select id,username,uid from social_auth_usersocialauth;
+----+---------------------------------------------+------------------+
| id | username                                    | uid              |
+----+---------------------------------------------+------------------+
|  7 | 283b8855f97e42e4afe2a4d9e81a1c24@auth.local | foobar@example.com |

So how do I convince seafile to populate email/contact_email with the fitting OAUTH properties?

Hi
Since Seafile v11.0, we have changed the display of unique id in Seafile database. As you show, the email or username is an email-like virtual id. As for the email, it will be saved in the contact_email field in profile_profile table. For more information about OAUTH integration, please refer to OAuth Authentication - Seafile Admin Manual.

Thank you,

I wasn’t aware of profile_profile.contact_email indeed. However, I initially followed the docs, but to no avail.

For example:

This OAUTH_ATTRIBUTE_MAP allows me to log in via authentik, but the contact_email is not populated with the email from authentik:

OAUTH_ATTRIBUTE_MAP = {
    "email": (True, "email"),  # Please keep the 'email' option unchanged to be compatible with the login of users of version 11.0 and earlier.
    "name": (False, "name"),
}

This isn’t unexpected, because contact_email isn’t included in the map.

MariaDB [seahub_db]> select id,user,contact_email from profile_profile;
+----+---------------------------------------------+---------------+
| id | user                                        | contact_email |
+----+---------------------------------------------+---------------+
| 19 | 75530937239d4f31ada5f929ff57634f@auth.local | NULL          |

So if I now add the contact_email like this:

OAUTH_ATTRIBUTE_MAP = {
    "email": (True, "email"),  # Please keep the 'email' option unchanged to be compatible with the login of users of version 11.0 and earlier.
    "name": (False, "name"),
    "email": (False, "contact_email"),
}

I cannot log in using authentik, seafile shows a red message “Error, please contact administrator” in the browser and seahub.log contains this:

2024-07-15 11:20:06,329 [ERROR] seahub.oauth.views:171 oauth_callback oauth user uid and email not found.
2024-07-15 11:20:06,329 [ERROR] seahub.oauth.views:172 oauth_callback user_info_json: {'sub': 'XXXX', 'email': 'foobar@example.com', 'email_verified': True, 'name': 'Foo Bar', 'given_name': 'Foo Bar', 'preferred_username': 'foobar', 'nickname': 'foobar', 'groups': ['foobar foobars']}

So what does OAUTH_ATTRIBUTE_MAP have to look like so that it correctly stores the user’s email address in profile_profile.contact_address?

Update: I just solved it myself. In order for contact_email to be properly populated, OAUTH_ATTRIBUTE_MAP has to look like this when authenticating against authentik:

OAUTH_ATTRIBUTE_MAP = {
    "sub": (True, "uid"),
    "name": (False, "name"),
    "email": (True, "contact_email"),
}

Given the fact that authentik is quite popular these days and that there are a number of conflicting/unclear posts here in the forum, I think it would be nice to see this added to the official Server Admin documentation.
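
Added example, not part of the original thread and not Seafile's own code: a Python dict literal keeps only the last value for a repeated key, so the maps in this thread that list "email" more than once silently lose the earlier entries, which is consistent with the "uid and email not found" log line. The checker below parses a settings snippet, reports repeated keys and returns the map Python actually builds; `map_claims` is a simplified, hypothetical model of applying that map to the userinfo response, and all sample values are constructed from the thread.

```python
import ast

# Constructed sample: the failing map from the thread, as settings source text.
FAILING = '''OAUTH_ATTRIBUTE_MAP = {
    "email": (True, "email"),
    "name": (False, "name"),
    "email": (False, "contact_email"),
}'''
# The working map from the thread.
WORKING = '''OAUTH_ATTRIBUTE_MAP = {
    "sub": (True, "uid"),
    "name": (False, "name"),
    "email": (True, "contact_email"),
}'''
# Constructed userinfo response, shaped like the one quoted in the thread.
USERINFO = {"sub": "XXXX", "email": "foobar@example.com", "name": "Foo Bar"}


def audit_attribute_map(source, name="OAUTH_ATTRIBUTE_MAP"):
    """Return (duplicate_keys, effective_map) for a dict-literal assignment."""
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Dict)):
            continue
        if not any(isinstance(t, ast.Name) and t.id == name for t in node.targets):
            continue
        keys = [ast.literal_eval(k) for k in node.value.keys if k is not None]
        dupes = sorted({k for k in keys if keys.count(k) > 1})
        # literal_eval builds the dict the way Python does: the last duplicate wins.
        return dupes, ast.literal_eval(node.value)
    raise ValueError(f"{name} not found as a dict literal")


def map_claims(attribute_map, userinfo):
    """Simplified model (an assumption, not Seahub's code): copy mapped claims."""
    out = {}
    for claim, (required, target) in attribute_map.items():
        if claim in userinfo:
            out[target] = userinfo[claim]
        elif required:
            raise KeyError(f"required claim {claim!r} missing from userinfo")
    return out


if __name__ == "__main__":
    for label, src in (("failing", FAILING), ("working", WORKING)):
        dupes, effective = audit_attribute_map(src)
        print(label, "duplicates:", dupes, "->", map_claims(effective, USERINFO))
```
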