
Failed create rule constraint: Only admins can create new accounts with OAuth2 #291

Closed
Buco7854 opened this issue Nov 19, 2024 · 7 comments
Labels
enhancement New feature or request

Comments

@Buco7854

Hello,
I set up OIDC with Authentik.
When I try to log in with OIDC for the first time (I did not try with an already existing user), I get the following log.

```json
{
  "id": "rfkjzux469uhxje",
  "created": "2024-11-19 10:09:16.665Z",
  "updated": "2024-11-19 10:09:16.665Z",
  "data": {
    "auth": "guest",
    "details": "Failed create rule constraint: Only admins can create new accounts with OAuth2",
    "error": "Failed to authenticate.",
    "execTime": 709.867505,
    "method": "POST",
    "referer": "https://beszel.example.com/settings/general",
    "remoteIp": "192.168.1.61",
    "status": 400,
    "type": "request",
    "url": "/api/collections/users/auth-with-oauth2",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0",
    "userIp": "77.236.98.186"
  },
  "message": "POST /api/collections/users/auth-with-oauth2",
  "level": 8
}
```
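
A log entry like the one above is also what you see when someone who is not a provisioned user hits the OAuth2 endpoint, so it is worth telling "rejected by the Create rule" apart from other OAuth2 failures and counting them per client. The following is an added example (not code from the issue, Beszel or PocketBase) that triages entries in this `_logs` shape; the sample entries and their documentation-range IPs are constructed.

```javascript
const OAUTH2_AUTH_URL = '/api/collections/users/auth-with-oauth2'
const CREATE_RULE_MSG = 'Failed create rule constraint'

// Classify one entry in the shape PocketBase stores in its _logs collection
// (the record above): only the OAuth2 auth endpoint is of interest here.
function classifyEntry(entry) {
  const d = entry.data || {}
  if (d.url !== OAUTH2_AUTH_URL) return 'other'
  if (d.status === 200) return 'oauth2-ok'
  if (typeof d.details === 'string' && d.details.startsWith(CREATE_RULE_MSG)) {
    return 'signup-blocked-by-create-rule'
  }
  return 'oauth2-failed'
}

// Aggregate per client IP. userIp is the client address PocketBase resolved
// (behind a reverse proxy remoteIp is usually the proxy), so userIp wins.
function triageAuthLogs(entries) {
  const report = {}
  for (const e of entries) {
    const kind = classifyEntry(e)
    if (kind === 'other') continue
    const d = e.data || {}
    const ip = d.userIp || d.remoteIp || 'unknown'
    if (!report[ip]) report[ip] = { blockedSignups: 0, otherFailures: 0, ok: 0, lastSeen: '' }
    const r = report[ip]
    if (kind === 'signup-blocked-by-create-rule') r.blockedSignups++
    else if (kind === 'oauth2-failed') r.otherFailures++
    else r.ok++
    if (e.created > r.lastSeen) r.lastSeen = e.created
  }
  return report
}

// Constructed sample entries (documentation-range IPs, made-up details), not real logs.
const SAMPLE_LOGS = [
  { created: '2024-11-19 10:09:16.665Z', data: { url: OAUTH2_AUTH_URL, status: 400,
    details: 'Failed create rule constraint: Only admins can create new accounts with OAuth2',
    userIp: '203.0.113.5', remoteIp: '192.168.1.61' } },
  { created: '2024-11-19 10:11:02.001Z', data: { url: OAUTH2_AUTH_URL, status: 400,
    details: 'Failed create rule constraint: Only admins can create new accounts with OAuth2',
    userIp: '203.0.113.5', remoteIp: '192.168.1.61' } },
  { created: '2024-11-19 10:12:40.120Z', data: { url: OAUTH2_AUTH_URL, status: 400,
    details: 'Failed to exchange code for token.', userIp: '198.51.100.7', remoteIp: '192.168.1.61' } },
  { created: '2024-11-19 10:13:00.000Z', data: { url: '/api/collections/systems/records',
    status: 200, userIp: '203.0.113.5', remoteIp: '192.168.1.61' } },
]

console.log(JSON.stringify(triageAuthLogs(SAMPLE_LOGS), null, 2))
```

Feed it the records exported from the `_logs` collection (or read them with the SDK) and a single IP with many blocked sign-ups stands out from a legitimate user who simply has not been provisioned yet.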
@henrygd (Owner)

henrygd commented Nov 19, 2024

By default it does not allow automatic registration. The users have to be created ahead of time either by REST API or manually adding them through PocketBase.

I will add an env var in the future to allow automatic registration via OAuth2.

If you need to do this now, toggle off this switch on /_/#/settings

[screenshot]

Then edit the users collection:

[screenshot]

In "API Rules" change the "Create rule" to @request.context = "oauth2"

[screenshot]

Then go back to /_/#/settings and toggle the switch back on.

[screenshot]
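
The same rule change can be made through PocketBase's admin REST API instead of the Admin UI; the following is an added example (not code from the issue, Beszel or PocketBase), and it also spells out why the exact rule matters: a locked rule (`null`) rejects everyone but admins, an empty rule would let any client register, and `@request.context = "oauth2"` limits creation to the OAuth2 flow. It assumes the pre-0.23 PocketBase endpoints that the thread's `pb.admins.authWithPassword` SDK call maps to (`/api/admins/auth-with-password`, `PATCH /api/collections/users`), that the switch toggled in the screenshots only affects the Admin UI and not the API, and the env var names PB_URL, PB_ADMIN_EMAIL and PB_ADMIN_PASSWORD.

```javascript
const OAUTH2_ONLY_RULE = '@request.context = "oauth2"'

// PocketBase API rule semantics: null = locked (admins only), "" = anyone,
// otherwise the rule expression itself decides who may create a record.
function describeCreateRule(rule) {
  if (rule === null || rule === undefined) return 'locked: only admins can create users'
  if (rule.trim() === '') return 'open: any unauthenticated client can POST a new user'
  if (rule.trim() === OAUTH2_ONLY_RULE) return 'oauth2-only: sign-up only via the OAuth2 flow'
  return `custom rule: ${rule}`
}

// Authenticate as a PocketBase admin and PATCH the users collection's createRule.
// Only runs when PB_ADMIN_EMAIL is set, so the file loads without a server.
async function applyOauth2SignupRule(baseUrl, email, password) {
  const authRes = await fetch(`${baseUrl}/api/admins/auth-with-password`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ identity: email, password }),
  })
  if (!authRes.ok) throw new Error(`admin auth failed: ${authRes.status}`)
  const { token } = await authRes.json()

  const before = await fetch(`${baseUrl}/api/collections/users`, {
    headers: { Authorization: token },
  }).then((r) => r.json())
  console.log('before:', describeCreateRule(before.createRule))

  const res = await fetch(`${baseUrl}/api/collections/users`, {
    method: 'PATCH',
    headers: { 'Content-Type': 'application/json', Authorization: token },
    body: JSON.stringify({ createRule: OAUTH2_ONLY_RULE }),
  })
  if (!res.ok) throw new Error(`collection update failed: ${res.status}`)
  const after = await res.json()
  console.log('after:', describeCreateRule(after.createRule))
  return after.createRule
}

if (process.env.PB_ADMIN_EMAIL) {
  applyOauth2SignupRule(process.env.PB_URL || 'http://localhost:8090',
    process.env.PB_ADMIN_EMAIL, process.env.PB_ADMIN_PASSWORD)
}
```

Run it once against the instance; the "before"/"after" lines confirm the collection moved from locked to oauth2-only rather than to open.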

@henrygd henrygd added the enhancement New feature or request label Nov 19, 2024
@Buco7854 (Author)

Thanks a lot. Will there be a way to auto-provision roles based on OIDC claims?

@henrygd (Owner)

henrygd commented Nov 20, 2024

I'll look into it. For now every new registration should get the user role. If you need to set someone to admin or readonly, you can do so in the PocketBase users table.

Note that PocketBase admin accounts are separate from Beszel user accounts, so if you want someone to be able to log into PocketBase, you need to create an admin account for them at /_/#/settings/admins.

@Buco7854 (Author)

> I'll look into it. For now every new registration should get the user role. If you need to set someone to admin or readonly, you can do so in the PocketBase users table.
>
> Note that PocketBase admin accounts are separate from Beszel user accounts, so if you want someone to be able to log into PocketBase, you need to create an admin account for them at /_/#/settings/admins.

Yes, I did that, thanks; I just wanted to know if it was planned. PocketBase does not support OIDC enrollment for admins, sadly, but it's fine.

Thanks for your time 😁.

@MarkusGnigler

Would it be possible to create some form of docs/wiki page? I think this is a good first page.

I kindly ask for additional information on how the user identifier is mapped or whether it is configurable.
Maybe it's also possible to assign groups instead of users to servers?

Thanks

@henrygd (Owner)

henrygd commented Dec 12, 2024

@MarkusGnigler I'm working on a docs site for the next release here: https://preview.beszel.dev

The OAuth functionality is native to PocketBase, so I don't know every detail of how it's implemented. But the accounts should be linked with a unique ID originating from the OAuth account (see screenshot). Are you having an issue with this?

[screenshot]

I agree that user groups would be a nice time-saving feature if you have many users or systems. It's something I'd like to add in the future.

For now, perhaps using the REST API would be the most efficient way to assign users to systems. Here's an example using the PocketBase JS SDK with Bun:

```js
import PocketBase from 'pocketbase'

const pb = new PocketBase('http://localhost:8090')

const systemNames = ['localhost', 'kagemusha']
const userEmails = ['[email protected]', '[email protected]']

// authenticate as admin (credentials come from the environment, never hardcoded)
await pb.admins.authWithPassword(process.env.EMAIL, process.env.PASSWORD)

// get user ids
// the filter is built by string joining, which is fine for these hardcoded
// lists; for values from untrusted input use pb.filter() with bound params
const userIds = await pb
	.collection('users')
	.getFullList({
		fields: 'id',
		filter: `email='${userEmails.join(`'||email='`)}'`,
	})
	.then((records) => records.map(({ id }) => id))

// get id and current users for systems
const systemsData = await pb.collection('systems').getFullList({
	fields: 'id,users',
	filter: `name='${systemNames.join(`'||name='`)}'`,
})

// loop through systems and add users to them (the Set keeps users that are already assigned from being duplicated)
for (const system of systemsData) {
	const updatedUsers = Array.from(new Set([...system.users, ...userIds]))
	await pb.collection('systems').update(system.id, { users: updatedUsers })
}
```

@MarkusGnigler

Sorry for being late, I had a complete server crash this weekend.

Thanks for pointing me to the documentation page.
Maybe I will find time to investigate the user mapping behavior of PocketBase. If I do, I'll report back.

Thanks for the snippet, and also for your friendly, open-minded personality for accepting all kinds of ideas!
