Unable to log in using oAuth

[DaveWebb2]

Page on which it happened

index.php

Steps to reproduce

1. Configure oAuth using this guide: https://documentation.teampass.net/#/features/authentication?id=oauth2-with-microsoft-entra-azure
2. Try to log in as a user

Expected behaviour

User should log in to TeamPass

Actual behaviour

User enters credentials for Entra ID then gets back to the TeamPass login screen. The address in the address bar contains this:

"The application asked for scope openid profile email User.Read Group.Read.All that doesn't exist on the resource"

I have double-checked that the permissions in the App registration are correct as per the documentation, and my user account has access to the application.

Server configuration

Operating system: Linux mytp_c263afeadb 5.15.164.1-1.cm2 #1 SMP Sun Aug 18 19:16:21 UTC 2024 x86_64

Web server: nginx/1.26.1

Database: 8.0.39-azure

PHP version: 8.3.9

Teampass version: 3.1.3.10

Teampass configuration variables:

'activate_expiration' => '0'
'admin_2fa_required' => '1'
'agses_authentication_enabled' => '0'
'allow_import' => '0'
'allow_print' => '0'
'anyone_can_modify' => '0'
'anyone_can_modify_bydefault' => '0'
'api' => '0'
'api_token_duration' => '60'
'bck_script_filename' => 'bck_teampass'
'bck_script_passkey' => '<removed>'
'bck_script_path' => '/home/site/wwwroot/backups'
'clean_orphan_objects_task' => ''
'clipboard_life_duration' => '30'
'copy_to_clipboard_small_icons' => '1'
'cpassman_dir' => '/home/site/wwwroot'
'cpassman_url' => 'https://<anonym_url>'
'create_item_without_password' => '0'
'custom_login_text' => ''
'custom_logo' => ''
'date_format' => 'd/m/Y'
'default_language' => 'english'
'default_session_expiration_time' => '60'
'delay_item_edition' => '0'
'disable_show_forgot_pwd_link' => '0'
'duo' => '0'
'duo_failmode' => 'secure'
'duo_host' => '<removed>'
'duo_ikey' => '<removed>'
'duo_skey' => '<removed>'
'duplicate_folder' => '0'
'duplicate_item' => '0'
'email_auth_pwd' => '<removed>'
'email_auth_username' => '<removed>'
'email_debug_level' => '0'
'email_from' => '<removed>'
'email_from_name' => ''
'email_port' => ''
'email_security' => ''
'email_server_url' => ''
'email_smtp_auth' => ''
'email_smtp_server' => '<removed>'
'enable_ad_user_auto_creation' => '0'
'enable_ad_users_with_ad_groups' => '0'
'enable_attachment_encryption' => '1'
'enable_delete_after_consultation' => '0'
'enable_email_notification_on_item_shown' => '0'
'enable_email_notification_on_user_pw_change' => '0'
'enable_favourites' => '1'
'enable_http_request_login' => '0'
'enable_kb' => '0'
'enable_massive_move_delete' => '0'
'enable_personal_saltkey_cookie' => '0'
'enable_pf_feature' => '1'
'enable_refresh_task_last_execution' => '1'
'enable_send_email_on_user_login' => '0'
'enable_server_password_change' => '0'
'enable_sts' => '0'
'enable_suggestion' => '0'
'enable_tasks_log' => '0'
'enable_tasks_manager' => '1'
'enable_user_can_create_folders' => '0'
'encryptClientServer' => '1'
'favicon' => 'https://<anonym_url>/favicon.ico'
'files_with_defuse' => 'done'
'ga_reset_by_user' => ''
'ga_website_name' => 'TeamPass for ChangeMe'
'get_tp_info' => '1'
'google_authentication' => '0'
'highlight_favorites' => '0'
'highlight_selected' => '0'
'insert_manual_entry_item_history' => '0'
'item_duplicate_in_same_folder' => '0'
'item_extra_fields' => '0'
'items_ops_job_frequency' => '1'
'items_statistics_job_frequency' => '5'
'ldap_and_local_authentication' => '1'
'ldap_bdn' => ''
'ldap_dn_additional_user_dn' => ''
'ldap_group_objectclasses_attibute' => ''
'ldap_guid_attibute' => ''
'ldap_hosts' => '<removed>'
'ldap_mode' => '1'
'ldap_new_user_is_administrated_by' => '0'
'ldap_password' => '<removed>'
'ldap_port' => ''
'ldap_ssl' => '1'
'ldap_tls' => '0'
'ldap_tls_certifacte_check' => 'LDAP_OPT_X_TLS_NEVER'
'ldap_type' => 'ActiveDirectory'
'ldap_user_attribute' => ''
'ldap_user_dn_attribute' => ''
'ldap_user_object_filter' => ''
'ldap_username' => ''
'limited_search_default' => '0'
'log_accessed' => '1'
'log_connections' => '1'
'maintenance_mode' => '0'
'manager_edit' => '1'
'manager_move_item' => '0'
'max_latest_items' => '10'
'maximum_number_of_items_to_treat' => '100'
'maximum_session_expiration_time' => '60'
'mfa_for_roles' => ''
'migration_to_2127' => 'done'
'nb_bad_authentication' => '0'
'nb_items_by_query' => 'auto'
'number_of_used_pw' => '3'
'number_users_build_cache_tree' => '10'
'oauth2_client_appname' => 'Login with Microsoft Entra ID'
'oauth2_client_endpoint' => '<removed>'
'oauth2_client_id' => '<removed>'
'oauth2_client_scopes' => 'openid,profile,email,User.Read,Group.Read.All'
'oauth2_client_secret' => '<removed>'
'oauth2_client_token' => '<removed>'
'oauth2_client_urlResourceOwnerDetails' => 'https://graph.microsoft.com/v1.0/me'
'oauth2_enabled' => '1'
'oauth2_tenant_id' => '<removed>'
'offline_key_level' => '0'
'onthefly-backup-key' => '<removed>'
'onthefly-restore-key' => '<removed>'
'otv_expiration_period' => '7'
'otv_is_enabled' => '0'
'password_overview_delay' => '4'
'path_to_files_folder' => '/home/site/wwwroot/files'
'path_to_upload_folder' => '/home/site/wwwroot/upload'
'personal_saltkey_cookie_duration' => '31'
'personal_saltkey_security_level' => '50'
'proxy_ip' => '<removed>'
'proxy_port' => ''
'purge_temporary_files_task' => ''
'pw_life_duration' => '0'
'pwd_default_length' => '14'
'pwd_maximum_length' => '40'
'rebuild_config_file' => ''
'reload_cache_table_task' => ''
'restricted_to' => '0'
'restricted_to_roles' => '0'
'richtext' => '0'
'roles_allowed_to_print' => '0'
'roles_allowed_to_print_select' => ''
'saltkey_ante_2127' => 'none'
'secure_display_image' => '1'
'send_mail_on_user_login' => '0'
'send_statistics_items' => 'stat_country;stat_users;stat_items;stat_items_shared;stat_folders;stat_folders_shared;stat_admins;stat_managers;stat_ro;stat_mysqlversion;stat_phpversion;stat_teampassversion;stat_languages;stat_kb;stat_suggestion;stat_customfields;stat_api;stat_2fa;stat_agses;stat_duo;stat_ldap;stat_syslog;stat_stricthttps;stat_fav;stat_pf;'
'send_stats' => '0'
'send_stats_time' => '1735317028'
'sending_emails_job_frequency' => '2'
'settings_offline_mode' => '0'
'settings_tree_counters' => '0'
'show_description' => '1'
'show_item_data' => '0'
'show_last_items' => '1'
'show_only_accessible_folders' => '0'
'subfolder_rights_as_parent' => '0'
'syslog_enable' => '0'
'syslog_host' => '<removed>'
'syslog_port' => '514'
'task_maximum_run_time' => '300'
'tasks_log_retention_delay' => '30'
'tasks_manager_refreshing_period' => '20'
'teampass_version' => '3.1.3'
'time_format' => 'H:i:s'
'timestamp' => '1737989408'
'timezone' => 'UTC'
'tree_counters' => '1'
'upgrade_timestamp' => '1737909028'
'upload_all_extensions_file' => '0'
'upload_docext' => 'doc,docx,dotx,xls,xlsx,xltx,rtf,csv,txt,pdf,ppt,pptx,pot,dotx,xltx'
'upload_imageresize_height' => '600'
'upload_imageresize_options' => '1'
'upload_imageresize_quality' => '90'
'upload_imageresize_width' => '800'
'upload_imagesext' => 'jpg,jpeg,gif,png'
'upload_maxfilesize' => '10mb'
'upload_otherext' => 'sql,xml'
'upload_pkgext' => '7z,rar,tar,zip'
'upload_zero_byte_file' => '0'
'url_to_files_folder' => 'https://teampassv3.corp.mydomain.com/files'
'use_md5_password_as_salt' => '0'
'user_keys_job_frequency' => '1'
'users_personal_folder_task' => ''
'utf8_enabled' => '1'

Updated from an older Teampass or fresh install:

Client configuration

Browser: Chrome - 132.0.0.0

Operating system: Windows - 64bits

Logs

Web server error log

 -  ()

Teampass 10 last system errors

Log from the web-browser developer console (CTRL + SHIFT + i)

Insert the log here and especially the answer of the query that failed.

[nilsteampassnet]

@DaveWebb2
Must be something related to this part

There must be something missed.
Here is a screenshot from my App called Teampass in EntraAD

[DaveWebb2]

@nilsteampassnet thanks for the reply. I don't have the second permission called "Teampass (1)" at the bottom. How did you add that in? I don't seem to be able to find it when adding a permission. Other than that, everything else matches yours.

[nilsteampassnet]

@DaveWebb2
From your teampass application in Azure, select API permissions, then Add a permission, select tab APIs my organization uses.
In the liste you should see your Teampass application, select it and select read.all.

[DaveWebb2]

@nilsteampassnet thanks for getting back to me. That wasn't an option, so I had to go into the App Registrations -> TeamPassv3 -> Expose an API -> Add a scope within Entra ID, and then I could select it. Unfortunately, oAuth still fails with the error "User is not allowed to authenticate with Teampass application"

Should I manually create the user in TeamPass first? If so, should it use the email address as the username?

[DaveWebb2]

@nilsteampassnet ignore the previous comment - I have managed to log in using oAuth! I had to create the user with a username to match the SAMAccountName rather than the email address. However, each user that now logs in using oAuth gets prompted with this message:

"For the first SSO connection, please provide your previous password"

No matter what is entered for the previous password, it reject it with this message:

"Login credentials do not correspond"

We can get passed this by clicking close, but it appears again at every logon.

Also, once logged in, no passwords can be seen - click in the eye symbol returns the message "Item has no password" but it was created with a password.

Finally, the users all see a little ringing bell icon that shows this message when hovered over: "It seems your password has changed and Teampass requires it to encrypt your master private key". Choosing the "Generate new keys" option doesn't seem to do anything.

[DaveWebb2]

@nilsteampassnet for the users I have tried to generate new OTP codes, and then when I try to log in, after it has completed "Account in construction", I enter the code and it always says Bad Code. What's the secret to getting this to work? I have also tried to use the 'Generate new keys' option as the user but that doesn't work either.