mirror of
https://github.com/actualbudget/actual.git
synced 2026-07-11 11:13:11 -05:00
[Bug]: OIDC With Entra Not Authenticating Additional Users #2592
Open
opened 2026-02-28 20:20:30 -06:00 by GiteaMirror
·
7 comments
No Branch/Tag Specified
master
enforce-append-only-migrations-ci
delay-initial-sync-until-loaded
jfdoming/mobile-app-build
claude/error-codes-worker-boundary-26i5uu
jfdoming/api-tokens-part-1
jfdoming/api-tokens-part-2
jfdoming/api-tokens-part-3
jfdoming/mobile-app-updates
ai/simplify-categories-get-api
api-browser-custom-data-dir
claude/budget-version-migration-compat-151jlr
claude/worker-error-serialization-9iqtl7
claude/react-table-library-research-afx83z
claude/issue-8401-regression-test-9nw9l3
jfdoming/mobile-app-foundation-part-1
jfdoming/mobile-app-scaffold
release
ai-fix-cleanup-def-8290
claude/relaxed-shannon-jusywa
claude/fervent-keller-s6f2fq
claude/determined-feynman-st1y9z
claude/wizardly-einstein-vi2wce
claude/sweet-albattani-7nseio
feat/bank-sync-per-budget-file
claude/affectionate-cannon-y0kc82
claude/dependabot-findings-m9pgmb
claude/mac-app-ios-publish-zjs1lz
claude/vigilant-tesla-aiiyos
depot-migrate-secrets-1781296330308
claude/quirky-cerf-v5qck7
claude/animation-removal-alternative-2etfh1
claude/netlify-preview-comments-consolidate-9XPYa
osc/7391-error-boundaries-reports
claude/pensive-dijkstra-7DYui
claude/server-app-version-mismatch-HTCGv
claude/pr-8027-review-feedback-mELuO
claude/zealous-wozniak-e5pO0
claude/intelligent-heisenberg-BSHJq
claude/translation-download-refactor-jFRsO
claude/mobile-performance-ideas-G9PAO
claude/github-issue-7988-5A5ly
blacksmith-migration-ff70d2d
claude/great-mayer-KRvOk
claude/react-native-ios-compilation-fcJh5
claude/serene-goldberg-58xv0
claude/kind-euler-LVG3K
release-automation/edge-nightly
7710-bundle-migrations
claude/fix-docker-build-error-WMfed
claude/llm-compatible-release-notes-t20Nr
7710-tests-tdd
cursor/transaction-table-rewrite-f077
claude/plan-ci-secure-context-OtEe1
claude/fix-issue-7667-DPXi3
cursor/resolve-pr-7449-ee11
claude/fix-typescript-build-error-JPtZ5
copilot/add-repository-configs-to-packages
worktree-compressed-drifting-ritchie
claude/api-consumer-verification-kfz1K
pr-7454
claude/fix-issue-7410-LLLQ4
revert-7281-generate-icons
react-query-useSchedules
copilot/sub-pr-6140
package-upgrades
v26.7.0
v26.6.0
v26.5.2
v26.5.1
v26.5.0
v26.4.0
v26.3.0
v26.2.1
v26.2.0
v26.1.0
v25.12.0
v25.11.0
v25.10.0
v25.9.0
v25.8.0
v25.7.1
v25.7.0
v25.6.1
v25.6.0
v25.5.0
v25.4.0
v25.3.1
v25.3.0
v25.2.1
v25.2.0
v25.1.0
v24.12.0
v24.11.0
v24.10.1
v24.10.0
v24.9.0
v24.8.0
v24.7.0
v24.6.0
v24.5.0
v24.4.0
v24.3.0
v24.2.0
v24.1.0
v23.12.0
v23.11.0
v23.10.0
v23.9.0
v23.8.1
v23.8.0
v23.7.2
v23.7.1
v23.7.0
v23.6.0
v23.5.0
v23.4.2
v23.4.1
v23.4.0
v23.3.2
v23.3.0
v23.2.9
v23.2.5
v23.1.12
v22.12.9
Labels
Clear labels
AI generated
API
bank sync
budgeting
bug
can’t replicate
dependencies
docker
documentation
electron
experimental feature
feature
feedback
goal templates
good first issue
help wanted
importers
maintenance
needs info
needs testing
needs triage
needs votes
openid
payees
pull-request
regression
reports
responsive
rules
schedules
server
✨ merged
split transactions
tech debt
tech-support
theme
transaction import
transaction reconciliation
transactions
translations
upstream
user interface
✅ approved
wontfix
Mirrored from GitHub Pull Request
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/actual#2592
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @n-tropy247 on GitHub (Nov 4, 2025).
Verified issue does not already exist?
What happened?
I have configured OIDC with an app registration in Entra and it is working fine to authenticate the account set as server owner. Whenever I authentication a second user (already added under User Directory) it throws "openid-grant-failed". The journal is linked below for review, most relevant line reads OAuth2 Authorization code was already redeemed, please retry with a new valid code or use an existing refresh token. The sign-in logs Entra-side show successful authentication. I also noticed that when I authenticated my account with OIDC, it set my username in User Directory as some sort of guid:
Log: https://pastebin.com/YeWFFVUJ
How can we reproduce the issue?
Actual is being hosted on a home server running Debian 12. Entra is set up as IdP using an App Registration.
Where are you hosting Actual?
Locally via Yarn
What browsers are you seeing the problem on?
Chrome
Operating System
Windows 11
@coderabbitai[bot] commented on GitHub (Nov 4, 2025):
A summary of the changes CodeRabbit can apply:
@n-tropy247 commented on GitHub (Nov 5, 2025):
After redoing the entire OpenID configuration, I was able to get my own username to display correctly:
But the other user is still seeing a failure despite existing in the User Directory:
Additionally, the server is not logging a reused authorization code anymore, now its just throwing a 400 error:
I configured OpenID through the GUI again, but here's the entry from the auth table (with redactions):
@tabedzki commented on GitHub (Nov 11, 2025):
I believe that the email address associated with it has to already exist for the authentication to work. I can access it via "Server Online" in the top right -> User Directory -> Add new user.
Try that
@altwohill commented on GitHub (Dec 15, 2025):
I'm also seeing this issue. I have added the additional user into the directory, but they cannot log in - they get "openid-grant-failed"
@AnthIste commented on GitHub (Jan 5, 2026):
I ran into a similar issue. You can override the default behaviour to automatically provision new users when they sign in (you will of course need to restrict access at the auth provider).
To enable automatic provisioning of users, set
ACTUAL_USER_CREATION_MODE=login.Example
docker-compose.yml:I also struggled to find the user management page. To access the user directory, click on the "Server Online" status to open the settings dropdown:
References:
@Itay1787 commented on GitHub (Jan 10, 2026):
Hi, I also have a similar problem.
I get
{"status":"error","reason":"openid-grant-failed"}And in the logs, I get
It passes the auth from Authentik, and I get the error from Actual, and I don't know how to proceed from here…
@DraviaVemal commented on GitHub (Jan 24, 2026):
I faced a similar issue and, after several combination tests, observed that the system appears to persist and reference the user OpenID/UUID as the primary identifier.
Observations
When I manually added the OpenID/UUID of a second user, login worked as expected.
When I added the actual email address, it did not match and resulted in an authentication error.
There is no documented environment configuration to control which claim/property is used for email matching.
Based on behavior, it seems the automatic property being mapped to id is the OpenID/UUID, not the email.
Workaround
Disabling pre-created users and enabling auto user creation on login resolves the issue.
Access is instead restricted on the Azure side.
ACTUAL_USER_CREATION_MODE=loginThanks @AnthIste for pointing this outQuestion
Is there a supported configuration to explicitly define which claim (email vs OpenID/UUID) is used for user matching?