Nextcloud OpenID Connect exception: Object of type UUID is not JSON serializable about authentik HOT 4 CLOSED

What's the expression in the Nextcloud Profile mapping? At first it would seem that this is caused by setting the subject mode to user UUID but that does not raise an error like this. Also I would recommend including the openid scope both in authentik and Nextcloud as it's part of the OIDC spec and required to be fully compatible

from authentik.

Thanks for the quick reply @BeryJu .

The expression for the mapping is the exact same found in the docs

# Extract all groups the user is a member of
groups = [group.name for group in user.ak_groups.all()]

# Nextcloud admins must be members of a group called "admin".
# This is static and cannot be changed.
# We append a fictional "admin" group to the user's groups if they are an admin in authentik.
# This group would only be visible in Nextcloud and does not exist in authentik.
if user.is_superuser and "admin" not in groups:
    groups.append("admin")

return {
    "name": request.user.name,
    "groups": groups,
    # To set a quota set the "nextcloud_quota" property in the user's attributes
    "quota": user.group_attributes().get("nextcloud_quota", None),
    # To connect an already existing user, set the "nextcloud_user_id" property in the
    # user's attributes to the username of the corresponding user on Nextcloud.
    "user_id": user.attributes.get("nextcloud_user_id", user.uuid),
}

I've actually fixed part of the issue after your reply by messing around it more, but I'd like to fix it properly and update the docs for anyone else in the same situation.

For good measure, i added openid to the scope, but this did not seem to cause any changes other than being proper :-)

I can provision new accounts and login (The scenario which failed) if i:

• Change "User ID mapping" in Nextcloud from user_id to sub (The default)
  • Docs: "User ID mapping: sub (or user_id if you need to connect to an already existing Nextcloud user)"
• Use either the custom profile or Authentiks built-in.

Now this works for provisioning users, but it does not allow for a mix of existing users and provisioned users since the only real difference is the Nextcloud mapping of the user id. My guess is the lack of this property for provisioned users, is why the serialization fails, but still allowed myself to login since my account already existed in Nextcloud.

Therefore i cannot currently have it both ways, since if i change to sub instead of user_id, the existing Nextcloud accounts do not work, and with my own Authentik login, it just provisions a new account.

Do you know how i could configure this to allow for both ways? I'd like to find a permanent fix so that anyone replicating doesn't need to migrate all their existing users if they wish to centralize user management in Authentik in the future.

Thanks for a great product btw. I really do like Authentik and how feature rich it is.

from authentik.

The issue comes from the line "user_id": user.attributes.get("nextcloud_user_id", user.uuid),, as you're falling back to using the UUID, you'll have to convert it to a string with either str(user.uuid) or user.uuid.hex

(Or rather the docs should be fixed, but this is where the issue is coming from)

from authentik.

I see. I added the modification of converting it to a string, and can confirm that both scenarios now work as expected. I saw your PR for the docs, so i am just closing this issue. Thanks for the help.

from authentik.