Comments (4)
What's the expression in the Nextcloud Profile mapping? At first it would seem that this is caused by setting the subject mode to user UUID but that does not raise an error like this. Also I would recommend including the openid
scope both in authentik and Nextcloud as it's part of the OIDC spec and required to be fully compatible
from authentik.
Thanks for the quick reply @BeryJu .
The expression for the mapping is the exact same found in the docs
# Extract all groups the user is a member of
groups = [group.name for group in user.ak_groups.all()]
# Nextcloud admins must be members of a group called "admin".
# This is static and cannot be changed.
# We append a fictional "admin" group to the user's groups if they are an admin in authentik.
# This group would only be visible in Nextcloud and does not exist in authentik.
if user.is_superuser and "admin" not in groups:
groups.append("admin")
return {
"name": request.user.name,
"groups": groups,
# To set a quota set the "nextcloud_quota" property in the user's attributes
"quota": user.group_attributes().get("nextcloud_quota", None),
# To connect an already existing user, set the "nextcloud_user_id" property in the
# user's attributes to the username of the corresponding user on Nextcloud.
"user_id": user.attributes.get("nextcloud_user_id", user.uuid),
}
I've actually fixed part of the issue after your reply by messing around it more, but I'd like to fix it properly and update the docs for anyone else in the same situation.
For good measure, i added openid
to the scope, but this did not seem to cause any changes other than being proper :-)
I can provision new accounts and login (The scenario which failed) if i:
- Change "User ID mapping" in Nextcloud from
user_id
tosub
(The default)- Docs: "User ID mapping: sub (or user_id if you need to connect to an already existing Nextcloud user)"
- Use either the custom profile or Authentiks built-in.
Now this works for provisioning users, but it does not allow for a mix of existing users and provisioned users since the only real difference is the Nextcloud mapping of the user id. My guess is the lack of this property for provisioned users, is why the serialization fails, but still allowed myself to login since my account already existed in Nextcloud.
Therefore i cannot currently have it both ways, since if i change to sub
instead of user_id
, the existing Nextcloud accounts do not work, and with my own Authentik login, it just provisions a new account.
Do you know how i could configure this to allow for both ways? I'd like to find a permanent fix so that anyone replicating doesn't need to migrate all their existing users if they wish to centralize user management in Authentik in the future.
Thanks for a great product btw. I really do like Authentik and how feature rich it is.
from authentik.
The issue comes from the line "user_id": user.attributes.get("nextcloud_user_id", user.uuid),
, as you're falling back to using the UUID, you'll have to convert it to a string with either str(user.uuid)
or user.uuid.hex
(Or rather the docs should be fixed, but this is where the issue is coming from)
from authentik.
I see. I added the modification of converting it to a string, and can confirm that both scenarios now work as expected. I saw your PR for the docs, so i am just closing this issue. Thanks for the help.
from authentik.
Related Issues (20)
- LDAP source: internal password is written after password change (without "update internal password on login")
- Provider not showing Proxy Setup
- LDAP Outpost: Custom `gidNumber` attribute is ignored in virtual-group-object if it is not a string, but the user-object accepts also a integer
- Event Matcher Policy Action Type = "Custom Prefix" not working as expected HOT 1
- Authentik Api key access
- website: AUTHENTIK_SECRET_KEY has a newline character HOT 2
- OpenShift Support
- prowlarr with authentik my other *arr can't contact the indexers
- Now it generates the code, but still not working. HOT 1
- ak_user_has_authenticator result does not change while logged in
- Outpost Controller task (and thus respective pods) not starting when Authentik is started with helm chart HOT 1
- Static token OTP Gui overflow
- Authorization flow / Failed to fetch objects: undefined / proxy HOT 3
- smtp transport self signed certificate error: NotificationTransportError: [SSL: CERTIFICATE_VERIFY_FAILED]
- Initial setup link not working HOT 5
- Support systemd notify
- ID token issued by a different provider - Error 404
- Application policy binding with group for new applications issue
- Q: Using Postgres V16 in docker-compose instead of V12 HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from authentik.