Division by permisions for ui? about headscale-webui HOT 6 OPEN

Right now, I'm working on a significant refactor of the code base (mentioned in #73), so it could be addressed from the client (headscale-webui) side as well later next month.

from headscale-webui.

It should be possible by using the groups in the OIDC provider. It could be done either on the provider side or the client. For example, the Nextcloud OIDC provider plugin has the option to constrain given OIDC clients to a specific group:

from headscale-webui.

@MarekPikula great work! would love to have the OIDC group limitation on client side (perhaps just as an env variable?) Keycloak is sometimes abit complicated for this limitation :)

from headscale-webui.

Yup, that's the plan. First, I must finish the refactor, which takes much longer than expected. I hope to finish it by the end of the week. Once it's merged, I can work on group limitations from OIDC.

from headscale-webui.

@MarekPikula great work! would love to have the OIDC group limitation on client side (perhaps just as an env variable?) Keycloak is sometimes abit complicated for this limitation :)

Apologize for my disturbance. Would like to know if you have found out how to configure Keycloak to limit permission by groups. If so, could you please explain it briefly? Thanks a lot!

p.s. I have set the following policy and applied it with setting a permission with it. But it just didn't work. Any user is able to
login and access headscale-webui even though the user is not in the group.

from headscale-webui.

btw, found something strange

evaluating the user shows that the user should be denied, however, actually the user can still log in and has access to headscale-webui.

from headscale-webui.