Improve documentation of group provisioning about user_oidc HOT 11 OPEN

Nextcloud group provisioning works very straight forward - based on the OIDC claim it adds/removes the user from the groups (and auto-creates NC groups if needed).

Mapping the group can be done easily, hardest part is on Authentik side. here my setup using custom claim "roles"

in Authentik create custom property mapping (my code is little more complex as I want the groups in Authentik to have application related prefix "dev-nc_" in this case but don't want to see this prefix in NC so I remove the in the mapping)

in provider > advanced settings add the custom mapping

in application > preview verify the "roles" claim was added:

in NC user_oidc settings map the claim and enable group provisioning

review the process with more details here: https://24xsiempre.com/en/kasten-k10-authentik/

from user_oidc.

@isdnfan thanks! This worked wonderfully

In my case, this is what I did:

nc_groups = [
  (i.name if i.name != "Nextcloud Admins" else "admin") for i in request.user.ak_groups.all()
]

return {
  "nc_groups": nc_groups
}

then enabled the mapping for the Nextcloud provider, and on the NC side I enabled group provisioning and added the nc_groups mapping as the source attribute.

This way all groups are automatically provisioned on Nextcloud with the same name as appear on Authentik, except for the "Nextcloud Admins" group which is mapped to "admin" (a hardcoded group name on Nextcloud for admin users).

One question: is there any way to have groups "sync" earlier than the next token expiration/sign in?

from user_oidc.

Funny enough, I've made the exact same journey as you and ended up where you're currently at. Did you ever figure this out?

from user_oidc.

No. I ended up re-creating the necessary Authentik groups locally in Nextcloud (for my small setup). However, this is not really an elegant solution...

from user_oidc.

Figured to do just as much. Obviously this would be a pain in any kind of large/enterprise installation. For my own personal use it "works" I guess...

from user_oidc.

It would be really great if this IMHO very basic setup would get some more end-user documentation. I can't really image that we two are the only ones wanting to use the OIDC provider's group setup in die OIDC-enabled application ;-) .

from user_oidc.

BTW, has anybody a mapping to use Authentik avatars in Nextcloud?

from user_oidc.

Unfortunately, I don't get any of the versions above to work. As soon as I enable group provisioning, the user gets thrown out of any group on the next login. E.g. for the example of @TheManchineel

Nextcloud user_openidc:

Authentik:

Am I misunderstanding something? If I try the property mapping with the test icon in the property mapping section, it seems to work as expected. I don't have "Application>Preview" button?!

from user_oidc.

How to set this programmatically? there is no --mapping-groups= in the occ user_oidc:provider command

from user_oidc.

@Ra72xx did you ever resolve this? I am having the same problem. Everytime my users log in they are thrown out of the groups that I assigned them.

from user_oidc.

No, I did not further attempts to solve this issue.

from user_oidc.