Comments (11)
Nextcloud group provisioning works very straightforwardly: based on the OIDC claim it adds/removes the user from the groups (and auto-creates NC groups if needed).
Mapping the group is easy; the hardest part is on the Authentik side. Here is my setup using a custom claim "roles":
in Authentik, create a custom property mapping (my code is a little more complex because I want the groups in Authentik to have an application-related prefix, "dev-nc_" in this case, but don't want to see this prefix in NC, so I remove it in the mapping)
in provider > advanced settings, add the custom mapping
in application > preview, verify that the "roles" claim was added:
in NC user_oidc settings, map the claim and enable group provisioning
review the process with more details here: https://24xsiempre.com/en/kasten-k10-authentik/
from user_oidc.
@isdnfan thanks! This worked wonderfully
In my case, this is what I did:
nc_groups = [
    (i.name if i.name != "Nextcloud Admins" else "admin") for i in request.user.ak_groups.all()
]
return {
    "nc_groups": nc_groups
}
then I enabled the mapping for the Nextcloud provider, and on the NC side I enabled group provisioning and added nc_groups as the source attribute.
This way all groups are automatically provisioned on Nextcloud with the same names as they appear in Authentik, except for the "Nextcloud Admins" group, which is mapped to "admin" (a hardcoded group name on Nextcloud for admin users).
One question: is there any way to have groups "sync" earlier than at the next token expiration/sign-in?
from user_oidc.
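The two setups above (the prefix-filtered "roles" claim from the first comment and the "Nextcloud Admins" to "admin" rename from this one) share one piece of logic: decide which Authentik groups are exported to Nextcloud and under what name. The following is an added example, not code from the thread, from Authentik or from user_oidc, that implements that logic as a plain function so it can be tested offline before it is pasted into an Authentik expression mapping. The function names, the claim name "nc_groups", the prefix "dev-nc_" and the sample group lists are assumptions for illustration.

```python
# Added example, not code from the thread, from Authentik or from user_oidc.
# Keep only Authentik groups carrying an application prefix (the "dev-nc_"
# convention from the first comment), strip that prefix, and rename
# "Nextcloud Admins" to Nextcloud's built-in "admin" group.
# Function names, the claim name "nc_groups" and the sample group lists are
# assumptions for illustration.

ADMIN_SOURCE_GROUP = "Nextcloud Admins"   # Authentik group that should become NC admins
NC_ADMIN_GROUP = "admin"                  # Nextcloud's hardcoded admin group
DEFAULT_PREFIX = "dev-nc_"                # assumed application prefix


def nextcloud_groups(ak_group_names, prefix=DEFAULT_PREFIX):
    """Map Authentik group names to the Nextcloud group names to emit in the claim.

    ak_group_names: iterable of str (inside Authentik this would be
    [g.name for g in request.user.ak_groups.all()]).
    prefix: only groups starting with this prefix are exported, with the prefix
    removed; an empty prefix exports every group unchanged.
    """
    mapped = []
    for name in ak_group_names:
        if name == ADMIN_SOURCE_GROUP:
            target = NC_ADMIN_GROUP
        elif not prefix:
            target = name
        elif name.startswith(prefix):
            target = name[len(prefix):]
        else:
            continue  # unrelated Authentik group: never exposed to Nextcloud
        # Skip empty results (a group named exactly like the prefix) and
        # duplicates, keeping first-seen order so the claim is stable between logins.
        if target and target not in mapped:
            mapped.append(target)
    return mapped


def build_groups_claim(ak_group_names, prefix=DEFAULT_PREFIX, claim="nc_groups"):
    """Return the dict an Authentik expression mapping would `return`.

    The claim key is always present, even when the list is empty, so the
    Nextcloud side sees a deliberate "no groups" rather than a missing attribute.
    """
    return {claim: nextcloud_groups(ak_group_names, prefix)}


if __name__ == "__main__":
    # Constructed sample: groups of one user as they could appear in Authentik.
    sample = ["dev-nc_staff", "Nextcloud Admins", "dev-nc_staff", "k10-viewers", "dev-nc_"]
    print(build_groups_claim(sample))       # {'nc_groups': ['staff', 'admin']}
    print(build_groups_claim(sample, ""))   # every group, unchanged except the admin rename
```

Inside an Authentik expression mapping the same body is written with `request.user.ak_groups.all()` as the input and a bare `return {...}` at the end, as in the snippet in the comment above; the checks worth keeping are that unrelated groups never reach Nextcloud and that the claim key is emitted even when the list is empty.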
Funny enough, I've made the exact same journey as you and ended up where you're currently at. Did you ever figure this out?
from user_oidc.
No. I ended up re-creating the necessary Authentik groups locally in Nextcloud (for my small setup). However, this is not really an elegant solution...
from user_oidc.
Figured to do just as much. Obviously this would be a pain in any kind of large/enterprise installation. For my own personal use it "works", I guess...
from user_oidc.
It would be really great if this, IMHO very basic, setup got some more end-user documentation. I can't really imagine that we two are the only ones wanting to use the OIDC provider's group setup in the OIDC-enabled application ;-).
from user_oidc.
BTW, does anybody have a mapping to use Authentik avatars in Nextcloud?
from user_oidc.
Unfortunately, I can't get any of the versions above to work. As soon as I enable group provisioning, the user gets thrown out of all groups on the next login, e.g. with the example of @TheManchineel.
Am I misunderstanding something? If I try the property mapping with the test icon in the property mapping section, it seems to work as expected. I don't have an "Application > Preview" button?!
from user_oidc.
How do I set this programmatically? There is no --mapping-groups= option in the occ user_oidc:provider command.
from user_oidc.
@Ra72xx did you ever resolve this? I am having the same problem. Every time my users log in they are thrown out of the groups that I assigned them.
from user_oidc.
No, I did not make any further attempts to solve this issue.
from user_oidc.