Feature Request: OIDC support for admin #34
Comments
Hey, thanks for the interest! I'm glad you mostly got it up and running quickly 😃 I like the approach for this feature that you've come up with. The tricky part is having a solution that'll work easily for different OIDC providers and different protocols entirely (i.e. an LDAP or SAML claim). Can you share what the UserInfo response structure looks like for you with Keycloak?
Also, do you happen to use any other service that's a good example for this use-case?
Not so far.
Then I shoved in a few custom ones.
Looks like with Keycloak you have a lot of flexibility, but I certainly don't know what's right.
Nextcloud takes in groups directly; you can make a group in the Nextcloud UI, admin. For Jellyfin I did an LDAP query to see if a user was in the jellyfin group.
Jenkins also has its own config for groups and permissions. I'm mostly playing around for fun, so I could just add a list of UIDs or something, but that's not very portable or maintainable.
Yeah, that's the hard part and why I've left this feature out so far. An OIDC token can have any custom claims you like; yours looks fine to me. I'm not 100% sure of the best way to support this though. What you can do today is set
Ooooh. For me I can do the sub thing, but I'm super curious about longer-term learning.
I've seen systems do a "role mapping" thing. Here's an example from Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/current/oidc-role-mapping.html
Maybe shove the entire raw JSON payload into the object, then apply https://github.com/caibirdme/yql to it?
I kinda like that; it gives a lot of flexibility.
I made an attempt :)
@halkeye, let me know if the changes in the latest 0.2.0-rc7 work for you so I can cut the 0.2.0 release.
I'll get it installed today, sorry.
First off, I'm loving this. I was able to get WireGuard working in k8s super quickly, with just a few Helm file tweaks, which I've submitted as a PR.
I'm using Keycloak for auth, using the OIDC setup, but now I want to get admin access working. I see that for htaccess you set up
user.Claims.Add("admin", "true")
which shouldn't be that hard to reproduce for OIDC; I just don't know enough about OIDC to do it in a standard way. I can get Keycloak to return a list of client-ID-scoped roles, or system-wide roles, or groups for a user. All, I'm pretty sure, are Keycloak-specific options. I can get it returning in any field I want.
I don't mind writing the code, I just need suggestions/feedback on what is needed.
I'm thinking maybe the config needs another two fields:
claimsField: which field the OIDC returns the claims in
adminClaim: which value constitutes being an admin?
So for me I could do:
Does that make sense?
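The following is an added example, not code from this project or from anyone in the thread. It sketches the claimsField / adminClaim idea proposed above as a small "role mapping" step of the kind the Elasticsearch link describes: a rule is a dot-separated path into the raw UserInfo/ID-token JSON plus the exact value that marks an admin, so the same config works for a flat custom claim (`"admin": true`), a Keycloak group list, a client-scoped role list under `resource_access.<client>.roles`, or a single `sub`. The `AdminRule` type, the claim document, the client id `my-vpn` and the group names are all constructed for the example and are not the project's config or Keycloak's defaults.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// AdminRule is a hypothetical config shape (an assumption for this example,
// not the project's own config) generalising the proposed claimsField /
// adminClaim pair: Claim is a dot-separated path into the UserInfo or
// ID-token JSON, Value is the exact value that marks an admin.
type AdminRule struct {
	Claim string
	Value string
}

// sampleClaims is a constructed, Keycloak-style UserInfo document used only
// to exercise the matcher; the client id "my-vpn" and group names are made up.
const sampleClaims = `{
  "sub": "3f2b0d5c-0000-4000-8000-000000000001",
  "preferred_username": "alice",
  "admin": true,
  "groups": ["/vpn-admins", "/users"],
  "resource_access": {"my-vpn": {"roles": ["admin", "user"]}}
}`

// lookup walks a dot-separated path through nested JSON objects and returns
// the value found there, or false if a segment is missing or not an object.
func lookup(claims map[string]interface{}, path string) (interface{}, bool) {
	var cur interface{} = claims
	for _, key := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil, false
		}
		if cur, ok = obj[key]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// matches compares a claim value against the configured value. Strings and
// booleans must match exactly (no prefix or substring matching, so a group
// called "/vpn-admins-readonly" never satisfies a rule for "/vpn-admins").
// Arrays, e.g. a groups or roles list, match if any string element equals
// the value. Objects and numbers never match.
func matches(v interface{}, want string) bool {
	switch t := v.(type) {
	case string:
		return t == want
	case bool:
		return strconv.FormatBool(t) == want
	case []interface{}:
		for _, e := range t {
			if s, ok := e.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// IsAdmin parses a raw claims document and reports whether any rule matches.
// Rules are OR-ed: one matching rule is enough. Malformed JSON is an error,
// and a caller should treat an error as "not admin".
func IsAdmin(rawClaims []byte, rules []AdminRule) (bool, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(rawClaims, &claims); err != nil {
		return false, fmt.Errorf("parse claims: %w", err)
	}
	for _, r := range rules {
		if v, ok := lookup(claims, r.Claim); ok && matches(v, r.Value) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	rules := []AdminRule{
		{Claim: "groups", Value: "/vpn-admins"},                 // group membership
		{Claim: "resource_access.my-vpn.roles", Value: "admin"}, // client-scoped role
	}
	isAdmin, err := IsAdmin([]byte(sampleClaims), rules)
	fmt.Println("admin:", isAdmin, "err:", err)
}
```

The point of exact matching and of refusing to match on objects is that the admin decision is only as strict as the comparison: a rule for `/vpn-admins` must not be satisfied by `/vpn-admins-readonly`, and a rule pointing at a whole sub-object must not be treated as true just because something under it is. The "sub thing" mentioned in the thread is the degenerate rule `{Claim: "sub", Value: "<subject id>"}`.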