Feature Request: OIDC support for admin #34

Closed
halkeye opened this issue Apr 16, 2020 · 13 comments

Comments

@halkeye
Contributor

halkeye commented Apr 16, 2020

First off, I'm loving this. I was able to get WireGuard working in k8s super quickly, with just a few Helm file tweaks, which I've submitted as a PR.

I'm using Keycloak for auth, using the OIDC setup, but now I want to get admin access working. I see for htaccess you set up user.Claims.Add("admin", "true"), which shouldn't be that hard to reproduce for OIDC; I just don't know enough about OIDC to do it in a standard way.

I can get Keycloak to return a list of client-id-scoped roles, or system-wide roles, or groups for a user. All, I'm pretty sure, are Keycloak-specific options. I can get it returning in any field I want.

I don't mind writing the code, I just need suggestions/feedback on what is needed.

I'm thinking maybe the config needs another 2 fields:

- claimsField: which field the OIDC response returns the claims in
- adminClaim: which value constitutes being an admin?

So for me I could do:

```yaml
claimsField: "groups"
adminClaim: "wireguard-admin"
```

Does that make sense?

@Place1
Owner

Place1 commented Apr 16, 2020

Hey, thanks for the interest! I'm glad you mostly got it up and running quickly 😃

I like the approach for this feature that you've come up with. The tricky part is having a solution that'll work easily for different OIDC providers and different protocols entirely (i.e. an LDAP or SAML claim).

Can you share what the UserInfo response structure looks like for you with Keycloak?

@Place1
Owner

Place1 commented Apr 16, 2020

Also, do you happen to use any other service that's a good example for this use-case?

@halkeye
Contributor Author

halkeye commented Apr 16, 2020

> Also, do you happen to use any other service that's a good example for this use-case?

Not so far.

> Can you share what the UserInfo response structure looks like for you with Keycloak?

```json
{"sub":"[redacted]","email_verified":true,"name":"Gavin Mogan","preferred_username":"halkeye","given_name":"Gavin","family_name":"Mogan","email":"[redacted]"}
```

Then I shoved in a few custom ones:

```json
"group_membership":["JellyfinAdministrator","NextcloudAdmins","NextcloudUsers"],
"global_roles":["create-realm","offline_access","admin","uma_authorization"]
```

Looks like with Keycloak you have a lot of flexibility, but I certainly don't know what's right.

@halkeye
Contributor Author

halkeye commented Apr 16, 2020

> "group_membership":["JellyfinAdministrator","NextcloudAdmins","NextcloudUsers"],

Nextcloud takes in groups directly; you can make a group in the Nextcloud UI, admin.

For Jellyfin I did an LDAP query to see if a user was in the Jellyfin group.

@halkeye
Contributor Author

halkeye commented Apr 16, 2020

Jenkins also has its own config for groups and permissions.

I'm mostly playing around for fun, so I could just add a list of uids or something, but that's not very portable or maintainable.

@Place1
Owner

Place1 commented Apr 16, 2020

> Looks like with Keycloak you have a lot of flexibility, but I certainly don't know what's right.

Yeah, that's the hard part and why I've left this feature out so far. An OIDC token can have any custom claims you like; yours looks fine to me. I'm not 100% sure of the best way to support this though.

What you can do today is set adminUsername and adminPassword to have an admin account via basic auth. Or you can set adminUsername to the value of your sub field and that user will be an admin.

@halkeye
Contributor Author

halkeye commented Apr 16, 2020

Ooooh. For me I can do the sub thing, but I'm super curious about longer-term learning.

@Place1
Owner

Place1 commented Apr 16, 2020

I've seen systems do a "role mapping" thing. Here's an example from Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/current/oidc-role-mapping.html

@halkeye
Contributor Author

halkeye commented Apr 17, 2020

Maybe shove the entire raw JSON payload into the object, then apply https://github.com/caibirdme/yql to it?

```
name='halkeye' and group_membership in ("WireguardAdmins")
```

I kinda like that, and it gives a lot of flexibility.
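The two ideas in this thread, a `claimsField`/`adminClaim` pair and a rule applied to the raw UserInfo JSON, come down to the same check: decode the provider's claims and decide whether one of them grants admin. The following is an added example written for this discussion, not code from wg-access-server; `AdminRule`, `IsAdmin` and the sample payload are assumptions modelled on the config shape and the Keycloak response posted above. It handles the cases a practitioner would trip over: the claim arriving as a single string or as an array, a claim that is missing or of an unexpected type (never an admin grant), a malformed payload (an error, not a silent deny), and the existing `adminUsername`-matches-`sub` fallback mentioned earlier.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AdminRule is a hypothetical config shape (not the project's own): which
// UserInfo claim to inspect and which value marks a user as admin.
type AdminRule struct {
	ClaimsField string `json:"claimsField"`
	AdminClaim  string `json:"adminClaim"`
}

// claimContains reports whether a decoded claim equals or contains want.
// OIDC providers return custom claims as a string, an array of strings, or
// some other JSON type, so each shape is handled explicitly and anything
// unexpected (a number, an object, null) is treated as "no match".
func claimContains(claim interface{}, want string) bool {
	switch v := claim.(type) {
	case string:
		return v == want
	case []interface{}:
		for _, item := range v {
			if s, ok := item.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// IsAdmin decides admin status from a raw UserInfo JSON payload.
// adminSubject mirrors the adminUsername == sub fallback described in the
// thread; an empty string disables that path. A payload that does not
// decode is reported as an error rather than quietly mapped to non-admin,
// so a misconfigured provider shows up in logs instead of being masked.
func IsAdmin(rawUserInfo []byte, rule AdminRule, adminSubject string) (bool, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal(rawUserInfo, &claims); err != nil {
		return false, fmt.Errorf("decode userinfo: %w", err)
	}
	if sub, ok := claims["sub"].(string); ok && adminSubject != "" && sub == adminSubject {
		return true, nil
	}
	if rule.ClaimsField == "" || rule.AdminClaim == "" {
		return false, nil // rule not configured: no claim-based grant
	}
	claim, present := claims[rule.ClaimsField]
	if !present {
		return false, nil // missing claim is never an admin grant
	}
	return claimContains(claim, rule.AdminClaim), nil
}

// sampleUserInfo is a constructed payload modelled on the shape posted in
// the thread; the subject, username and group names are illustrative only.
const sampleUserInfo = `{"sub":"user-1234","email_verified":true,"preferred_username":"alice",
"group_membership":["JellyfinAdministrator","NextcloudAdmins","wireguard-admin"],
"global_roles":["offline_access","uma_authorization"]}`

func main() {
	rule := AdminRule{ClaimsField: "group_membership", AdminClaim: "wireguard-admin"}
	ok, err := IsAdmin([]byte(sampleUserInfo), rule, "")
	fmt.Println(ok, err) // true <nil>
}
```

Matching is exact-string on purpose: a substring or prefix match on group names would let `wireguard-admin-readonly` satisfy `wireguard-admin`, which is the kind of ambiguity a role-mapping layer should refuse rather than resolve.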

@halkeye
Contributor Author

halkeye commented Apr 17, 2020

I made an attempt :)

@Place1
Owner

Place1 commented May 13, 2020

@halkeye let me know if the changes in the latest 0.2.0-rc7 work for you so I can cut the 0.2.0 release.

@halkeye
Contributor Author

halkeye commented May 13, 2020

I'll get it installed today, sorry.

@Place1 Place1 closed this as completed Oct 18, 2020
DasSkelett referenced this issue in DasSkelett/wg-access-server Dec 10, 2021