Add configuration for group representation in OIDC #1769
Replies: 3 comments 2 replies
-
The UUID-name part is up to the RP, looks like at least one issue and a PR has been logged in the
-
I'm not sure about limiting the groups, surely this'd be made neater once the group-name thing is cleaned up on the RP end?
-
The reason for the uuids is to make sure there is a static never changing ID. This is more important for usernames IMO since they are more likely to need to change. I think for groups though, we could list both uuid and spn so that the consumer has both options.
-
I'm testing Kanidm for a smaller organization and it looks good so far.
Although I found the way of sharing group membership with resource providers to be inflexible, as just every group's UUID gets listed.
On Forgejo (fork of Gitea) OIDC is natively supported. One can map groups supplied by the identity provider to organization and team memberships. In this case one can just use the UUIDs that are needed and ignore all others.
On Nextcloud, I couldn't find a better way than using the Nextcloud app `user_oidc`, which supports adding users to the Nextcloud's groups based on the `groups` claim. But this app is missing the mapping feature. As the `groups` claim is just a list of UUIDs, those are used as group names. Additionally even `idm_all_accounts` and other groups that are not needed on the cloud instance are included and Nextcloud's OIDC app adds them as user groups, so one ends up with 20 groups with nonsensical names (the UUIDs) for every user of which 5 are actually needed. This makes managing group permissions like group folder access unpleasant or even impossible for non-admins that cannot correlate UUIDs and group names using Kanidm's CLI.
I thought about options to switch an OAuth2 system to either share the groups' names or their UUIDs, much like the `prefer-short-username` and `prefer-spn-username` options. Maybe there could be a filter or mapping option to just expose certain groups to resource providers or even name them differently if needed.
As I don't have the deep understanding of Kanidm, I put this here to collect some ideas before filing an issue.
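What the resource-provider-side allow-list mapping asked for above could look like, as an added example that is not part of this discussion and is not Kanidm, Nextcloud or `user_oidc` code. It assumes the RP's OIDC library has already verified the ID token signature and handed back the claims, that `groups` values are either group UUIDs or SPNs (`name@domain`) as the thread describes, and it keys the RP's own table on the UUID because, as noted in the thread, the UUID is the identifier that never changes. All UUIDs, SPNs and the sample claims are constructed.

```python
"""Allow-list mapping of an OIDC `groups` claim to RP-local group names.

Constructed example (not Kanidm/Nextcloud code). Groups that the RP has not
configured, such as an identity provider's catch-all group, are dropped rather
than created, so the RP never ends up with UUID-named groups it does not need.
"""
import uuid

# Constructed RP-side configuration: the stable Kanidm group UUID is the key,
# the SPN is kept so that an SPN-style claim value also matches, and `local`
# is the name the RP should create and display.
GROUP_MAP = {
    "11111111-1111-1111-1111-111111111111": {"spn": "cloud_users@idm.example.com", "local": "Users"},
    "22222222-2222-2222-2222-222222222222": {"spn": "cloud_admins@idm.example.com", "local": "Admins"},
    "44444444-4444-4444-4444-444444444444": {"spn": "forgejo_devs@idm.example.com", "local": "Developers"},
}

# Constructed ID-token claims as the RP sees them after signature verification.
# The third UUID stands in for a group like idm_all_accounts that is issued to
# everyone but has no meaning on this RP; the last value is junk.
SAMPLE_CLAIMS = {
    "sub": "a1f0c3d2-0000-4000-8000-000000000001",
    "preferred_username": "alice@idm.example.com",
    "groups": [
        "11111111-1111-1111-1111-111111111111",
        "22222222-2222-2222-2222-222222222222",
        "33333333-3333-3333-3333-333333333333",
        "forgejo_devs@idm.example.com",
        "not-a-group",
    ],
}


def classify(value: str) -> str:
    """Return 'uuid', 'spn' or 'unknown' for one claim value (for logging)."""
    try:
        uuid.UUID(value)
        return "uuid"
    except ValueError:
        pass
    name, sep, domain = value.partition("@")
    return "spn" if sep and name and domain else "unknown"


def build_index(group_map: dict) -> dict:
    """Flatten the config into a case-insensitive lookup: uuid/spn -> local name."""
    index = {}
    for gid, entry in group_map.items():
        index[gid.lower()] = entry["local"]
        index[entry["spn"].lower()] = entry["local"]
    return index


def map_groups(claims: dict, group_map: dict = GROUP_MAP) -> tuple:
    """Map the `groups` claim to RP-local names.

    Returns (mapped, dropped): `mapped` is the sorted, de-duplicated list of
    local group names; `dropped` lists every claim value that was ignored,
    so an operator can audit what the IdP sent without it becoming a group.
    """
    raw = claims.get("groups", [])
    if not isinstance(raw, list):
        raise ValueError("groups claim must be a list")
    index = build_index(group_map)
    mapped, dropped = set(), []
    for value in raw:
        if not isinstance(value, str):
            dropped.append(value)
            continue
        local = index.get(value.strip().lower())
        if local is None:
            dropped.append(value)
        else:
            mapped.add(local)
    return sorted(mapped), dropped


if __name__ == "__main__":
    groups, ignored = map_groups(SAMPLE_CLAIMS)
    print("assign:", groups)
    for value in ignored:
        print(f"ignored ({classify(value)}): {value}")
```

Because both the UUID and the SPN of a configured group resolve to the same local name, the mapping keeps working whether the identity provider sends UUIDs, SPNs, or (as suggested in the thread) both, and a renamed group still resolves through its UUID.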