How to use GitHub
- Please use the 👍 reaction to show that you are interested in the same feature.
- Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
- Subscribe to receive notifications on status change and new comments.
Feature request
Which Nextcloud Version are you currently using:
33.0.3
Is your feature request related to a problem? Please describe.
I'm using Keycloak to log existing Nextcloud and Keycloak users in to Nextcloud. The existing users already have a user ID in my Nextcloud where "keycloak-" is prepended to the user ID of the Keycloak user, so I have to use the option "Anbieterkennung als Präfix für IDs verwenden" to keep the users that are already in Nextcloud and in Keycloak (otherwise Nextcloud would create a new user and the user would lose his/her files).
I'm also using the option "Gruppenbereitstellung verwenden" to create the groups I'm using in Nextcloud from groups in Keycloak. My goal is to match the Keycloak group nextcloud_admin to the admin group in Nextcloud.
This is necessary because I'm also using other clients with my Keycloak, and I don't want the users of other clients to be admin when they are admin in the Nextcloud.
Therefore I use:
- the oidc_groups_mapping app, to map Keycloak group names to new Nextcloud group names.
- the Whitelist of user_oidc to fit the Groups I'm using in the Nextcloud.
I also activated the Option "Preserve existing group display names" in the other app. This produces the following Problem:
A group called nextcloud_user gets mapped to the group allewesen in Nextcloud, which is in the group whitelist of user_oidc, but then, because of the option "Anbieterkennung als Präfix für IDs verwenden" from the user_oidc app, the "keycloak-" prefix is added to the group name. This would also happen with the admin group, which is bad, because nextcloud_admin group members in Keycloak should match to the admin group in Nextcloud, and not to the "keycloak-admin" group.
If I leave out the option "Preserve existing group display names" from the other app (oidc_groups_mapping), the following happens, as far as I see it:
Then there are two groups called "allewesen" in Nextcloud, of which one is the original group, already existing in my Nextcloud setup, and the other one is the new one, having the name "keycloak-allewesen" and the display name "allewesen". This is also bad.
Describe the solution you'd like
That is the problem. My feature request is now: please divide the option "Anbieterkennung als Präfix für IDs verwenden" into two options: "Anbieterkennung als Präfix für die UserID verwenden" and "Anbieterkennung als Präfix für GruppenIDs verwenden". This would solve my problem, as I could then select the UserID option and deselect the GroupIDs option.
Describe alternatives you've considered
I tried to configure Keycloak to add a "keycloak-" prefix in front of the user ID, but I didn't find a smart solution for it.
Additional context
I'm migrating my Nextcloud and Keycloak Setup from the sociallogin Nextcloud App to the user_oidc Nextcloud App, because the user_oidc App supports a better Logout from the Services than the sociallogin App. But in sociallogin the Group Mapping was supported by default.
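Added example, not part of the original issue and not code from user_oidc or oidc_groups_mapping: a small Python model of the group pipeline the report describes (rename, whitelist, then provider prefix), comparing the single "Anbieterkennung als Präfix für IDs verwenden" (use provider identifier as prefix for IDs) switch with the requested split. Assumptions: the option names `prefix_user_ids` and `prefix_group_ids` are hypothetical, the whitelist is modelled as a plain set, unmapped group names pass through unchanged, and `grafana_admin` is a constructed group standing in for another client.

```python
from dataclasses import dataclass

# Constructed sample data using the names from the report.
GROUP_MAPPING = {"nextcloud_admin": "admin", "nextcloud_user": "allewesen"}
WHITELIST = {"admin", "allewesen"}      # modelled as a set (assumption)
LOCAL_GROUPS = {"admin", "allewesen"}   # groups that already exist locally
PROVIDER_ID = "keycloak"


@dataclass(frozen=True)
class PrefixOptions:
    # Hypothetical split of the single provider-prefix switch.
    prefix_user_ids: bool
    prefix_group_ids: bool


def provision(user_claim, group_claims, opts):
    """Return (user_id, sorted group_ids) that one login would produce."""
    user_id = f"{PROVIDER_ID}-{user_claim}" if opts.prefix_user_ids else user_claim
    group_ids = set()
    for name in group_claims:
        mapped = GROUP_MAPPING.get(name, name)  # 1. rename (pass-through is an assumption)
        if mapped not in WHITELIST:             # 2. drop anything not whitelisted
            continue
        if opts.prefix_group_ids:               # 3. namespace with the provider ID
            mapped = f"{PROVIDER_ID}-{mapped}"
        group_ids.add(mapped)
    return user_id, sorted(group_ids)


def unmatched_local_groups(group_ids, local_groups=LOCAL_GROUPS):
    """Provisioned group IDs that do not hit any pre-existing local group."""
    return [g for g in group_ids if g not in local_groups]


if __name__ == "__main__":
    claims = ["nextcloud_admin", "nextcloud_user", "grafana_admin"]
    combined = PrefixOptions(prefix_user_ids=True, prefix_group_ids=True)
    split = PrefixOptions(prefix_user_ids=True, prefix_group_ids=False)
    for label, opts in (("combined", combined), ("split", split)):
        uid, gids = provision("alice", claims, opts)
        print(label, uid, gids, "unmatched:", unmatched_local_groups(gids))
    # Trade-off of dropping the group prefix: in this model a Keycloak group
    # literally named "admin" would land in the local admin group, so the
    # mapping and whitelist become the only barrier.
    print(provision("bob", ["admin"], split))
```

With group prefixing off, the whitelist and mapping table are the only controls separating IdP-supplied group names from local privileged groups, so they need to be reviewed whenever groups are added in Keycloak.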