Map groups from Identity Provider

[pmarini-nc]

Is it possible to map the user groups from the Identity Provider?

In the graphical wizard I see:

• User ID
• Display Name
• Email
• Quota

OpenID Connect User backend version: 1.0.0
Nextcloud version: 22.1.0

Thanks!

[juliushaertl]

Group mapping is currently not implemented

[blizzz]

Heads up: if it will be implemented, it should be able to deal with group names > 64 characters.

[ncgisudo]

In addition to group mapping it'd be great to make a given group be required to use it (i.e. so that the set of your NextCloud users may be a subset of users in your user pool)

[schewara]

➕ 1️⃣ from my end for this feature as well.
This would save us a lot of work when on-boarding new users or updating existing ones, when they switch departments.

By adding Mappers or additional Client Scopes for Groups (at least in Keycloak) this can be added quite easily.

example access token:

{
  "exp": 1234,
  "iat": 4567,
  "jti": "xxxx",
  "iss": "https://keycloak.my.tld/realms/testrealm",
  "sub": "xxxx",
  "typ": "Bearer",
  "azp": "nc-localdev-oidc-user-backend",
  "session_state": "xxxx",
  "acr": "1",
  "allowed-origins": [
    "http://vagrant-localdev:8082"
  ],
  "scope": "openid groups email profile",
  "sid": "xxx",
  "email_verified": true,
  "name": "Dummy User",
  "groups": [
    "Employee",
    "Testteam"
  ],
  "preferred_username": "dummy-test-user",
  "given_name": "Dummy",
  "family_name": "User",
  "email": "dummy@my.tld"
}

[kronn]

It seems like this is fixed by #502. As far as I can tell, the requirement of handling group-names > 64 chars is covered by the PR as well.

[SmylerMC]

Looks like this can be closed now 😃 .