[Enhancement]: OIDC: Add possibility to spcecify names of group claims

[v3DJG6GL]

Describe the feature/enhancement

With #2769 we do now have the possiblity to specify Group Claims for the groups admin, user and guest. While I really appreciate that feature, It would be nice to also specify the names of these groups, rather than relying on these hardcoded names admin, user and guest. I do have a setup with Authelia and LLDAP and I do have a lot of different user groups specified which are allowed to use specific services. As an example, I do have a nextcloud_users group for all users that are allowed to use Nextcloud and a jellyfin_users group for all users that are allowed to use Jellyfin. The same goes for admin groups, although that's less relevant in my case. I'd love to see a similar option for ABS :)

[advplyr]

You should be able to use whatever group names you want and just add a custom property mapping. I haven't used Authelia but I used Authentik to successfully map some groups I setup with different names. I followed @Sapd's guide in this PR https://github.com/advplyr/audiobookshelf/pull/2769

[Sapd]

It was in the original concept (see https://github.com/advplyr/audiobookshelf/issues/2523 ) but left out because identity providers usually provide the ability of attribute mappings. Not sure about Authelia, but KeyCloak and Authentik can do that.

[v3DJG6GL]

hmh, would it be something like this? https://github.com/authelia/authelia/issues/2868

That's not (yet) implemented in Authelia.

All other OIDC-claim capable apps I use have the possibility to specify the names for group claims so I wasn't even aware that there's an option to map custom properties. But yeah, it doesn't seem to be supported by Authelia...

[Sapd]

hmh, would it be something like this? authelia/authelia#2868

Yeah in fact that would be it. I also just remembered another (severe) limitation of Authelia, it does not support restricting access for OpenID Connect: https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#why-doesnt-the-access-control-configuration-work-with-openid-connect-10 which makes the combination with this issue a bit worse

[advplyr]

@v3DJG6GL What are some other self-hosted apps that support OIDC have that feature? I'd like to see how they implemented it.

I'm not sure if it is worth adding more complexity to our OIDC implementation if 2 out of 3 major providers support this already.

[advplyr]

From your OP I can guess nextcloud and the jellyfin SSO plugin.

[v3DJG6GL]

@v3DJG6GL What are some other self-hosted apps supported OIDC that have that feature? I'd like to see how they implemented it.

• Jellyfin (via SSO plugin) (https://github.com/9p4/jellyfin-plugin-sso)
• Nextcloud (via Nextcloud OIDC plugin) (https://github.com/pulsejet/nextcloud-oidc-login)
• MinIO (https://github.com/minio/minio)

[CEbbinghaus]

Just wanted to add my support for this. kanidm/kanidm does not allow custom group names and instead provides the group names either as their unique guid or as their unique specifier group_name@host.tld which makes it completely incompatible with audiobookshelf.

Ideally there would be a UI to map group names provided as strings to the groups within audiobookshelf so the user could specify the groups.

I had a little stab at implementing it myself but I'm not overly fond nor adept at vuejs frontend dev. Will see if I can get it looking halfway decent though and submit a patch.