Open exu-g opened 6 months ago
advplyr
commented
6 months ago Is this a duplicate of https://github.com/advplyr/audiobookshelf/issues/2878?
With Authentik and KeyCloak you can name the groups however you want and setup a mapping. Maybe you are using Authelia?
exu-g
commented
6 months ago No, this is about having different scope and claim names. I am using Authentik with a custom mapping to change my group names into the ones specified by Audiobookshelf.
From my understanding, scopes are some kind of container for one or mutliple claims.
Something like this
Simplified, I have this mapping.
I can change the mapping to this and it works. Here both the scope and claim are called "audiobookshelf" and I set the same value in the Audiobookshelf OIDC settings "Group Claim" field.
But scopes can also contain multiple claims. As an example, the openid scope contains these claims:
{
"iss": "http://my-domain.auth0.com",
"sub": "auth0|123456",
"aud": "my_client_id",
"exp": 1311281970,
"iat": 1311280970,
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"gender": "female",
"birthdate": "0000-10-31",
"email": "janedoe@example.com",
"picture": "http://example.com/janedoe/me.jpg"
}from https://auth0.com/docs/secure/tokens/id-tokens/id-token-structure
This can also be done for custom mappings like this. Here I'm setting the Group Claim and Advanced Permission Claim within the same scope.
Visually represented something like this
With the current implementation I have to name one claim the same as the scope.
If we could specify the scope separately, the previous graphic would work.
After typing all this out, this is a very tiny issue most users won't ever encounter.
But it does feel more correct to separate scopes and claims.
I guess adding a note that claim == scope name in the documentation would suffice, so others don't have to spend time wondering why the heck stuff doesn't work.
Sapd
commented
6 months ago I guess adding a note that claim == scope name in the documentation would suffice, so others don't have to spend time wondering why the heck stuff doesn't work.
Yeah I thought (when I developed that feature) to show the claims as greyed-out box which would update with the name of the group claims etc., which would make claim == scope then clear.
But you also got a point that it makes sense to add a box and to allow to add claims to allow configurations as you showed. There then just must be a warning to the user that he also has to put in the name of the scope which contains the claim explicitly in the additional claims field.
PS: I know you just made example pictures, but to prevent you a debugging session, keep in mind that in "abspermissions" in Authentik you have to write the booleans als true python booleans like this. Otherwise they won't be provided as JSON boolean types:
abspermissions = {
"abspermissions": {
"canDownload": False, # Upper case without "
"canUpload": True
....
}
}
igbjnI05bF
commented
1 week ago I'm very confused here, most of this is above my head. I'm unable to get the group claim to work at all with keycloak. I've done this successfully with other apps such as Nextcloud, Jellyfin, and Grafana, but cannot get it to work with Audiobookshelf.
In my Audiobookshelf client in Keycloak I went to client scopes, audiobookshelf-dedicated, and added a client roles scope. I named the token claim name "absroles". I then went to the roles tab of audiobookshelf and created "admin", "guest", and "user" roles. I added my user to the audiobookshelf/admin role.
I cannot sign into Audiobookshelf, it says "Error in callback". The webtools show "Invalid scopes: openid profile email absroles". I don't really get it, openid, profile, and email are global realm scopes. absroles isn't (and shouldn't) be a realm scope, it's a client scope.
Am I missing something here? How do I get Audiobookshelf to see this client scope I made and respect the client roles my users are in?
Type of Enhancement
Server Backend
Describe the Feature/Enhancement
Please add a setting to request specific scopes in addition to the 3 basic ones.
Something similar to this, as offered by the OpenID Connect addon for Nextcloud.
Why would this be helpful?
In practice, it's possible to have different names for the scope and its contained claim.
I usually use the application name for the scope and have a different name for the actual claim for consistency on the application side.
Scope:
Claim:
With the current settings this does not work, either I set the correct claim and the scope won't be sent at all, or I use the working scope, but can't find any groups within.
Future Implementation (Screenshot)
A simple field titled "additional scopes" would be fine.
Audiobookshelf Server Version
v2.9.0
Current Implementation (Screenshot)
Settings > Authentication > OpenID Connect Authentication