Open sbernhard opened 3 years ago
Unfortunately, the OpenID Connect protocol doesn't have a built-in solution to indicate group membership for users. An OIDC provider may choose to indicate group membership through one or more claims (see the OpenID Connect Core specification), but there is no universal standard for this. Therefore, a solution that would utilize custom claims would need to be highly flexible. Furthermore, since OIDC is a user-centered protocol, group synchronization would be custom as well.
Given these shortcomings in the protocol, I'd argue a custom plugin for your specific problem would be preferable over integrating a solution in this plugin. However, I'd be happy to discuss any suggestions.
What is your thought about group membership association similar to the XWiki implementation?
Hi, my apologies for the lack of response, I must have missed your messages. This might be a feasible solution, I'll investigate further as soon as possible. However, I also feel it's important to note that I don't have much time to develop new features for this plugin, so whether I'll be able to develop it myself will be dependent upon the complexity. I'll let you know how this pans out!
Hey, I made a PR (#13) regarding this and it's working fine with my Keycloak configured to send the user's groups list in the OIDC token.
As there are groups available in Piwigo, there should be something like a group membership sync done in the OpenID Connect plugin.
Would this be possible?
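The claim-based group sync discussed in this thread, sketched as an added example; it is not code from the plugin or from PR #13. The function names, the dotted claim path, the group mapping and the sample claims are all hypothetical, and the ID token is assumed to have been signature- and audience-validated before its claims are read.

```php
<?php
// Added example: all names here are hypothetical, not the plugin's API.

/** Read a claim by dotted path (e.g. "groups" or "resource.groups"); always returns a list of strings. */
function claim_groups(array $claims, string $path): array
{
    $node = $claims;
    foreach (explode('.', $path) as $key) {
        if (!is_array($node) || !array_key_exists($key, $node)) {
            return [];               // claim absent: treat as "no groups"
        }
        $node = $node[$key];
    }
    if (is_string($node)) {
        $node = [$node];             // some providers send a single string
    }
    if (!is_array($node)) {
        return [];
    }
    // Keep only non-empty strings; drop nested objects and numbers.
    return array_values(array_unique(array_filter($node, fn($g) => is_string($g) && $g !== '')));
}

/**
 * Compute membership changes for one user.
 * $map: provider group name => local group id. Only ids listed in $map are
 * ever removed, so locally assigned groups are left alone.
 */
function plan_group_sync(array $providerGroups, array $map, array $currentIds): array
{
    $wanted = [];
    foreach ($providerGroups as $name) {
        if (isset($map[$name])) {    // unmapped provider groups are ignored
            $wanted[] = $map[$name];
        }
    }
    $wanted  = array_values(array_unique($wanted));
    $managed = array_values(array_unique($map));
    return [
        'add'    => array_values(array_diff($wanted, $currentIds)),
        'remove' => array_values(array_diff(array_intersect($currentIds, $managed), $wanted)),
    ];
}

// Constructed sample: claims from an already validated ID token.
$claims  = ['sub' => 'u-123', 'groups' => ['/photographers', '/staff', 42]];
$map     = ['/photographers' => 3, '/admins' => 1];   // constructed mapping
$current = [1, 7];                                    // 7 was assigned locally
print_r(plan_group_sync(claim_groups($claims, 'groups'), $map, $current));
```

Because removals are limited to groups named in the mapping, a provider that omits the claim revokes mapped memberships but cannot strip groups an administrator assigned by hand.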