owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0
1.41k stars 184 forks

[ocis] [FR] Import also groups from Keycloak #5538

Closed ChrisEdS closed 4 months ago

ChrisEdS commented 1 year ago

Is your feature request related to a problem? Please describe.

If a Keycloak IdP is used for authentication, the groups from Keycloak could also be used for ownCloud.

Describe the solution you'd like

At the moment only the users from Keycloak are used in ownCloud. Without LDAP/AD integration, the groups have to be created manually in ownCloud, and the assignment of the users to the groups also has to be done within ownCloud.

The solution would also be to import the groups from Keycloak and also respect the assignment of the users to the groups from Keycloak.

michaelstingl commented 1 year ago

SCIM? (RFC 7644)

Related:

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

micbar commented 1 year ago

This is already possible when you set up LDAP federation.

ChrisEdS commented 1 year ago

Yeah, well, my idea was to use only Keycloak for Groups and User Management

micbar commented 1 year ago

oCIS uses LDAP all the time. In the default it uses the built-in libreIDM. Maybe we could federate that?

rhafer commented 1 year ago

I think what this request is referring to is to autoprovision group memberships similar to how we autoprovision users (and role assignments) upon first login (for users, PROXY_AUTOPROVISION_ACCOUNTS=true is needed). Keycloak (and other IDPs) is able to send the group memberships via claims in the tokens/userinfo.

Adding support for this makes perfect sense IMO. We already discussed this before. Though we should probably first fix the remaining issues with the user auto provisioning (like e.g. renames).
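Added example (not part of the thread and not oCIS code): a sketch of the claim-based group sync described in the comment above. It assumes the token signature, issuer and audience were already verified, that claims arrive as decoded by `encoding/json`, and that the claim is called `groups`; `PlanGroupSync` is a hypothetical name.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PlanGroupSync diffs the groups claim of an already-verified token against the
// user's current memberships. claimName is an assumption (admin-configurable).
func PlanGroupSync(claims map[string]interface{}, claimName string, current []string) (add, remove []string, err error) {
	raw, present := claims[claimName]
	if !present {
		return nil, nil, nil // claim absent: leave memberships untouched
	}
	list, ok := raw.([]interface{})
	if !ok {
		return nil, nil, fmt.Errorf("claim %q is not an array", claimName)
	}
	want := map[string]bool{}
	for _, v := range list {
		s, _ := v.(string)
		// Keycloak may send full paths ("/staff/admins"). Keep the whole path so
		// "/a/admins" and "/b/admins" never collapse into one local group.
		g := strings.TrimPrefix(strings.TrimSpace(s), "/")
		if g == "" {
			return nil, nil, fmt.Errorf("claim %q has an invalid entry", claimName)
		}
		want[g] = true
	}
	have := map[string]bool{}
	for _, g := range current {
		have[g] = true
		if !want[g] {
			remove = append(remove, g) // revoked at the IdP, revoke locally too
		}
	}
	for g := range want {
		if !have[g] {
			add = append(add, g)
		}
	}
	sort.Strings(add)
	return add, remove, nil
}

func main() { // constructed sample claims, not taken from a real token
	claims := map[string]interface{}{"groups": []interface{}{"/staff", "/staff/admins"}}
	fmt.Println(PlanGroupSync(claims, "groups", []string{"staff", "interns"}))
}
```

An absent claim leaves memberships alone, while an empty array removes them all; keeping the two cases apart stops a misconfigured mapper from silently stripping access.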

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

tbsbdr commented 1 year ago

PB1

dragotin commented 1 year ago

Offering for SCIM for keycloak: https://scim-for-keycloak.de/

tbsbdr commented 5 months ago

Acceptance Criteria

via oidc:

note