Open mwinters-stuff opened 2 months ago
@mwinters-stuff Thanks for your report.
This is interesting because for me it is not clear what your expectations are.
Authelia currently has no "roles" claim. Some people from our team tried to use the "groups" claim (@kulmann and @TheOneRing). After creating a new role mapping config https://owncloud.dev/services/proxy/#automatic-role-assignments it starts working for the Web Client. On the desktop client, we debugged that Authelia currently has no way to assign default scopes to a client, so the "groups" claim is always empty when the desktop client tries to log in. That needs to be clarified with upstream Authelia: a) whether this is possible, or b) whether it is on the roadmap.
Manage the role assignment in the oCIS Admin UI.
To do that, you need to set PROXY_ROLE_ASSIGNMENT_DRIVER=default.
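For reference, this is what the "groups"-claim route from the comment above looks like as an oCIS proxy configuration. It is an added illustration, not configuration from the thread, the oCIS project or Authelia: the section and key names follow the automatic-role-assignments page linked above and should be checked against the oCIS release in use, and the group names on the right-hand side are assumed. The alternative the comment recommends, keeping assignment in the Admin UI, is `driver: default`.

```yaml
# proxy.yaml fragment (added example; key names per the linked oCIS docs,
# group names are assumptions). Equivalent environment variables:
#   PROXY_ROLE_ASSIGNMENT_DRIVER=oidc
#   PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=groups
role_assignment:
  # "default": roles are managed in the Admin UI (what the comment recommends
  #            while the desktop client cannot obtain the groups claim).
  # "oidc":    roles are derived on every login from a claim in the token.
  driver: oidc
  oidc_role_mapper:
    # Authelia exposes "groups", not "roles"; the claim is only populated
    # when the client actually requests the "groups" scope.
    role_claim: groups
    role_mapping:
      - role_name: admin
        claim_value: ocis-admins
      - role_name: spaceadmin
        claim_value: ocis-spaceadmins
      - role_name: user
        claim_value: ocis-users
      - role_name: guest
        claim_value: ocis-guests
```

With `driver: oidc`, a user whose token carries none of the mapped values gets no role, which is the empty-groups failure the desktop client runs into; with `driver: default`, the assignment made in the Admin UI persists regardless of what the token contains.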
OK, yes, using Authelia as the user source, and using the comment from the 6.1.0 release:
Enhancement - Autoprovision group memberships: #9458
When PROXY_AUTOPROVISION_ACCOUNTS is enabled it is now possible to automatically
maintain the group memberships of users via a configurable OIDC claim
Then I was under the assumption that the OIDC groups would work for the roles; this appears to be limited in some manner by Authelia still.
I will see if the role assignment using OCIS is possible.
OK, fantastic, I can log in with Authelia... that's a big change from before.
Now, though, I am not able to become the admin user, even though OCIS_ADMIN_USER_ID=mathew
and my username is "mathew".
I have re-enabled idp,
but no admin user? Any tips? I would like to be able to create Spaces.
You do not need the idp service.
The admin user can be defined with the variable you use, but you need to use the UUID of the oCIS user. That can be seen in the browser network tab when the Web UI fetches information from graph/user.
Excellent, got it working! Thanks. I will try to create a "working" example somewhere.
Re-opened. Got to trying the web client and Android client; both fail to log in. The URL becomes:
http://127.0.0.1:41385/?error=invalid_request&error_description=The+request+is+missing+a+required+parameter%2C+includes+an+invalid+parameter+value%2C+includes+a+parameter+more+than+once%2C+or+is+otherwise+malformed.+Used+unknown+value+%27%5Bselect_account+consent%5D%27+for+prompt+parameter&iss=https%3A%2F%2Fauth.example.org.nz&state=yrFE6W--X-HEHd4FIb1YPSKjrDGJ_dGdR-ZdL6lk1m0%3D
Which, decoded by the browser, has the parameters:
error: invalid_request
error_description: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Used unknown value '[select_account consent]' for prompt parameter
iss: https://auth.example.org.nz
state: yrFE6W--X-HEHd4FIb1YPSKjrDGJ_dGdR-ZdL6lk1m0=
Any more ideas? Thanks.
Hm, the ownCloud client currently always sends the prompt=select_account consent query parameter with the authorization request. Authelia does not support the select_account value and therefore rejects the request.
AFAIK the ownCloud client master already has some support for evaluating the prompt_values_supported setting returned by the Authelia IdP (https://github.com/owncloud/client/pull/11729). But I don't know when that will be baked into a release.
It might be possible to add some clever rewriting rules to the traefik proxy to remove the prompt parameter from the request as a workaround.
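Added example of the client-side behaviour the comment above describes; it is not code from the ownCloud client, oCIS or Authelia. It reads prompt_values_supported from the provider's discovery document, drops any requested prompt value the provider does not advertise before building the authorization request, and decodes an error redirect like the one pasted above while checking that the returned state is the one that was sent. The discovery document is constructed (the Authelia endpoint path and the exact supported list are assumptions; only the absence of select_account matters), the redirect URL is the one from this thread, and the client ID and scopes are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Discovery is the subset of OpenID Provider metadata this example reads.
// prompt_values_supported is optional: a provider that omits it gives no
// signal about which prompt values it accepts, so the slice stays nil.
type Discovery struct {
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	PromptValuesSupported []string `json:"prompt_values_supported"`
}

// Constructed discovery document modelled on an Authelia-style provider that
// does not list select_account. Endpoint path and list are assumptions.
const autheliaDiscovery = `{
  "issuer": "https://auth.example.org.nz",
  "authorization_endpoint": "https://auth.example.org.nz/api/oidc/authorization",
  "prompt_values_supported": ["consent", "none"]
}`

// Error redirect copied from the thread above (the provider rejected the request).
const errorRedirect = "http://127.0.0.1:41385/?error=invalid_request&error_description=The+request+is+missing+a+required+parameter%2C+includes+an+invalid+parameter+value%2C+includes+a+parameter+more+than+once%2C+or+is+otherwise+malformed.+Used+unknown+value+%27%5Bselect_account+consent%5D%27+for+prompt+parameter&iss=https%3A%2F%2Fauth.example.org.nz&state=yrFE6W--X-HEHd4FIb1YPSKjrDGJ_dGdR-ZdL6lk1m0%3D"

// ParseDiscovery decodes provider metadata; unknown fields are ignored.
func ParseDiscovery(doc string) (Discovery, error) {
	var d Discovery
	err := json.Unmarshal([]byte(doc), &d)
	return d, err
}

// FilterPrompt keeps only the prompt values the provider advertises. A nil
// supported list (field absent) passes the request through unchanged; an
// empty list means the provider accepts no prompt value at all.
func FilterPrompt(requested, supported []string) []string {
	if supported == nil {
		return requested
	}
	ok := make(map[string]bool, len(supported))
	for _, s := range supported {
		ok[s] = true
	}
	var kept []string
	for _, r := range requested {
		if ok[r] {
			kept = append(kept, r)
		}
	}
	return kept
}

// BuildAuthorizeURL assembles an authorization-code request; prompt is only
// sent when at least one requested value survived filtering.
func BuildAuthorizeURL(d Discovery, clientID, redirectURI, state string, scopes, prompt []string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	if p := FilterPrompt(prompt, d.PromptValuesSupported); len(p) > 0 {
		q.Set("prompt", strings.Join(p, " "))
	}
	return d.AuthorizationEndpoint + "?" + q.Encode()
}

// ParseErrorRedirect extracts the OAuth error fields from the redirect URL.
// It refuses to report anything when the state does not match the one sent:
// an error response carrying a foreign state is not ours to act on.
func ParseErrorRedirect(raw, expectedState string) (map[string]string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	q := u.Query() // decodes %XX and '+' into the original values
	if q.Get("state") != expectedState {
		return nil, fmt.Errorf("state mismatch: got %q", q.Get("state"))
	}
	out := map[string]string{}
	for _, k := range []string{"error", "error_description", "iss"} {
		out[k] = q.Get(k)
	}
	return out, nil
}

func main() {
	d, err := ParseDiscovery(autheliaDiscovery)
	if err != nil {
		panic(err)
	}
	state := "yrFE6W--X-HEHd4FIb1YPSKjrDGJ_dGdR-ZdL6lk1m0="
	prompt := []string{"select_account", "consent"} // what the client sends today
	fmt.Println(BuildAuthorizeURL(d, "ocis-desktop", "http://127.0.0.1:41385/", state,
		[]string{"openid", "profile", "email", "groups"}, prompt))
	fields, err := ParseErrorRedirect(errorRedirect, state)
	if err != nil {
		panic(err)
	}
	fmt.Println(fields["error"]+":", fields["error_description"])
}
```

Against the constructed discovery document the request goes out with `prompt=consent` only, which is the same effect the Traefik rewrite workaround would have, but decided per provider instead of hard-coded in the proxy; against a provider that publishes no prompt_values_supported the original two values are sent unchanged.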
Describe the bug
Authelia 4.38.9, configured with the following:
oCIS, configured via Kubernetes, using a Docker container I had to create for 6.1:
deployment.yaml
config.yaml
result
Expected behavior
I expect to be able to login.
Actual behavior
I can not login.
Setup
Please describe how you started the server and provide a list of relevant environment variables or configuration files.
Additional context
I am currently using Keycloak, but I only have one service on Keycloak and everything else under Authelia, and reading what is now available, I should be able to use Authelia to authenticate.