[FR] Autoprovision groups based on userinfo

[bcskda]

Hello

Currently autoprovisioning adds new users to a configuration-defined set of groups:

'auto-provision' => [
  'groups': ['employees']
]

Would you be interested in managing user's groups based on a userinfo claim? E.g., add a configuration option 'auto-provision' => [ 'groups-claim': 'groups' ] Then, if configured,

• treat the userinfo claim as a list of gid's
• add the user to specified groups that exist
• remove the user from extra ones

For current 'groups' => ['employees'] configurations, keep the same logic "add during user creation"

Both scenarios would be available and interchangeable:

• groups -> groups-claim transition would require administrators to configure their IdP and update existing user profiles on IdP side
• groups-claim -> groups transition would disable groups synchronization for existing profiles and work as expected for new profiles

The groups and groups-claim should probably be mutually exclusive

Are there any concerns with LDAP integration or any other source of group membership?

In case this is ok, I am willing to implement

[bcskda]

Anyway, this seems to work in our environment. Feel free to apply

https://gitlab.com/fpmi/owncloud-openidconnect/-/compare/8160194b3115717520dd695d89813c32234cc018...master?from_project_id=47930992&straight=false

[alex-metcalfe-358]

Is this implemented in the current release?