pulsejet / nextcloud-oidc-login

Nextcloud login via a single OpenID Connect 1.0 provider
https://apps.nextcloud.com/apps/oidc_login
GNU Affero General Public License v3.0

Admin user removed from admin group when logging #204

Closed xyko0 closed 1 year ago

xyko0 commented 1 year ago

Hello,

I have an issue: after successfully logging in with my admin user via Authelia, I'm no longer part of the admin group.

Can someone help me understand what I did wrong?

Here's what I added in the config.php (I replaced my domain with example.com):

  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  'oidc_login_provider_url' => 'https://auth.example.com',
  'oidc_login_client_id' => 'nextcloud',
  'oidc_login_client_secret' => 'nextcloud_client_secret',
  'oidc_login_auto_redirect' => false,
  'oidc_login_end_session_redirect' => false,
  'oidc_login_button_text' => 'Log in with Authelia',
  'oidc_login_hide_password_form' => false,
  'oidc_login_use_id_token' => true,
  'oidc_login_attributes' => array (
      'id' => 'preferred_username',
      'name' => 'name',
      'mail' => 'email',
      'groups' => 'groups',
  ),
  'oidc_login_default_group' => 'oidc',
  'oidc_login_use_external_storage' => false,
  'oidc_login_scope' => 'openid profile email groups',
  'oidc_login_proxy_ldap' => false,
  'oidc_login_disable_registration' => true,
  'oidc_login_redir_fallback' => false,
  'oidc_login_alt_login_page' => 'assets/login.php',
  'oidc_login_tls_verify' => true,
  'oidc_create_groups' => false,
  'oidc_login_webdav_enabled' => false,
  'oidc_login_password_authentication' => false,
  'oidc_login_public_key_caching_time' => 86400,
  'oidc_login_min_time_between_jwks_requests' => 10,
  'oidc_login_well_known_caching_time' => 86400,
  'oidc_login_update_avatar' => false,

And here is Authelia's conf, if it helps:

      - id: nextcloud
        description: NextCloud
        secret: '$plaintext$nextcloud_client_secret'
        public: false
        authorization_policy: one_factor
        redirect_uris:
          - https://nextcloud.example.com/apps/oidc_login/oidc
        scopes:
          - openid
          - profile
          - email
          - groups
        userinfo_signing_algorithm: none

Server: Docker, latest version
Client: Current version
Reverse proxy: Traefik v2
OIDC provider: Authelia

pulsejet commented 1 year ago

Well you're using groups from the OIDC provider. My guess is Authelia doesn't return the admin group for admin? Then the user will be removed from the group.

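A small model of the claim-driven group sync pulsejet describes, added here as an illustration (not the oidc_login app's own code): it decodes the `groups` claim from a constructed, unsigned ID token and computes which groups a sync would add or remove for a user who currently sits in `admin`. Treating `oidc_login_default_group` as always added is an assumption of this example, and `jwt_payload` only inspects claims, it does not verify anything.

```python
import base64
import json

# Claim names taken from the 'oidc_login_attributes' mapping in the config above.
ATTR_MAP = {"id": "preferred_username", "name": "name", "mail": "email", "groups": "groups"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) so the example runs offline.
    This is sample data, not a real token from Authelia."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_payload(token: str) -> dict:
    """Decode only the payload segment to look at the claims the provider sends.
    No signature verification happens here; use it for inspection, not for trust."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def plan_group_sync(claims, current_groups, attr_map=ATTR_MAP, default_group=None):
    """Return (target_groups, added, removed) for a provider-driven sync.

    Membership is replaced by the 'groups' claim, so any current group that the
    provider does not return (e.g. 'admin') ends up in 'removed'. Adding the
    configured default group ('oidc' in the thread) is assumed here."""
    claimed = set(claims.get(attr_map["groups"], []))
    if default_group:
        claimed.add(default_group)
    current = set(current_groups)
    return sorted(claimed), sorted(claimed - current), sorted(current - claimed)


def admin_would_be_removed(claims, current_groups, admin_group="admin", **kw) -> bool:
    """Pre-flight check an admin can run against a captured id_token payload."""
    _, _, removed = plan_group_sync(claims, current_groups, **kw)
    return admin_group in removed


if __name__ == "__main__":
    token = make_unsigned_jwt({"preferred_username": "alice", "groups": ["users"]})
    print(plan_group_sync(jwt_payload(token), ["admin", "users"], default_group="oidc"))
```
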
xyko0 commented 1 year ago

@pulsejet I tried to create a group "admin" in my LDAP in the same OU as the other groups and added my user to it. It still doesn't work =/

xyko0 commented 1 year ago

Nvm, maybe some cache staying... It now works perfectly! Thanks for the idea @pulsejet 😃