pulsejet / nextcloud-oidc-login

Nextcloud login via a single OpenID Connect 1.0 provider
https://apps.nextcloud.com/apps/oidc_login
GNU Affero General Public License v3.0

Cannot get is_admin to function correctly #237

Closed Reinitialized closed 1 year ago

Reinitialized commented 1 year ago

I am in the process of setting up Nextcloud with Authentik using this application. I have gotten the login_filters working as expected; however, I cannot get is_admin to work at all! I have even attempted having it return "true" or "false" as a string vs. a boolean to see if it was a format issue, but no dice ...

Below is how it is configured:

    'oidc_login_attributes' => array (
        'id' => 'sub',
        'name' => 'name',
        'mail' => 'email',
        'login_filter' => 'groups',
        'is_admin' => 'isCloudAdministrator',
    ),
    'oidc_login_scope' => 'email profile isCloudAdministrator',

Reinitialized commented 1 year ago

I ran my OAuth queries through a debugger and noted that, despite the scope being there, isCloudAdministrator is not being returned in the results. As a stopgap, I have gotten this working for now using the flattened groups_NameOfClaimGroups method.

As it usually goes when you open a "ticket/issue" for support, this is looking to be a case of user error (oops!) since I am rather new to OIDC, but regardless I will leave this open for now so I can post an update on what resolved the original issue in the long run for all the time travelers :)

Reinitialized commented 1 year ago

Confirmed to be user error! In case anyone who is using Authentik comes across this issue, you will need to set up your Scope Mapping Expression to return a dictionary like so:

    # Authentik scope-mapping expression: the returned dict is merged into the token claims.
    claims = {
        "isCloudAdministrator": False
    }
    # Set the flag for members of either admin group.
    if request.user.ak_groups.filter(name="Global Administrator").exists():
        claims["isCloudAdministrator"] = True
    if request.user.ak_groups.filter(name="Cloud Administrator").exists():
        claims["isCloudAdministrator"] = True

    return claims

Apologies for the issue, but hope it helps the time travelers!

willyp713 commented 7 months ago

As an alternative, you can set this up by creating a "groups" scope, which I discovered during Jellyfin configuration.

Use the expression: return [group.name for group in user.ak_groups.all()]


Then in your Nextcloud config.php make sure your login attributes array is pulling this new groups scope, and the name of your relevant admin group from Authentik:

    'oidc_login_attributes' => array (
        'id' => 'sub',
        'name' => 'name',
        'mail' => 'email',
        'groups' => 'groups',
        'is_admin' => 'groups_nextcloudAdmins',
    ),

Thanks to @cyl3x in #221 for the idea.
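A small Python model of how the two mappings in this thread (the boolean isCloudAdministrator claim from the earlier comment and the groups list from this one) resolve to is_admin, added here as an illustration and not taken from the plugin; the flattening rule for list claims and the handling of string values are assumptions, and the sample payloads are constructed.

```python
# Added illustration, not the plugin's code: a simplified model of how an
# OIDC token/userinfo payload becomes the flat attribute map addressed by
# 'oidc_login_attributes', and how 'is_admin' is resolved from it.
# The flattening rule (list claim "groups" -> "groups_<member>" keys) is an
# assumption based on the "groups_nextcloudAdmins" mapping used in this thread.

def flatten_claims(claims: dict, prefix: str = "") -> dict:
    """Flatten nested dicts and lists into single-level keys.

    {"groups": ["nextcloudAdmins"]} -> {..., "groups_nextcloudAdmins": True}
    """
    flat = {}
    for key, value in claims.items():
        name = f"{prefix}{key}"
        flat[name] = value
        if isinstance(value, dict):
            flat.update(flatten_claims(value, f"{name}_"))
        elif isinstance(value, list):
            for item in value:
                if isinstance(item, (str, int)):
                    flat[f"{name}_{item}"] = True
    return flat


def is_admin(claims: dict, attributes: dict) -> bool:
    """Resolve the configured 'is_admin' attribute to a boolean, failing closed."""
    key = attributes.get("is_admin")
    if not key:
        return False
    value = flatten_claims(claims).get(key)
    # A claim that was requested in the scope but never emitted by the provider
    # (the situation in the original report) must not grant admin.
    if value is None:
        return False
    # Strings are compared explicitly (assumption): bool("false") would be True.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


# Constructed sample payloads for the two approaches discussed above.
BOOLEAN_CLAIM = {"sub": "u1", "isCloudAdministrator": True}
GROUPS_CLAIM = {"sub": "u2", "groups": ["users", "nextcloudAdmins"]}
MISSING_CLAIM = {"sub": "u3"}  # the original failing case

ATTRS_BOOLEAN = {"id": "sub", "is_admin": "isCloudAdministrator"}
ATTRS_GROUPS = {"id": "sub", "groups": "groups", "is_admin": "groups_nextcloudAdmins"}
```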