pulsejet / nextcloud-oidc-login

Nextcloud login via a single OpenID Connect 1.0 provider
https://apps.nextcloud.com/apps/oidc_login
GNU Affero General Public License v3.0

Plugin behavior questions #35

Open paco-coutaud opened 4 years ago

paco-coutaud commented 4 years ago

Hi !

First, I would like to thank you a lot for this great plugin! I'm using Keycloak as my IdP and I have some questions I can't find an answer to:

Thanks in advance ! Paco

pulsejet commented 4 years ago

Hi!

The plugin primarily allows authentication with OIDC; not sure what authorization would be in this context. Keycloak should actually not be allowing the OIDC process to complete in this case, so not sure what is happening here.

Attribute mapping can be done for the fields listed in the readme as of now. PRs are welcome if you can expand this :)

paco-coutaud commented 4 years ago

Thanks for your answer ! :)

Yes, I don't understand either. I will try to debug more, but I assume that the response from Keycloak failed because when I evaluate the user's permissions, it's marked as DENY. I don't know if other people have a similar issue.

For attribute mapping, it's not mandatory; I was just asking because it would be nice to have :)

quenenni commented 4 years ago

Hello,

I also would like to thank you for this excellent app.

But I spent lots of time with the same problem as Paco. I configured the authorization of the Nextcloud client and tested several scenarios. If I use the "Evaluate" process in Keycloak, it tells me access denied for a specific user (that's what I wanted), but despite everything, that user can log in to Nextcloud.

My authorization setting is quite simple. All have access except if the username is xxx.

Any idea why?

quenenni commented 4 years ago

And for the attribute mapping, it's going to be important for us. Where do I find the Nextcloud field names that will be mapped? Do I have to check the table fields in the DB?

paco-coutaud commented 4 years ago

Hi !

I went deeper into my searches and, as I understand it, clients (so Nextcloud in our case) should check whether the user logging in is granted access to a specified resource (protected resource). As Nextcloud doesn't natively support OIDC, perhaps the plugin should do this job too...

Keycloak on its side implements a way to protect resources (via the Authorization tab under the client), but if the client isn't checking that after the login flow succeeds, then the user will be allowed all resources on the server.

Be aware that it's not part of the login flow; that's why users are still able to log in even with a DENY response from the IdP!

For Keycloak, there seems to be an extension that implements this mechanism even if it's not the IdP's role. You can find it at https://www.keycloak.org/extensions.html (Client Authorization). The project is on GitHub and the introduction is very interesting: https://github.com/cloudtrust/keycloak-authorization

I didn't test it for now, and in my opinion it stays just a workaround, as in a perfect world clients should handle this task.

quenenni commented 4 years ago

@paco-coutaud

Very nice. Thanks for sharing.

This extension looked very promising; unfortunately, it's not working for the current version of Keycloak, and I'm not sure it will be updated any time soon. Check this recent ticket: https://github.com/cloudtrust/keycloak-authorization/issues/9 That's sad. It would have been very useful for all the clients that don't manage OIDC.

paco-coutaud commented 4 years ago

Hi !

I will see in the next few weeks/months with my team whether we can have a look at the Keycloak client authorization plugin and at the Nextcloud OpenID plugin. Perhaps we could bring improvements on this side. It will depend on our priorities, as we are currently at the beginning of our SSO investigation tasks.

From our side we tested in a lab three plugins:

All of these plugins have their strengths and weaknesses. None of them brings us entire satisfaction for now, so we are investigating what we can do. :)

quenenni commented 4 years ago

@paco-coutaud That is already very good news.

Can I ask you, when you tried the social plugin, configured with a Keycloak server and not one of the listed social IdPs, did you test that you can't access Nextcloud if the IdP refuses access (as explained in this ticket)?

If yes, that means Nextcloud can refuse access based on the token. And that should mean this plugin can be enhanced to act correctly based on the token too.

SSO & SAML, I didn't test, because I read before testing that, despite SAML being able to manage Nextcloud groups (an improvement compared to OIDC), there were problems elsewhere (i.e., the Nextcloud client won't work, as mentioned in the comments here: https://stackoverflow.com/questions/48400812/sso-with-saml-keycloak-and-nextcloud). But now that I have tried OIDC and re-read this SAML config, maybe it's possible to make the client work.

Did you test the SAML way up to that point?

paco-coutaud commented 4 years ago

Hi !

When we tried the Nextcloud social plugin we weren't able to use the authorization process as explained in this ticket (via the Keycloak Authorization tab), BUT you can add a mapper for the client roles and deny access to users that are not in a specific role. You can also map a role to the internal Nextcloud admin one for easier user management. But for us there is another issue with this plugin. As we are using an LDAP backend and have existing users, it's very important that we can map the LDAP unique ID attribute (the objectGUID attribute from AD) to the Nextcloud ID attribute. And in all the tests we did, it's prefixed by the IdP name, something like keycloak-social-UID instead of UID as we would want. So for now, not a solution for us.

For the SSO & SAML plugin, we tested it, but in a general way with no deeper investigation, as we prefer to use OIDC for several reasons. I didn't test authentication with the Nextcloud client. But as I recall, we were able to map roles but not deny access based on them. Perhaps I'm wrong, but I'm pretty sure that this was the behavior we had.
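The recurring point in this thread, that a successful OIDC login says nothing about whether the user is authorized and that the client has to enforce roles or groups from the token itself (the role-mapper approach described above), illustrated as an added Python example. This is not code from the nextcloud-oidc-login plugin or from any of the commenters. It assumes Keycloak's `resource_access.<client>.roles` claim layout, an optional `groups` claim produced by a group-membership mapper, the client ID `nextcloud`, and constructed sample claims; it runs after the token's signature, issuer, audience and expiry have already been verified.

```python
"""Added example (not part of nextcloud-oidc-login): a post-login authorization
gate for an OIDC relying party. Authentication (a valid ID token) is not
authorization; the client must still decide whether this user may use the app.
Claim layout assumed: Keycloak's resource_access.<client>.roles for client
roles, preferred_username, and an optional groups claim (which needs a
group-membership mapper on the Keycloak client)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessPolicy:
    client_id: str = "nextcloud"                          # Keycloak client ID (assumed)
    required_role: Optional[str] = None                   # client role needed to log in
    denied_users: Set[str] = field(default_factory=set)   # explicit block list
    admin_role: Optional[str] = None                      # client role mapped to Nextcloud "admin"


def client_roles(claims: Dict, client_id: str) -> Set[str]:
    """Extract the client-scoped roles Keycloak places under resource_access."""
    return set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))


def authorize(claims: Dict, policy: AccessPolicy) -> Tuple[bool, str, List[str]]:
    """Decide whether an already-validated token holder may log in.

    Returns (allowed, reason, nextcloud_groups). The caller must have verified
    signature, issuer, audience and expiry before calling this; a valid token
    alone never grants access here.
    """
    username = claims.get("preferred_username")
    if not username:
        return False, "token has no preferred_username claim", []
    if username in policy.denied_users:
        return False, f"user {username} is explicitly denied", []
    roles = client_roles(claims, policy.client_id)
    if policy.required_role and policy.required_role not in roles:
        return False, f"user {username} lacks required role {policy.required_role}", []
    groups = sorted(claims.get("groups", []))
    if policy.admin_role and policy.admin_role in roles:
        groups.append("admin")   # map the IdP role onto Nextcloud's built-in admin group
    return True, "ok", groups


# Constructed sample claims (not real tokens). The "xxx" user mirrors the
# thread's example of a user the IdP policy is meant to deny.
POLICY = AccessPolicy(required_role="nextcloud-user",
                      denied_users={"xxx"},
                      admin_role="nextcloud-admin")

SAMPLE_CLAIMS = {
    "alice": {"preferred_username": "alice", "groups": ["staff"],
              "resource_access": {"nextcloud": {"roles": ["nextcloud-user"]}}},
    "bob":   {"preferred_username": "bob", "groups": ["it"],
              "resource_access": {"nextcloud": {"roles": ["nextcloud-user", "nextcloud-admin"]}}},
    "xxx":   {"preferred_username": "xxx",
              "resource_access": {"nextcloud": {"roles": ["nextcloud-user"]}}},
    # carol holds the role on a different client, which must not count
    "carol": {"preferred_username": "carol",
              "resource_access": {"other-app": {"roles": ["nextcloud-user"]}}},
}


def run_samples() -> Dict[str, Tuple[bool, str, List[str]]]:
    """Evaluate every constructed sample against POLICY."""
    return {name: authorize(claims, POLICY) for name, claims in SAMPLE_CLAIMS.items()}


if __name__ == "__main__":
    for name, (ok, reason, groups) in run_samples().items():
        print(f"{name:6} -> {'ALLOW' if ok else 'DENY'} {reason} groups={groups}")
```

The gate is deliberately fail-closed: a token with no `preferred_username`, a role attached to another client, or a missing required role all deny, and only the explicit `admin_role` mapping adds the `admin` group. Running the block prints one ALLOW/DENY line per sample.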

paco-coutaud commented 3 years ago

Hi !

Short update... We finally did the migration on our side with the Social Plugin for Nextcloud, to have the capability to reject users that are not included in specific groups and to map Keycloak groups to admin and standard Nextcloud groups. Only this one provides such features for now. It works pretty well and all our requirements are met. As the UIDs of the accounts changed, we just transferred file ownership from the old accounts (LDAP based) to the new ones (SSO based). Our Nextcloud instance is now fully connected with the Keycloak IdP.

But we have lots of clients to migrate to SSO authentication, and after a first investigation it seems that many of them don't implement the Keycloak authorization flow. So we decided to have a look at the Keycloak Authorization plugin to handle this task directly in the IdP, even if it shouldn't be in its scope in a perfect world. We created a ticket in our Jira and had our first meeting about it today. The aim is to open a PR if we succeed in updating the Keycloak plugin to match the latest Keycloak version. Let's see...

jonathanmmm commented 2 years ago

@paco-coutaud I did it so that this plugin gets the user from LDAP and is not allowed to register new users. In LDAP I created a manual filter rule to exclude people in a specific LDAP group. That way they can't log in.