Expose teams as role/groups claims
Hello
I was testing out this extension and it works great except for support of hierarchical roles/groups.
Currently, if I want to give access to some service or give a role, I need to manually add it to every person. And Nextcloud groups don't support hierarchy (like Azure AD or LDAP), so it makes managing it a hassle.
Maybe it would make sense to expose all team memberships (including transitive) as claims too?
Currently the oidc app only uses the Nextcloud groups. Nevertheless, the LDAP groups (even those that are not mapped to a Nextcloud group) can be found in the accounts section in the groups column. I will try to investigate how to also make use of such groups in the oidc app.
What I mean by "LDAP-like groups" is ability to expose hierarchical structure.
I think Teams concept is the closest to what I want, as I can pack teams into teams and use different teams in hierarchy for different access levels inside my app.
Again, this is not something that blocks me in any way; it's already working great as it is. It's just that manually assigning groups is a bit tedious, but it's also a Nextcloud group limitation (no group hierarchy).
During the last weeks I did some further investigation on this topic. The oidc app strictly relies on the API provided by Nextcloud to access the groups. Nevertheless, if you are using an LDAP as user backend and the LDAP integration is correctly configured, your groups will be automatically available in Nextcloud and can also be used directly within the oidc app settings dialog (since the LDAP groups are also provided via the API). Therefore there should be no need to additionally assign groups in Nextcloud to users.
If there is a need for a hierarchical group structure please address this feature request to the Nextcloud server team. Once the Nextcloud API, which is used by apps to access the groups, is extended the oidc app could make use of this new functionality. But there will be no functionality integrated into the oidc app to define/retrieve other groups than provided via the Nextcloud API.
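To make concrete what "expose transitive team memberships as claims" would involve, here is an added example of resolving nested teams into flat `groups` and `roles` claim values. It is illustration code written for this thread, not code from the Nextcloud oidc app or the Nextcloud server; the team, user and role names are constructed, and it assumes a simple model where a team's member list may contain other teams (teams packed into teams). It also handles the failure mode a nested structure invites: a containment cycle, which a naive recursive walk would loop on.

```python
"""Resolve nested ("transitive") team membership into flat claim values.

Added example for this discussion; not part of the Nextcloud oidc app.
The membership model and all names below are constructed assumptions.
"""

from collections import deque

# Constructed sample: team -> set of direct members. A member is either a
# user id or the name of another team (nesting a team inside a team).
TEAMS = {
    "engineering": {"backend", "frontend", "alice"},
    "backend": {"bob", "platform"},
    "frontend": {"carol"},
    "platform": {"dave"},
    "admins": {"alice"},
}

# Constructed mapping from team to the application role it grants. Teams
# higher in the hierarchy grant broader (here: weaker) roles.
ROLE_MAP = {
    "engineering": "reader",
    "backend": "deployer",
    "admins": "admin",
}


def direct_teams_of(user, teams):
    """Teams that list the user explicitly."""
    return {team for team, members in teams.items() if user in members}


def parent_index(teams):
    """Map each nested team to the set of teams that contain it."""
    parents = {}
    for team, members in teams.items():
        for member in members:
            if member in teams:  # the member is itself a team
                parents.setdefault(member, set()).add(team)
    return parents


def transitive_teams_of(user, teams):
    """All teams the user belongs to directly or through nesting.

    Breadth-first walk upward through the containment graph. The visited
    set makes the walk terminate even if teams contain each other in a
    cycle, which an unguarded recursion would not.
    """
    parents = parent_index(teams)
    visited = set()
    queue = deque(direct_teams_of(user, teams))
    while queue:
        team = queue.popleft()
        if team in visited:
            continue
        visited.add(team)
        queue.extend(parents.get(team, ()))
    return visited


def groups_claim(user, teams):
    """Value for a `groups` claim: sorted so token contents are deterministic."""
    return sorted(transitive_teams_of(user, teams))


def roles_claim(user, teams, role_map):
    """Value for a `roles` claim derived from the transitive team set."""
    roles = {role_map[t] for t in transitive_teams_of(user, teams) if t in role_map}
    return sorted(roles)


def build_claims(user, teams=TEAMS, role_map=ROLE_MAP):
    """Claims an issuer would merge into the ID token / userinfo payload."""
    return {
        "sub": user,
        "groups": groups_claim(user, teams),
        "roles": roles_claim(user, teams, role_map),
    }


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(build_claims(user))
```

The relying party then checks a single role (for example `"deployer" in claims["roles"]`) instead of the issuer having to add every person to every group by hand, which is the manual assignment the thread describes. Note that in this model a user in a deeply nested team accumulates every enclosing team's role, so the nesting direction is itself a security decision: put the broad, low-privilege teams at the top and the narrow, high-privilege ones at the leaves.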