
Groups are exposed as GID, while displayed as displayName

Open Alikont opened this issue 8 months ago • 3 comments

So this caused a lot of confusion for me, and I'm not sure if it's me, if it is an issue, or if it should be configurable.

When groups are displayed in the Nextcloud UI they are displayed as their DisplayName, but in token claims they are exposed as GID, which causes confusion when you rename a group, as it's being exposed in the token as its old name.

Alikont avatar Apr 22 '25 08:04 Alikont

You are right that the GID is provided in the groups or roles claim. This is because the GID is the only unique identifier of a group. You can even rename groups so that they all have the same display name. Then it will no longer be possible to distinguish the groups in the ID token. But if the display name should be used in the claims, we could add an application setting to also use those strings within the claim.

H2CK avatar Apr 27 '25 15:04 H2CK

I think at least clarification of this in the readme in the scopes docs would solve this for me, as it's really confusing behavior.

Alikont avatar Apr 27 '25 15:04 Alikont

I will add some more information about this to the documentation in the next few days.

H2CK avatar Apr 27 '25 18:04 H2CK

With version 1.7.0 (released soon) there will be the option to switch the behavior. Based on the application configuration the groupID or the display name will be used.

H2CK avatar May 03 '25 15:05 H2CK

Release 1.7.0 is now available, which adds the possibility to use the display name instead of the group ID. For details, have a look at the documentation.

H2CK avatar May 06 '25 08:05 H2CK
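
The difference between the two claim modes discussed in this thread, as an added example that is not part of the issue or the app's own code: a small Python model of a groups claim built from GIDs versus display names, with a check for display names shared by several groups. All group names, users and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. The group with GID "staff" was renamed in the UI
# to "Employees"; a second group was later given the same display name.
GROUPS = [
    {"gid": "staff", "displayName": "Employees"},
    {"gid": "contractors", "displayName": "Employees"},
    {"gid": "admin", "displayName": "admin"},
]
MEMBERSHIP = {"alice": ["staff", "admin"], "bob": ["contractors"]}


def groups_claim(user, use_display_name=False):
    """Build the groups claim for a user from GIDs or from display names."""
    by_gid = {g["gid"]: g for g in GROUPS}
    key = "displayName" if use_display_name else "gid"
    return sorted(by_gid[gid][key] for gid in MEMBERSHIP.get(user, []))


def ambiguous_display_names():
    """Return display names that map to more than one GID."""
    seen = defaultdict(list)
    for g in GROUPS:
        seen[g["displayName"]].append(g["gid"])
    return {name: sorted(gids) for name, gids in seen.items() if len(gids) > 1}


def is_authorized(claim, required_group):
    """Relying-party check: a plain string match on the groups claim."""
    return required_group in claim


if __name__ == "__main__":
    # GID mode: the renamed group still appears under its original GID.
    print("alice, GID mode:         ", groups_claim("alice"))
    # Display-name mode: the claim matches what the UI shows.
    print("alice, display-name mode:", groups_claim("alice", True))
    # Collision: bob is only in "contractors" but his claim reads "Employees".
    print("bob, display-name mode:  ", groups_claim("bob", True))
    print("ambiguous display names: ", ambiguous_display_names())
```

A relying party that matches on display names cannot tell `staff` from `contractors` here, so a check like `ambiguous_display_names()` is worth running before display names are used for authorization.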