
Can't get groups from keycloak

Open verovd opened this issue 3 years ago • 2 comments

We can't get groups using keycloak and candid. Could you implement a function that gets groups? https://github.com/canonical/candid/blob/master/idp/openid/openid-connect.go#L219

If I'm not wrong, it is the same function that is used in usso: https://github.com/canonical/candid/blob/master/idp/usso/usso.go#L306

There is also openid, as far as I know.

verovd avatar Apr 20 '21 16:04 verovd

@mhilton Hi! Can I help to solve this problem? What do I need to know to help?

verovd avatar Jun 21 '21 16:06 verovd

Hi @verovd,

Groups aren't a standard part of OpenID Connect, so they need custom support for each identity provider. The usso provider (which uses an older version of the OpenID protocol) relies on https://launchpad.net to provide the group information, for example.

For keycloak one would have to look at the keycloak API to find how to retrieve group information for a user and then add that functionality into the keycloak provider. That might mean either providing candid credentials such that it can read the group information for any user, or possibly storing the OAuth tokens that are returned in the OpenID Connect login process to use to retrieve group information.

The keycloak identity provider was a community addition to candid; within Canonical we don't have any experience with using it as an identity provider. It is hard to say exactly what adding group support will require in this case.

mhilton avatar Jun 22 '21 08:06 mhilton
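To make the first option above concrete (candid holding its own credential that can read any user's groups), here is an added Go example that is neither candid's code nor part of this thread: it fetches one user's groups from Keycloak's admin REST API with a bearer token and runs against a constructed stand-in server. The realm `demo`, user id `u-123`, token `admin-token` and the group names are assumptions.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// keycloakGroup holds the GroupRepresentation fields worth mapping onto candid groups.
type keycloakGroup struct {
	Name string `json:"name"`
	Path string `json:"path"` // unique within a realm, unlike Name
}

// fetchUserGroups calls GET /admin/realms/{realm}/users/{id}/groups on the Keycloak
// admin REST API; the bearer token needs the view-users role ("candid credentials").
func fetchUserGroups(c *http.Client, base, realm, userID, token string) ([]keycloakGroup, error) {
	req, err := http.NewRequest(http.MethodGet,
		fmt.Sprintf("%s/admin/realms/%s/users/%s/groups", base, realm, userID), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	// Never treat 401/403 as "no groups": that would silently drop access control.
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("keycloak returned %s", resp.Status)
	}
	var groups []keycloakGroup
	if err := json.NewDecoder(resp.Body).Decode(&groups); err != nil {
		return nil, err
	}
	return groups, nil
}

// newFakeKeycloak is a constructed stand-in for Keycloak so the example runs
// offline: it enforces the bearer token and serves the constructed groups of u-123.
func newFakeKeycloak() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer admin-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode([]keycloakGroup{{"admins", "/admins"}, {"ops", "/infra/ops"}})
	}))
}
```

Whichever option is chosen, the provider should map on the group path rather than the bare name, since Keycloak allows the same name under different parents.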