
[Enhancement]: OIDC: Add possibility to specify names of group claims

Open v3DJG6GL opened this issue 1 year ago • 7 comments

Describe the feature/enhancement

With #2769 we do now have the possibility to specify Group Claims for the groups admin, user and guest. While I really appreciate that feature, it would be nice to also specify the names of these groups, rather than relying on these hardcoded names admin, user and guest. I do have a setup with Authelia and LLDAP and I do have a lot of different user groups specified which are allowed to use specific services. As an example, I do have a nextcloud_users group for all users that are allowed to use Nextcloud and a jellyfin_users group for all users that are allowed to use Jellyfin. The same goes for admin groups, although that's less relevant in my case. I'd love to see a similar option for ABS :)

v3DJG6GL, Apr 24 '24 12:04

You should be able to use whatever group names you want and just add a custom property mapping. I haven't used Authelia, but I used Authentik to successfully map some groups I set up with different names. I followed @Sapd's guide in this PR https://github.com/advplyr/audiobookshelf/pull/2769

advplyr, Apr 24 '24 14:04
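The "custom property mapping" approach in the comment above, as an added illustration that is not audiobookshelf, Authentik or Authelia code: the identity provider rewrites its own group names into the fixed role names (admin, user, guest) before they land in the group claim, so the application never needs to know the site-specific names. The claim name `groups`, the IdP group names such as `abs_admins` and `jellyfin_users`, the mapping table and the rule that a user with no mapped role is denied are assumptions made for the example.

```python
# Added example, not code from audiobookshelf or any identity provider.
# Models an IdP-side attribute mapping: site-specific group names are
# translated into the fixed role names the application expects, and the
# application then resolves one role from the claim (or denies login).
from typing import Dict, Iterable, List, Optional

# Role precedence, highest first (assumption: admin outranks user outranks guest).
ROLE_PRECEDENCE = ("admin", "user", "guest")

# Hypothetical mapping an administrator maintains on the IdP side.
# Only groups listed here are ever forwarded; everything else (e.g. the
# jellyfin_users group from the issue) is dropped before the token is issued.
GROUP_TO_ROLE: Dict[str, str] = {
    "abs_admins": "admin",
    "abs_users": "user",
    "abs_guests": "guest",
}


def map_groups_to_claim(idp_groups: Iterable[str],
                        mapping: Dict[str, str] = GROUP_TO_ROLE) -> List[str]:
    """IdP side: translate directory group names into application role names.

    Unknown groups are silently dropped so that unrelated memberships never
    leak into the token handed to this application. The result is ordered by
    precedence so the claim is stable regardless of directory ordering.
    """
    roles = {mapping[g] for g in idp_groups if g in mapping}
    return [r for r in ROLE_PRECEDENCE if r in roles]


def resolve_role(claim_groups: Iterable[str]) -> Optional[str]:
    """Application side: pick the highest-precedence recognised role.

    Returns None when no recognised role is present, which the caller treats
    as "deny login" (assumption: a configured group claim is authoritative).
    """
    present = set(claim_groups)
    for role in ROLE_PRECEDENCE:
        if role in present:
            return role
    return None


def build_id_token_claims(sub: str, idp_groups: Iterable[str]) -> dict:
    """Constructed stand-in for the claims an IdP would put in the ID token."""
    return {
        "sub": sub,
        "groups": map_groups_to_claim(idp_groups),
    }


if __name__ == "__main__":
    # Constructed directory memberships for three users.
    for sub, groups in [
        ("alice", ["jellyfin_users", "abs_admins", "abs_users"]),
        ("bob", ["nextcloud_users", "abs_users"]),
        ("carol", ["jellyfin_users"]),
    ]:
        claims = build_id_token_claims(sub, groups)
        role = resolve_role(claims["groups"])
        print(sub, claims["groups"], "->", role if role else "DENIED")
```

The feature request in this issue is, in effect, to move the `GROUP_TO_ROLE` table from the IdP into audiobookshelf's own settings, which matters for providers such as Authelia that cannot rewrite claims. Note the deny-by-default branch: a user who is in none of the mapped groups (carol above) gets no role at all rather than falling through to guest.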

It was in the original concept (see https://github.com/advplyr/audiobookshelf/issues/2523 ) but left out because identity providers usually provide the ability to do attribute mappings. Not sure about Authelia, but Keycloak and Authentik can do that.

Sapd, Apr 24 '24 14:04

hmh, would it be something like this? https://github.com/authelia/authelia/issues/2868

That's not (yet) implemented in Authelia.

All other OIDC-claim capable apps I use have the possibility to specify the names for group claims so I wasn't even aware that there's an option to map custom properties. But yeah, it doesn't seem to be supported by Authelia...

v3DJG6GL, Apr 24 '24 14:04

> hmh, would it be something like this? authelia/authelia#2868

Yeah in fact that would be it. I also just remembered another (severe) limitation of Authelia, it does not support restricting access for OpenID Connect: https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#why-doesnt-the-access-control-configuration-work-with-openid-connect-10 which makes the combination with this issue a bit worse

Sapd, Apr 24 '24 14:04

@v3DJG6GL What are some other self-hosted apps that support OIDC and have that feature? I'd like to see how they implemented it.

I'm not sure if it is worth adding more complexity to our OIDC implementation if 2 out of 3 major providers support this already.

advplyr, Apr 24 '24 14:04

From your OP I can guess Nextcloud and the Jellyfin SSO plugin.

advplyr, Apr 24 '24 14:04

> @v3DJG6GL What are some other self-hosted apps supporting OIDC that have that feature? I'd like to see how they implemented it.

  • Jellyfin (via SSO plugin) (https://github.com/9p4/jellyfin-plugin-sso)
  • Nextcloud (via Nextcloud OIDC plugin) (https://github.com/pulsejet/nextcloud-oidc-login)
  • MinIO (https://github.com/minio/minio)

v3DJG6GL, Apr 24 '24 14:04