
Improve documentation of group provisioning

Open Ra72xx opened this issue 1 year ago • 11 comments

I'd like to get groups in Nextcloud from my Authentik instance and, not being a specialist in authentication methods, the provided information does not really help me.

First step: User management worked quite easily following this guide: https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/

Second step: For groups there is no coherent documentation to be found, not even with the --help command line option. I had to rely on the hints found in PR https://github.com/nextcloud/user_oidc/pull/502, especially

occ config:app:set user_oidc provider-1-groupProvisioning --value=1
occ user_oidc:provider "Authentik" --scope="openid email profile groups"

However, I seem to have a misconfiguration of Authentik as no groups are provided. On the contrary, users provided by Authentik get thrown out of local Nextcloud groups (i.e. the "admin" group).

As there is no real doc yet for group provisioning in the user_oidc documentation (and, to be sure, the Authentik documentation seems quite exhaustive, but is in many cases unusable for non-specialists, too), I don't know how to properly set up group provisioning while keeping at least the local admin group.

Ra72xx avatar Jul 18 '23 18:07 Ra72xx

Funny enough, I've made the exact same journey as you and ended up where you're currently at. Did you ever figure this out?

TheManchineel avatar Aug 05 '23 15:08 TheManchineel

No. I ended up re-creating the necessary Authentik groups locally in Nextcloud (for my small setup). However, this is not really an elegant solution...

Ra72xx avatar Aug 05 '23 16:08 Ra72xx

Figured to do just as much. Obviously this would be a pain in any kind of large/enterprise installation. For my own personal use it "works" I guess...

TheManchineel avatar Aug 05 '23 16:08 TheManchineel

It would be really great if this IMHO very basic setup would get some more end-user documentation. I can't really imagine that we two are the only ones wanting to use the OIDC provider's group setup in the OIDC-enabled application ;-) .

Ra72xx avatar Aug 05 '23 16:08 Ra72xx

Nextcloud group provisioning works in a very straightforward way: based on the OIDC claim it adds/removes the user from the groups (and auto-creates NC groups if needed).

Mapping the group can be done easily; the hardest part is on the Authentik side. Here is my setup using the custom claim "roles":

In Authentik, create a custom property mapping (my code is a little more complex, as I want the groups in Authentik to have an application-related prefix, "dev-nc_" in this case, but don't want to see this prefix in NC, so I remove it in the mapping).

image

In provider > advanced settings, add the custom mapping.

image

In application > preview, verify that the "roles" claim was added:

image

In the NC user_oidc settings, map the claim and enable group provisioning.

image

Review the process with more details here: https://24xsiempre.com/en/kasten-k10-authentik/

isdnfan avatar Aug 23 '23 09:08 isdnfan

@isdnfan thanks! This worked wonderfully

In my case, this is what I did:

# Authentik property mapping expression: one entry per Authentik group the user
# belongs to, renaming "Nextcloud Admins" to Nextcloud's built-in "admin" group
nc_groups = [
  (i.name if i.name != "Nextcloud Admins" else "admin") for i in request.user.ak_groups.all()
]

# the claim name "nc_groups" is what gets mapped on the Nextcloud side
return {
  "nc_groups": nc_groups
}

then enabled the mapping for the Nextcloud provider, and on the NC side I enabled group provisioning and added the nc_groups mapping as the source attribute.

This way all groups are automatically provisioned on Nextcloud with the same name as appear on Authentik, except for the "Nextcloud Admins" group which is mapped to "admin" (a hardcoded group name on Nextcloud for admin users).

One question: is there any way to have groups "sync" earlier than the next token expiration/sign in?

TheManchineel avatar Aug 23 '23 10:08 TheManchineel
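The two mappings shown in this thread (isdnfan's prefix-stripping "roles" claim and TheManchineel's "Nextcloud Admins" to "admin" rename) can be combined into one function that is testable outside Authentik. This is an added example, not code from the issue, from user_oidc or from Authentik; the prefix `dev-nc_`, the admin source group name `dev-nc_Nextcloud Admins` and the sample group list are constructed. It also only exports groups that carry the application prefix, which is my own design choice: since user_oidc removes the user from every group absent from the claim, the mapping is the only place where you control which Nextcloud groups a login can touch.

```python
"""Authentik -> Nextcloud group mapping as a testable function.

Added example (not code from the issue, user_oidc or Authentik). It reproduces
the two transformations described in the thread: stripping an application
prefix such as "dev-nc_" and mapping an Authentik admin group to Nextcloud's
hard-coded "admin" group. Prefix, group names and sample input are constructed.
"""
from typing import Iterable, List

# Constructed settings; adjust to your own Authentik group naming scheme.
APP_PREFIX = "dev-nc_"                           # groups meant for this Nextcloud carry this prefix
ADMIN_SOURCE_GROUP = "dev-nc_Nextcloud Admins"   # Authentik group that should become NC "admin"
NC_ADMIN_GROUP = "admin"                         # Nextcloud's built-in admin group name


def map_groups(ak_group_names: Iterable[str],
               prefix: str = APP_PREFIX,
               admin_source: str = ADMIN_SOURCE_GROUP) -> List[str]:
    """Return the Nextcloud group list for one user.

    Only groups carrying the application prefix are exported, so unrelated
    Authentik groups never reach Nextcloud; the prefix is removed from the
    exported names and the designated admin group is renamed to "admin".
    Note the failure mode discussed in the thread: user_oidc removes a user
    from every group missing from the claim, so a user with no prefixed
    groups gets an empty list and loses all Nextcloud group memberships.
    """
    result: List[str] = []
    for name in ak_group_names:
        if name == admin_source:
            nc_name = NC_ADMIN_GROUP
        elif name.startswith(prefix):
            nc_name = name[len(prefix):]
        else:
            continue  # not an application group: do not export it
        if nc_name and nc_name not in result:  # drop empty names and duplicates
            result.append(nc_name)
    return sorted(result)


def build_claim(ak_group_names: Iterable[str]) -> dict:
    """Shape the result like the return value of the Authentik expression."""
    return {"nc_groups": map_groups(ak_group_names)}


if __name__ == "__main__":
    # Constructed sample: the Authentik groups one user belongs to.
    sample = ["dev-nc_Nextcloud Admins", "dev-nc_finance", "gitlab-devs", "dev-nc_finance"]
    print(build_claim(sample))  # {'nc_groups': ['admin', 'finance']}
```

Inside an Authentik property mapping there is no module to import, so paste the function body into the expression and feed it the names the thread's own expression reads, `[g.name for g in request.user.ak_groups.all()]`, then `return build_claim(...)`. Test the expression with the property mapping's test button on a user that has no prefixed groups as well, to see the empty list that would strip that user's Nextcloud groups on the next login.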

BTW, has anybody a mapping to use Authentik avatars in Nextcloud?

Ra72xx avatar Aug 30 '23 03:08 Ra72xx

Unfortunately, I can't get any of the versions above to work. As soon as I enable group provisioning, the user gets thrown out of every group on the next login. E.g. for the example of @TheManchineel:

Nextcloud user_openidc: inserted image

Authentik: inserted image 1, inserted image 2

Am I misunderstanding something? If I try the property mapping with the test icon in the property mapping section, it seems to work as expected. I don't have "Application>Preview" button?!

Ra72xx avatar Aug 30 '23 18:08 Ra72xx

How to set this programmatically? there is no --mapping-groups= in the occ user_oidc:provider command

wrenix avatar Dec 30 '23 02:12 wrenix

@Ra72xx did you ever resolve this? I am having the same problem. Every time my users log in they are thrown out of the groups that I assigned them.

ManfredWisniewski avatar May 13 '24 20:05 ManfredWisniewski

No, I did not make further attempts to solve this issue.

Ra72xx avatar May 14 '24 04:05 Ra72xx

Has anyone been able to get this working?

danthonywalker avatar Aug 28 '24 19:08 danthonywalker

It works for me with Authentik. I don't know exactly how I did it, but I somehow simply adapted the official docs to my needs; it wasn't that difficult in the end (https://docs.goauthentik.io/integrations/services/nextcloud/).

Ra72xx avatar Aug 29 '24 03:08 Ra72xx

So I should probably close this issue ;-) .

Ra72xx avatar Aug 29 '24 04:08 Ra72xx

Yes, it works for me now too. My problem was a simple misunderstanding: users and their info are synced from Authentik to Nextcloud, not the other way around. I created and assigned the groups in Authentik, and once they log in they have the groups they were assigned in Authentik.

ManfredWisniewski avatar Aug 29 '24 13:08 ManfredWisniewski