
Improve documentation of group provisioning #653

Closed
Ra72xx opened this issue Jul 18, 2023 · 15 comments

Comments

@Ra72xx

Ra72xx commented Jul 18, 2023

I would like to get groups in Nextcloud from my Authentik instance and, not being a specialist in authentication methods, the provided information does not really help me.

First step: User management worked quite easily following this guide: https://blog.cubieserver.de/2022/complete-guide-to-nextcloud-oidc-authentication-with-authentik/
Second step: For groups there is no coherent documentation to be found, not even with the --help command line option. I had to rely on the hints found in [PR]#502, especially

occ config:app:set user_oidc provider-1-groupProvisioning --value=1
occ user_oidc:provider "Authentik" --scope="openid email profile groups"

However, I seem to have a misconfiguration of Authentik as no groups are provided. On the contrary, users provided by Authentik get thrown out of local Nextcloud groups (i.e. the "admin" group).

As there is no real doc yet for the group provisioning in the user_oidc documentation (and, to be sure, the Authentik documentation seems quite exhaustive, but is in many cases unusable for non-specialists, too), I don't know how to properly set up group provisioning while keeping at least the local admin group.

@TheManchineel

Funny enough, I've made the exact same journey as you and ended up where you're currently at. Did you ever figure this out?

@Ra72xx
Author

Ra72xx commented Aug 5, 2023

No. I ended up re-creating the necessary Authentik groups locally in Nextcloud (for my small setup). However, this is not really an elegant solution...

@TheManchineel

Figured to do just as much. Obviously this would be a pain in any kind of large/enterprise installation. For my own personal use it "works" I guess...

@Ra72xx
Author

Ra72xx commented Aug 5, 2023

It would be really great if this IMHO very basic setup got some more end-user documentation. I can't really imagine that we two are the only ones wanting to use the OIDC provider's group setup in the OIDC-enabled application ;-) .

@isdnfan

isdnfan commented Aug 23, 2023

Nextcloud group provisioning works very straightforwardly: based on the OIDC claim it adds/removes the user from the groups (and auto-creates NC groups if needed).

Mapping the group can be done easily; the hardest part is on the Authentik side. Here is my setup using the custom claim "roles".

In Authentik, create a custom property mapping (my code is a little more complex as I want the groups in Authentik to have an application-related prefix, "dev-nc_" in this case, but don't want to see this prefix in NC, so I remove it in the mapping):

image

In provider > advanced settings, add the custom mapping:

image

In application > preview, verify the "roles" claim was added:

image

In the NC user_oidc settings, map the claim and enable group provisioning:

image

Review the process with more details here: https://24xsiempre.com/en/kasten-k10-authentik/

@TheManchineel

TheManchineel commented Aug 23, 2023

@isdnfan thanks! This worked wonderfully

In my case, this is what I did:

# Authentik property-mapping expression: collect the user's Authentik group names,
# renaming the "Nextcloud Admins" group to "admin" (Nextcloud's built-in admin group)
nc_groups = [
  (i.name if i.name != "Nextcloud Admins" else "admin") for i in request.user.ak_groups.all()
]

# the dict key ("nc_groups") is the claim name that must be entered in user_oidc
return {
  "nc_groups": nc_groups
}

then enabled the mapping for the Nextcloud provider, and on the NC side I enabled group provisioning and added the nc_groups mapping as the source attribute.

This way all groups are automatically provisioned on Nextcloud with the same name as they appear on Authentik, except for the "Nextcloud Admins" group, which is mapped to "admin" (a hardcoded group name on Nextcloud for admin users).

One question: is there any way to have groups "sync" earlier than the next token expiration/sign in?
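The two mappings above (isdnfan's prefix-stripping "roles" claim and TheManchineel's "Nextcloud Admins" to "admin" rename) and the reported failure mode (users thrown out of every group, including admin, as soon as group provisioning is enabled) can be modelled together in plain Python. The following is an added example, not code from the thread or from the Authentik or user_oidc projects. It assumes the "dev-nc_" prefix convention, that groups without that prefix are not exported (an assumption; TheManchineel's mapping exports all groups), and it models the login-time reconciliation as "the claim is authoritative": groups in the claim are added, groups absent from it are removed, and a claim that is missing because the attribute name in user_oidc does not match the key returned by the mapping reads as an empty group list. The group names are passed in as a list instead of `request.user.ak_groups.all()` so the code runs offline.

```python
"""Model of the Authentik -> Nextcloud group-provisioning flow from this thread.

Added example; not the project's own code. Group names are passed in as plain
strings so the mapping logic can be run and tested without an Authentik instance.
"""
from typing import Iterable, Optional

APP_PREFIX = "dev-nc_"                    # assumed application prefix (isdnfan's setup)
ADMIN_SOURCE_GROUP = "Nextcloud Admins"   # IdP group that should become Nextcloud "admin"
NC_ADMIN_GROUP = "admin"                  # hardcoded Nextcloud admin group name
CLAIM_NAME = "nc_groups"                  # dict key returned by the mapping


def build_nc_groups(idp_groups: Iterable[str]) -> list[str]:
    """Model of the Authentik property-mapping body.

    In Authentik the input would be [g.name for g in request.user.ak_groups.all()].
    The IdP admin group is renamed to "admin"; prefixed application groups have the
    prefix stripped; everything else is left out (assumption, see lead-in).
    """
    result: list[str] = []
    for name in idp_groups:
        if name == ADMIN_SOURCE_GROUP:
            result.append(NC_ADMIN_GROUP)
        elif name.startswith(APP_PREFIX):
            result.append(name[len(APP_PREFIX):])
    # drop duplicates while keeping order, so "admin" cannot appear twice
    return list(dict.fromkeys(result))


def build_token_claims(idp_groups: Iterable[str]) -> dict:
    """What the mapping contributes to the ID token: the claim under CLAIM_NAME."""
    return {CLAIM_NAME: build_nc_groups(idp_groups)}


def reconcile_groups(current_nc_groups: Iterable[str],
                     claim_groups: Optional[Iterable[str]]) -> tuple[list[str], list[str]]:
    """Model of user_oidc's login-time sync with group provisioning enabled.

    Returns (groups_to_add, groups_to_remove). A missing claim (None) is treated
    as an empty list, which is the "thrown out of all groups" outcome reported
    in the thread when the configured attribute does not match the token.
    """
    wanted = set(claim_groups or [])
    current = set(current_nc_groups)
    return sorted(wanted - current), sorted(current - wanted)


def login_sync(current_nc_groups: Iterable[str], token_claims: dict,
               configured_attribute: str) -> list[str]:
    """Resulting Nextcloud group list after one login.

    configured_attribute is the claim name typed into the user_oidc provider
    settings; it must equal the key the mapping returns, otherwise no groups
    are found in the token.
    """
    claim = token_claims.get(configured_attribute)   # None when the names differ
    to_add, to_remove = reconcile_groups(current_nc_groups, claim)
    kept = [g for g in current_nc_groups if g not in to_remove]
    return kept + to_add


if __name__ == "__main__":
    # constructed sample: one user with an admin group, one app group, one unrelated group
    idp_groups = ["Nextcloud Admins", "dev-nc_editors", "staff"]
    token = build_token_claims(idp_groups)
    print("token claim:", token)                                   # {'nc_groups': ['admin', 'editors']}
    print("correct attribute:", login_sync(["admin", "old"], token, "nc_groups"))  # ['admin', 'editors']
    print("wrong attribute:  ", login_sync(["admin", "old"], token, "roles"))      # []
```

The last two lines of the demo are the diagnostic worth keeping in mind when reading the rest of this thread: with the attribute name matching, the locally assigned "admin" membership survives only because the IdP sends it; with a mismatched name the claim lookup yields nothing and every local group, admin included, is removed on the next login.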

@Ra72xx
Author

Ra72xx commented Aug 30, 2023

BTW, has anybody a mapping to use Authentik avatars in Nextcloud?

@Ra72xx
Author

Ra72xx commented Aug 30, 2023

Unfortunately, I can't get any of the versions above to work. As soon as I enable group provisioning, the user gets thrown out of any group on the next login. E.g. for the example of @TheManchineel:

Nextcloud user_openidc:
Inserted image

Authentik:
Inserted image 1
Inserted image 2

Am I misunderstanding something? If I try the property mapping with the test icon in the property mapping section, it seems to work as expected. I don't have "Application>Preview" button?!

@wrenix

wrenix commented Dec 30, 2023

How to set this programmatically? There is no --mapping-groups= option in the occ user_oidc:provider command.

@ManfredWisniewski

@Ra72xx did you ever resolve this? I am having the same problem. Every time my users log in they are thrown out of the groups that I assigned them.

@Ra72xx
Author

Ra72xx commented May 14, 2024

No, I did not make further attempts to solve this issue.

@danthonywalker

Has anyone been able to get this working?

@Ra72xx
Author

Ra72xx commented Aug 29, 2024

It works for me with Authentik. I don't know exactly how I did it, but I somehow simply adapted the official docs to my needs, wasn't that difficult in the end (https://docs.goauthentik.io/integrations/services/nextcloud/).

@Ra72xx
Author

Ra72xx commented Aug 29, 2024

So I should probably close this issue ;-) .

@Ra72xx Ra72xx closed this as completed Aug 29, 2024
@ManfredWisniewski

Yes, it works for me now too. My problem was a simple misunderstanding: users and their info are synced from Authentik to Nextcloud, not the other way around. I created and assigned the groups in Authentik, and once they log in they have the groups they were assigned in Authentik.
