Unrelated admin group is created instead of adding user to the nextcloud administrators group
I am currently using Authentik with the OIDC provider backend. I already tried to pass groups as the simple array:
```json
["admin"]
```
and using the object:
```json
[{"gid": "admin", "displayName": "admin"}]
```
The payload that is sent is:
```json
{
  "name": "some user name",
  "groups": [
    {
      "displayName": "admin",
      "gid": "admin"
    }
  ],
  "quota": "200 GB",
  "user_id": "some user id"
}
```
My OIDC is configured as follows:
I've got the same issue.
Looking at the other OIDC project it seems like they have an is_admin attribute. Maybe it'll be worth looking into how that works and implement a similar functionality? The current method seems kinda hacky
I've found the fix that worked for me. By default the Use unique user ID is enabled. This hashes the user ids and group ids with the provider name. Disabling that was everything I had to do to make it work.
I can see you also have that enabled so I suggest you disable it and see if it works.
For the maintainers, maybe this info can be written in the Readme and/or in the checkbox description unless you'll look at the implementation I mentioned in my previous comment? I'm sure it'll shave some debugging hours off of future admins' installation process.
Cool! This fixed the issue for me, thanks! But if a user needs more than one provider this might be an issue.
For anyone who also comes across this, "Use provider identifier as prefix for IDs" also needs to be unchecked for it to work.
Hello everyone,
I'm encountering an issue with group names being passed from Keycloak to external applications (such as Nextcloud, Immich, etc.).
Keycloak groups have a forward slash (/) prepended to their name when they are consumed by client applications. For example, a group named sales in Keycloak appears as "/sales" in Nextcloud, Immich, and other apps.
This prevents the correct mapping of groups for authorization. For instance, I cannot assign a user to the admin group in Nextcloud because only the group "/admin" is available.
Has anyone experienced this issue and found a solution? Any guidance on how to configure Keycloak or the client applications to handle this would be greatly appreciated.
Thank you for your help!
```
nextcloud-aio-nextcloud:/var/www/html# php occ group:list
  - /admin:
    - userX
  - /immich-user:
    - userX
  - /nextcloud-admin:
    - userX
  - /nextcloud-user:
    - userX
  - /private-user:
    - userX
  - /vaultwarden-user:
    - userX
  - TEST:
  - admin:
  - use-nextcloud:
```
I found the solution. It was because I had "Full group path" checked in my group mapping settings and did not structure my groups in multiple layers.
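To make the three settings discussed in this thread ("Use unique user ID", "Use provider identifier as prefix for IDs", and Keycloak's "Full group path" mapper option) concrete, here is an added illustrative model, not the user_oidc app's or Keycloak's own code, of how each one changes the group id that reaches Nextcloud and therefore whether an incoming `admin` claim joins the existing local `admin` group or creates a new, unrelated one. The hashing scheme, the prefix format and the `LOCAL_GROUPS` set are assumptions constructed for the example; the point is the matching behaviour, not the exact strings.

```python
"""Illustrative model (added example, not user_oidc or Keycloak code) of how
identity-provider settings affect the group id Nextcloud ends up with."""
import hashlib
from dataclasses import dataclass

# Constructed: group ids that already exist locally (as `occ group:list` would show).
LOCAL_GROUPS = {"admin", "use-nextcloud", "TEST"}


@dataclass
class ProviderSettings:
    provider_name: str
    unique_ids: bool = True         # "Use unique user ID" (hash ids with provider name)
    provider_prefix: bool = False   # "Use provider identifier as prefix for IDs"
    full_group_path: bool = False   # Keycloak group-membership mapper "Full group path"


def keycloak_group_claim(group_path: str, full_group_path: bool) -> str:
    """Model the Keycloak mapper: with 'Full group path' the claim carries
    '/parent/child'; without it only the group's own name (last segment)."""
    segments = [s for s in group_path.split("/") if s]
    if not segments:
        raise ValueError("empty group path")
    return "/" + "/".join(segments) if full_group_path else segments[-1]


def local_group_id(claim_gid: str, settings: ProviderSettings) -> str:
    """Hypothetical mapping from the gid in the claim to a local Nextcloud gid."""
    if settings.unique_ids:
        # Hashing together with the provider name yields an opaque, provider-specific id,
        # so it can never equal a pre-existing local group such as 'admin'.
        raw = f"{settings.provider_name}:{claim_gid}".encode()
        return hashlib.sha256(raw).hexdigest()
    if settings.provider_prefix:
        return f"{settings.provider_name}_{claim_gid}"
    return claim_gid


def resolve(group_path: str, settings: ProviderSettings,
            local_groups: set[str] = LOCAL_GROUPS) -> tuple[str, bool]:
    """Return (local gid, True if it joins an existing local group)."""
    claim = keycloak_group_claim(group_path, settings.full_group_path)
    gid = local_group_id(claim, settings)
    return gid, gid in local_groups


def same_local_group(group_path: str, a: ProviderSettings, b: ProviderSettings) -> bool:
    """The caveat raised in the thread: once unique ids are off, two providers that
    both send 'admin' land in the same local group."""
    return resolve(group_path, a)[0] == resolve(group_path, b)[0]


if __name__ == "__main__":
    for label, cfg in [
        ("defaults", ProviderSettings("keycloak")),
        ("unique ids off", ProviderSettings("keycloak", unique_ids=False)),
        ("prefix on", ProviderSettings("keycloak", unique_ids=False, provider_prefix=True)),
        ("full group path", ProviderSettings("keycloak", unique_ids=False, full_group_path=True)),
    ]:
        print(f"{label:16} -> {resolve('admin', cfg)}")
```

Only the "unique ids off, no prefix, no full group path" combination resolves an `admin` claim to the local `admin` group; every other combination produces a different string, which is exactly why Nextcloud creates an unrelated group instead. `same_local_group` shows the flip side: with unique ids disabled, an `admin` group from a second provider maps to the same local gid, so any provider that can emit that claim name effectively controls the local administrators group, and the claim mapping on each provider should be reviewed accordingly.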