New attribute map for OIDC response
Hi Everybody
I do see that there are 7 available keys for the attribute map for the OIDC response. These keys are: id, name, mail, quota, home, ldap_uid, groups.
It would be really nice to have also another key: enabled
Like the user details you can get when you issue the command sudo -u www-data php /var/www/nextcloud/occ user:info username.
In this way it will be possible to discriminate whether a user that must be active on the OIDC provider should or should not access Nextcloud. At this moment, with the current features, I don't see a specific way to do that.
Thanks for your attention
Ideally, you must do this on the OIDC provider side. But I don't mind accepting a PR for this, if it checks -
- The presence of a key
- The key value should equal a given value
- If the value is an array, the array should contain the given value
Hi, thanks for your answer.
AFAIK and from what I've been told (but I'm going to double check), the OIDC provider (we use Keycloak) is only validating the user credentials, which can be "enabled or disabled" at realm level so that all applications attached to the same realm benefit from SSO. If the credentials are valid, the OIDC provider passes a set of info to the application the user is trying to log on to. Then the application can use the given info to allow/deny access or set a specific profile/role for the user.
In this case what I'm trying to use is a key/value like "allow_nextcloud_access":"true/false", then use the value as another attribute in the map:

    'oidc_login_attributes' => array (
        'enabled' => 'allow_nextcloud_access',
        'id' => 'sub',
        'name' => 'name',
        'mail' => 'email',
        'quota' => 'ownCloudQuota',
        'home' => 'homeDirectory',
        'ldap_uid' => 'uid',
        'groups' => 'ownCloudGroups',
    ),

That said, the plugin should set the value for the key "enabled" accordingly. This check should happen at every login, like a refresh of the user's grant for the platform. This will allow Nextcloud to keep out those who, even if they do have valid credentials for the realm, are not allowed to access the application.
I beg your pardon if I said anything senseless
I've no experience with Keycloak, but there should be some form of RBAC.
Your particular case is covered by the scheme I proposed too, where your key becomes allow_nextcloud_access and the value becomes the string true. As I said, I'm open to pull requests.
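The three-condition check proposed above (key present, scalar equals the given value, array contains the given value), applied to the attribute map from the reply with the proposed 'enabled' key, as an added Python sketch that is not code from the oidc_login app or from either participant; the claim name allow_nextcloud_access and all sample claim sets are constructed for illustration, and skipping the check when no 'enabled' attribute is configured is an assumption of this example.

```python
from typing import Any, Dict, List, Mapping


def _norm(value: Any) -> str:
    # JSON booleans arrive as Python bool; compare them as the strings "true"/"false".
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)


def user_is_enabled(claims: Mapping[str, Any], attribute_map: Mapping[str, str],
                    expected: str = "true") -> bool:
    """Return True only if the OIDC claims explicitly allow access.

    1. The claim named by attribute_map['enabled'] must be present (missing -> deny).
    2. A scalar value must equal `expected` (string comparison).
    3. An array value must contain `expected`.
    Assumption of this example: no 'enabled' mapping configured means the check is off.
    """
    claim_name = attribute_map.get("enabled")
    if claim_name is None:
        return True
    if claim_name not in claims:
        return False  # fail closed: absent claim is not the same as "true"
    value = claims[claim_name]
    if isinstance(value, list):
        return any(_norm(v) == expected for v in value)
    return _norm(value) == expected


# Attribute map from the thread, with the proposed 'enabled' key.
ATTRIBUTE_MAP: Dict[str, str] = {
    "enabled": "allow_nextcloud_access", "id": "sub", "name": "name",
    "mail": "email", "quota": "ownCloudQuota", "home": "homeDirectory",
    "ldap_uid": "uid", "groups": "ownCloudGroups",
}

# Constructed ID-token claim sets (not real tokens), one per case the check handles.
SAMPLE_CLAIMS: Dict[str, Dict[str, Any]] = {
    "alice": {"sub": "a1", "allow_nextcloud_access": "true"},              # scalar match
    "bob":   {"sub": "b2", "allow_nextcloud_access": "false"},             # explicitly denied
    "carol": {"sub": "c3", "allow_nextcloud_access": True},                # JSON boolean
    "dave":  {"sub": "d4", "allow_nextcloud_access": ["nextcloud", "true"]},  # array contains
    "erin":  {"sub": "e5"},                                                # claim missing
}


def enabled_users(samples: Mapping[str, Mapping[str, Any]] = SAMPLE_CLAIMS,
                  attribute_map: Mapping[str, str] = ATTRIBUTE_MAP) -> List[str]:
    """Names of the sample users that would be allowed to log in."""
    return [user for user, claims in samples.items() if user_is_enabled(claims, attribute_map)]


if __name__ == "__main__":
    print(enabled_users())  # ['alice', 'carol', 'dave']
```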