Selfhosted

42837 readers

778 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz

Custom Attributes in Authentik OIDC (lemmy.ca)

submitted 2 days ago* (last edited 2 days ago) by Lem453@lemmy.ca to c/selfhosted@lemmy.world

9 comments fedilink hide all child comments

I'm trying to setup owncloud with single sign on using Authentik. I have it working for normal users. There is a feature that allows automatic role assignment to users so that admin users from authentik become admin users for owncloud.

This is described here: https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html#automatic-role-assignments.

In this document, they describe having attributes like

- role_name: admin
  claim_value: ocisAdmin

The problem I have is I don't know how to input this information into an Authentik user. As a result, owncloud is giving me this error:

ERR Error mapping role names to role ids error="no roles in user claims" line=github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/oidcroles.go:84 request-id=5a6d0e69-ad1b-4479-b2d9-30d4b4afb8f2 service=proxy userid=05b283cd-606c-424f-ae67-5d0016f2152c

Any authentik experts out there?

I tried putting this under the attributes section of the user profile in authentik:

role_name: admin
claim_value: ocisAdmin

It doesn't work and it won't let me format YAML like the documentation where the claim_value is a child of the role_name.

you are viewing a single comment's thread
view the rest of the comments

[–] zox@lemmy.world 1 points 19 hours ago* (last edited 19 hours ago)

You can do this by replacing an existing scope or creating a new one. In some cases I've needed to replace an existing scope with custom mappings, and add the information needed to it. For example I created a custom scope of 'profile', added the relevant claim needed along with the standard scope information, and then associated that to the provider.

To do that, you add an OAuth scope mapping,. That mapping will then add the desired claim information. These are created with small python scripts. Set them to add the relevant claim when a case is matched (ex. User is in group "Admins"). Name the scope "profile", though it could be a new scope (preferred) if owncloud lets you specify them.

In the provider for owncloud add that new or replacement scope. In the Edit settings that's found under Advanced Protocol Settings. You'd add the named scope that correlates to your recently created Claim.

Then verify everything is working as expected; Go to Preview for that Provider. While it won't show you scope names, it will combine the claims into the JWT preview which is convenient for validating you did everything correctly. It helps reduce the extra variable of Owncloud until you get to that point.