this post was submitted on 22 Feb 2025
11 points (92.3% liked)

Selfhosted

42765 readers
1572 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
11
Custom Attributes in Authentik OIDC (lemmy.ca)
submitted 1 day ago* (last edited 1 day ago) by Lem453@lemmy.ca to c/selfhosted@lemmy.world
8 comments fedilink hide all child comments
 

I'm trying to setup owncloud with single sign on using Authentik. I have it working for normal users. There is a feature that allows automatic role assignment to users so that admin users from authentik become admin users for owncloud.

This is described here: https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html#automatic-role-assignments.

In this document, they describe having attributes like

- role_name: admin
  claim_value: ocisAdmin

The problem I have is I don't know how to input this information into an Authentik user. As a result, owncloud is giving me this error:

ERR Error mapping role names to role ids error="no roles in user claims" line=github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/oidcroles.go:84 request-id=5a6d0e69-ad1b-4479-b2d9-30d4b4afb8f2 service=proxy userid=05b283cd-606c-424f-ae67-5d0016f2152c

Any authentik experts out there?

I tried putting this under the attributes section of the user profile in authentik:

role_name: admin
claim_value: ocisAdmin

It doesn't work and it won't let me format YAML like the documentation where the claim_value is a child of the role_name.

top 8 comments
sorted by: hot top controversial new old
[–] truthfultemporarily@feddit.org 3 points 1 day ago (1 children)

Roles in authentik are for permissions in authentik. You want a group instead. Group memberships are send via OIDC.

[–] Lem453@lemmy.ca 1 points 1 day ago (1 children)

tried this, created a group called ocisAdmin and added the admin user to it, it still gives the same error. Seems like I need to define a proxy.yaml file in owncloud with the roles, I did this and it still doesn't work.

[–] truthfultemporarily@feddit.org 1 points 20 hours ago

In the oidc provider in authentik you have to enable sending the groups. I forgot what its called.

[–] Dunstabzugshaubitze@feddit.org 3 points 1 day ago (1 children)

not an authentik user, but after skimming their docs i think you have to:

  1. create a role "ocisAdmin" via authentiks admin interface
  2. give this role to a group in the admin interface or create one.
  3. assign a user thats supposed to be an owncloud admin to the group

it might be that you also have to define somekind of mapper to include this in the informations owncloud receives from authentik, but as i said i only skimmed the docs and would personally just try it without the mapper.

[–] Lem453@lemmy.ca 1 points 1 day ago (1 children)

tried this and also tried making a role in authentik assigned to the group called ocisAdmin and added the admin user to it, it still gives the same error. Seems like I need to define a proxy.yaml file in owncloud with the roles, I did this and it still doesn't work.

[–] Dunstabzugshaubitze@feddit.org 1 points 20 hours ago

does authentik offer an option to preview a jwt for a given user? might be as simple as that the claim is not named "ocisAdmin" or is not a toplevel entry in the jwt.

[–] brewery@lemmy.world 2 points 1 day ago (1 children)

Reminds me of the group limit attribute in nextcloud. You could try looking at the 'Custom profile scope' section of https://docs.goauthentik.io/integrations/services/nextcloud/ to see if it helps to work out what to do

[–] Lem453@lemmy.ca 1 points 1 day ago

this is great info, thanks. I don't think its the issue right now, I think I need to define the roles in owncloud which I tried to do but it still doesn't work. I'll ask on the owncloud forums but these custom scopes might still be needed at some point. thanks.