feat: assign users to teams via OIDC claims #1393
99
pkg/modules/auth/openid/openid.md
Normal file
|
@ -0,0 +1,99 @@
|
|||
regarding:
|
||||
viehlieb marked this conversation as resolved
Outdated
|
||||
https://kolaente.dev/vikunja/api/pulls/1279
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Is this a note doc or a final document for end users (admins)? Is this a note doc or a final document for end users (admins)?
viehlieb
commented
it is supposed to be a final document for admins, with relevant information for admins. it is supposed to be a final document for admins, with relevant information for admins.
konrad
commented
Then please move it to Then please move it to `docs/content/doc/setup` and fix the comments, as stated [below](https://kolaente.dev/vikunja/api/pulls/1393#issuecomment-50339).
|
||||
|
||||
# Assign teams via oidc
|
||||
This PR adds the functionality to assign users to teams via oidc.
|
||||
Read carefully and brief your administrators to use this feature.
|
||||
Tested with oidc provider authentik.
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Please replace the whole paragraph with something like this:
Please replace the whole paragraph with something like this:
```
Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider. If used, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams. Teams which only exist because they are generated from oidc attributes are not configurable in Vikunja.
See below for setup instructions.
To distinguish between teams created in Vikunja and teams generated automatically via oidc, generated teams have an `oidcID` assigned internally.
```
|
||||
To distinguish between groups created in vikunja and groups generated via oidc, there is an attribute neccessary, which is called: *oidcID*
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Where is that attribute placed? In the provider or Vikunja? How is it relevant for admins? Where is that attribute placed? In the provider or Vikunja? How is it relevant for admins?
viehlieb
commented
At that location, it is just an information as to what is happening at all. At that location, it is just an information as to what is happening at all.
konrad
commented
Okay, we should just think of fixing it before merging the PR Okay, we should just think of fixing it before merging the PR
viehlieb
commented
What's your suggested change here? What's your suggested change here?
The Data from oidc needs to be in the form, that is described in openid.md
Therefore it is relevant for adminis, that operate authentik, keycloak, etc..
konrad
commented
Okay, so Admins from the external provider need to configure their provider to send an Okay, so Admins from the external provider need to configure their provider to send an `oidcID` to Vikunja? Because that's what I'm interpreting this sentence as but that's not what it says.
|
||||
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Replace with
Replace with
```
## Setup for authentik
|
||||
## Setup
|
||||
Edit config.yml to include scope: openid profile email vikunja_scope
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Please link to the config option in the config doc. Please link to the config option in the config doc.
|
||||
|
||||
For authentik to use group assignment feature:
|
||||
- go to: .../if/admin/#/core/property-mappings
|
||||
|
||||
- create a new mapping called "vikunja_scope"
|
||||
|
||||
There is a field to enter python expressions that will be delivered with the oidc token.
|
||||
|
||||
- write a small script, for adding group information to vikunja_scope.
|
||||
|
||||
|
||||
```python
|
||||
groupsDict = {"vikunja_groups": []}
|
||||
for group in request.user.ak_groups.all():
|
||||
groupsDict["vikunja_groups"].append({"name": group.name, "oidcID": group.num_pk})
|
||||
return groupsDict
|
||||
|
||||
"""
|
||||
output example:
|
||||
{
|
||||
"vikunja_groups": [
|
||||
{
|
||||
"name": "team 1",
|
||||
"oidcID": 33349
|
||||
},
|
||||
{
|
||||
"name": "team 2",
|
||||
"oidcID": 35933
|
||||
}
|
||||
]
|
||||
}
|
||||
"""
|
||||
```
|
||||
|
||||
Now when you log in via oidc there will be a list of scopes you are claiming from your oidc provider.
|
||||
You should see "the description you entered in the oidc provider's admin area"
|
||||
|
||||
- Log in and go to teams.
|
||||
- You will see "(sso: XXXXX)" written next to each team you were asigned through oidc.
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Replace the whole paragraph with something like
Now when you log into Vikunja via oidc there will be a list of scopes you are claiming from your oidc provider.
Replace the whole paragraph with something like
```
To configure automatic team management through authentik, we assume you have already set up Authentik as an oidc provider for authentication with Vikunja.
To use Authentik's group assignment feature, follow these steps:
1. Edit [config.yml](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) to include scope: `openid profile email vikunja_scope`
2. Open `<your authentik url>/if/admin/#/core/property-mappings`
3. Create a new mapping called `vikunja_scope`. There is a field to enter python expressions that will be delivered with the oidc token.
4. Write a small script like this to add group information to `vikunja_scope`:
```python
groupsDict = {"vikunja_groups": []}
for group in request.user.ak_groups.all():
groupsDict["vikunja_groups"].append({"name": group.name, "oidcID": group.num_pk})
return groupsDict
"""
output example:
{
"vikunja_groups": [
{
"name": "team 1",
"oidcID": 33349
},
{
"name": "team 2",
"oidcID": 35933
}
]
}
"""
```
Now when you log into Vikunja via oidc there will be a list of scopes you are claiming from your oidc provider.
You should see the description you entered in the oidc provider's admin area.
5. Log in and go to teams.
6. You should see "(sso: XXXXX)" written next to each team you were asigned through oidc.
```
|
||||
|
||||
|
||||
## IMPORTANT NOTES:
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Please make this a list. Please make this a list.
|
||||
**SSO/OIDC teams cannot be edited.**
|
||||
|
||||
**It is crucial to call the element "vikunja_groups" since this is the name vikunja is looking for.**
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
```
* **It is required to call the custom scope "vikunja_groups" since this is the name vikunja is looking for.**
```
|
||||
|
||||
**Additionally, make sure to deliver an "oidcID" and a "name".**
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Can you clarify this a little more? Can you clarify this a little more?
|
||||
|
||||
|
||||
|
||||
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Replace with Replace with `---` (Will be expaned when rendered).
|
||||
____________________________________________________________________________
|
||||
|
||||
## BEHAVIOR
|
||||
|
||||
viehlieb marked this conversation as resolved
Outdated
konrad
commented
Replace with
Replace with
```
All examples assume one team called "team 1
|
||||
*(.. examples for "team1" ..)*
|
||||
|
||||
1. *Token delivers team.name +team.oidcId and Vikunja team does not exist:* \
|
||||
New team will be created called "team 1" with attribute oidcId: "33929"
|
||||
|
||||
|
||||
2. *In Vikunja Team with name "team 1" already exists in vikunja, but has no oidcID set:* \
|
||||
new team will be created called "team 1" with attribute oidcId: "33929"
|
||||
|
||||
|
||||
3. *In Vikunja Team with name "team 1" already exists in vikunja, but has different oidcID set:* \
|
||||
new team will be created called "team 1" with attribute oidcId: "33929"
|
||||
|
||||
|
||||
4. *In Vikunja Team with oidcID "33929" already exists in vikunja, but has different name than "team1":* \
|
||||
new team will be created called "team 1" with attribute oidcId: "33929"
|
||||
|
||||
|
||||
5. *Scope vikunja_scope is not set:* \
|
||||
nothing happens
|
||||
|
||||
|
||||
6. *oidcID is not set:* \
|
||||
You'll get error.
|
||||
Custom Scope malformed
|
||||
"The custom scope set by the OIDC provider is malformed. Please make sure the openid provider sets the data correctly for your scope. Check especially to have set an oidcID."
|
||||
|
||||
7. *In Vikunja I am in "team 3" with oidcID "", but the token does not deliver any data for "team 3":* \
|
||||
You will stay in team 3 since it was not set by the oidc provider
|
||||
|
||||
8. *In Vikunja I am in "team 3" with oidcID "12345", but the token does not deliver any data for "team 3"*:\
|
||||
You will be signed out of all teams, which have an oidcID set and are not contained in the token.
|
||||
Especially if you've been the last team member, the team will be deleted.
|
Is this document final?
Should this be a document intended for admins? Or only notes for this PR?
Well actually a note for admins that are interested in using this feature.
Then please place it in the
docs/content/doc/setup
folder. And I think it needs some refinement, will add some comments.