vikunja/vikunja
6
43
Fork 73
Code Issues 150 Pull Requests 20 Packages Releases 32 Activity

feat: assign users to teams via OIDC claims #1393

Merged
konrad merged 93 commits from viehlieb/api:950_reworked_assign_teams_via_oidc into main 2024-03-02 08:47:12 +00:00
Conversation 34 Commits 93 Files Changed 26 +3 -23
1 changed files with 3 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 7f9c48c87a - Show all commits

26
pkg/modules/auth/openid/openid.md
View File

@ -1,14 +1,12 @@
regarding:
https://kolaente.dev/vikunja/api/pulls/1279
# Assign teams via oidc
viehlieb marked this conversation as resolved Outdated
konrad commented 2023-02-13 10:40:37 +00:00
Outdated
Review
Copy Link

Is this document final?

Is this document final?
konrad commented 2023-05-08 20:14:49 +00:00
Outdated
Review
Copy Link

Should this be a document intended for admins? Or only notes for this PR?

Should this be a document intended for admins? Or only notes for this PR?
viehlieb commented 2023-05-09 10:14:34 +00:00
Outdated
Review
Copy Link

Well actually a note for admins that are interested in using this feature.

Well actually a note for admins that are interested in using this feature.
konrad commented 2023-05-09 15:04:29 +00:00
Outdated
Review
Copy Link

Then please place it in the docs/content/doc/setup folder. And I think it needs some refinement, will add some comments.

Then please place it in the `docs/content/doc/setup` folder. And I think it needs some refinement, will add some comments.
This PR adds the functionality to assign users to teams via oidc.
viehlieb marked this conversation as resolved Outdated
konrad commented 2023-04-17 16:26:11 +00:00
Outdated
Review
Copy Link

Is this a note doc or a final document for end users (admins)?

Is this a note doc or a final document for end users (admins)?
viehlieb commented 2023-06-22 09:18:24 +00:00
Outdated
Review
Copy Link

it is supposed to be a final document for admins, with relevant information for admins.

it is supposed to be a final document for admins, with relevant information for admins.
konrad commented 2023-06-22 17:39:42 +00:00
Outdated
Review
Copy Link

Then please move it to docs/content/doc/setup and fix the comments, as stated below.

Then please move it to `docs/content/doc/setup` and fix the comments, as stated [below](https://kolaente.dev/vikunja/api/pulls/1393#issuecomment-50339).
Read carefully and brief your administrators to use this feature.
Tested with oidc provider authentik.
To distinguish between groups created in vikunja and groups generated via oidc, there is an attribute neccessary, which is called: *oidcID*
To distinguish between teams created in vikunja and teams generated via oidc, an attribute for vikunja teams is introduced, which is called: *oidcID*
## Setup
viehlieb marked this conversation as resolved Outdated
konrad commented 2023-05-09 15:09:20 +00:00
Outdated
Review
Copy Link

Please replace the whole paragraph with something like this:

Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider. If used, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams. Teams which only exist because they are generated from oidc attributes are not configurable in Vikunja.

See below for setup instructions.

To distinguish between teams created in Vikunja and teams generated automatically via oidc, generated teams have an `oidcID` assigned internally.
Please replace the whole paragraph with something like this: ``` Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider. If used, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams. Teams which only exist because they are generated from oidc attributes are not configurable in Vikunja. See below for setup instructions. To distinguish between teams created in Vikunja and teams generated automatically via oidc, generated teams have an `oidcID` assigned internally. ```
Edit config.yml to include scope: openid profile email vikunja_scope
viehlieb marked this conversation as resolved Outdated
konrad commented 2023-02-13 10:41:20 +00:00
Outdated
Review
Copy Link

Where is that attribute placed? In the provider or Vikunja? How is it relevant for admins?

Where is that attribute placed? In the provider or Vikunja? How is it relevant for admins?
viehlieb commented 2023-02-13 18:54:50 +00:00
Outdated
Review
Copy Link

At that location, it is just an information as to what is happening at all.

At that location, it is just an information as to what is happening at all.
👍 1
konrad commented 2023-02-14 11:35:48 +00:00
Outdated
Review
Copy Link

Okay, we should just think of fixing it before merging the PR

Okay, we should just think of fixing it before merging the PR
viehlieb commented 2023-04-17 12:28:43 +00:00
Outdated
Review
Copy Link

What's your suggested change here?
The Data from oidc needs to be in the form, that is described in openid.md
Therefore it is relevant for adminis, that operate authentik, keycloak, etc..

What's your suggested change here? The Data from oidc needs to be in the form, that is described in openid.md Therefore it is relevant for adminis, that operate authentik, keycloak, etc..
konrad commented 2023-04-17 16:11:27 +00:00
Outdated
Review
Copy Link

Okay, so Admins from the external provider need to configure their provider to send an oidcID to Vikunja? Because that's what I'm interpreting this sentence as but that's not what it says.

Okay, so Admins from the external provider need to configure their provider to send an `oidcID` to Vikunja? Because that's what I'm interpreting this sentence as but that's not what it says.
Edit [config.yml](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) to include scope: openid profile email vikunja_scope
viehlieb marked this conversation as resolved Outdated
konrad commented 2023-05-09 15:10:13 +00:00
Outdated
Review
Copy Link

Replace with

## Setup for authentik
Replace with ``` ## Setup for authentik
For authentik to use group assignment feature:
viehlieb marked this conversation as resolved Outdated
konrad commented 2023-02-13 10:41:39 +00:00
Outdated
Review
Copy Link

Please link to the config option in the config doc.

Please link to the config option in the config doc.
- go to: .../if/admin/#/core/property-mappings
@ -50,24 +48,6 @@ You should see "the description you entered in the oidc provider's admin area"
- You will see "(sso: XXXXX)" written next to each team you were asigned through oidc.
viehlieb marked this conversation as resolved Outdated
konrad commented 2023-05-09 15:13:51 +00:00
Outdated
Review
Copy Link

Replace the whole paragraph with something like

To configure automatic team management through authentik, we assume you have already set up Authentik as an oidc provider for authentication with Vikunja.

To use Authentik's group assignment feature, follow these steps:

1. Edit [config.yml](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) to include scope: `openid profile email vikunja_scope`
2. Open `<your authentik url>/if/admin/#/core/property-mappings`
3. Create a new mapping called `vikunja_scope`. There is a field to enter python expressions that will be delivered with the oidc token.
4. Write a small script like this to add group information to `vikunja_scope`:


```python
groupsDict = {"vikunja_groups": []}
for group in request.user.ak_groups.all():
  groupsDict["vikunja_groups"].append({"name": group.name, "oidcID": group.num_pk})
return groupsDict

"""
output example:
{
    "vikunja_groups": [
        {
            "name": "team 1",
            "oidcID": 33349
        },
        {
            "name": "team 2",
            "oidcID": 35933
        }
    ]
}
"""

Now when you log into Vikunja via oidc there will be a list of scopes you are claiming from your oidc provider.
You should see the description you entered in the oidc provider's admin area.

  1. Log in and go to teams.
  2. You should see "(sso: XXXXX)" written next to each team you were asigned through oidc.
Replace the whole paragraph with something like ``` To configure automatic team management through authentik, we assume you have already set up Authentik as an oidc provider for authentication with Vikunja. To use Authentik's group assignment feature, follow these steps: 1. Edit [config.yml](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) to include scope: `openid profile email vikunja_scope` 2. Open `<your authentik url>/if/admin/#/core/property-mappings` 3. Create a new mapping called `vikunja_scope`. There is a field to enter python expressions that will be delivered with the oidc token. 4. Write a small script like this to add group information to `vikunja_scope`: ```python groupsDict = {"vikunja_groups": []} for group in request.user.ak_groups.all(): groupsDict["vikunja_groups"].append({"name": group.name, "oidcID": group.num_pk}) return groupsDict """ output example: { "vikunja_groups": [ { "name": "team 1", "oidcID": 33349 }, { "name": "team 2", "oidcID": 35933 } ] } """ ``` Now when you log into Vikunja via oidc there will be a list of scopes you are claiming from your oidc provider. You should see the description you entered in the oidc provider's admin area. 5. Log in and go to teams. 6. You should see "(sso: XXXXX)" written next to each team you were asigned through oidc. ```
## IMPORTANT NOTES:
<<<<<<< HEAD
* **SSO/OIDC teams cannot be edited.**
* **It is crucial to call the element "vikunja_groups" since this is the name vikunja is looking for.**
* **Additionally, make sure to deliver an "oidcID" and a "name".**
=======
**SSO/OIDC teams cannot be edited.**
**It is crucial to call the element "vikunja_groups" since this is the name vikunja is looking for.**
**Additionally, make sure to deliver an "oidcID" and a "name".**
>>>>>>> 8d46490d... add openid.md as readme for feature: 950 assigning group through oidc claim
____________________________________________________________________________
## BEHAVIOR
viehlieb marked this conversation as resolved Outdated
konrad commented 2023-02-13 10:42:12 +00:00
Outdated
Review
Copy Link

Please make this a list.

Please make this a list.