feat: assign users to teams via OIDC claims #1393
@ -1,14 +1,12 @@
regarding:
https://kolaente.dev/vikunja/api/pulls/1279
# Assign teams via oidc
This PR adds the functionality to assign users to teams via oidc.
konrad commented:
Is this a note doc or a final document for end users (admins)?
viehlieb commented:
It is supposed to be a final document for admins, with relevant information for admins.
konrad commented:
Then please move it to `docs/content/doc/setup` and fix the comments, as stated [below](https://kolaente.dev/vikunja/api/pulls/1393#issuecomment-50339).
Read carefully and brief your administrators to use this feature.
Tested with oidc provider authentik.
To distinguish between groups created in vikunja and groups generated via oidc, there is an attribute neccessary, which is called: *oidcID*
To distinguish between teams created in vikunja and teams generated via oidc, an attribute for vikunja teams is introduced, which is called: *oidcID*
## Setup
konrad commented:
Please replace the whole paragraph with something like this:
```
Vikunja is capable of automatically adding users to a team based on a group defined in the oidc provider. If used, Vikunja will sync teams, automatically create new ones and make sure the members are part of the configured teams. Teams which only exist because they are generated from oidc attributes are not configurable in Vikunja.
See below for setup instructions.
To distinguish between teams created in Vikunja and teams generated automatically via oidc, generated teams have an `oidcID` assigned internally.
```
Edit config.yml to include scope: openid profile email vikunja_scope
konrad commented:
Where is that attribute placed? In the provider or Vikunja? How is it relevant for admins?
viehlieb commented:
At that location, it is just an information as to what is happening at all.
konrad commented:
Okay, we should just think of fixing it before merging the PR.
viehlieb commented:
What's your suggested change here?
The data from oidc needs to be in the form that is described in openid.md.
Therefore it is relevant for admins that operate authentik, keycloak, etc.
konrad commented:
Okay, so admins from the external provider need to configure their provider to send an `oidcID` to Vikunja? Because that's what I'm interpreting this sentence as, but that's not what it says.
Edit [config.yml](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) to include scope: openid profile email vikunja_scope
konrad commented:
Replace with
```
## Setup for authentik
For authentik to use group assignment feature:
konrad commented:
Please link to the config option in the config doc.
- go to: .../if/admin/#/core/property-mappings
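Review bot: the setup line "Edit config.yml to include scope: openid profile email vikunja_scope" never states which option in config.yml the scope string belongs to, nor that `vikunja_scope` is the name of the property mapping the admin creates at `.../if/admin/#/core/property-mappings`, so a reader cannot tell that the two names have to match. Give the option's full key path in config.yml.sample and link it from the config docs, and say in the same sentence that the scope name must equal the mapping name on the provider. The surrounding text should also make explicit that the `oidcID` introduced for teams is simply whatever value the provider's mapping emits in that claim, so team membership in Vikunja is only as trustworthy as the provider's mapping configuration; "Read carefully and brief your administrators to use this feature." can then be replaced by that concrete requirement.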
@ -50,24 +48,6 @@ You should see "the description you entered in the oidc provider's admin area"
- You will see "(sso: XXXXX)" written next to each team you were asigned through oidc.
konrad commented:
Replace the whole paragraph with something like
````
To configure automatic team management through authentik, we assume you have already set up Authentik as an oidc provider for authentication with Vikunja.
To use Authentik's group assignment feature, follow these steps:
1. Edit [config.yml](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) to include scope: `openid profile email vikunja_scope`
2. Open `<your authentik url>/if/admin/#/core/property-mappings`
3. Create a new mapping called `vikunja_scope`. There is a field to enter python expressions that will be delivered with the oidc token.
4. Write a small script like this to add group information to `vikunja_scope`:
```python
# Build the claim Vikunja expects: one entry per authentik group of the user.
groupsDict = {"vikunja_groups": []}
for group in request.user.ak_groups.all():
    groupsDict["vikunja_groups"].append({"name": group.name, "oidcID": group.num_pk})
return groupsDict
"""
output example:
{
  "vikunja_groups": [
    {
      "name": "team 1",
      "oidcID": 33349
    },
    {
      "name": "team 2",
      "oidcID": 35933
    }
  ]
}
"""
```
Now when you log into Vikunja via oidc there will be a list of scopes you are claiming from your oidc provider.
You should see the description you entered in the oidc provider's admin area.
5. Log in and go to teams.
6. You should see "(sso: XXXXX)" written next to each team you were assigned through oidc.
````
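The claim layout shown in the comment above is the contract between the provider's property mapping and Vikunja: the element must be called `vikunja_groups` and every entry needs a `name` and an `oidcID`. The following is an added example, not Vikunja's code and not part of this PR: a hypothetical Python checker an admin can run over a decoded token payload before enabling the feature, so that a mapping that emits the wrong key, a missing `oidcID` or a non-integer id is caught on the admin's side instead of at login. It assumes the token has already been signature-verified by the OIDC library and only inspects the claim shape; the sample payloads are constructed, the first one mirroring the output example from the comment.

```python
"""Check a decoded OIDC token payload against the documented `vikunja_groups` shape.

Hypothetical helper (not Vikunja's own parser). It enforces the requirements the
PR document states: top-level element "vikunja_groups", each entry with a "name"
and an integer "oidcID". Signature verification of the token is assumed to have
happened already; this only validates the claim structure.
"""
import json
from typing import Any


class ClaimError(ValueError):
    """Raised when the payload does not match the documented claim shape."""


def parse_vikunja_groups(claims: dict[str, Any]) -> list[tuple[str, int]]:
    """Return (name, oidcID) pairs from a decoded token payload.

    Malformed entries raise instead of being skipped, so a broken provider
    mapping is visible immediately rather than silently yielding fewer teams.
    """
    if "vikunja_groups" not in claims:
        raise ClaimError('claim is missing the "vikunja_groups" element')
    groups = claims["vikunja_groups"]
    if not isinstance(groups, list):
        raise ClaimError('"vikunja_groups" must be a list of objects')

    result: list[tuple[str, int]] = []
    seen_ids: set[int] = set()
    for idx, entry in enumerate(groups):
        if not isinstance(entry, dict):
            raise ClaimError(f"entry {idx} is not an object")
        name = entry.get("name")
        oidc_id = entry.get("oidcID")
        if not isinstance(name, str) or not name.strip():
            raise ClaimError(f'entry {idx} has no usable "name"')
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(oidc_id, bool) or not isinstance(oidc_id, int):
            raise ClaimError(f'entry {idx} has no integer "oidcID"')
        if oidc_id in seen_ids:
            raise ClaimError(f"duplicate oidcID {oidc_id} in entry {idx}")
        seen_ids.add(oidc_id)
        result.append((name.strip(), oidc_id))
    return result


def parse_payload(raw: str) -> list[tuple[str, int]]:
    """Wrapper for a JSON-encoded payload, e.g. the decoded body of an ID token."""
    try:
        claims = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ClaimError(f"payload is not valid JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ClaimError("payload must be a JSON object")
    return parse_vikunja_groups(claims)


def check_payload(raw: str) -> str:
    """Return a one-line verdict for a payload, for quick manual checks."""
    try:
        pairs = parse_payload(raw)
    except ClaimError as exc:
        return f"REJECT: {exc}"
    return "OK: " + ", ".join(f"{name} (oidcID {oid})" for name, oid in pairs)


# Constructed sample payloads; the first matches the output example in the PR comment.
GOOD_PAYLOAD = json.dumps({
    "vikunja_groups": [
        {"name": "team 1", "oidcID": 33349},
        {"name": "team 2", "oidcID": 35933},
    ]
})
WRONG_KEY_PAYLOAD = json.dumps({"groups": [{"name": "team 1", "oidcID": 1}]})
MISSING_ID_PAYLOAD = json.dumps({"vikunja_groups": [{"name": "team 1"}]})


if __name__ == "__main__":
    samples = [("good", GOOD_PAYLOAD), ("wrong key", WRONG_KEY_PAYLOAD),
               ("missing id", MISSING_ID_PAYLOAD)]
    for label, payload in samples:
        print(f"{label:>10}: {check_payload(payload)}")
```

Duplicate `oidcID` values are rejected as well, because two entries claiming the same team id would make the mapping to a single Vikunja team ambiguous; that rule is an addition of this checker, not something the PR document states.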
## IMPORTANT NOTES:
<<<<<<< HEAD
* **SSO/OIDC teams cannot be edited.**
* **It is crucial to call the element "vikunja_groups" since this is the name vikunja is looking for.**
* **Additionally, make sure to deliver an "oidcID" and a "name".**
=======
**SSO/OIDC teams cannot be edited.**
**It is crucial to call the element "vikunja_groups" since this is the name vikunja is looking for.**
**Additionally, make sure to deliver an "oidcID" and a "name".**
>>>>>>> 8d46490d... add openid.md as readme for feature: 950 assigning group through oidc claim
____________________________________________________________________________
## BEHAVIOR
konrad commented:
Please make this a list.
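Review bot: the IMPORTANT NOTES section is committed with unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 8d46490d... add openid.md as readme ...`), so the three notes appear twice, once as bullets and once as bare bold lines; resolve the conflict and keep a single version (the bulleted one) before this can merge. While editing that block, state what Vikunja does when an entry lacks `oidcID` or `name` (is the entry skipped, or does the login fail?), since "make sure to deliver" leaves admins guessing about the failure mode, and fix "asigned" in the line `- You will see "(sso: XXXXX)" written next to each team you were asigned through oidc.` The `## BEHAVIOR` heading is left with no content in this hunk; the list requested in review belongs under it.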
Is this document final?
Should this be a document intended for admins? Or only notes for this PR?
Well actually a note for admins that are interested in using this feature.
Then please place it in the `docs/content/doc/setup` folder. And I think it needs some refinement, will add some comments.