[Enhancement]: OpenID Connect add setting for requested scopes #3006
Comments
Is this a duplicate of #2878? With Authentik and KeyCloak you can name the groups however you want and set up a mapping. Maybe you are using Authelia?
No, this is about having different scope and claim names. I am using Authentik with a custom mapping to change my group names into the ones specified by Audiobookshelf. From my understanding, scopes are some kind of container for one or multiple claims. Simplified, I have this mapping. I can change the mapping to this and it works. Here both the scope and claim are called "audiobookshelf" and I set the same value in the Audiobookshelf OIDC settings "Group Claim" field. But scopes can also contain multiple claims. As an example, the
from https://auth0.com/docs/secure/tokens/id-tokens/id-token-structure This can also be done for custom mappings like this. Here I'm setting the Group Claim and Advanced Permission Claim within the same scope. Visually represented something like this. With the current implementation I have to name one claim the same as the scope. After typing all this out, this is a very tiny issue most users won't ever encounter. I guess adding a note that claim == scope name in the documentation would suffice, so others don't have to spend time wondering why the heck stuff doesn't work.
Yeah, I thought (when I developed that feature) to show the claims as a greyed-out box which would update with the name of the group claims etc., which would make claim == scope clear. But you also have a point that it makes sense to add a box and to allow adding claims, to allow configurations like the ones you showed. There then just must be a warning to the user that they also have to put the name of the scope which contains the claim explicitly into the additional claims field. PS: I know you just made example pictures, but to spare you a debugging session, keep in mind that in "abspermissions" in Authentik you have to write the booleans as true Python booleans like this. Otherwise they won't be provided as JSON boolean types:

```python
abspermissions = {
    "abspermissions": {
        "canDownload": False,  # Python bool: upper case, without quotes
        "canUpload": True,
        # ... remaining permission keys
    }
}
```
Type of Enhancement
Server Backend
Describe the Feature/Enhancement
Please add a setting to request specific scopes in addition to the 3 basic ones.
Something similar to this, as offered by the OpenID Connect addon for Nextcloud.
Why would this be helpful?
In practice, it's possible to have different names for the scope and its contained claim.
I usually use the application name for the scope and have a different name for the actual claim for consistency on the application side.
Scope:
Claim:
With the current settings this does not work, either I set the correct claim and the scope won't be sent at all, or I use the working scope, but can't find any groups within.
Future Implementation (Screenshot)
A simple field titled "additional scopes" would be fine.
Audiobookshelf Server Version
v2.9.0
Current Implementation (Screenshot)
Settings > Authentication > OpenID Connect Authentication
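To make the scope/claim relationship from this request and the boolean remark in the comments concrete, here is an added Python simulation (not Audiobookshelf's or Authentik's code). It assumes a constructed provider configuration in which a hypothetical scope named `audiobookshelf` carries the claims `absgroups` and `abspermissions`, a constructed user record, and the behaviour the issue describes: claims are only returned for scopes that were actually requested, so a group claim whose scope is never requested is missing from the token even though the claim name is configured correctly. It also shows why Python `True`/`False` (rather than strings) are needed for the permission values to arrive as JSON booleans.

```python
import json

# Constructed provider configuration: each scope is a container for one or more claims.
# The scope "audiobookshelf" and the claim names it carries are hypothetical.
SCOPE_CLAIMS = {
    "openid": ["sub"],
    "profile": ["name", "preferred_username"],
    "email": ["email"],
    "audiobookshelf": ["absgroups", "abspermissions"],
}

# The three basic scopes the request mentions.
BASE_SCOPES = ["openid", "profile", "email"]

# Constructed user record. The permission values are Python booleans so that
# json.dumps() emits JSON true/false rather than the strings "True"/"False".
USER = {
    "sub": "user-123",
    "name": "Example User",
    "preferred_username": "example",
    "email": "example@example.invalid",
    "absgroups": ["admin"],
    "abspermissions": {"canDownload": False, "canUpload": True},
}


def build_scope_param(additional_scopes=()):
    """Scope string for the authorization request: base scopes plus any
    additional ones (the proposed setting), deduplicated with order kept."""
    ordered = []
    for scope in list(BASE_SCOPES) + list(additional_scopes):
        if scope not in ordered:
            ordered.append(scope)
    return " ".join(ordered)


def issue_id_token(scope_param):
    """Simulate the provider: only claims belonging to requested scopes
    are placed into the ID token. Unknown scopes are silently ignored."""
    claims = {}
    for scope in scope_param.split():
        for claim in SCOPE_CLAIMS.get(scope, []):
            if claim in USER:
                claims[claim] = USER[claim]
    return claims


def find_groups(claims, group_claim):
    """What the server would read from the configured Group Claim field,
    or None when the claim is absent from the token."""
    return claims.get(group_claim)


def permissions_json(claims, permission_claim="abspermissions"):
    """Serialize the permission claim as JSON text, as it would travel in the token.
    Python booleans become JSON true/false; strings would stay quoted."""
    return json.dumps(claims.get(permission_claim))


if __name__ == "__main__":
    # Current behaviour: Group Claim "absgroups" is set, but its scope is never requested.
    base = build_scope_param()
    print(base, "->", find_groups(issue_id_token(base), "absgroups"))

    # With an "additional scopes" setting, the scope is requested and the claim appears.
    extra = build_scope_param(["audiobookshelf"])
    token = issue_id_token(extra)
    print(extra, "->", find_groups(token, "absgroups"))
    print(permissions_json(token))
    # Contrast: string "False" would not become a JSON boolean.
    print(json.dumps({"canDownload": "False"}))
```

Running the script shows the two outcomes side by side: with only the base scopes the group lookup returns `None`, and once `audiobookshelf` is added to the request the same `absgroups` claim resolves to the user's groups while `abspermissions` serializes with lowercase JSON `false`/`true`.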