I’m trying to set up owncloud with single sign on using Authentik. I have it working for normal users. There is a feature that allows automatic role assignment to users so that admin users from authentik become admin users for owncloud.

This is described here: https://doc.owncloud.com/ocis/next/deployment/services/s-list/proxy.html#automatic-role-assignments.

In this document, they describe having attributes like

- role_name: admin
  claim_value: ocisAdmin

The problem I have is I don’t know how to input this information into an Authentik user. As a result, owncloud is giving me this error:

ERR Error mapping role names to role ids error="no roles in user claims" line=github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/oidcroles.go:84 request-id=5a6d0e69-ad1b-4479-b2d9-30d4b4afb8f2 service=proxy userid=05b283cd-606c-424f-ae67-5d0016f2152c

Any authentik experts out there?

I tried putting this under the attributes section of the user profile in authentik:

role_name: admin
claim_value: ocisAdmin

It doesn’t work and it won’t let me format YAML like the documentation where the claim_value is a child of the role_name.

  • Dunstabzugshaubitze@feddit.org
    21 days ago

    Not an Authentik user, but after skimming their docs I think you have to:

    1. create a role “ocisAdmin” via Authentik's admin interface
    2. give this role to a group in the admin interface or create one.
    3. assign a user that's supposed to be an owncloud admin to the group

    it might be that you also have to define some kind of mapper to include this in the information owncloud receives from authentik, but as I said, I only skimmed the docs and would personally just try it without the mapper.

    • Lem453@lemmy.caOP
      20 days ago

      tried this and also tried making a role in authentik assigned to the group called ocisAdmin and added the admin user to it, it still gives the same error. Seems like I need to define a proxy.yaml file in owncloud with the roles, I did this and it still doesn’t work.

    • Lem453@lemmy.caOP
      20 days ago

      tried this, created a group called ocisAdmin and added the admin user to it, it still gives the same error. Seems like I need to define a proxy.yaml file in owncloud with the roles, I did this and it still doesn’t work.

  • MessyAdvent@lemmy.dbzer0.com
    15 days ago

    I had the exact same issue.
    Basically, what I wanted to do was to have my Authentik user created as an admin, and the others to be created as users (as anyway, I would be able to change the roles of the other users from my user).

    Here’s how I fixed it:
    1 - In left navigation menu, went to “Directory/Groups”, then created a new “group” called “ocisAdmin”.
    2 - In left navigation menu, went to “Directory/Users”, then assigned my user to this new group.
    3 - In left navigation menu, went to “Customization/Property Mappings”, then, created a new “Scope Mapping” (penultimate option on my UI). Gave it a name that speaks to me (“oCIS email scope extended”, if you want to know), “email” as “Scope Name”, and this expression:

    # Replace the UUID with your group's one; I found it in the URL when modifying the group in Authentik
    return {
      "roles": "ocisAdmin" if ak_is_group_member(request.user, group_uuid="55bb2a58-2973-4753-a16a-6ebc80bec705") else "ocisUser"
    }

    4 - In left navigation menu, went to “Applications/Providers”, opened each oCIS provider, clicked “Edit”, opened the sub-menu “Advanced protocol settings”, selected my custom “Property mapping” in the left “Scopes” menu, and clicked on the right pointing arrow to have it selected for those providers.

    Also, make SURE that you have this property set:

    PROXY_ROLE_ASSIGNMENT_DRIVER=oidc
    

    Now, my users are properly populated into oCIS.
    I still need to figure out how to make the applications work, but I have faith I’ll figure it out :)

    Hope that helped!
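To make the two halves of this fix visible end to end, here is an added example (not code from the thread, Authentik or oCIS) that models the scope-mapping expression from the answer above with a stubbed `ak_is_group_member`, and the proxy-side lookup that turns the resulting `roles` claim into an oCIS role using `role_name`/`claim_value` pairs as described in the oCIS proxy documentation. The user table, the claim name `roles` and the two-entry mapping are constructed assumptions for the example.

```python
"""Model of the Authentik scope mapping and the oCIS role lookup (added example)."""

# Constructed stand-in for Authentik's user/group membership; the real
# ak_is_group_member is provided by Authentik's expression sandbox.
ADMIN_GROUP_UUID = "55bb2a58-2973-4753-a16a-6ebc80bec705"  # the UUID quoted in the answer
USER_GROUPS = {
    "alice": {ADMIN_GROUP_UUID},  # member of the ocisAdmin group
    "bob": set(),                 # plain user
}


def ak_is_group_member(user, group_uuid):
    """Stub with the same call shape as Authentik's helper."""
    return group_uuid in USER_GROUPS.get(user, set())


def scope_mapping(user):
    """The answer's scope-mapping expression, wrapped as a function returning the claims."""
    return {
        "roles": "ocisAdmin" if ak_is_group_member(user, group_uuid=ADMIN_GROUP_UUID) else "ocisUser"
    }


# role_name / claim_value pairs in the shape the oCIS proxy docs describe.
# Only admin and user are taken from the thread; this two-entry table is constructed.
ROLE_MAPPING = [
    {"role_name": "admin", "claim_value": "ocisAdmin"},
    {"role_name": "user", "claim_value": "ocisUser"},
]


def map_claims_to_role(claims, role_mapping=ROLE_MAPPING, claim_name="roles"):
    """Resolve the oCIS role name from ID-token claims.

    Models the failure the original poster hit: a token without the roles claim
    yields "no roles in user claims". Accepts a single string or a list, since a
    scope mapping may emit either; the first mapped value wins (an assumption).
    """
    raw = claims.get(claim_name)
    if raw is None:
        raise ValueError("no roles in user claims")
    values = [raw] if isinstance(raw, str) else list(raw)
    by_value = {m["claim_value"]: m["role_name"] for m in role_mapping}
    for value in values:
        if value in by_value:
            return by_value[value]
    raise ValueError(f"no matching role for claim values {values!r}")


def role_or_error(claims):
    """The role name, or the error message the proxy would log for these claims."""
    try:
        return map_claims_to_role(claims)
    except ValueError as exc:
        return f"error: {exc}"
```

Running `role_or_error({"email": "x@example.org"})` reproduces the "no roles in user claims" case from the original post, while `role_or_error(scope_mapping("alice"))` returns `admin`.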