Fix OIDCClients that need groups claim #49

New Issue

Open

opened 2024-08-26 20:15:27 +00:00 by eaas · 2 comments

eaas commented 2024-08-26 20:15:27 +00:00

Owner

Copy Link

Before, groups we're always included. Now, groups (and allowed_groups) are separate scopes. Reconfigure OIDCClients and applications. Use overrideIncomingScopes, if needed.

Before, groups we're always included. Now, groups (and allowed_groups) are separate scopes. Reconfigure OIDCClients and applications. Use overrideIncomingScopes, if needed.

eaas commented 2024-08-26 20:17:56 +00:00

Author

Owner

Copy Link

Desired OIDCClient for wiki.js (only returns one or many relevant groups for wiki):

---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: wiki
spec:
  displayName: Wiki
  uri: https://wiki.k-space.ee
  redirectUris:
    - https://wiki.k-space.ee/login/a4cdccdc-c879-4387-a64a-6584a02a85e9/callback
  allowedGroups:
    - k-space:floor
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
    - allowed_groups
  overrideIncomingScopes: true
  tokenEndpointAuthMethod: client_secret_post
  pkce: false
  secretRefreshPod:
    apiVersion: v1
    kind: Pod
     ....

@rasmus jfyi, will let you know when passmower updated and wikijs client configured

Desired OIDCClient for wiki.js (only returns one or many relevant groups for wiki): ``` --- apiVersion: codemowers.cloud/v1beta1 kind: OIDCClient metadata: name: wiki spec: displayName: Wiki uri: https://wiki.k-space.ee redirectUris: - https://wiki.k-space.ee/login/a4cdccdc-c879-4387-a64a-6584a02a85e9/callback allowedGroups: - k-space:floor grantTypes: - authorization_code - refresh_token responseTypes: - code availableScopes: - openid - profile - allowed_groups overrideIncomingScopes: true tokenEndpointAuthMethod: client_secret_post pkce: false secretRefreshPod: apiVersion: v1 kind: Pod .... ``` @rasmus jfyi, will let you know when passmower updated and wikijs client configured

👍 1

rasmus commented 2026-01-31 22:24:00 +00:00

Owner

Copy Link

WikiJS groups mapping isn't working, this is probably a problem with wiki.js.

https://github.com/requarks/wiki/discussions/6894

Even when "k-space:floor" group is created in WikiJS, the mapping does nothing. There aren't meaningful debug facilities in WikiJS, apart from compiling your own / running with a debugger.

WikiJS groups mapping isn't working, this is probably a problem with wiki.js. https://github.com/requarks/wiki/discussions/6894 Even when "k-space:floor" group is created in WikiJS, the mapping does nothing. There aren't meaningful debug facilities in WikiJS, apart from compiling your own / running with a debugger.

rasmus added the disposal label 2026-01-31 22:24:17 +00:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

No results found.

Labels

Clear labels

new app

shiny

bounty

10€

probably needs most of a visit dedicated to the task https://wiki.k-space.ee/en/about/task-bounties

bounty

20€

about a whole day or two to the task https://wiki.k-space.ee/en/about/task-bounties

bounty

5€

https://wiki.k-space.ee/en/about/task-bounties

bounty

package

See milestone, bounty for completing all issues.

disposal

Liability in safety, usability, space, or upkeep. It doesn't provide enough meaningful historical value (museum) nor personal interest.

enchancement

Improving the existing

greenlit

The stars have aligned: Orders have arrived, plan has been laid, only hands are needed. Just do it!

upkeep

Subjects of maintenance

No Label disposal

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

akpall arti artur dos4dev eaas erki kkuusk lauri madis plaes rasmus sander savva

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: k-space/kube#49