OIDC Team Assignment - Feedback #2150
Labels
No Label
dependencies
duplicate
help wanted
invalid
kind/bug
kind/feature
needs reproduction
question
security
wontfix
No Milestone
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: vikunja/vikunja#2150
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Description
Dear team,
after PR #1393 has been merged I was able to test this based with Keycloak - first of all, in general it works wonderfully. There's a few details that came up while testing, which we may want to address.
Team Display
Teams created via OIDC currently have the
oidcID
behind them, like this:In our case, Keycloak automatically assigned a UUID4 to client roles, which are unique and not changing across the lifecycle of the client, making them a natural choice for an ID. They do make the UI clunky though.
Suggestion 1: Instead of showing the actual UUID, would it be sufficient to add a label indicating it's created through OIDC instead of having the the entire ID printed? E.g. use
Bereichsleiter (OIDC)
instead ofBereichsleiter (sso: 0d3c3bc7-b806-4d59-9963-8b953e4180f4)
?Team Display when sharing a project
Somehow going into the same direction, it might be useful to also indicate the fact that Team is created via OIDC in different spots, e.g. when sharing a project with Teams. In our case we had local teams with the same name as OIDC names (sure, this can easily be fixed by deleting the local Teams), but that results in something like this:
Suggestion 2: Add the
(OIDC)
indicator mentioned above also in the dropdown and potentially other places?Doc improvements
It would be useful to include in the docs that the
vikunja_groups
claim is expected in the id token, not in the access token. While it does make sense, I believe it might be useful to explicitly highlight this.Also we could extend the OpenID documentation a little bit by describing the
scope
parameter, which is currently only described in the example config.If you agree to these statements I'm more than happy to contribute on the doc side of things, but I'm not too familiar with Go to support with the other two.
Tagging @viehlieb as original author of the PR. Thanks for your work!
Vikunja Version
unstable
Browser and version
No response
Can you reproduce the bug on the Vikunja demo site?
No
Screenshots
No response
Wow, that was fast!
I've added the display changes in
fc4303a778
. Please check with the next unstable build (should be ready in ~45min, when the ci passed). You'll have to log out and log back in again to see the changes.I'd love a PR for the docs.
Can only return this, that was fast! Tested it just now and that looks so much better. Thank you!
Working on a PR for the docs, should come through in the next hour or so.
I've created #2151 to add more details about the OIDC implementation. One request for feedback:
The section in
config.md
currently only defines the entireauth.openid
block, but doesn't describe the individual fields. I'm open to add details there as well, but would like to understand if there's environment variables for those settings and if so, how they're configured. Thanks!@konrad I believe your change above broke the automatic team creation. During login, the code did a check if a team already exists, if not, the team is created. To check for existence, the code so far did compare both the
oidcID
and thename
, which now obviously doesn't match anymore as you're adding the(OIDC)
suffix.IMHO
oidcID
checking should be enough (that's why we have this unique after all), therefore I'm proposing to change this in #2152, which should fix the issue introduced here.Currently, it's not possible to configure this with environment variables. The documentation of the individual variables is configured from the
config.yml.sample
file and the comments it contained. You shouldn't edit the markdown file manually.Yep I realised that after my first commit. The final state of the PR is however generated from
config.yml.sample
usingmage generate-docs
, so should be good from that perspective.Just for completeness, deployed new unstable build to our environment, works wonderfully now. Thanks for the support!