Provision groups from userinfo/introspection endpoints information #1034

Open
jvllmr opened this issue Jan 28, 2025 · 2 comments · May be fixed by #1041
jvllmr commented Jan 28, 2025

Feature request

Which Nextcloud Version are you currently using: (see administration page)
30.0.5

Is your feature request related to a problem? Please describe.
Some users in our Keycloak instance have a lot of groups/roles and because of that we had issues with too large ID tokens.
Therefore we only provide that information via userinfo/introspection endpoints.
We are in the process of migrating multiple services to Keycloak authentication and Nextcloud is one of them.
So far this app is very promising, but we cannot sync our groups because this app does not use userinfo/introspection for that.

Describe the solution you'd like
It would be great if user_oidc could fetch group information from userinfo/introspection endpoints.

Describe alternatives you've considered
One could increase the maximum header size setting in i.e. nginx/nextcloud and try to use id token, but that is not a bullet-proof solution because the id tokens might grow even more in the future.

Additional context
No additional context.

@jvllmr jvllmr added 0. Needs triage enhancement New feature or request labels Jan 28, 2025
@julien-nc julien-nc linked a pull request Feb 5, 2025 that will close this issue
julien-nc (Member) commented

Hey, can you check if #1041 would work in your case? It adds a config switch to use the userinfo endpoint in addition to the ID token data on login.

> One could increase the maximum header size setting in i.e. nginx/nextcloud and try to use id token

I'm not sure max header size is the limitation that prevents you from using big ID tokens. The ID token is obtained in the response body of a request to the token_endpoint.
It might rather be something on the IdP side that limits the size of ID tokens.

jvllmr commented Feb 6, 2025

Thanks. I applied the patch locally and it works as expected.
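
The group lookup discussed in this thread, as an added example (not code from user_oidc or from #1041): it takes groups from the UserInfo response in addition to the ID token claims and refuses the UserInfo data when its `sub` does not match the ID token, as OpenID Connect Core 5.3.2 requires. The claim name `groups`, the preference for UserInfo over the ID token, and all function names and sample values are assumptions.

```python
# Added example: group resolution from ID token + UserInfo claims (illustrative).

class UserInfoMismatch(Exception):
    """The UserInfo response does not belong to the ID token's subject."""


def _claim(claims, dotted_path):
    """Follow a dotted path such as 'realm_access.roles'; None if absent."""
    node = claims
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _group_names(value):
    """Accept a list of strings or a single string; drop anything else."""
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        return []
    return [g for g in value if isinstance(g, str) and g]


def resolve_groups(id_token_claims, userinfo, group_claim="groups"):
    """Return the sorted, de-duplicated groups for the logged-in subject.

    id_token_claims is assumed to come from an ID token whose signature,
    issuer and audience were already validated. group_claim is an
    assumed, configurable claim name.
    """
    sub = id_token_claims.get("sub")
    # OIDC Core 5.3.2: UserInfo 'sub' must exactly match the ID token 'sub',
    # otherwise the UserInfo values must not be used.
    if not sub or userinfo.get("sub") != sub:
        raise UserInfoMismatch("UserInfo 'sub' does not match ID token 'sub'")
    value = _claim(userinfo, group_claim)
    if value is None:  # claim absent from UserInfo: fall back to the ID token
        value = _claim(id_token_claims, group_claim)
    return sorted(set(_group_names(value)))


# Constructed sample data (not taken from a real IdP).
ID_TOKEN = {"iss": "https://idp.example/realms/demo", "sub": "user-1234"}
USERINFO = {"sub": "user-1234", "groups": ["/staff", "/nc-admins", "/staff"]}

if __name__ == "__main__":
    print(resolve_groups(ID_TOKEN, USERINFO))
```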
