ClaimMaps in Kanidm on NixOS fixed.
Now paperless-ngx and wiki-js can read user groups/roles over OIDC.
The trick was to use `_` instead of `-` in the naming scheme.
kanidm seems to be a cool project
managed to deploy it pretty quickly and without any issues
(and also found out that i never set a pin on my yubikey in the process for firefox reasons)
commands for kanidm + bookstack
kanidm create group bookstack_admin
kanidm system oauth2 create-claim-map bookstack bookstack_roles bookstack_admin admin
kanidm system oauth2 update-scope-map bookstack bookstack_users email groups openid profile bookstack_roles
kanidm group add-members bookstack_admin stelb
Environment for bookstack:
OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=bookstack_roles
OIDC_REMOVE_FROM_GROUPS=true
I did this for bookstack with kanidm
Given the oauth2 app is 'bookstack':
map claims (roles in bookstack, say admin)
to scopes and groups in IAM, e.g. bookstack_roles and bookstack_admin
add the scope to the oauth2 application
assign users to these groups as needed.
configure app which scope to use for roles
Ah, you got to love that sometimes SSO callback URIs have a trailing slash and sometimes they don't. And no, i absolutely did not search for the error 45 minutes straight.
By the way, did anybody set up claimMaps for kanidm in NixOS yet? I am too sleepy right now and i think i am reading it wrong.
https://search.nixos.org/options?channel=25.11&query=services.kanidm&show=services.kanidm.provision.systems.oauth2.<name>.claimMaps.<name>.valuesByGroup
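An added example, not code from the thread or from the Kanidm project: the hand-typed `kanidm` commands for bookstack above, expressed as declarative NixOS provisioning through the `services.kanidm.provision` options linked in the post. Hostnames, secret file paths and the person `alice` are placeholders; the group, claim and scope names are the ones the thread uses.

```nix
# Added example (not from the thread): NixOS module fragment declaring the
# same Kanidm objects the thread creates by hand with `kanidm ...` commands.
# Hostnames, secret file paths and the person "alice" are placeholders.
{
  services.kanidm = {
    enableServer = true;
    serverSettings = {
      domain = "idm.example.com";                 # placeholder
      origin = "https://idm.example.com";         # placeholder
      tls_chain = "/var/lib/kanidm/chain.pem";    # placeholder
      tls_key = "/var/lib/kanidm/key.pem";        # placeholder
    };

    provision = {
      enable = true;
      # Passwords of the built-in accounts the provisioner logs in with.
      adminPasswordFile = "/run/secrets/kanidm-admin";        # placeholder
      idmAdminPasswordFile = "/run/secrets/kanidm-idm-admin"; # placeholder

      groups = {
        bookstack_users = { };                 # may log in to bookstack at all
        bookstack_admin.members = [ "alice" ]; # receives the "admin" role claim
      };

      persons.alice = {
        displayName = "Alice";
        mailAddresses = [ "alice@example.com" ]; # placeholder
        groups = [ "bookstack_users" ];
      };

      systems.oauth2.bookstack = {
        displayName = "BookStack";
        # Redirect URI exactly as bookstack sends it (mind the trailing slash).
        originUrl = "https://books.example.com/oidc/callback"; # placeholder
        originLanding = "https://books.example.com/";          # placeholder
        basicSecretFile = "/run/secrets/bookstack-oidc";       # placeholder
        # Group -> scopes, as in `kanidm system oauth2 update-scope-map ...`
        scopeMaps.bookstack_users =
          [ "openid" "email" "profile" "groups" "bookstack_roles" ];
        # Group -> claim values, as in `kanidm system oauth2 create-claim-map ...`
        # Names use `_` rather than `-`, the naming detail the thread settles on.
        claimMaps.bookstack_roles = {
          joinType = "array";
          valuesByGroup.bookstack_admin = [ "admin" ];
        };
      };
    };
  };
}
```

On the bookstack side this pairs with the `OIDC_GROUPS_CLAIM=bookstack_roles` environment quoted earlier in the thread, so the `admin` value in the claim maps onto the bookstack role of the same name.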
Kanidm PAM authorizations are so nice.
I cannot decide if i want to maintain users on my servers etc. via Nix as i used to or extend it by kanidm.
Rotating keys and granting/revoking authorizations is just so nice with kanidm.
I also found out that - with a client installed on my main machine - i can just login to the remote instance by `kanidm login` and use my yubikey locally and then do admin stuff without sshing to the server. Awesome.
Only on some rare occasions i log into Shithub, because some projects are either too big for codeberg (looking at you, NixOS) or too corporate? (kanidm).
I hope this will be the last time this year.