commands for kanidm + bookstack

kanidm group create bookstack_admin

kanidm system oauth2 create-claim-map bookstack bookstack_roles bookstack_admin admin

kanidm system oauth2 update-scope-map bookstack bookstack_users email groups openid profile bookstack_roles

kanidm group add-members bookstack_admin stelb

Environment for bookstack:
OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=bookstack_roles
OIDC_REMOVE_FROM_GROUPS=true

#iam #idm #oauth2 #roles #claim-map #kanidm

I did this for bookstack with kanidm
Given the oauth2 app is 'bookstack':
map claims (roles in bookstack, say admin)
to scopes and groups in IAM, e.g. bookstack_roles and bookstack_admin

add the scope to the oauth2 application

assign users to these groups as needed.

configure app which scope to use for roles

#iam #idm #oauth2 #roles #claim-map #kanidm
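The claim flow from the commands and the write-up above, as an added example in Python (not BookStack's or kanidm's own code): a simplified model of what an application configured with OIDC_USER_TO_GROUPS, OIDC_GROUPS_CLAIM=bookstack_roles and OIDC_REMOVE_FROM_GROUPS does with the claim the kanidm claim map emits. The function names, the SSO_MANAGED_ROLES set and the sample claims are constructed, and the comma/space-separated string form is an assumption about kanidm's claim-map join options.

```python
# Added example, not project code: models how an app turns the bookstack_roles
# claim (emitted by the kanidm claim map for members of bookstack_admin) into
# application roles at login.
# Assumption: kanidm sends the claim as a JSON array by default and as a single
# comma- or space-separated string when the claim map uses a csv/ssv join.

CLAIM_NAME = "bookstack_roles"            # OIDC_GROUPS_CLAIM
REMOVE_FROM_GROUPS = True                 # OIDC_REMOVE_FROM_GROUPS
SSO_MANAGED_ROLES = {"admin", "editor"}   # constructed: roles SSO may assign

def claim_roles(claims: dict, claim_name: str = CLAIM_NAME) -> set[str]:
    """Extract the role names asserted by the ID token, whatever the join form."""
    value = claims.get(claim_name)
    if value is None:
        return set()
    if isinstance(value, str):                       # csv / ssv join
        return {p for p in value.replace(",", " ").split() if p}
    if isinstance(value, (list, tuple)):             # array join (default)
        return {str(v) for v in value}
    raise TypeError(f"{claim_name}: unexpected claim type {type(value).__name__}")

def sync_roles(current: set[str], claims: dict, *,
               managed: set[str] = SSO_MANAGED_ROLES,
               remove: bool = REMOVE_FROM_GROUPS) -> set[str]:
    """Return the user's app roles after a login.

    Only roles in `managed` can be granted from the token, so an unknown claim
    value never creates a role. With remove=True, managed roles the token no
    longer asserts are dropped: removing the user from bookstack_admin in kanidm
    revokes admin at the next login. Roles outside `managed` are local and are
    left alone either way.
    """
    asserted = claim_roles(claims) & managed
    if remove:
        return (current - managed) | asserted
    return current | asserted

# Constructed sample claims, as they might arrive before and after a membership change.
ADMIN_CLAIMS = {"sub": "stelb", "email": "stelb@example.com",
                "bookstack_roles": ["admin"]}
NO_ROLE_CLAIMS = {"sub": "stelb", "email": "stelb@example.com"}
CSV_CLAIMS = {"sub": "stelb", "bookstack_roles": "editor,admin"}

if __name__ == "__main__":
    print(sorted(sync_roles({"viewer"}, ADMIN_CLAIMS)))                    # ['admin', 'viewer']
    print(sorted(sync_roles({"viewer", "admin"}, NO_ROLE_CLAIMS)))         # ['viewer']
    print(sorted(sync_roles({"viewer", "admin"}, NO_ROLE_CLAIMS, remove=False)))  # ['admin', 'viewer']
    print(sorted(sync_roles(set(), CSV_CLAIMS)))                           # ['admin', 'editor']
```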

Ok, first time I tried to use a custom scope to map oauth2 users to application-specific roles.
Followed some sample and I just replaced names.
Working with one role.. added another, and both roles stopped working.
Reading more theory about scopes and claims did help to understand (oh well 🙈)
It's actually not that complicated 🤓
Both roles working now. Writing up some docs and adding another 2 roles is planned for tomorrow.
#oauth2 #idm #kanidm

Ah, you got to love that sometimes SSO callback URIs have a trailing slash and sometimes they don't. And no, I absolutely did not search for the error 45 minutes straight.

By the way, did anybody set up claimMaps for kanidm in NixOS yet? I am too sleepy right now and I think I am reading it wrong.

https://search.nixos.org/options?channel=25.11&query=services.kanidm&show=services.kanidm.provision.systems.oauth2.<name>.claimMaps.<name>.valuesByGroup

#NixOS #KanIDM #PaperlessNGX


Kanidm PAM authorizations are so nice.
I cannot decide if I want to maintain users on my servers etc. via Nix as I used to, or extend it by kanidm.

Rotating keys and granting/revoking authorizations is just so nice with kanidm.

I also found out that - with a client installed on my main machine - I can just log in to the remote instance by `kanidm login`, use my yubikey locally and then do admin stuff without sshing to the server. Awesome.

#kanidm

About half a year ago I installed https://github.com/Tricked-dev/kanidm-oauth2-manager
Just to replace my shell script to set up oauth2 for my services with kanidm.
Now I pulled the image again and.. it's
"Kanidm Management Console" 😃
With UI added for users and groups too.
I do prefer automation, so I do like full cli management. But sometimes a UI is nice too :)
#kanidm #idm #ui

Only on some rare occasions I log into Shithub, because some projects are either too big for codeberg (looking at you, NixOS) or too corporate? (kanidm).

I hope this will be the last time this year.

#QuitGithubNow #NixOS #KanIDM

Turned on SSO for vaultwarden.
I forgot that the passkey for SSO was in vaultwarden only. Shot myself in the foot. Fixable, but I simply forgot that 😅
I have added hw keys too now ;)
#vaultwarden #sso #kanidm #fail

@Larvitz That's great to hear! Thanks for sharing this with us. I still have to evaluate #Kanidm. It seems like a lightweight and fresh approach compared to FreeIPA to me.

@firstyear thank youuuu :3

Yea I wanna look into #kanidm soon;
Currently have #Zitadel deployed.

Once I find time for that, ig