Ok, first time I tried to use a custom scope to map oauth2 users to application specific roles.
Followed some sample and I just replaced names.
Working with one role... adding another. Both roles not working anymore.
Reading more theory about scopes and claims did help to understand (oh well 🙈)
It's actually not that complicated 🤓
Both roles working now. Writing up some docs and adding another 2 roles is planned for tomorrow.
#oauth2 #idm #kanidm

I did this for bookstack with kanidm
Given the oauth2 app is 'bookstack':
map claims (roles in bookstack, say admin) to scopes and groups in IAM, e.g. bookstack_roles and bookstack_admin

add the scope to the oauth2 application

assign users to these groups as needed.

configure app which scope to use for roles

#iam #idm #oauth2 #roles #claim-map #kanidm

commands for kanidm + bookstack

kanidm group create bookstack_admin

kanidm system oauth2 update-claim-map bookstack bookstack_roles bookstack_admin admin

kanidm system oauth2 update-scope-map bookstack bookstack_users email groups openid profile bookstack_roles

kanidm group add-members bookstack_admin stelb

Environment for bookstack:
OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=bookstack_roles
OIDC_REMOVE_FROM_GROUPS=true

#iam #idm #oauth2 #roles #claim-map #kanidm
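As an added illustration (not code from the post, from kanidm or from BookStack), the script below shows what the application side of this setup does with the ID token: it reads the custom claim named in OIDC_GROUPS_CLAIM and turns it into application roles, with the two behaviours OIDC_USER_TO_GROUPS and OIDC_REMOVE_FROM_GROUPS select. The token payload and the "stelb" / "admin" values are constructed sample data; the sync logic is a simplified model of the group-sync semantics, not BookStack's implementation. The token is built unsigned purely so the example runs offline; signature and issuer/audience verification are assumed to happen in the OIDC library before claims are trusted.

```python
import base64
import json

# Constructed sample: the payload kanidm would put in the ID token once the
# "bookstack_roles" claim map is attached to the "bookstack" client and the
# user is a member of the bookstack_admin group. Values are made up.
SAMPLE_ID_TOKEN_PAYLOAD = {
    "iss": "https://idm.example.com/oauth2/openid/bookstack",  # assumed issuer URL
    "sub": "stelb",
    "aud": "bookstack",
    "email": "stelb@example.com",
    "bookstack_roles": ["admin"],
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature (offline demo only)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


def read_claims(id_token: str) -> dict:
    """Return the claim set of an ID token whose signature was already verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def roles_from_claim(claims: dict, claim_name: str) -> set:
    """Extract role names from the configured groups claim.

    kanidm can emit the claim either as a JSON array or as a joined string
    (comma or space separated, depending on the claim map's join style),
    so both shapes are accepted. A missing claim yields no roles.
    """
    value = claims.get(claim_name)
    if value is None:
        return set()
    if isinstance(value, str):
        return set(value.replace(",", " ").split())
    if isinstance(value, list):
        return set(value)
    raise TypeError(f"claim {claim_name!r} has unsupported type {type(value).__name__}")


def sync_roles(current_roles: set, claimed_roles: set, remove_from_groups: bool) -> set:
    """Model of OIDC_USER_TO_GROUPS=true group sync.

    Roles named in the claim are always granted. With remove_from_groups
    (OIDC_REMOVE_FROM_GROUPS=true) the claim becomes authoritative and any
    role it does not name is revoked; otherwise existing roles are kept.
    """
    if remove_from_groups:
        return set(claimed_roles)
    return set(current_roles) | set(claimed_roles)


def demo() -> dict:
    """Run the full path once and return the outcomes for inspection."""
    claims = read_claims(build_unsigned_jwt(SAMPLE_ID_TOKEN_PAYLOAD))
    roles = roles_from_claim(claims, "bookstack_roles")
    return {
        "claimed": roles,
        "authoritative": sync_roles({"editor"}, roles, True),
        "additive": sync_roles({"editor"}, roles, False),
        # A misspelled OIDC_GROUPS_CLAIM with removal on strips every role.
        "wrong_claim_name": sync_roles({"editor"}, roles_from_claim(claims, "bookstack_role"), True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {sorted(value)}")
```

The last entry of demo() is the case worth checking after a change to the claim map: with OIDC_REMOVE_FROM_GROUPS=true, a claim name that does not match what kanidm emits is not a no-op, it removes the user from all synced roles at next login, so compare the claim name in the token against OIDC_GROUPS_CLAIM before enabling removal.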