Basic implementation of OpenId Connect groups #2202
Hi,
This PR is more for a call for comments than anything else. This PR lets you synchronize group membership from an OpenID Connect provider that provides a "groups" claim.
I am curious if other people are interested in something like this. This PR is based on 4.29.0. If other people are interested, then I could create a PR based on the master branch for contributing to the project.
To use it with KeyCloak, you need to add a Mapper to your client definition with the following:
When OIDC is used, this path only gets activated if the passed Token contains a "groups" claim. If it does, then it will look for group names in the "groups" claim named "Group-admin" or "Group-user". So for example, if the Token groups claim contains a group named "Contoso-admin", then, the user will be added to the "Contoso" group as manager. On the other hand, if the groups claim contains a group named "Contoso-user", then the user will be added to the "Contoso" group as a normal member.
Similarly, if the user belongs to a group and the corresponding "group-user" or "group-admin" is not found in the Token "groups" claim, the user will be removed from the group.
Note that groups must already exist in gitbucket for this to work. This means that if the "groups" claim contains multiple groups not used by gitbucket, these will be ignored.
This lets you manage users from an external Identity Provider system and control group membership from there, which makes the tool more suitable for Enterprise users.
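The mapping described above (a "<group>-admin" / "<group>-user" entry in the "groups" claim becomes manager / member of an existing gitbucket group, anything else is ignored, and groups no longer present in the claim are dropped) can be modelled as a small sync planner. This is an added example in Python, not code from the PR or from gitbucket; the group names, current memberships and the "admin wins if both suffixes appear" rule are assumptions made for the example.

```python
# Suffixes the PR maps onto gitbucket roles: suffix -> is_manager
ROLE_SUFFIXES = {"-admin": True, "-user": False}


def parse_groups_claim(claim):
    """Turn raw claim entries into {group_name: is_manager}.

    Entries without a recognised suffix are ignored. If both "<g>-admin" and
    "<g>-user" are present, manager wins (assumption; the PR text does not say).
    """
    desired = {}
    for entry in claim:
        for suffix, is_manager in ROLE_SUFFIXES.items():
            if entry.endswith(suffix) and len(entry) > len(suffix):
                name = entry[: -len(suffix)]
                desired[name] = desired.get(name, False) or is_manager
                break
    return desired


def plan_membership_sync(claim, existing_groups, current_membership):
    """Compute the changes to apply for one user after an OIDC login.

    claim              : list from the token's "groups" claim, or None if absent
    existing_groups    : set of group names that exist in gitbucket
    current_membership : {group: is_manager} for groups the user is in now
    Returns (add, update, remove): add/update as {group: is_manager}, remove as a set.
    """
    if claim is None:
        # No "groups" claim: the sync path is not activated, nothing changes.
        return {}, {}, set()
    # Only groups that already exist in gitbucket are considered.
    desired = {g: m for g, m in parse_groups_claim(claim).items() if g in existing_groups}
    add = {g: m for g, m in desired.items() if g not in current_membership}
    update = {g: m for g, m in desired.items()
              if g in current_membership and current_membership[g] != m}
    remove = {g for g in current_membership if g not in desired}
    return add, update, remove


# Constructed sample data for a single user.
SAMPLE_CLAIM = ["Contoso-admin", "Fabrikam-user", "Initech-user", "sales-team"]
SAMPLE_EXISTING = {"Contoso", "Fabrikam", "Acme"}
SAMPLE_CURRENT = {"Contoso": False, "Acme": False}

if __name__ == "__main__":
    print(plan_membership_sync(SAMPLE_CLAIM, SAMPLE_EXISTING, SAMPLE_CURRENT))
```

With the sample data the user is promoted to manager of Contoso, added to Fabrikam, removed from Acme, and "Initech" (no such gitbucket group) and "sales-team" (no role suffix) are ignored.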