Open
Description
I am trying to use Kanidm for OAuth2/OIDC. However, since Opengist does not add the group claim name to the OpenID request, Kanidm does not respond with the claim for groups, so OpenGist errors with the following and does not give admin permission.
{
"level": "error",
"caller": "/opengist/internal/web/handlers/auth/oauth.go:164",
"time": "2025-04-26T12:11:58Z",
"message": "No groups found in user data"
}
The relevant code seems to be here: opengist/internal/auth/oauth/openid.go, lines 20 to 28 in de144d0
Kanidm Logs
INFO request [ 59.6ms | 6.56% / 100.00% ] method: GET | uri: /ui/oauth2?client_id=opengist&redirect_uri=<REDACTED>&response_type=code&scope=openid+email+profile&state=<REDACTED> | version: HTTP/1.1
DEBUG │ ┕━ check_oauth2_authorisation [ 7.94ms | 13.32% ]
INFO │ ┝━ i [info]: Insecure client configuration - PKCE is not enforced. | event_tag_id: 10 | o2rs.name: "opengist"
DEBUG │ ┝━ 🐛 [debug]: | o2rs.scope_maps: {78863fa7-9b55-4050-a003-8f9d2cc5722c: {"email", "groups", "openid", "profile"}}
DEBUG │ ┕━ 🐛 [debug]: User has previously consented, permitting with scopes: email,openid,profile
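The logs show the mechanism behind the error: Kanidm's scope map for the opengist client ties the groups claim to a "groups" scope, but the authorization request only asks for openid, email and profile, so the claim is never released and the client then fails with "No groups found in user data". The following is an added example, not Opengist's or Kanidm's own code, showing the two halves of a client that gets this right: building the authorization request with a configurable scope list that includes the scope the IdP maps the groups claim to, and reading the groups claim out of the userinfo/ID-token payload while distinguishing "claim absent" from "claim malformed". The endpoint, client_id, redirect URI, claim name and the sample userinfo JSON are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Illustrative example, not Opengist's code. The "groups" scope and claim
// name are assumptions based on the Kanidm scope map in the logs above.

// AuthorizeURL builds the OAuth2 authorization request URL. The scope
// parameter must include every scope the IdP needs in order to release the
// claims the client later depends on; requesting only openid/email/profile
// is exactly why the groups claim is missing from the response.
func AuthorizeURL(endpoint, clientID, redirectURI, state string, scopes []string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	q := u.Query()
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

// ErrNoGroupsClaim is returned when the IdP did not release the claim at all,
// which usually means the matching scope was not requested or consented to.
var ErrNoGroupsClaim = errors.New("no groups claim in user data")

// GroupsFromClaims extracts a string-array claim (e.g. "groups") from a
// userinfo or ID-token payload. A missing claim and a present-but-malformed
// claim are reported as different errors so the operator can tell a scope
// misconfiguration apart from an unexpected claim shape.
func GroupsFromClaims(payload []byte, claimName string) ([]string, error) {
	var claims map[string]json.RawMessage
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	raw, ok := claims[claimName]
	if !ok {
		return nil, ErrNoGroupsClaim
	}
	var groups []string
	if err := json.Unmarshal(raw, &groups); err != nil {
		return nil, fmt.Errorf("claim %q is not a string array: %w", claimName, err)
	}
	return groups, nil
}

func main() {
	// Constructed sample userinfo responses (not real Kanidm output).
	withGroups := []byte(`{"sub":"u1","email":"a@example.com","groups":["opengist_admins@idm.example.com"]}`)
	withoutGroups := []byte(`{"sub":"u1","email":"a@example.com"}`)

	// Requesting the "groups" scope alongside the standard OIDC scopes.
	u, err := AuthorizeURL("https://idm.example.com/ui/oauth2", "opengist",
		"https://gist.example.com/oauth/openid/callback", "s3cr3tstate",
		[]string{"openid", "email", "profile", "groups"})
	if err != nil {
		panic(err)
	}
	fmt.Println(u)

	if g, err := GroupsFromClaims(withGroups, "groups"); err == nil {
		fmt.Println("groups:", g)
	}
	if _, err := GroupsFromClaims(withoutGroups, "groups"); errors.Is(err, ErrNoGroupsClaim) {
		fmt.Println("scope not requested or not released:", err)
	}
}
```

Note that Kanidm's consent record in the log lists only email, openid and profile; after adding the scope on the client side the user may also need to re-consent so the new scope is actually granted.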