Creating custom property mappings for oidc/oauth2 in authentik

An alternative title for this post could be „How to manage wiki.js groups from within authentik“.

This time I wanted to set up SSO for my wiki.js instance. After configuring the Generic OpenID Connect / OAuth2 strategy according to the official authentik docs, I noticed that wiki.js also lets you assign its groups from within the SSO configuration, based on a claim sent by the identity provider.

So my plan was this: I want to create groups in authentik like „Wiki Administrators“ and „Wiki Guests“, and wiki.js should then receive a custom claim called „wiki-groups“ that contains only „Administrators“ or „Guests“. The groups in wiki.js don’t carry my „Wiki “ prefix, but I want the prefix in authentik, because there are multiple groups managing the admins across multiple services.

wiki.js will not request any custom scopes; it is limited to profile and email. So when we create a custom property mapping, make sure its scope name is also profile: a mapping bound to a scope the client never requests is never evaluated, and the claim would simply not show up.

So in authentik go to Customization -> Property Mappings -> Create -> Scope Mapping

Choose any name, enter profile as the scope name, and choose any description. After saving, also open the OAuth2 provider you created for wiki.js and add the new mapping to its selected scopes (under the advanced protocol settings); a mapping that is not assigned to the provider is not evaluated for that client.

The expression can be any Python code, but make sure it returns a dict, because one mapping can return multiple key-value pairs at once and authentik merges that dict into the claims. Just returning a value on its own, like a string, will not result in anything being present in the response of the authentik userinfo endpoint /application/o/userinfo/.

# Scope mapping expression: authentik evaluates it with `request` in scope and merges the returned dict into the claims
return {
  # Collect the "wiki_group" attribute of every authentik group the user is a member of;
  # groups without that attribute (e.g. admin groups of other services) are skipped
  "wiki-groups": [str(g.attributes['wiki_group']) for g in request.user.ak_groups.all() if 'wiki_group' in g.attributes]
}

So what does this Python code do? It iterates over all groups the user is a member of and checks whether the group has a custom attribute called „wiki_group“. It collects all those values into one list and exposes it to wiki.js as the „wiki-groups“ claim. Groups without the attribute are ignored, which is why the „Wiki “ prefix in authentik never reaches wiki.js.
So go and create an authentik group called „Wiki Administrators“ and set its „wiki_group“ attribute to „Administrators“ (spelled exactly as the group is named in wiki.js). The attribute goes into the group’s Attributes field as YAML, i.e. wiki_group: Administrators. Finally, point the group mapping in the wiki.js SSO configuration at the wiki-groups claim.
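Because the expression only runs inside authentik, it is easy to ship a typo and only find out after the next login. The following is an added example, my code and not part of the original post or of authentik: a small offline harness with constructed stand-ins for the objects authentik hands to a scope mapping (request.user.ak_groups.all() returning groups with an .attributes dict). It contains the same mapping logic as above, generalised a little (the attribute may also be a list, values are de-duplicated and sorted so the claim is deterministic), plus an approximation of the "only dicts are merged" behaviour the post describes. The Fake* classes and merge_mapping_results are assumptions for the harness, not authentik's real models or code.

```python
"""Offline harness for the wiki-groups scope mapping (added example).

The Fake* classes are a constructed stand-in for what authentik passes to a
scope mapping expression; they are NOT authentik's real models.
"""
from dataclasses import dataclass, field


@dataclass
class FakeGroup:
    """Stand-in for an authentik group: a name plus its custom attributes."""
    name: str
    attributes: dict = field(default_factory=dict)


class FakeGroupManager:
    """Mimics the .all() call on request.user.ak_groups."""

    def __init__(self, groups):
        self._groups = list(groups)

    def all(self):
        return list(self._groups)


@dataclass
class FakeUser:
    username: str
    ak_groups: FakeGroupManager


@dataclass
class FakeRequest:
    user: FakeUser


def wiki_groups_mapping(request):
    """Body of the scope mapping, written as a function of the request object.

    - groups without a wiki_group attribute are skipped (other services' groups)
    - wiki_group may be a single string or a list of strings, so one authentik
      group can grant several wiki.js groups at once
    - values are de-duplicated and sorted, so the claim does not depend on the
      order in which the groups are returned
    """
    names = set()
    for g in request.user.ak_groups.all():
        raw = g.attributes.get("wiki_group")
        if raw is None:
            continue
        values = raw if isinstance(raw, (list, tuple)) else [raw]
        for v in values:
            v = str(v).strip()
            if v:
                names.add(v)
    return {"wiki-groups": sorted(names)}


def merge_mapping_results(results):
    """Approximation (assumption, not authentik's code) of how the results of
    several scope mappings end up in one userinfo document: only dict results
    are merged, anything else (e.g. a bare string) is dropped. That is why a
    mapping returning a plain value produces no claim at all."""
    claims = {}
    for result in results:
        if not isinstance(result, dict):
            continue
        claims.update(result)
    return claims


def build_request(group_specs, username="alice"):
    """group_specs: list of (group name, attributes dict) tuples (constructed input)."""
    groups = [FakeGroup(name, dict(attrs)) for name, attrs in group_specs]
    return FakeRequest(FakeUser(username, FakeGroupManager(groups)))


if __name__ == "__main__":
    # Constructed sample membership: two wiki groups, one unrelated admin group,
    # and one group that grants two wiki.js groups at once.
    req = build_request([
        ("Wiki Administrators", {"wiki_group": "Administrators"}),
        ("Wiki Guests", {"wiki_group": "Guests"}),
        ("Gitea Admins", {}),
        ("Wiki Editors", {"wiki_group": ["Editors", "Guests"]}),
    ])
    print(wiki_groups_mapping(req))
    # A bare string from a mapping never reaches the claims; dicts are merged.
    print(merge_mapping_results(["Administrators",
                                 {"email": "alice@example.org"},
                                 wiki_groups_mapping(req)]))
```

To use the hardened variant in authentik, paste only the body of wiki_groups_mapping (from names = set() down to the return) into the expression field; request is already provided there as a variable, so no function definition is needed.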
