Group name rewrite based on Provider (for Wiki.js) #12232

akowi-sknobloch · 2024-11-30T10:30:02Z

akowi-sknobloch
Nov 30, 2024

Hello everyone,

we've recently integrated authentik in our Wiki.js instance via OAuth2/OpenID.
The Login and Group syncing works fine.
We disabled the default local login of Wiki.js so there is only the authentik auth flow.
We want to completely manage our users & groups through authentik.

Now we face the problem when we want a user to be an sysadmin for Wiki.js.
Wiki.js does not support giving a custom group full admin access.
We would have to assign the user to a group called "Administrators" in authentik to have the user correctly assigned.
This is a problem as we may want a user to be a admin for Wiki.js but not for other services.

I was hoping that we would be able to rewrite a group name based on the provider.
So we could create a "wiki-admin" group in authentik which would get passed as "Administrators" via the OpenID config.
Is there some way to make this work?
Would be happy to share some experiences about the combination of Wiki.js & authentik.

Answered by zaourzag

Dec 5, 2024

hi! i was cruising trough here and saw your question. this is posible in authentik using a custom scope.

ie:

return {
    # Because authentik only saves the user's full name, and has no concept of first and last names,
    # the full name is used as given name.
    # You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
    "name": request.user.name,
    "given_name": request.user.name,
    "preferred_username": request.user.username,
    "nickname": request.user.username,
    # groups is not part of the official userinfo schema, but is a quasi-standard
    "groups": ["Administrators"] + [group.name for group in request.user.ak_groups.all()] if ak_is_grou…

View full answer

zaourzag · 2024-12-05T07:09:07Z

zaourzag
Dec 5, 2024

hi! i was cruising trough here and saw your question. this is posible in authentik using a custom scope.

ie:

return {
    # Because authentik only saves the user's full name, and has no concept of first and last names,
    # the full name is used as given name.
    # You can override this behaviour in custom mappings, i.e. `request.user.name.split(" ")`
    "name": request.user.name,
    "given_name": request.user.name,
    "preferred_username": request.user.username,
    "nickname": request.user.username,
    # groups is not part of the official userinfo schema, but is a quasi-standard
    "groups": ["Administrators"] + [group.name for group in request.user.ak_groups.all()] if ak_is_group_member(request.user, name="wiki-admin") else [group.name for group in request.user.ak_groups.all()]
}

in my quick test this added said group to the groups mapping. you should be able to set that as a property mapping in authentik on profile and change the openid scope in the provider to id and after that it should work.

1 reply

akowi-sknobloch Dec 5, 2024
Author

Great works like a charm!
Thank you very much! :)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Group name rewrite based on Provider (for Wiki.js) #12232

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Group name rewrite based on Provider (for Wiki.js) #12232

akowi-sknobloch Nov 30, 2024

Replies: 1 comment · 1 reply

zaourzag Dec 5, 2024

akowi-sknobloch Dec 5, 2024 Author

akowi-sknobloch
Nov 30, 2024

Replies: 1 comment 1 reply

zaourzag
Dec 5, 2024

akowi-sknobloch Dec 5, 2024
Author