OCIS + Authelia

So this works for the WEB authentication, however it seems that the desktop client (and therefore I assume the mobile apps too) do not request groups, or any other scope. They are hardcoded for openid offline_access email profile only (lacking groups or any other scope to use for a role provider).
I found a git issue for this: owncloud/ocis/issues/6814
The provided example for Keycloak includes providing scopes that Authelia does not support (Authelia only supports openid, groups, profile, email).
With my limited understanding I am unsure how oCIS gets the roles from Keycloak since it is not requested by the clients, and AFAICT I have set up Authelia to provide the roles (via groups).
I do not understand how roles are assigned or provided, and to be quite frank, I don’t understand the entire example.
But my takeaway from it seems to be that it leaves me with the following options:

  • build your own clients (not viable, I’m not in a position to build apps)
  • not use mobile/desktop clients (not ideal)
  • just can't use PROXY_ROLE_ASSIGNMENT_DRIVER: oidc (also not ideal)

Am I just doing something wrong or is it not feasible at the moment?

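The post above hinges on one observable fact: a client that never requests the groups scope receives tokens without a groups claim, so a role driver keyed on that claim has nothing to map. The following Python helper is an added example (not part of the original post, and not oCIS or Authelia code) for inspecting an ID token you already hold and checking whether the claim a group-based role mapping depends on is actually present. The tokens, issuer, group names and the GROUP_TO_ROLE mapping are constructed fixtures; the decoder reads the payload only and does not verify the signature, so it is an inspection aid, never an authentication step.

```python
import base64
import json
from typing import Optional

# Constructed mapping for the demonstration: which IdP group grants which role.
# The real mapping lives in your oCIS / Authelia configuration, not here.
GROUP_TO_ROLE = {
    "ocis-admins": "admin",
    "ocis-users": "user",
}


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this reads a token you already hold so
    you can see which claims the IdP put in it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def role_from_claims(claims: dict, claim_name: str = "groups") -> Optional[str]:
    """Map the groups claim to a role; None when no mapping applies.

    A missing or non-list claim yields None: that is exactly what happens
    when the client never asked for the scope that carries the claim.
    """
    groups = claims.get(claim_name)
    if not isinstance(groups, list):
        return None
    for group in groups:
        if group in GROUP_TO_ROLE:
            return GROUP_TO_ROLE[group]
    return None


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT fixture (alg none) for the demo."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


# Constructed fixture: a client that requested "openid groups email profile"
WEB_TOKEN = make_unsigned_token({
    "iss": "https://auth.example.test",
    "sub": "alice",
    "email": "alice@example.test",
    "groups": ["ocis-admins"],
})

# Constructed fixture: a client hardcoded to "openid offline_access email profile"
DESKTOP_TOKEN = make_unsigned_token({
    "iss": "https://auth.example.test",
    "sub": "alice",
    "email": "alice@example.test",
})


def diagnose(token: str) -> dict:
    """Report whether the groups claim is present and which role it would give."""
    claims = jwt_claims(token)
    return {
        "has_groups_claim": "groups" in claims,
        "role": role_from_claims(claims),
    }


if __name__ == "__main__":
    for name, tok in (("web", WEB_TOKEN), ("desktop", DESKTOP_TOKEN)):
        print(name, diagnose(tok))
```

Run it against an ID token captured from each client (for example by pasting the token string in place of the fixtures): a result of has_groups_claim False for the desktop token, alongside True for the web token, confirms the scope gap described in the post rather than a misconfigured group-to-role mapping.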

I’ve tried everything to make this work, unfortunately it doesn’t.
The only solution to create an admin and have all 3 clients working (web, desktop, android) was to install ocis without authelia, create the admin user and password same as your authelia user, then add authelia.

After you login with the admin, one can add PROXY_AUTOPROVISION_ACCOUNTS: "true" and future clients can be added in authelia and will be provisioned in ocis (as normal users naturally).