OCIS + Authelia

So this works for the WEB authentication, however it seems that the desktop client (and therefor I assume the mobile apps too) do not request groups, or any other scope. They are hardcoded for openid offline_access email profile only (lacking groups or any other scope to use for a role provider).
I found a git issue for this: owncloud/ocis/issues/6814
The provided example for Keycloak includes providing scopes that Authelia does not support (Authelia only supports openid, groups, profile, email).
With my limited understanding I am unsure how oCIS gets the roles from Keycloak since it is not requested by the clients, and AFAICT I have setup Authelia to provide the roles (via groups).
I do not understand how roles is assigned or provided, and to be quite frank, I don’t understand the entire example.
But my take away from it seems to be that it leaves me with the following options of:

  • build your own clients (not viable, I’m not in a position to build apps)
  • not use mobile/desktop clients (not ideal)
  • just cant use PROXY_ROLE_ASSIGNMENT_DRIVER: oidc (also not ideal)

Am I just doing something wrong or is it not feasible at the moment?

1 Like

I’ve tried everything to make this work, unfortunately it doesn’t.
The only solution to create an admin and have all 3 clients working (web, desktop, android) was to install ocis without authelia, create the admin user and password same as your authelia user, then add authelia.

After you login with the admin, one can add PROXY_AUTOPROVISION_ACCOUNTS: "true" and future clients can be added in authelia and will be provisioned in ocis (as normal users naturally).

There was a bug in ocis with the admin user id provisioning. We fixed that in ocis 5.0.3. Can you confirm that?