Conversation

@rcdailey

Summary

Adds the groups scope to the OAuth2 OpenID Connect configuration to enable role-based access control (RBAC) with OIDC providers.

Changes

  • Added groups to oauth2_openid_scope in opencloudApp/src/main/res/values/setup.xml

Context

The groups scope is a de facto standard across major OIDC providers (Authelia, Keycloak, Authentik, Azure AD, Okta). Without it, OIDC providers cannot return group membership claims in the UserInfo response, preventing applications from implementing proper authorization based on user roles.

This change is backward compatible - per the OIDC specification, providers ignore unsupported scopes, so the OAuth flow will continue to work with providers that don't support the groups scope.

The groups scope is required for proper role-based access control (RBAC)
with OIDC providers like Authelia, Keycloak, and Authentik. Without it,
these providers cannot return group membership claims in the UserInfo
response, preventing applications from implementing proper authorization.

This change adds "groups" to the oauth2_openid_scope string resource,
enabling OIDC providers to return group information when supported.
The change is backward compatible as providers ignore unsupported scopes
per the OIDC specification.
@rcdailey

Looking at a similar PR for the desktop app: opencloud-eu/desktop#336

It seems that the chances of this being accepted will be very low. @samolego had a valid question there that went unanswered:

why would you expect to get groups while not requesting them? Isn't that broken?

It would be nice to have the answer to that. In the meantime, I'd be happy to explore the solution @butonic recommended in this comment. I assume this would apply to all clients, not just the desktop one.

Eager to get feedback from the maintainers.

@kaivol

kaivol commented Nov 29, 2025

per the OIDC specification, providers ignore unsupported scopes

Are you sure about that?
According to 3.1.2.1. Authentication Request, "Scope values used that are not understood by an implementation SHOULD be ignored".

This also seems to be a problem in practice: opencloud-eu/desktop#336 (comment)
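As an added illustration of the two points above (the scope resource the PR edits, and kaivol's objection that a provider only SHOULD ignore an unknown scope), here is example code that is not part of the OpenCloud project: it reads a constructed setup.xml fragment, builds the scope parameter, detects from the token response whether the provider actually granted the groups scope, and makes the group-based authorization decision fail closed when no groups claim comes back. The resource content and the token/UserInfo responses are constructed sample data.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample of the Android string resource touched by the PR
# (not the project's real setup.xml).
SETUP_XML = """<resources>
  <string name="oauth2_openid_scope">openid offline_access email profile groups</string>
</resources>"""


def read_scope(xml_text: str) -> list[str]:
    """Return the space-separated scope values declared in oauth2_openid_scope."""
    root = ET.fromstring(xml_text)
    for s in root.iter("string"):
        if s.get("name") == "oauth2_openid_scope":
            return (s.text or "").split()
    raise KeyError("oauth2_openid_scope resource not found")


def build_auth_params(scopes: list[str], client_id: str, redirect_uri: str, state: str) -> str:
    """Encode the scope list as the space-delimited 'scope' parameter of an
    OAuth 2.0 authorization request (query-string form)."""
    return urlencode({"response_type": "code", "client_id": client_id,
                      "redirect_uri": redirect_uri, "scope": " ".join(scopes),
                      "state": state})


def granted_scopes(token_response: dict, requested: list[str]) -> list[str]:
    """RFC 6749 section 5.1: the token response carries 'scope' when the granted
    set differs from the request; if it is absent, the request was granted as-is.
    A provider that silently dropped 'groups' shows up here."""
    if "scope" in token_response:
        return token_response["scope"].split()
    return list(requested)


def is_member(userinfo: dict, required_group: str) -> bool:
    """Authorization decision that fails closed: a missing, empty or
    malformed 'groups' claim grants nothing, whatever the cause."""
    groups = userinfo.get("groups")
    return isinstance(groups, list) and required_group in groups
```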
