feat: opencloud group provisioning via oidc

Signed-off-by: Bert-Jan Fikse <bert-jan@whatwedo.ch>
2026-03-13 16:43:02 +01:00 · 2026-03-13 16:43:02 +01:00 · aa8baad630
commit aa8baad630
parent 6f4cc2bdb3
5 changed files with 37 additions and 0 deletions
--- a/roles/keycloak/tasks/provisioning.yml
+++ b/roles/keycloak/tasks/provisioning.yml
@ -163,6 +163,7 @@
    direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(false) }}"
    protocol: openid-connect
    default_client_scopes: "{{ item.default_client_scopes | default(['openid', 'email', 'profile']) }}"
+    protocol_mappers: "{{ item.protocol_mappers | default(omit) }}"
    state: present
    validate_certs: false
  loop: "{{ keycloak_oidc_clients }}"
--- a/roles/opencloud/defaults/main.yml
+++ b/roles/opencloud/defaults/main.yml
@ -64,6 +64,17 @@ opencloud_ldap_group_schema_groupname: "cn"
 opencloud_ldap_group_schema_member: "member"
 opencloud_ldap_write_enabled: false

+# Role assignment via OIDC (set opencloud_role_assignment_driver to "oidc" to enable)
+opencloud_role_assignment_driver: "default"
+opencloud_role_assignment_oidc_claim: "groups"
+opencloud_role_mapping: []
+# Example mapping LDAP groups to OpenCloud roles:
+# opencloud_role_mapping:
+#   - role_name: admin
+#     claim_value: admins
+#   - role_name: user
+#     claim_value: users
+
 # Draw.io integration (set opencloud_drawio_url to enable)
 opencloud_drawio_url: ""
 opencloud_drawio_theme: "minimal"
--- a/roles/opencloud/tasks/main.yml
+++ b/roles/opencloud/tasks/main.yml
@ -34,6 +34,16 @@
  when: opencloud_csp_extra_connect_src | length > 0 or opencloud_csp_extra_frame_src | length > 0
  notify: restart opencloud

+- name: Create proxy role assignment config
+  template:
+    src: proxy.yaml.j2
+    dest: "{{ opencloud_docker_volume_dir }}/config/proxy.yaml"
+    owner: "1000"
+    group: "1000"
+    mode: '0644'
+  when: opencloud_role_assignment_driver == "oidc" and opencloud_role_mapping | length > 0
+  notify: restart opencloud
+
 - name: Create draw.io extension apps directory
  file:
    path: "{{ opencloud_docker_volume_dir }}/data/web/assets/apps/draw-io"
--- a/roles/opencloud/templates/docker-compose.yml.j2
+++ b/roles/opencloud/templates/docker-compose.yml.j2
@ -35,6 +35,12 @@ services:
      PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION: "/etc/opencloud/csp-override.yaml"
 {% endif %}
      IDM_ADMIN_PASSWORD: "{{ opencloud_admin_password }}"
+{% if opencloud_role_assignment_driver == "oidc" %}
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
+      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "{{ opencloud_role_assignment_oidc_claim }}"
+      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
+      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false"
+{% endif %}
 {% if opencloud_oidc_issuer %}
      OC_OIDC_ISSUER: "{{ opencloud_oidc_issuer }}"
      OC_OIDC_CLIENT_ID: "{{ opencloud_oidc_client_id }}"
--- a/roles/opencloud/templates/proxy.yaml.j2
+++ b/roles/opencloud/templates/proxy.yaml.j2
@ -0,0 +1,9 @@
+role_assignment:
+  driver: oidc
+  oidc_role_mapper:
+    role_claim: {{ opencloud_role_assignment_oidc_claim }}
+    role_mapping:
+{% for mapping in opencloud_role_mapping %}
+      - role_name: {{ mapping.role_name }}
+        claim_value: "{{ mapping.claim_value }}"
+{% endfor %}