Skip to content

fix: add groups scope to OAuth2 OpenID Connect configuration#62

Closed
rcdailey wants to merge 1 commit intoopencloud-eu:mainfrom
rcdailey:fix/oauth2-oidc-groups-scope
Closed

fix: add groups scope to OAuth2 OpenID Connect configuration#62
rcdailey wants to merge 1 commit intoopencloud-eu:mainfrom
rcdailey:fix/oauth2-oidc-groups-scope

Conversation

@rcdailey
Copy link
Contributor

@rcdailey rcdailey commented Nov 22, 2025

Summary

Adds the groups scope to the OAuth2 OpenID Connect configuration to enable role-based access control (RBAC) with OIDC providers.

Changes

  • Added groups to oauth2_openid_scope in opencloudApp/src/main/res/values/setup.xml

Context

The groups scope is a de facto standard across major OIDC providers (Authelia, Keycloak, Authentik, Azure AD, Okta). Without it, OIDC providers cannot return group membership claims in the UserInfo response, preventing applications from implementing proper authorization based on user roles.

This change is backward compatible - per the OIDC specification, providers ignore unsupported scopes, so the OAuth flow will continue to work with providers that don't support the groups scope.

@rcdailey
fix: add groups scope to OAuth2 OpenID Connect configuration
1872b6f 
The groups scope is required for proper role-based access control (RBAC)
with OIDC providers like Authelia, Keycloak, and Authentik. Without it,
these providers cannot return group membership claims in the UserInfo
response, preventing applications from implementing proper authorization.

This change adds "groups" to the oauth2_openid_scope string resource,
enabling OIDC providers to return group information when supported.
The change is backward compatible as providers ignore unsupported scopes
per the OIDC specification.
@rcdailey
Copy link
Contributor Author

rcdailey commented Nov 22, 2025

Looking at a similar PR for the desktop app: opencloud-eu/desktop#336

It seems that the chances of this being accepted will be very low. @samolego had a valid question there that went unanswered:

why would you expect to get groups while not requesting them? Isn't that broken?

It would be nice to have the answer to that. In the meantime, I'd be happy to explore the solution @butonic recommended in this comment. I assume this would apply to all clients, not just the desktop one.

Eager to get feedback from the maintainers.

@kaivol
Copy link

kaivol commented Nov 29, 2025

per the OIDC specification, providers ignore unsupported scopes

Are you sure about that?
According to 3.1.2.1. Authentication Request, "Scope values used that are not understood by an implementation SHOULD be ignored".

This also seems to be a problem in practice: opencloud-eu/desktop#336 (comment)

@guruz
Copy link
Contributor

guruz commented Jan 12, 2026

Added "DO NOT MERGE" label for now as per @butonic 's statement

The OpenID Connect specification doesn't mandate a specific error behavior for unsupported claims or scopes, so the actual behavior varies by IdP implementation: They might silently ignore the claim or return an invalid_scope or [invalid_request error](https://openid.net/specs/openid-connect-core-1_0.html#TokenErrorResponse)

Related: See also opencloud-eu/desktop#246 (comment)

@guruz guruz self-assigned this Jan 12, 2026
guruz
guruz requested changes Jan 12, 2026
View reviewed changes
Copy link
Contributor

@guruz guruz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See comment above. Placeholder PR.

@rcdailey rcdailey closed this Jan 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@guruz guruz guruz requested changes

Assignees

@guruz guruz

Labels

DO NOT MERGE

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rcdailey @kaivol @guruz