Does sftpgo OIDC integartion automatically create Users in sftpgo?

[japatel]

Does sftpgo OIDC integartion automatically create Users in sftpgo?

Also, if the OIDC has groups which can be sent as claims. Can OIDC enabled sftpgo map the groups to this newly created account?

While connecting to sftpgo using standard Winscp, or sftp client, can sftpgo be configured to use OIDC for these connetions?

[fostermi]

The Event Manager can be used for this. Create an Action of type "Identity Provider Account Check" and use a template something like this:

{
  "status": 1,
  "username": "{{Name}}",
  "homedir": "",
  "permissions": {
    "/": [
      "*"
    ]
  },
  "groups": [
      {
         "name": "group1",
          "type": 1
      }
   ]
}

Then create and Event Action Rule with Trigger "Identity Provider Logins" and Type "User Login" and use the action created above.

I have not figured out a way to get group mappings from an OIDC "groups" claim though, which is my next stumbling block. I hope someone has figured that out.

[keriati]

Thanks, I got this working.
Is there somewhere a reference about this json structure in any documentation? I just failed to find anything so far.

[fostermi]

So I've figured out how to dynamically add users to groups from an OIDC custom claim of "groups" using a modified script as a "pre-login hook" as described in #1072.

The gist of it is to add a key of "groups": $groups in the SFTPGO_USER_TEMPLATE in the script in that discussion and then add the following lines to extract the list of groups from the json user representation passed to the script:

# Create a list of groups, each with new attribute "type". These will be secondary groups (2).
CURR_USER_GROUPS=$(echo "${SFTPGO_LOGIND_USER}" | jq -r '[.oidc_custom_fields.groups[] | select(.|test("^sftpgo-")) | { "type": 2, "name": . } ] ')

# Create the list of SFTGO group by appending the primary 'sftpgo-users' group (type 1)
SFTPGO_USER_GROUPS=$(echo "${CURR_USER_GROUPS}" | jq  '. + [{ "type": 1, "name": "sftpgo-users" }]')

Finally, adjust the USER_TO_CREATE variable assignment to replace the placeholder groups in the user template with the extracted list of user groups.

--argjson groups "${SFTPGO_USER_GROUPS}" \

In my example, I automatically add every user created to the group sftpgo-users and make that their primary group. All other groups are prefixed by sftpgo- and I assign those groups as secondary groups. These groups need to exist in sftpgo beforehand.

There might be a better way to use jq to do this as a one-liner, but I couldn't figure out how to do that so its two lines to create the correct groups list.

Thanks to the original discussion author "shaltz" and drakkan for doing the majority of the work here. Hope this helps someone else.

[tecosaur]

I think this will likely help me, thanks for sharing!