Use OIDC group information and automatically create user

[iverberk]

Feature Category

• Correctness
• [X ] User Interface / User Experience
• Performance
• Other (please explain)

Describe the problem

We have connected MWDB to Keycloak via OIDC. We currently see two problems with this:

1. We need to enable user registration on the mwdb-core service otherwise a new user that logs in via OIDC cannot access the application. It seems that a new user needs to be created in MWDB manually first? We would like an automatic user creation when the Keycloak login is successful. Currently the user gets a pop-up asking if he/she wants register but we would like to prevent this question and just create the user.
2. Our users are connected to groups in Keycloak and we pass this information in the access/id-token. However, it seems that MWDB does nothing with this information and forces us to do manual user/group management in the MWDB interface. Is it possible to read the groups from the ID token and automatically put users in the correct groups in MWDB?

Describe the solution you'd like

Use the ID token information to automatically create users assigned to the correct groups without user/admin intervention.

Describe alternatives you've considered

None, this is the only external authentication option currently.

[psrok1]

Hi!

We need to enable user registration on the mwdb-core service otherwise a new user that logs in via OIDC cannot access the application.

That sounds like a bug. User registration should be done automatically and shouldn't rely on enabled registration form.

Currently the user gets a pop-up asking if he/she wants register but we would like to prevent this question and just create the user.

Yeah, that pop-up may be unnecessary because you should be asked for consent on the OIDC Identity Provider webpage anyway. This popup was probably made to prevent action done by misclick, but I agree it's redundant in most cases.

Our users are connected to groups in Keycloak and we pass this information in the access/id-token. However, it seems that MWDB does nothing with this information and forces us to do manual user/group management in the MWDB interface. Is it possible to read the groups from the ID token and automatically put users in the correct groups in MWDB?

That's a good feature request. Right now, a special group is created in MWDB for each OIDC provider and all users connected with it are automatically added. Is it enough to add users to the groups on registration or do you want to synchronize them e.g. on each login using OIDC?

[narimantos]

Is it enough to add users to the groups on registration or do you want to synchronize them e.g. on each login using OIDC?

I suppose that automatically adding add users to the groups on registration would be sufficient for now?