Replies: 2 comments 1 reply
I love Pelican, but it's pained me ever since I downloaded it to see "Authentik" as an option, but...nothing else. This is the only app in my stack that doesn't support my (OIDC) Auth system. I would love to see this!
Because Pelican Panel uses Socialite, it is actually quite easy to use other providers.
Summary
Extend Pelican Panel’s authentication and authorization capabilities by allowing Pelican roles to be mapped directly to OpenID Connect (OIDC) group claims obtained through Laravel Socialite. This would enable Pelican to automatically derive user roles from centrally managed identity groups at the Identity Provider (IdP).
Background / Context
Pelican Panel uses Laravel Socialite for OIDC authentication. Socialite already exposes OIDC user attributes and claims (such as group or role information) from providers like Keycloak, Authentik, Azure AD, or Okta.
While authentication is centralized, authorization in Pelican (role assignment) currently remains a local concern.
Current Workaround
In our sxlan.de environment, this gap is currently bridged with a custom integration:
- Pelican triggers a webhook on user creation
- A small Python container is invoked by this webhook
- The container:
  - Queries the Authentik API for the newly created user
  - Resolves the user’s group memberships
  - Assigns the appropriate roles in Pelican via its API
While this approach works reliably, it introduces additional operational complexity, external dependencies, and maintenance overhead. It also tightly couples the solution to a specific IdP (Authentik) and deployment.
Problem Statement
In SSO-based setups, the IdP is typically the single source of truth for both authentication and authorization. Managing Pelican roles separately—or via custom glue code—results in:
- Duplicate and fragmented role management
- Increased operational and maintenance effort
- Risk of authorization drift
- Non-portable, deployment-specific solutions
Proposed Solution
Introduce a native role-mapping layer in Pelican built on top of Socialite’s OIDC integration:
- Allow administrators to define mappings between:
  - OIDC group claims retrieved via Socialite (e.g. groups, roles, memberOf)
  - Pelican internal roles
- During login (or user sync), Pelican:
  - Extracts group claims from the Socialite user object
  - Resolves and assigns Pelican roles based on configured mappings
- Role synchronization is performed on every login to ensure continuous consistency with the IdP
Configuration Concept (Example)
- Select which OIDC/Socialite attribute contains group information
- Define mappings such as:
  - oidc:pelican-admins → Pelican:Admin
  - oidc:pelican-staff → Pelican:Moderator
- Optional settings:
  - Default role for authenticated users without a matching group
  - “OIDC-managed roles only” mode (no manual overrides)
  - Hybrid mode (OIDC-derived roles + local roles)
Benefits
- Eliminates the need for external glue services or webhooks
- Single source of truth for authorization via the IdP
- Reduced administrative and operational overhead
- Improved security and auditability
- Provider-agnostic solution compatible with any Socialite OIDC backend
- Better scalability for larger or multi-tenant Pelican installations
Use Cases
- Organizations using Pelican with Socialite-based OIDC providers
- Automated onboarding/offboarding driven by IdP group changes
- Multi-team or enterprise deployments with strict IAM requirements
Conclusion
While external automation (such as the current Python webhook solution) can solve the problem, a generic, first-class role-to-OIDC mapping feature in Pelican would be a significant architectural improvement. Leveraging Laravel Socialite makes this both technically feasible and provider-agnostic, aligning Pelican with modern IAM and SSO best practices while simplifying real-world operations.
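The claim-to-role resolution and the mode semantics sketched in this proposal, as an added Python illustration that is not Pelican's code (the claim shape, the mapping table and the mode names are assumptions modelled on the post; a real implementation would read the claims from the Socialite user object):

```python
# Constructed example of the raw claims an OIDC IdP might return for one user
# (assumption: the group list arrives under a configurable attribute name).
SAMPLE_CLAIMS = {
    "sub": "a1b2c3",
    "email": "alice@example.invalid",
    "groups": ["pelican-admins", "billing"],
}

# Admin-defined mapping of IdP group -> Pelican role, as in the proposal.
ROLE_MAP = {
    "pelican-admins": "Admin",
    "pelican-staff": "Moderator",
}


def resolve_roles(claims, group_attr, role_map, default_role=None,
                  mode="oidc-only", local_roles=()):
    """Return the set of Pelican roles a user should hold after this login.

    mode="oidc-only": roles come solely from the IdP (no manual overrides).
    mode="hybrid":    IdP-derived roles plus roles assigned locally in Pelican.
    """
    groups = claims.get(group_attr, [])
    if isinstance(groups, str):          # some IdPs emit a single string, not a list
        groups = [groups]
    roles = {role_map[g] for g in groups if g in role_map}
    if not roles and default_role:       # authenticated but no matching group
        roles.add(default_role)
    if mode == "hybrid":
        roles |= set(local_roles)
    return roles


def sync_plan(current_roles, desired_roles):
    """Diff applied on every login: (roles to grant, roles to revoke).

    Revoking what the IdP no longer grants is what prevents authorization drift
    when a user is removed from a group centrally.
    """
    current, desired = set(current_roles), set(desired_roles)
    return desired - current, current - desired
```

Running the resolver on every login means a group removal at the IdP is reflected in Pelican at the user's next session, not only when a webhook happens to fire.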