[feature] Custom Admin OIDC Groups #1121

Closed
dwmunster opened this issue Nov 22, 2022 · 3 comments
Labels
enhancement New feature or request

Comments

@dwmunster

Is your feature request related to a problem ?

Currently, internal/api/client/auth/callbacks.go uses a hardcoded list of groups to determine if the user is an admin (namely "admin" and "admins"). For some IDPs, groups may be returned as more opaque identifiers, rather than human-friendly names. Therefore, such users are unable to be made admins without manual intervention.

Describe the solution you'd like.

The list of group names that are made admins should be configurable.

Describe alternatives you've considered.

None.

Additional context.

If this feature is of interest, I would be glad to contribute code implementing it.

@dwmunster dwmunster added the enhancement New feature or request label Nov 22, 2022
@tsmethurst
Contributor

Thanks for opening this :)

We've got a few things open for OIDC at the moment which this fits in to, so I'm gonna link 'em here to help us keep track

#309 #961 #763

@decentral1se
Contributor

I think this was solved in #961

```go
// check if the user is in any recognised admin groups
adminGroups := config.GetOIDCAdminGroups()
var admin bool
LOOP:
for _, g := range claims.Groups {
	for _, ag := range adminGroups {
		if strings.EqualFold(g, ag) {
			admin = true
			break LOOP
		}
	}
}
```

```yaml
# Array of string. If the returned ID token contains a 'groups' claim that matches one of the
# groups in oidc-admin-groups, then this user will be granted admin rights on the GtS instance
# Default: []
oidc-admin-groups: []
```
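
The check quoted above, as an added example that is not part of the original thread or GoToSocial's own code: it decodes a constructed ID token payload and compares the hardcoded list from the issue with a configured `oidc-admin-groups` list, including the empty default. The `idClaims` type, the `inAdminGroup` function, and the sample payloads and group identifiers are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// idClaims holds only the part of an ID token payload this check needs.
// Hypothetical type for this example, not GoToSocial's own struct.
type idClaims struct {
	Groups []string `json:"groups"`
}

// inAdminGroup reports whether any group in the claims payload matches an
// entry in adminGroups, compared case-insensitively like the loop above.
// An empty adminGroups list (the documented default) never grants admin.
func inAdminGroup(payload []byte, adminGroups []string) (bool, error) {
	var c idClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return false, fmt.Errorf("decoding claims: %w", err)
	}
	for _, g := range c.Groups {
		for _, ag := range adminGroups {
			if strings.EqualFold(g, ag) {
				return true, nil
			}
		}
	}
	return false, nil
}

// Constructed sample payloads: one IdP returns readable names, the other
// returns opaque identifiers, as described in the issue.
var (
	namedPayload  = []byte(`{"sub":"alice","groups":["Users","Admins"]}`)
	opaquePayload = []byte(`{"sub":"bob","groups":["grp-7f3a9c","grp-01b2"]}`)
)

func main() {
	hardcoded := []string{"admin", "admins"} // behaviour the issue describes
	configured := []string{"GRP-7F3A9C"}     // constructed oidc-admin-groups value
	for _, p := range [][]byte{namedPayload, opaquePayload} {
		old, _ := inAdminGroup(p, hardcoded)
		cfg, _ := inAdminGroup(p, configured)
		none, _ := inAdminGroup(p, nil)
		fmt.Printf("%s hardcoded=%v configured=%v default=%v\n", p, old, cfg, none)
	}
}
```

Because the comparison uses `strings.EqualFold`, two IdP groups whose names differ only by case are treated as the same group when deciding admin rights.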

@tsmethurst
Contributor

Ah yes, thanks! Will close this now then.
