Retrieve externalid of a user in OpenID claim

[rdrouche]

Hi,

I'm in the process of migrating our SSO portal from Keycloak to Authentik with SCIM, which allows users and groups to be synchronized quite easily.

I find myself stuck with an application (Nextcloud) in which I was unable to configure the user binding field (preferred_username) and therefore it uses Keycloak sub.

In Authentik in the Federation and Social login section, when we look in the synchronized users, we have an externalID attribute which corresponds to the Keycloak sub.

As it can be retrieved and manipulated to replace the user's unique ID with this one in Nextcloud's OpenID provider.

Romain

[rdrouche]

To continue my reasoning, I ran some tests this morning, and here's where I'm at with a solution I think is good.

I started by creating a script that retrieves all users provisioned by SCIM from the API. Then I loop through the scripts, retrieve the external_id field, and push it to the user attribute section. This way, each user present via SCIM has an external_id attribute.

Then, to establish the connection at the application provider level, I created a new openid mapping property, in which I send external_id as a subscript if present, otherwise I return uid.

`
claims = {}

external_id = request.user.attributes.get("external_id")
if external_id:
claims["external_id"] = external_id
claims["sub"] = external_id # Remplace le sub par external_id
else:
claims["sub"] = str(request.user.uid) # fallback UID

if hasattr(request, "nonce"):
claims["nonce"] = request.nonce

return claims
`

If this can help anyone else