OIDC and Automatic User Creation

Started by Al Muckart, Today at 05:25:03 AM

When using OIDC and wanting to automatically create users, is it possible to make user creation require the existence of a specific group returned by the OIDC server?

As far as I can tell, at the moment the user will be created if authorisation succeeds regardless of group configuration, leaving no way to restrict access to a specific set of users without putting an auth proxy in front of the firewall.

If OPNsense could check for the existence of a group and deny authorisation if the user is not a member of that group it would make OIDC quite a lot easier to use in situations where there are multiple people/teams who require access.

Thanks.

Yes, I agree that OPNsense should have an internal check as well. Something like "require membership in at least one of the configured groups, otherwise deny" would be much easier to set up than per-client flow overrides, especially when multiple teams need access. It looks like constraint_groups only changes how groups are mapped right now, not whether access is granted, so a real "deny if not a member" option would be nice to have.

Meanwhile, if you're using Keycloak, you can solve this server-side on the IdP: duplicate the browser flow, add a conditional sub-flow with a "Condition — user role" (negated) plus a "Deny Access" execution, and bind that flow to the OPNsense client only (Clients -> Advanced -> Authentication flow overrides). When you gate on a role and map your group to it, people who aren't in your group won't get a token at all, so OPNsense doesn't create them automatically. No auth proxy required.

Cheers,
Marco
--
DEC 740 / Business Edition
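The same Keycloak procedure driven through the Admin REST API, added here as an example and not code from the post or from the OPNsense or Keycloak projects. The realm, the role name `opnsense-access`, the client id `opnsense` and the flow alias are assumptions; the provider ids `conditional-user-role` / `deny-access-authenticator` and the config keys `condUserRole` / `negate` are what the admin console stores for "Condition - user role" and "Deny Access" (assumption, verify against your Keycloak version).

```python
import json
import urllib.request


class KeycloakAdmin:
    """Minimal Keycloak Admin REST client; `send` is injectable so the steps can be dry-run."""

    def __init__(self, base_url, realm, token, send=None):
        self.base = f"{base_url.rstrip('/')}/admin/realms/{realm}"
        self.token = token
        self.send = send or self._http

    def _http(self, method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers={
            "Authorization": f"Bearer {self.token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            loc, raw = resp.headers.get("Location", ""), resp.read()
            # 201 responses carry the new object's id in Location; GETs return JSON; PUTs return nothing
            return loc.rsplit("/", 1)[-1] if loc else (json.loads(raw) if raw else None)


def gate_client_flow(admin, role, client_id, flow="browser-opnsense"):
    """Copy 'browser', append a conditional sub-flow (NOT role -> Deny Access) and bind it to one client.
    Returns the new flow's id. Names below are assumptions, not fixed Keycloak values."""
    gate = f"{flow}-gate"
    admin.send("POST", "/authentication/flows/browser/copy", {"newName": flow})
    sub_id = admin.send("POST", f"/authentication/flows/{flow}/executions/flow",
                        {"alias": gate, "type": "basic-flow", "provider": "basic-flow"})
    admin.send("PUT", f"/authentication/flows/{flow}/executions", {"id": sub_id, "requirement": "CONDITIONAL"})
    cond_id = admin.send("POST", f"/authentication/flows/{gate}/executions/execution",
                         {"provider": "conditional-user-role"})
    admin.send("PUT", f"/authentication/flows/{gate}/executions", {"id": cond_id, "requirement": "REQUIRED"})
    # negate=true: the sub-flow (and so Deny Access) runs only for users WITHOUT the role
    admin.send("POST", f"/authentication/executions/{cond_id}/config",
               {"alias": f"{gate}-config", "config": {"condUserRole": role, "negate": "true"}})
    deny_id = admin.send("POST", f"/authentication/flows/{gate}/executions/execution",
                         {"provider": "deny-access-authenticator"})
    admin.send("PUT", f"/authentication/flows/{gate}/executions", {"id": deny_id, "requirement": "REQUIRED"})
    # Bind only this client; every other client keeps the realm's default browser flow
    flow_id = next(f["id"] for f in admin.send("GET", "/authentication/flows", None) if f["alias"] == flow)
    cid = admin.send("GET", f"/clients?clientId={client_id}", None)[0]["id"]
    admin.send("PUT", f"/clients/{cid}", {"authenticationFlowBindingOverrides": {"browser": flow_id}})
    return flow_id
```

Run it as `gate_client_flow(KeycloakAdmin("https://idp.example.org", "myrealm", admin_token), "opnsense-access", "opnsense")` with an admin bearer token, after mapping your group to the role in the group's Role Mapping tab; users outside the group then get the Deny Access page instead of a token, so OPNsense never sees them.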

Sure, this mimics the way LDAP extended queries work. Just need a feature request. :)

Thanks,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT