mirror of
https://github.com/moghtech/komodo.git
synced 2026-07-16 12:42:11 -05:00
[GH-ISSUE #1251] [Feature request] - OIDC role mapping #16449
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @kabsdk on GitHub (Mar 16, 2026).
Original GitHub issue: https://github.com/moghtech/komodo/issues/1251
Disclaimer: This feature request has been written with the help of AI
Feature request
Please add OIDC role/group mapping so Komodo can automatically authorize users on login based on OIDC claims, similar to Grafana’s OIDC role mapping.
Today, OIDC login works, but OIDC users still need to be manually enabled after first login, and there is no built-in way to map OIDC claims/groups to Komodo authorization such as
adminoruser_groupmembership. Komodo already has a strong authorization model based onadminanduser_group, and the config format already uses repeated TOML blocks like[[user_group]], so this feels like a natural fit for the existing config style.Motivation
This is especially useful for setups using Authentik, Keycloak etc., where roles or groups are already present in the OIDC token/userinfo response.
Without mapping, OIDC is mostly authentication-only, and authorization still has to be handled manually inside Komodo. For larger environments, that becomes hard to manage.
A Grafana-style approach would make Komodo much easier to integrate into existing identity systems while still keeping Komodo’s own permission model. Grafana already supports OIDC role extraction through
role_attribute_path, which is a good reference point for the user experience.Proposed behavior
Allow Komodo to evaluate OIDC claims and map them to:
enabled = true/falseadmin = true/falseuser_groupmembershipThis should happen automatically during OIDC login, so users do not need to be manually enabled or manually added to groups afterward.
Suggested config format
I think the cleanest approach is to keep this Komodo-native and TOML-based.
Option A: role mapping inspired by Grafana
This is close to Grafana conceptually, but instead of introducing a separate Komodo RBAC layer, it maps into Komodo’s existing authorization model.
Option B: direct group mapping
This may be even simpler and may fit Komodo better for many IdPs:
Expected behavior
user_groups.Important detail
I think mappings should reference existing Komodo user group names, not define permissions inline.
That keeps permissions centralized in normal Komodo
[[user_group]]config and avoids duplicating permission logic in the OIDC section.@johnmaguire commented on GitHub (Apr 2, 2026):
I believe this is a dupe of #667, but with more specific details.