Add "Blacklist Groupprovisioning" to prevent creation on certain groups

[gnaex]

How to use GitHub

• Please use the 👍 reaction to show that you are interested into the same feature.
• Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
• Subscribe to receive notifications on status change and new comments.

---

Feature request

Which Nextcloud Version are you currently using: 31.09

Is your feature request related to a problem? Please describe.
We have one group in the Idp which acts as "permitted-nextcloud-user". Every user in that group is allowed to login to Nextcloud. In addition to that group some users have additional groups like "Marketing" or "Engineering" but not all user have to be in an additional group which means I need to whitelist the "permitted-nextcloud-user" as well. Now the problem we face is, that it creates that "permitted-nextcloud-user" group which contains ALL users. This is disastrous and we cannot allow this group to exist in Nextcloud and made availible to be used to share folders/files with. Imagine someone sharing a file with 15000 users by "accident". The user itself is still allowed and provisioned when he is in that group, even if it is the sole group and i no additianl group. The group itself is not created nor assigned (well, there is no such group to assign to then)
My Google search tells me I'm not the only one with that issue.

Describe the solution you'd like
There is no need to change the current Whitelist mechanism. We need an additional field in the configuration - "Blacklist Groupprovisioning" (regexp would be most flexible). Any group that matches this filed is then not provisioned as a group but the rest of the flow is unchanged, user ist still allowed/added. This would allow to not create the All-Users group but we can still use it in the whitelist field to allow a login.

Describe alternatives you've considered
This is NOT as important as the requirement above: as a bonus, that groupblacklist also applies the other way round. It will not delete groups that were added manually to an account in Nextcloud. It is a global "ignore this group"

Additional context
None

EDIT: Typo, clearification of strange sentence and added "bonus" under alternatives.

[julien-nc]

If I understand correctly, you are using a Group whitelist regex that includes

• permitted-nextcloud-user
• Marketing
• Engineering
• ...

And you enabled Restrict login for users that are not in any whitelisted group. So including the permitted-nextcloud-user in the whitelist allows you to control which IdP users are accepted or not when logging in via user_oidc. Correct?

And you don't want the permitted-nextcloud-user group to be created in Nextcloud because it contains all the Nextcloud users and this group does not mean anything to the users. For you it's just an "access-control" group. Right?

An alternative that comes to mind is to create an IdP client that only provides the Nextcloud users. You don't need to use the group for access control anymore, all the users of this client would be allowed to log in NC. You can then remove the permitted-nextcloud-user group from the whitelist.

I understand that is not necessarily easy to achieve with some IdPs.
Just to make sure we are on the same page: The feature you want is to add a group blacklist config value (provider-specific). All groups matching this blacklist regexp would just not be created in NC. Right?
I'm afraid that it makes it too inconsistent with the whitelist when the "group whitelist login restriction" is enabled. Or we could add a "group blacklist login restriction" flag. If enabled, only the users that are NOT in a blacklisted group would be provisioned/created/allowed.

What do you think?

[gnaex]

Thank you for your feedback @julien-nc. It is exactly how you describe it. That group acts as "access-control" and all other groups are required to optionally group users depending on their role.

We are using the existing Keycloak as Idp Provider and I get 3-4 other groups supplied in any case which I cannot prevent. Means I cannot allow all by default.
A blacklist instead of a whitelist is no option either. How do controll who is allowed to login and who not? Keycloak is the "Authentication" authority and Nextcloud should act as "Authorisation" authority. Also I have no guarantee that no new groups appear over time. When using the whitelist these are no problem and I can allow the groups I know of and are relevant for Nextcloud

I probalby oversimplyfiy things but something in public function provisionUserGroups and remove the blacklisted group(s) from $syncGroups. But again, I do not have the complete picture of the code

As a last ressort the keycloak team MIGHT talk about taking up to role for authorisation but they normaly do not do it and call it an anti-pattern.

Other than that I really love this plugin - simple, stable, offers API for preprovision etc