Is it possible to sync groups via the OIDC login support in ODK-Central?
Keycloak allows you to set custom groups and it would be nice if users could automatically join projects in ODK Central that have the same name as those groups.
The reverse, that joining a project in ODK Central adds one to a group in Keycloak, would be nice as well.
There is not currently any built-in functionality to sync users from an OIDC provider.
Your best bet right now would be to build your own small script or service. For example, you could periodically poll for users in both Central and Keycloak and align the two lists. Alternately, you could use an event-based approach using https://github.com/p2-inc/keycloak-events and ideas from Webhooks in ODK Central - #16 by spwoodcock
If there is an event created in the audit logs for the action you need (audits table), then you could possibly have that trigger a request to the Keycloak API to do what you need.
Thanks for the suggestions. That webhook system for Central sounds interesting, but in that combination it seems like it would only allow pushing changes from Central to Keycloak, while for my application I would be more interested in the reverse.
I guess a script that interacts with the Central API could work though.
The problem is that it only does very basic login for already existing accounts, and due to it blocking API access I can't easily create users and assign them to projects via an external script either.
Sign up: For the org domain, I can use the CAPIBuilder to make a request to Keycloak, get it validated with the Keycloak tenant, and get the credentials and send the request to ODK SSO endpoint.
Need to map the User roles with respect to the organization (e.g., User: ABC, role: Program Manager, Organization: ACME Corporation) shall be a Project Manager in ODK.
Login: In the same way, the user enters the login credentials to get validated through Keycloak and is redirected back to CAPIBuilder.
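
The polling approach suggested earlier in the thread (list users in both Central and Keycloak and align the two) comes down to a reconciliation step like the one below. This is an added example, not code from any poster or from the ODK or Keycloak projects. The names `plan_sync`, `Action` and `protected` are hypothetical, and it assumes users are matched by email, groups and projects by exact name, and that the membership lists were already fetched from each system.

```python
# Added example: dry-run plan for a one-way Keycloak -> Central membership sync.
# Assumptions: users are matched by email, groups and projects by exact name,
# and the input dicts were already fetched from each system's API.
from typing import NamedTuple

class Action(NamedTuple):
    op: str       # "assign", "revoke" or "missing_account"
    project: str
    email: str

def plan_sync(kc_groups, central_projects, central_emails, protected=()):
    """Return the changes needed so Central project membership mirrors Keycloak.

    kc_groups:        {group name: member emails}       (source of truth)
    central_projects: {project name: assigned emails}   (current state)
    central_emails:   emails that already have a Central account
    protected:        emails never revoked (e.g. break-glass admins)
    """
    norm = lambda e: e.strip().lower()
    accounts = {norm(e) for e in central_emails}
    keep = {norm(e) for e in protected}
    actions = []
    # Only projects that share a name with a Keycloak group are managed.
    for name in sorted(kc_groups.keys() & central_projects.keys()):
        wanted = {norm(e) for e in kc_groups[name]}
        current = {norm(e) for e in central_projects[name]}
        for email in sorted(wanted - current):
            # No Central account yet: report it instead of failing the run.
            op = "assign" if email in accounts else "missing_account"
            actions.append(Action(op, name, email))
        # Removal from the group must remove access, or it lingers in Central.
        for email in sorted(current - wanted - keep):
            actions.append(Action("revoke", name, email))
    return actions

# Constructed sample data, not taken from any real deployment.
KC_GROUPS = {"Health Survey": ["Alice@example.org", "bob@example.org", "frank@example.org"],
             "Unmapped Group": ["carol@example.org"]}
CENTRAL_PROJECTS = {"Health Survey": ["alice@example.org", "dave@example.org", "admin@example.org"],
                    "Other Project": ["erin@example.org"]}
CENTRAL_EMAILS = ["alice@example.org", "dave@example.org", "admin@example.org",
                  "erin@example.org", "frank@example.org"]

if __name__ == "__main__":
    for action in plan_sync(KC_GROUPS, CENTRAL_PROJECTS, CENTRAL_EMAILS,
                            protected=["admin@example.org"]):
        print(action)
```

The function only produces a plan; applying it (and logging each change) is left to whatever client talks to the two APIs.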