Guide: Setting up SFTPGo admin logins to work with Authentik

[deviantintegral]

It took me a bit to get this sorted, so I figured I'd share how!

First, navigate to Directory -> Groups and create a group called SFTPGo Admins. Add your desired users to the group from the Users tab in the group.

Now, under Customisation -> Property Mappings, create a new "Scope Mapping".

Set the Name to sftpgo, the Scope name to sftpgo, and the expression to the following:

return {
  'sftpgo_role': 'admin' if ak_is_group_member(request.user, name="SFTPGo Admins") else 'user'
}

Now, under Applications -> Providers, create a new OAuth2 provider for sftpgo. Set it up like normal as the OIDC docs say. However, under Advanced protocol settings, add sftpgo to the Scopes:

Finally, in your sftpgo configuration, set the Open ID scopes to include the new scope and the role field. Here's mine from docker-compose.yml:

      - SFTPGO_HTTPD__BINDINGS__0__OIDC__SCOPES=openid,profile,email,sftpgo
      - SFTPGO_HTTPD__BINDINGS__0__OIDC__ROLE_FIELD=sftpgo_role

After restarting sftpgo (remember to do down / up if you're using docker compose!), you should be able to log in to the WebAdmin UI.

The only thing I don't have working is for the same user to be able to log in as a regular user. When I try, I get:

Wrong OpenID role, the logged in user is an SFTPGo admin

That error makes me think this is an intentional design decision, and in my case doesn't matter as I need to create separate users anyways.

[phoenix-limited]

I had this working, then I had to rebuild my server core, and, with what I think is identical to before and folling what you have here, I get this ("Failed to get user associated with OpenID token") as an error, and am told that the account is an admin on the webclient login. I do know that SFTPGo doesn't support dynamic creation/updating of specifically admin users, so I did premake the admin with the same username that is given when oidc creates a client user. Did you have any related trouble?