Enhancing Social Login in Frappe: Auto-Assign User Roles Based on External Group Claims

Dear Frappe Community,

I’m currently working on integrating Office 365 Social Login along with other identity providers such as Keycloak, in combination with Frappe and ERPNext.

After exploring the current options—reviewing the Frappe GUI, settings, and previous forum posts—I couldn’t find a straightforward way to:

  • Extract additional properties/claims from the social login token (e.g., a user’s group membership)
  • Use those properties to automatically assign roles to users upon login

This kind of functionality (auto-role assignment based on group claims or custom token attributes) is quite common in other platforms and identity providers like AWS Cognito, Keycloak, or Google Cloud IAM. Typically, they support sending additional user attributes or group parameters on authentication, which can then be mapped to application roles.

My questions are:

  • Is there currently a recommended way or best practice within Frappe/ERPNext to achieve automatic role assignment during social login?
  • If not, would the community be open to a feature enhancement that allows extending the Social Login flow to read custom claims from OAuth/OpenID tokens, and assign user roles accordingly?

Example Proposed GUI Structure for Role Mapping (Concept)

To help illustrate the idea, here is a simple example GUI proposal for an “OAuth Role Mapping” feature inside Frappe:

| LDAP/Social Login Provider | User Group / Claim (e.g., ‘groups’ claim) | ERPNext Role to Assign | Auto-Assign on Login? |
|---|---|---|---|
| Office 365 | finance_team | Finance User | ☑ |
| Keycloak | erp_admins | System Manager | ☑ |
| Google | sales_group | Sales User | ☐ |
  • Admins can add multiple mappings, linking external group claims or custom token attributes to Frappe roles.
  • On login, Frappe reads the user’s token claims, finds the matching group(s), and automatically assigns corresponding roles.
  • Optionally, allow toggling auto-assign or manual approval workflows.

If anyone has already tackled this or can share pointers, code snippets, or existing Frappe hooks to easily extend the OAuth login flow with claims-based role assignment, I’d really appreciate your input!

Thanks in advance!
Best regards
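As an added illustration (not the original poster's code, and not code from Frappe or from either of the projects linked in the replies), here is what the mapping table above looks like once it is turned into a resolver. The mapping rows and the provider keys (`office_365`, `keycloak`, `google`) are hypothetical, and the Frappe wiring in `apply_on_login()` rests on assumptions about the framework API that are called out in its comments. The resolver assumes the claims handed to it come from a token whose signature, issuer and audience the login flow has already verified; it does no verification of its own. Two points a practitioner will care about are built in: a rule only fires for the provider it was written for, so a `groups` value asserted by one IdP cannot unlock a role mapped for another, and the resolver only ever revokes roles that one of its own auto-assign rules controls, so roles granted by hand in Frappe survive a login. It also refuses to act when the provider deferred the claim instead of sending it (Azure AD's `_claim_names`/`_claim_sources` "group overage" case), since reading that as "no groups" would silently strip roles.

```python
"""Claim-to-role mapping for social login, as a constructed example.

resolve_roles() and plan_role_changes() are plain Python and run offline;
apply_on_login() sketches the Frappe wiring and depends on assumptions about
the framework API that are named in its comments.
"""
from dataclasses import dataclass


class ClaimOverage(Exception):
    """The provider omitted the claim rather than sending it (Azure AD does this
    via `_claim_names`/`_claim_sources` when a user is in too many groups).
    Treating that as 'no groups' would strip roles, so refuse to decide."""


@dataclass(frozen=True)
class RoleMapping:
    provider: str      # Social Login Key the token came from (hypothetical names)
    claim: str         # claim to inspect, e.g. "groups"
    value: str         # exact claim value required; no substring or regex match
    role: str          # Frappe role name
    auto_assign: bool = True  # False means "report for manual approval only"


# Hypothetical mapping table mirroring the GUI mock-up in the post.
MAPPINGS = (
    RoleMapping("office_365", "groups", "finance_team", "Finance User"),
    RoleMapping("keycloak", "groups", "erp_admins", "System Manager"),
    RoleMapping("google", "groups", "sales_group", "Sales User", auto_assign=False),
)


def claim_values(claims, name):
    """Normalise one claim to a set of strings.

    Providers send group claims as a list, a single string, or not at all;
    a missing claim is an empty set. A deferred claim raises ClaimOverage."""
    if name in claims.get("_claim_names", {}):
        raise ClaimOverage(f"claim {name!r} was deferred by the provider")
    value = claims.get(name)
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return {str(v) for v in value}


def resolve_roles(provider, claims, mappings=MAPPINGS):
    """Return (grant, revoke, pending) role sets for already-verified claims.

    - Rules for other providers are ignored, so an "erp_admins" group asserted
      by Google cannot satisfy the Keycloak -> System Manager rule.
    - Unknown groups grant nothing (deny by default).
    - Only roles controlled by an auto-assign rule for *this* provider are ever
      revoked; roles granted by hand in Frappe are never touched here.
    - Rules with auto_assign=False only produce 'pending' entries.
    """
    grant, pending, managed = set(), set(), set()
    for m in mappings:
        if m.provider != provider:
            continue
        matched = m.value in claim_values(claims, m.claim)
        if m.auto_assign:
            managed.add(m.role)
            if matched:
                grant.add(m.role)
        elif matched:
            pending.add(m.role)
    return grant, managed - grant, pending


def plan_role_changes(provider, claims, current_roles, mappings=MAPPINGS):
    """Diff the resolved roles against what the user holds now."""
    grant, revoke, pending = resolve_roles(provider, claims, mappings)
    current = set(current_roles)
    return grant - current, revoke & current, pending - current


def apply_on_login(user, provider, claims):
    """Apply the plan to a Frappe User. Assumed API, to be checked against the
    installed Frappe version: frappe.get_roles(user), User.add_roles(*roles)
    and User.remove_roles(*roles). `frappe` is imported lazily so the pure
    functions above run without it installed."""
    import frappe  # assumption: only available inside a Frappe site

    to_add, to_remove, pending = plan_role_changes(
        provider, claims, frappe.get_roles(user)
    )
    doc = frappe.get_doc("User", user)
    if to_add:
        doc.add_roles(*to_add)
    if to_remove:
        doc.remove_roles(*to_remove)
    return to_add, to_remove, pending
```

Exact-match on the claim value is deliberate: Keycloak's group mapper can emit full paths such as `/erp_admins`, and the safe response to that is to put the exact path in the mapping row rather than loosen the comparison. Where this is called from inside Frappe (for example from a hook that runs after the social login flow has resolved the user) is left open here, since the point of the post is that no such extension point is documented yet.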

Check this GitHub - MohammedNoureldin/frappe-oidc-extended: An extension to the ERPNext Social Login authentication method (OIDC) that incorporates new features designed to meet the needs of enterprises. (I guess this is what you need)

If you just need claim mapping check this GitHub - castlecraft/cfe: Castlecraft Extensions for Frappe Framework based Resource Servers (frappe user’s claims can have additional properties)