Nextcloud OIDC integration
-
For security reasons (enforcing 2FA) it makes sense to disable the LDAP login. You can do that by adding these two variables to the config file:
'social_login_auto_redirect' => true,
'hide_login_form' => true,
-
@girish Correct. My workflow is usually the following with any app that comes pre-set up with an admin account:
1. Login via OIDC/LDAP with user account (to create it in the database)
2. Logout
3. Login with Admin account
4. Make user account admin account
5. Logout
6. Login with OIDC/LDAP
7. Deactivate/Delete admin account
-
I have tried upgrading a running Nextcloud container, but after the upgrade I don't see any login button for Cloudron OIDC as there should be, and I also can't log in with normal authentication using the email or username of a user registered in the Cloudron directory.
-
@andreasdueren Not at all, this is the first OIDC integration in this instance.
-
@firmansi OIDC should be configured automatically. Can you restart the app and check the logs? In the log you should see
==> Disabling LDAP
and then
==> Ensure OIDC settings
Do you see these messages? Can you also open a web terminal and run
env | grep CLOUDRON_OIDC
Do you see a bunch of variables?
-
OK, I've just installed a fresh instance of Nextcloud to test this.
I was able to login fine, but I don't seem able to make my user an admin. I can add them to the admin group, but they don't actually get any admin rights.
It is kinda sorta nice that it sucks in all my Cloudron groups, but it's also not appropriate in my case. And none of those groups have access to this Cloudron, so the current set-up would seem to me to be generally inappropriate too. I also host a Nextcloud for a small volunteer group, and them seeing a list of groups that have nothing whatsoever to do with them would, I imagine, be very confusing. I can imagine it could potentially be useful for some people's set-up though, so perhaps it could/should only suck in/create groups that actually have access to the app? (Either way, I think the way it currently works needs to change.)
-
@jdaviescoates said in Nextcloud OIDC integration:
I was able to login fine, but I don't seem able to make my user an admin. I can add them to the admin group, but they don't actually get any admin rights.
I think something about the way it's syncing to Cloudron groups is what is breaking this.
When I login as admin and edit my user to add them to the admin group, my user does get added as an admin, and then appears in the list of admins.
But once I logout as admin and then back in again as my user, I'm no longer in the admin group. Which is exactly what I see confirmed again when I log back in as the admin. The user is no longer in the admin group (but is in a bunch of Cloudron groups that have been pulled in but don't have anything to do with, nor access to, this app)
Another reason to change the way it's currently working with Cloudron groups.
If possible I think the way forward would be to:
- only pull in/sync Cloudron groups that have access to the app (i.e. don't pull in nor do anything with Cloudron groups unless those groups have specifically been given access to the app under the Cloudron App Access Control settings)
- make sure the group syncing thing doesn't ever touch the admin group.
Or, possibly: just don't sync with Cloudron groups at all (certainly this if you can't get that to work with the existing admin group).
-
@girish But syncing Cloudron groups might be super useful in other cases; at least that is certainly the case with the organisation I work with, and it was a relief when it started to work with LDAP.
How it should be implemented I'm not sure. I understand the concerns of @jdaviescoates, given that the way app access works is that apps have access to everything unless you restrict it and give access only to specific users/groups. So following that logic it seems like the behaviour of all groups being synced (as described by @jdaviescoates) is normal (as it is for users), and that if an app should only see some groups/users, then the Cloudron admin should make sure only those groups are granted access (and then the OIDC plugin should only sync those groups and not others).
The Nextcloud admin group however should be independent of OIDC syncing and Nextcloud admins should be able to manage it independently.
-
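As an added example (not code from this thread, from Cloudron or from Nextcloud), the following shows the difference between the group-sync behaviour reported above, where a locally granted admin membership disappears at the next OIDC login, and the guarded variant the two previous posts argue for: mirror only the groups that have been granted access to the app, and never let the sync add or remove the Nextcloud admin group. The group names, the "admin" group being the protected one, and the access-control inputs are all assumptions constructed for the example.

```python
# Added example, not code from Cloudron or Nextcloud: two ways of applying the
# group list an OIDC identity provider asserts at login. The naive one replaces
# the user's groups wholesale (which is how an admin membership granted in
# Nextcloud disappears on the next login); the guarded one only mirrors groups
# the app has been granted access to and never touches locally managed groups.
# Group names and the access-control inputs are constructed for the example.

# Groups that are managed only inside Nextcloud and must survive a sync.
# "admin" is assumed here to be the name of the built-in administrators group.
PROTECTED_GROUPS = frozenset({"admin"})


def naive_sync(idp_groups, current_groups):
    """Replace the user's groups with whatever the IdP asserted.

    This mirrors the reported behaviour: any membership added locally
    (for example the admin group) is dropped at the next OIDC login.
    """
    return set(idp_groups)


def guarded_sync(idp_groups, current_groups, app_allowed_groups=None,
                 protected=PROTECTED_GROUPS):
    """Compute the user's groups after an OIDC login without clobbering local state.

    idp_groups         groups the identity provider asserts for this user
    current_groups     the user's current Nextcloud groups
    app_allowed_groups groups granted access to this app in the IdP's
                       access-control settings; None means no restriction
    protected          groups sync must never add or remove
    """
    mirrored = set(idp_groups)
    if app_allowed_groups is not None:
        # Only groups that actually have access to the app are mirrored.
        mirrored &= set(app_allowed_groups)
    # Never let the IdP grant or revoke a protected group.
    mirrored -= set(protected)
    # Whatever protected memberships the user has locally are kept as they are.
    kept = {g for g in current_groups if g in protected}
    return kept | mirrored


def membership_changes(before, after):
    """Return (added, removed) so the sync can be logged or applied as a diff."""
    before, after = set(before), set(after)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    # Constructed scenario: the IdP asserts every directory group the user is
    # in, but only "staff" has been given access to this app; the user was
    # made a Nextcloud admin by hand before this login.
    idp = {"staff", "volunteers", "finance"}
    current = {"admin", "staff"}
    allowed = {"staff"}

    print("naive:  ", sorted(naive_sync(idp, current)))
    print("guarded:", sorted(guarded_sync(idp, current, allowed)))
    print("changes:", membership_changes(current, guarded_sync(idp, current, allowed)))
```

With the constructed input, the naive sync leaves the user with finance, staff and volunteers and silently drops admin, which is exactly the symptom described earlier in the thread; the guarded sync leaves the user with admin and staff and reports no changes. Note that guarding the protected set cuts both ways: an IdP that asserts "admin" for a user cannot use the sync to make that user a Nextcloud administrator either, which keeps administrator management entirely inside Nextcloud.
-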
@girish I am quite hesitant to do this on my production server as it is now, and actually, with the current LDAP scenario, I am satisfied. If I may suggest, would it be doable in the next update for the Cloudron team to make OIDC optional instead of a seemingly compulsory configuration? Or at least until this scenario is proven to work seamlessly without any hassle.