Cloudron Forum

Nextcloud OIDC integration

118 Posts 12 Posters 11.6k Views 11 Watching
Package Updates, #1:

[5.0.0]

• Migrate from LDAP to OIDC
• Important: With the authentication provider change, you should use the Login with Cloudron button in the Nextcloud login screen. Nextcloud Clients on desktop and mobile may need re-authentication / re-setup.
andreasdueren, #2 (last edited by andreasdueren):

@Package-Updates

For security reasons (enforcing 2FA) it makes sense to disable the LDAP login. You can do that by adding these two variables in the config file:

  'social_login_auto_redirect' => true,
  'hide_login_form' => true,

Run the following command in the app terminal to bypass the login screen completely and redirect to the Cloudron login field directly: occ config:app:set --value=0 user_oidc allow_multiple_user_backends
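The settings in this post, applied and read back through occ as one script. This is an added example, not code from the post or from the Cloudron Nextcloud package. It assumes the occ wrapper available in the Cloudron app terminal (override OCC for a different invocation), that `occ config:system:get` prints booleans as `true`/`false`, and it keeps a one-call rollback because hiding the form also hides the local admin login.

```shell
#!/bin/sh
# Added example (not from the post or the Cloudron package): enforce
# "login through Cloudron only" on a Cloudron-hosted Nextcloud via occ,
# verify the result, and keep a rollback for the admin lock-out case.
set -eu

OCC="${OCC:-occ}"   # assumption: occ is on PATH in the Cloudron app terminal

# Hide the local login form, redirect straight to the Cloudron login,
# and tell user_oidc that no other user backend may be used.
apply_cloudron_only_login() {
  $OCC config:system:set hide_login_form --type=boolean --value=true
  $OCC config:system:set social_login_auto_redirect --type=boolean --value=true
  $OCC config:app:set user_oidc allow_multiple_user_backends --value=0
}

# Rollback: bring the local form back so a Nextcloud-local admin can log in.
restore_local_login() {
  $OCC config:system:set hide_login_form --type=boolean --value=false
  $OCC config:system:set social_login_auto_redirect --type=boolean --value=false
  $OCC config:app:set user_oidc allow_multiple_user_backends --value=1
}

# Read the three settings back; exit status 0 only when all are enforced.
# Assumption: config:system:get prints booleans as the words true/false.
verify_cloudron_only_login() {
  hide=$($OCC config:system:get hide_login_form)
  redirect=$($OCC config:system:get social_login_auto_redirect)
  backends=$($OCC config:app:get user_oidc allow_multiple_user_backends)
  [ "$hide" = "true" ] && [ "$redirect" = "true" ] && [ "$backends" = "0" ]
}

# Entry point: ./cloudron-only-login.sh apply | verify | restore
case "${1:-}" in
  apply)   apply_cloudron_only_login && verify_cloudron_only_login \
             && echo "Cloudron-only login enforced" ;;
  verify)  verify_cloudron_only_login && echo "Cloudron-only login enforced" ;;
  restore) restore_local_login && echo "local login form restored" ;;
  *)       ;;   # no argument: only define the functions (file can be sourced)
esac
```

Run `apply` only after the OIDC-created account has been promoted to admin; until then the only working admin is the local one, which `hide_login_form` hides. To my knowledge the hidden form stays reachable by appending `?direct=1` to the login URL, which is the escape hatch if the rollback above cannot be run from the terminal.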
girish (Staff), #3:

@andreasdueren hide_login_form that will prevent admins from logging in, no? social_login_auto_redirect depends on that choice, I guess. Maybe something for the docs?

andreasdueren, #4:

@girish Correct. My workflow is usually the following with any app that comes pre-set up with an admin account:

1. Login via OIDC/LDAP with user account (to create it in the database)
2. Logout
3. Login with Admin account
4. Make user account admin account
5. Logout
6. Login with OIDC/LDAP
7. Deactivate/Delete admin account
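Steps 4 and 7 of this workflow as an occ script with a lock-out guard. This is an added example, not the poster's own commands or Cloudron package code. It assumes the occ wrapper from the Cloudron app terminal, that the seeded account and Nextcloud's admin group are both named `admin`, and that `occ group:list` prints each group as `  - <group>:` followed by `    - <member>` lines; the interactive steps (the logins and logouts) are left to the browser.

```shell
#!/bin/sh
# Added example (not from the post or the Cloudron package): promote the
# OIDC-created user to admin, then retire the seeded admin only when another
# admin exists, so a typo in the uid cannot lock every administrator out.
set -eu

OCC="${OCC:-occ}"   # assumption: occ is on PATH in the Cloudron app terminal

# Members of the Nextcloud "admin" group, one per line.
# Assumption: occ group:list output is "  - <group>:" / "    - <member>".
admin_members() {
  $OCC group:list | awk '
    /^  - admin:$/        { in_admin = 1; next }
    /^  - /               { in_admin = 0 }
    in_admin && /^    - / { sub(/^    - /, ""); print }'
}

# Step 4: make the user created by the OIDC login (step 1) an admin.
promote_to_admin() {
  $OCC group:adduser admin "$1"
}

# Step 7: retire the seeded admin. Refuse if it is the only admin left.
# Disable rather than delete: reversible with user:enable, and the uid keeps
# its place in the activity/audit history.
retire_seeded_admin() {
  seeded=${1:-admin}
  others=$(admin_members | grep -vx "$seeded" || true)
  if [ -z "$others" ]; then
    echo "refusing to disable '$seeded': it is the only member of the admin group" >&2
    return 1
  fi
  $OCC user:disable "$seeded"
}

# Entry point: ./retire-seeded-admin.sh promote <uid> | retire [seeded-uid]
case "${1:-}" in
  promote) promote_to_admin "${2:?uid of the OIDC-created user required}" ;;
  retire)  retire_seeded_admin "${2:-admin}" ;;
  *)       ;;   # no argument: only define the functions (file can be sourced)
esac
```

Check `admin_members` once by hand before relying on the guard: if the group listing format differs on your Nextcloud version, the guard sees an empty list and refuses, which fails safe rather than open.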
firmansi, #5:

I have tried the upgrade of a running Nextcloud container, but after the upgrade I don't see any Login button with Cloudron OIDC as it should be, and I also can't log in with normal authentication with email or username for a user registered in the Cloudron Directory.

andreasdueren, #6:

@firmansi out of curiosity: did you have any other OpenID setup before upgrading?
girish (Staff), #7:

Also, are you using Cloudron with OIDC integration to start with? Does a fresh install of NC (for testing) have the button?

firmansi, #8:

@andreasdueren Not at all, this is the first OIDC integration in this instance.

firmansi, #9 (last edited by firmansi):

@girish No, this is not a fresh install, it's been with LDAP from the beginning since 1.5 years ago.

girish (Staff), #10:

@firmansi are you able to log in as Nextcloud admin? If so, if you go to App -> OIDC, is it configured and enabled?

firmansi, #11:

@girish Yes, I can log in as Administrator, but have not configured the OIDC. Should I activate the OpenID Connect Login App first in the Nextcloud App Store?

girish (Staff), #12:

@firmansi OIDC should be configured automatically. Can you restart the app and check the logs? In the log you should see ==> Disabling LDAP and then ==> Ensure OIDC settings. Do you see these messages?

Can you also open a web terminal and run env | grep CLOUDRON_OIDC ? Do you see a bunch of variables?
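The two checks asked for here as one script for the Cloudron app terminal. This is an added example, not girish's or Cloudron's code. It assumes the startup log has been saved to a file (paste it from the Cloudron log viewer), that the markers appear exactly as quoted above, and it only counts variables with the `CLOUDRON_OIDC_` prefix rather than assuming particular names; an empty count is read the way post #20 reads it, as an install without Cloudron user management.

```shell
#!/bin/sh
# Added example (not from the post): check that the app is wired to
# Cloudron OIDC (env) and that startup switched LDAP off before OIDC
# settings were applied (log order).
set -eu

# Number of CLOUDRON_OIDC_* variables in the environment; 0 means this app
# was not installed with Cloudron user management or the env is missing.
oidc_env_count() {
  env | grep -c '^CLOUDRON_OIDC_' || true
}

# Both markers must be present and "Disabling LDAP" must come first.
# Argument: path to the saved startup log.
startup_log_ok() {
  ldap_line=$(grep -n '==> Disabling LDAP' "$1" | head -n 1 | cut -d: -f1)
  oidc_line=$(grep -n '==> Ensure OIDC settings' "$1" | head -n 1 | cut -d: -f1)
  [ -n "$ldap_line" ] && [ -n "$oidc_line" ] && [ "$ldap_line" -lt "$oidc_line" ]
}

# Print a short verdict; non-zero exit when the log check fails.
diagnose() {
  n=$(oidc_env_count)
  if [ "$n" -eq 0 ]; then
    echo "env: no CLOUDRON_OIDC_* variables (app not installed with Cloudron user management?)"
  else
    echo "env: $n CLOUDRON_OIDC_* variables present"
  fi
  if startup_log_ok "$1"; then
    echo "log: LDAP disabled, then OIDC settings ensured"
  else
    echo "log: expected markers missing or out of order" >&2
    return 1
  fi
}

# Usage: ./diagnose-oidc.sh /path/to/startup.log
if [ $# -eq 1 ]; then diagnose "$1"; fi
```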
jdaviescoates, #13 (last edited by jdaviescoates):

OK, I've just installed a fresh instance of Nextcloud to test this.

I was able to login fine, but I don't seem able to make my user an admin. I can add them to the admin group, but they don't actually get any admin rights.

It is kinda sorta nice that it sucks in all my Cloudron groups, but it's also not appropriate in my case. And none of those groups have access to this Cloudron, so the current set-up would seem to me to be generally inappropriate too. I also host a Nextcloud for a small volunteer group, and them seeing a list of groups that have nothing whatsoever to do with them would, I imagine, be very confusing. I can imagine it could potentially be useful for some people's set-up though - so perhaps it could/should only suck in/create groups that actually have access to the app? (Either way, I think the way it currently works needs to change.)

I use Cloudron with Gandi & Hetzner

jdaviescoates, #14 (last edited by jdaviescoates):

@jdaviescoates said in Nextcloud OIDC integration:

    I was able to login fine, but I don't seem able to make my user an admin. I can add them to the admin group, but they don't actually get any admin rights.

I think something about the way it's syncing to Cloudron groups is what is breaking this.

When I login as admin and edit my user to add them to the admin group, my user does get added as an admin, and then appears in the list of admins.

But once I logout as admin and then back in again as my user, I'm no longer in the admin group. Which is exactly what I see confirmed again when I log back in as the admin. The user is no longer in the admin group (but is in a bunch of Cloudron groups that have been pulled in but don't have anything to do with, nor access to, this app).

Another reason to change the way it's currently working with Cloudron groups.

If possible I think the way forward would be to

1. only pull in/sync Cloudron groups that have access to the app (i.e. don't pull in nor do anything with Cloudron groups unless those groups have specifically been given access to the app under the Cloudron App Access Control settings)

2. make sure the group syncing thing doesn't ever touch the admin group.

Or, possibly: just don't sync with Cloudron groups at all (certainly this if you can't get that to work with the existing admin group).

I use Cloudron with Gandi & Hetzner
girish (Staff), #15:

@jdaviescoates thanks for the detailed investigation! Right, this is a bug that the package is enabling OIDC groups. New package coming with it disabled.
avatar1024, #16:

@girish But syncing Cloudron groups might be super useful in other cases; at least that is certainly the case with the organisation I work with, and it was a relief when it started to work with LDAP.

How it should be implemented I'm not sure. I understand the concerns of @jdaviescoates, when the way app access works is that apps have access to everything unless you restrict it and give access to only specific users/groups. So following that logic it seems like the behaviour of all groups being synced (as described by @jdaviescoates) is normal (as it is for users), and that if an app should only see some groups/users, then the Cloudron admin should make sure only those groups are granted access (and then the OIDC plugin should only sync those groups and not others).

The Nextcloud admin group however should be independent of OIDC syncing, and Nextcloud admins should be able to manage it independently.
firmansi, #17:

@girish I am quite hesitant to do this in my production server as it is now, and actually with the current LDAP scenario I am satisfied. If I may suggest, will it be doable in the next update for the Cloudron team to make the OIDC optional instead of a seemingly compulsory configuration? Or at least until this scenario is already proven to work seamlessly without any hassle.
girish (Staff), #18 (last edited by girish):

@jdaviescoates I have published a new package with groups disabled. Can you please check?

@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync. Cloudron only exposes groups but does not provision the app (it's not possible for Cloudron to know what group should be what).

@firmansi we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.

firmansi, #19 (last edited by firmansi):

@girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC

Now I have installed OpenID Connect Login manually, but I don't know how and where to set it up.

Do we have to install manually first and then update the package, maybe? I see in this forum the scenario works fine with a fresh installation, but not an old one.

girish (Staff), #20:

@firmansi said in Nextcloud OIDC integration:

    @girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC

So, I think you have installed Nextcloud without Cloudron user management to start with. In that case, this change won't affect you at all. Just to double check: If you go into the app configuration -> Access Control, I guess you see Dashboard Visibility instead of User Management, correct?

jdaviescoates, #21:

@girish said in Nextcloud OIDC integration:

    @jdaviescoates I have published a new package with groups disabled. Can you please check?

The existing test install was still broken after the update, i.e. the groups were still there and it still removed my user from the admin group.

A new test install works! No groups and user stays in the admin group once added.

I use Cloudron with Gandi & Hetzner