Nextcloud OIDC integration
-
@girish But syncing Cloudron group might be super useful in other cases, at least that is certainly the case with the organisation I work with and it was a relief when it started to work with LDAP.
How it should be implemented I'm not sure. I understand the concerns of @jdaviescoates, since the way app access works is that apps have access to everything unless you restrict it and give access to only specific users/groups. So following that logic it seems like the behaviour of all groups being synced (as described by @jdaviescoates) is normal (as it is for users), and that if an app should only see some groups/users, then the Cloudron admin should make sure only those groups are granted access (and then the OIDC plugin should only sync those groups and not others).
The Nextcloud admin group however should be independent of OIDC syncing and Nextcloud admins should be able to manage it independently.
-
@girish I am quite hesitant to do this on my production server as it is now, and actually with the current LDAP scenario I am satisfied. If I may suggest, would it be doable in the next update for the Cloudron team to make OIDC optional instead of a seemingly compulsory configuration? Or at least until this scenario is proven to work seamlessly without any hassle.
-
@jdaviescoates I have published a new package with groups disabled. Can you please check?
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync. Cloudron only exposes groups but does not provision the app (it's not possible for Cloudron to know what group should be what).
@firmansi we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.
-
@girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC
Now I have manually installed OpenID Connect Login, but I don't know how and where to set it up.
Do we have to install it manually first and then update the package, maybe? I see in this forum that the scenario works fine with a fresh installation, but not with an old one.
-
@firmansi said in Nextcloud OIDC integration:
@girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC
So, I think you have installed nextcloud without Cloudron user management to start with. In that case, this change won't affect you at all. Just to double check: If you go into the app configuration -> Access Control, I guess you see Dashboard Visibility instead of User Management, correct?
-
@girish said in Nextcloud OIDC integration:
@jdaviescoates I have published a new package with groups disabled. Can you please check?
The existing test install was still broken after the update, i.e. the groups were still there and it still removed my user from the admin group.
A new test install works! No groups and user stays in the admin group once added.
-
@girish said in Nextcloud OIDC integration:
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync.
Just out of interest, how is this done?
-
@jdaviescoates there is a checkbox in the UI to enable it. I forget the exact text but it's inside the OIDC app settings.
-
@girish I don't really get it. From the first time I set up Nextcloud, user management was with Cloudron instead of the app, so when I add a new user it has access to Cloudron automatically.
Well, it's true, what I see when I click Access Control is Dashboard Visibility. Now I have set the app visible only to several groups.
-
@nebulon I think it's without Cloudron User Management, because what I see now is only the Dashboard Visibility setting. Why I seem confused: I have been using this Nextcloud in Cloudron for the last 1.5 years, and all this time I never created a new user in Nextcloud directly, but always with Cloudron Users via LDAP.
-
I meant to check if your Nextcloud is actually using Cloudron user management or not, since your statements about LDAP and dashboard visibility contradict each other. You can also run
env | grep LDAP
in the web terminal of that Nextcloud app instance. If you see LDAP-related environment variables, it means you are using Cloudron user management.
-
This is only an installation choice, so if you have installed it without, you would have to install a fresh Nextcloud and import the data for each user. You can also try importing the current app's backup into a new installation with the import app backup feature (in the Backups view).
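The diagnostic nebulon describes (run `env` in the app's web terminal and look for LDAP or CLOUDRON_OIDC variables), written up as an added example that is not from this thread or from Cloudron; only the CLOUDRON_OIDC prefix and the LDAP keyword come from the posts above, and the full variable names in the constructed samples are assumptions:

```shell
#!/bin/sh
# Added example (not Cloudron's or the thread's code): classify how a
# Cloudron-installed Nextcloud does user management from its environment.
# CLOUDRON_OIDC_* and LDAP-named variables are the signals quoted in the
# thread; the exact variable names in the samples below are constructed.

# $1: text of `env` output, one NAME=value per line. Prints oidc, ldap or none.
cloudron_auth_mode() {
    envdump="$1"
    if printf '%s\n' "$envdump" | grep -q '^CLOUDRON_OIDC_[A-Z0-9_]*='; then
        echo oidc
    elif printf '%s\n' "$envdump" | grep -q '^[A-Z0-9_]*LDAP[A-Z0-9_]*='; then
        echo ldap
    else
        echo none
    fi
}

# What each mode means for the package change discussed in the thread.
explain_auth_mode() {
    case "$(cloudron_auth_mode "$1")" in
        oidc) echo "Cloudron user management (OIDC): CLOUDRON_OIDC_* variables are present" ;;
        ldap) echo "Cloudron user management (LDAP): the app was installed with it enabled" ;;
        none) echo "No Cloudron user management: local Nextcloud accounts only; the OIDC change does not apply" ;;
    esac
}

# Constructed sample dumps; hosts and values are placeholders, not real endpoints.
SAMPLE_OIDC_ENV="$(printf 'PATH=/usr/bin\nCLOUDRON_OIDC_ISSUER=https://issuer.example-placeholder\nHOME=/root\n')"
SAMPLE_LDAP_ENV="$(printf 'PATH=/usr/bin\nCLOUDRON_LDAP_URL=ldap://ldap-placeholder:3002\nHOME=/root\n')"
SAMPLE_LOCAL_ENV="$(printf 'PATH=/usr/bin\nHOME=/root\nLANG=C.UTF-8\n')"

# Inside the app's web terminal: sh check_auth_mode.sh --check (file name is assumed).
if [ "${1:-}" = "--check" ]; then
    explain_auth_mode "$(env)"
fi
```

An install that reports `none` was set up without Cloudron user management, which is the case nebulon says the OIDC package change does not touch.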
-
Just for input: there might be some like me using Nextcloud in Cloudron who didn't use Cloudron User Management from the beginning. I think the next update should still leave room for setups like mine, because the last time I applied the latest update, I couldn't log in with user credentials set up in the Cloudron User Directory, only with the admin credentials.
-