Nextcloud OIDC integration
-
@jdaviescoates I have published a new package with groups disabled. Can you please check?
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync. Cloudron only exposes groups but does not provision the app (it's not possible for Cloudron to know what group should be what).
@firmansi we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.
-
@firmansi OIDC should be automatically automatic configured. Can you restart the app and check the logs? In the log you should see
==> Disabling LDAPand then==> Ensure OIDC settings. Do you see these messages?Can you also open a web terminal and run
env | grep CLOUDRON_OIDC? Do you see a bunch of variables?@girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC
Now, I install manually OpenID Connect Login, but I don;t know how and where to set
Do we have to install manually first then update the package maybe? I see in this forum the scenario works fine with fresh installation, but not the old one
-
@girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC
Now, I install manually OpenID Connect Login, but I don;t know how and where to set
Do we have to install manually first then update the package maybe? I see in this forum the scenario works fine with fresh installation, but not the old one
@firmansi said in Nextcloud OIDC integration:
@girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC
So, I think you have installed nextcloud without Cloudron user management to start with. In that case, this change won't affect you at all. Just to double check: If you go into the app configuration -> Access Control, I guess you see Dashboard Visibility instead of User Management, correct?
-
@jdaviescoates I have published a new package with groups disabled. Can you please check?
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync. Cloudron only exposes groups but does not provision the app (it's not possible for Cloudron to know what group should be what).
@firmansi we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.
@girish said in Nextcloud OIDC integration:
@jdaviescoates I have published a new package with groups disabled. Can you please check?
The existing test install was still broken after the update, i.e. the groups were still there and it still removed my user from the admin group.
A new test install works! No groups and user stays in the admin group once added.
-
@jdaviescoates I have published a new package with groups disabled. Can you please check?
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync. Cloudron only exposes groups but does not provision the app (it's not possible for Cloudron to know what group should be what).
@firmansi we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.
@girish said in Nextcloud OIDC integration:
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync.
Just out of interest, how is this done?
-
@girish said in Nextcloud OIDC integration:
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync.
Just out of interest, how is this done?
-
@firmansi said in Nextcloud OIDC integration:
@girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC
So, I think you have installed nextcloud without Cloudron user management to start with. In that case, this change won't affect you at all. Just to double check: If you go into the app configuration -> Access Control, I guess you see Dashboard Visibility instead of User Management, correct?
@girish I don't really get it, from the first time I set the Nextcloud, user management with Cloudron instead of the app, so when I add new user then it will have access to to Cloudron automatically.
Well, it;s true, What I see when I click Access Control is Dashboard Visibility. Now I set the app visible only to several groups.
-
@jdaviescoates there is a checkbox in the UI to enable it . I forget the exact text but it's inside the OIDC app settings.
@girish Ah yes, I found it in
/settings/admin/user_oidcthanks
-
@girish I don't really get it, from the first time I set the Nextcloud, user management with Cloudron instead of the app, so when I add new user then it will have access to to Cloudron automatically.
Well, it;s true, What I see when I click Access Control is Dashboard Visibility. Now I set the app visible only to several groups.
-
@nebulon I think it's without Cloudron User Management because What i see now is only Dashboard Visibility Setting, why I seem confused, because I have been using this Nextcloud in Cloudron for the last 1,5 years, and all this time I never create new user in Nextcloud directly, but always with Cloudron Users with LDAP
-
Yeah something is inconsistent then. You can just verify the LDAP extension settings as an admin within Nextcloud to see what is happening.
-
I meant to check if your Nextcloud is actually using Cloudron usermanagement or not, since your statements are contradicting between LDAP and dashboard visibility. You can also run
env | grep LDAPin the webterminal into that nextcloud app instance. If you see LDAP related environment variables, it means you are using Cloudron usermanagement. -
This is only an installation choice, so if you have installed it without, you would have to install a fresh Nextcloud and import the data for each user. You can also try importing the current app's backup into a new installation with the import app backup feature (in the Backups view).
-
Just for input, there might be some like me using Nextcloud in cloudron who don't use Cloudron User Management from the beginning, I think for the next update, still give space to those like mine because last time I did the latest update, I can't login with user credential set up in User Directory Cloudron, only with admin credential
-
@nebulon By the way I have tried with new fresh installation, but always said Could not update the provider: The discovery endpoint is not reachable.
in Nextcloud. My current cofiguration for User Directory is with LDAP Server activated already -
If the app is installed without Cloudron usermanagement, and update will not touch upon the authentication settings, so there is no change for those, the package code simply does not change anything related to users in such a case. So I can't imagine how this has affected your instance.
Also I can't quite make out what you mean with LDAP Server activated already in this context. On Cloudron the LDAP server is always active for apps, but not every app will be setup to use it.
-
@nebulon By the way I have tried with new fresh installation, but always said Could not update the provider: The discovery endpoint is not reachable.
in Nextcloud. My current cofiguration for User Directory is with LDAP Server activated already@firmansi said in Nextcloud OIDC integration:
My current cofiguration for User Directory is with LDAP Server activated already
Note: This LDAP server is for apps external to Cloudron. This is not needed to be enabled for apps installed in Cloudron itself.
