Cloudron Forum
Nextcloud OIDC integration

111 Posts 10 Posters 10.4k Views 10 Watching
In reply to jdaviescoates, who wrote:

    @firmansi said in Nextcloud OIDC integration:

    I simply check env | grep CLOUDRON_OIDC and then delete the existing Registered Provider, and then create new Registered Provider by input the Identifier name as I wish and then input all parameters in CLOUDRON_OIDC

    I doubt that'll survive an app restart.

    But as @andreasdueren suggested above, given the Nextcloud OIDC app doesn't support displaying brand name, I wonder if @staff could rename the provider to something more generic like "Open ID Connect" or "OIDC"?

firmansi, #79 (last edited by firmansi)

    @jdaviescoates Correct, the deletion back again after restart, but I am okay with this because this default setting actually acts like a guidance for me in case I forget default Cloudron setting that I can apply to other OIDC, I can simply just delete the default Brand Name button without affecting anything, including new Registered Provider I have set up


joseph (Staff), #80

      @jdaviescoates said in Nextcloud OIDC integration:

      I wonder if @staff could rename the provider to something more generic like "Open ID Connect" or "OIDC"?

Those terms are just generic technology terms. One should always have "Login with <provider>", like Login with Gmail, Login with GitHub etc. Login with OIDC doesn't actually mean anything (unless it's providing some dropdown of providers after clicking the button). I think we should open a bug report upstream, seems easy to fix.

AartJansen, #81 (last edited by AartJansen)

        I've had some issues with 2FA and nextcloud. On my android phone the freshly installed nextcloud app opens a browser page, I click "cloudron login" and get an error about

        Access forbidden State token does not match
        

        After retrying "it just works" TM

        Also I used a new account to get into nextcloud, on my PC / firefox, and went to use my normal account afterwards but it automatically goes to the new account, is there a cookie / cached token or something I can delete to fix this? Clearing the entire cache is annoying.

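The "State token does not match" error above is the relying party's check on the OIDC `state` parameter, which binds an authorization callback to the browser session that started the login. As an added example (not code from the thread, from Cloudron or from the Nextcloud user_oidc app), this minimal Python relying party shows that check and why a callback that lands in a session other than the one that minted the state, or a replayed callback, is rejected while a fresh retry succeeds; the endpoint, client id and redirect URI are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: a real relying party takes these from the provider's
# discovery document and its client registration.
AUTHORIZE_ENDPOINT = "https://my.example.test/openid/auth"
CLIENT_ID = "nextcloud-example"
REDIRECT_URI = "https://cloud.example.test/apps/user_oidc/code"

STATE_MISMATCH = "Access forbidden: State token does not match"


@dataclass
class BrowserSession:
    """Server-side session bound to one browser through its session cookie."""
    data: dict = field(default_factory=dict)


def begin_login(session: BrowserSession) -> str:
    """Step 1: mint a fresh, unguessable state, remember it in the caller's
    session and build the authorization request the browser is sent to."""
    state = secrets.token_urlsafe(32)
    session.data["oidc_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile",
        "state": state,
        "nonce": secrets.token_urlsafe(32),
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def finish_login(session: BrowserSession, callback_url: str) -> str:
    """Step 2: the provider redirected the browser back. Accept the code only if
    the returned state is the one this very session minted, and only once."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    # pop() makes the state single-use, so a replayed callback is refused too
    expected = session.data.pop("oidc_state", None)
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise PermissionError(STATE_MISMATCH)
    return query.get("code", [""])[0]


def provider_redirect(auth_url: str, code: str) -> str:
    """Stand-in for the identity provider: echo the state back with a code."""
    state = parse_qs(urlparse(auth_url).query)["state"][0]
    return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': state})}"


def run_scenarios() -> dict:
    """Three callbacks: from the session that started the flow, the same one
    replayed, and one delivered to a browser session that never began a login."""
    results = {}

    started = BrowserSession()
    callback = provider_redirect(begin_login(started), "code-1")
    results["same_session"] = finish_login(started, callback)

    try:
        finish_login(started, callback)  # replay of an already-consumed state
        results["replay"] = "accepted"
    except PermissionError as exc:
        results["replay"] = str(exc)

    other = BrowserSession()
    foreign_callback = provider_redirect(begin_login(other), "code-2")
    stranger = BrowserSession()  # e.g. a second browser or webview without the cookie
    try:
        finish_login(stranger, foreign_callback)
        results["foreign_session"] = "accepted"
    except PermissionError as exc:
        results["foreign_session"] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16} -> {outcome}")
```

Retrying after such an error works because the retry mints a new state in the session the browser actually holds, which is the expected fix rather than relaxing the check.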

jdaviescoates, #82

          @AartJansen I think you'll need to logout of your my.domain to logout then login again using the account you want to use. I now make more use of Firefox containers

          I use Cloudron with Gandi & Hetzner

whitespace, #83 (last edited by whitespace)

            This may be an exotic case:

I am running a Nextcloud instance where LDAP is enabled. Users of the institution thereby have Cloudron LDAP accounts that reflect into the Nextcloud instance.

            Now the same institution is creating Nextcloud user accounts within Nextcloud. These users are signing up directly to the Nextcloud instance and not to the parent Cloudron instance. Their profiles do not appear in Cloudron's LDAP directory.

            This results in two types of users. The institution must be able to create user accounts for external collaborators within the Nextcloud instance. They do not need to be Cloudron users.

            Will the upgrade to OIDC affect the user accounts only created within the Nextcloud instance?

            User Management is enabled for the Nextcloud app. Non-Cloudron Nextcloud-only accounts exist and are behaving normally right now.

            The institution is in the process of creating 100+ Nextcloud accounts. Any recommendations before sh*t hits the fan?

joseph (Staff), #84

@whitespace good question. IIUC, what you are asking is: if there is an account in Nextcloud and Cloudron, then what happens after the migration? Does the Nextcloud local account get converted into an OIDC account? Did I get that right? (I have to test, don't have an answer.)

whitespace, #85 (last edited by whitespace)

                Basically yes. Here is the scenario in chronological order.

                1. Fresh Nextcloud is installed on Cloudron instance pre-OIDC, user management being set to Cloudron, not Nextcloud
                2. Accounts are created via Cloudron user management
                3. Users start using Nextcloud
                4. Users create more accounts within Nextcloud
                5. Accounts created within Nextcloud do not sync back to Cloudron user directory. This was not seen as a problem since these local users were able to login into Nextcloud which is all they needed.
                6. Nextcloud gets updated to OIDC version.
                7. Accounts that were LDAP Cloudron accounts can not login via Nextcloud login form anymore. They have to "Login with Cloudron".
                8. Accounts that were created within Nextcloud and did not reflect into Cloudron user directory can not log in anymore.

                This is where we are now. The two problems summarized being:

                1. Nextcloud accounts that do not exist in the Cloudron directory can not login into Nextcloud anymore.
                2. Cloudron accounts that used to login with their Cloudron credentials into Nextcloud's login form, can not login directly. They have to "Login with Cloudron", get redirected to Cloudron's app specific login screen and only after that they are logged in into Nextcloud.

                Expected behaviour:

                1. Nextcloud accounts that do not exist in Cloudron user directory should be able to log in via Nextcloud login form.
                2. Cloudron accounts should be able to login with their Cloudron credentials without the need of "Login with Cloudron" just by typing their Cloudron credentials into Nextcloud's login form.
joseph (Staff), #86 (last edited by joseph)

                  @whitespace said in Nextcloud OIDC integration:

                  Cloudron accounts should be able to login with their Cloudron credentials without the need of "Login with Cloudron" just by typing their Cloudron credentials into Nextcloud's login form.

This one is not possible. Cloudron accounts have to use the 'Login with Cloudron' button to login. At a platform level, we have standardized on OIDC and where possible the package has been switched to use this.

                  But apart from that, I suggest just installing a test instance of nextcloud or a clone of your current nextcloud and check out what happens on the upgrade path.


avatar1024, #87 (last edited by avatar1024)

                    @joseph said in Nextcloud OIDC integration:

This one is not possible. Cloudron accounts have to use the 'Login with Cloudron' button to login. At a platform level, we have standardized on OIDC and where possible the package has been switched to use this.

It kinda makes sense that this is not possible, and while it may be confusing for existing users to now have to log in in a different way, it makes logging in more convenient overall.

However, it would still be great to have some sort of mapping from OIDC credentials to user credentials in Nextcloud, as beyond just logging in, OIDC currently makes it rather awkward to connect to other parts of Nextcloud. For example, according to this guide, syncing calendars via CalDAV requires you to set up a separate app login, which pretty much defeats the point of an SSO/OIDC set-up. Frankly, for anyone doing anything other than logging into Nextcloud from the web interface (syncing calendars, syncing Joplin notes, or using any other app that connects to Nextcloud via username and password), the new OIDC set-up is more awkward and complicated than LDAP.

Is such a mapping possible at all, like it is with LDAP?


whitespace, #88

@joseph We are already up-to-date on a live Nextcloud. Thankfully problem 1. only affects 5 accounts so far. We will manually transfer those to Cloudron.

                      A nice option would be to customize the text of the "Login with Cloudron" button and the info text shown above. Or, even better, a redirect to Cloudron's login form without a need of the button to begin with.


girish (Staff), #89 (last edited by girish)

                        @avatar1024 the auth situation is not ideal, agreed. But are you comfortable having a setup where users are storing their raw password in all these devices, mobile apps (whichever app your users install) and laptops?

Can't/not my place to make security choices for you 🙂, but I think if you want the old setup, you have to set up Nextcloud without Cloudron user management and create users inside Nextcloud itself. For us (platform point of view), we want to guide users to what we consider better/more secure. A leaked raw password of the platform has very big implications (compromises all apps).


girish (Staff), #90 (last edited by joseph)

                          @whitespace said in Nextcloud OIDC integration:

                          A nice option would be to customize the text of the "Login with Cloudron" button and the info text shown above. Or, even better, a redirect to Cloudron's login form without a need of the button to begin with.

Cloudron already supports this, but it wasn't supported in the Nextcloud plugin. But good news, this was just implemented upstream: https://github.com/nextcloud/user_oidc/issues/859. It's not released yet.

                          edit: looks like this is released, will try to update package


avatar1024, #91 (last edited by avatar1024)

                            @girish said in Nextcloud OIDC integration:

                            A leaked raw password of the platform has very big implications (compromises all apps)

Very much agreed with that, and overall I take your point about wanting to prioritise more secure routes. This approach does increase security, but I would say only marginally, and with that reasoning we could make Cloudron and various apps even more secure at the further expense of convenience, which I don't think anyone would be up for.

Security is about a range of practices which have something of a hierarchy. Things like encrypting your device hard drive are probably the overarching security measure when it comes to password protection, along with using apps that transmit login details securely between device and server (though storing securely is less of a problem if the device is encrypted) and using a proper password token / manager. Otherwise, if someone gets physical access to your device, it is likely they will get access to the platform password by some other means, for example from the web browser where, unless told otherwise, casual users will keep their platform password stored for convenience.

Sure, no one is saying we should make the task easy for anyone attempting an attack, like keeping all your passwords in a plain text file on your desktop, but wanting to protect the platform password by making usability much worse, where in fact the main security culprit is elsewhere (in people's device encryption and password practices), I'm not sure makes much sense. That's just my opinion, I'm happy to be told I'm wrong, and it is also not my place to tell you about security choices :).

avatar1024, #92

                              @whitespace said in Nextcloud OIDC integration:

                              Nextcloud accounts that do not exist in Cloudron user directory should be able to log in via Nextcloud login form.

This seems to be working as expected. Some users in one of my Nextcloud instances are not Cloudron users, and after the update enabling OIDC they haven't been logged out and their credentials seem to be working as usual.

In reply to girish, who wrote:

                                @jdaviescoates I have published a new package with groups disabled. Can you please check?

                                @avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync. Cloudron only exposes groups but does not provision the app (it's not possible for Cloudron to know what group should be what).

                                @firmansi we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.

avatar1024, #93 (last edited by avatar1024)

                                @girish said in Nextcloud OIDC integration:

                                OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync.

                                Hi @girish

                                So is there a solution to add users in the Nextcloud admin group with OIDC group mapping activated?

                                Group mapping works well but when I add users to the admin group from the Nextcloud user interface it doesn't work (as noted by @jdaviescoates earlier in this thread).


jdaviescoates, #94

                                  @avatar1024 it's working for me. But you can only edit/ update users that have logged in post updating to OIDC - it's like all the previous users don't really exist anymore.



avatar1024, #95 (last edited by avatar1024)

                                    @jdaviescoates Thanks! Have you activated group mapping / syncing though? For me it's not working. I cannot add myself to the admin group (and I have definitely logged in - in fact that's how I know I'm not an admin 🙂 ). I can login with the "admin" user via the Nextcloud form but cannot add anyone else to the admin group, including myself.


jdaviescoates, #96

                                      @avatar1024 said in Nextcloud OIDC integration:

                                      Have you activated group mapping / syncing though?

                                      No.



avatar1024, #97 (last edited by avatar1024)

                                        @jdaviescoates Yeah so it also works for me if I don't activate group mapping / syncing but I was asking if there is a solution to add admins users with that enabled.

On one instance we used LDAP group syncing, and so switching to OIDC we need to also sync groups... but then we also need admins 😅

                                        Anyone got a clue?

                                        PS: I've tried with my user who is a cloudron superadmin and with another user who is a Cloudron admin. None of them appear in the NC admin group or can be added to it.

joseph (Staff), #98

@avatar1024 can the Nextcloud admin group have an arbitrary name, or should it be admin(s)? Since group sync is turned on, you have to create such a group on Cloudron. The admins group is reserved in Cloudron, but this can be changed I think.
