Nextcloud OIDC integration
-
@avatar1024 there is a "Group whitelist regex" field in the OIDC UI. Have you tried setting it to only the groups you care about? It says it supports regexp, but not sure if it supports lookahead regexps (ask chatgpt) . i.e match all groups that are not admin.
@joseph Thanks, that worked!
So far I haven't been able to allow all groups but exclude "admin", but when I only allow only a specific group then the admin group is not provisioned and works as expected.
-
Ok this regex to whitelist all groups except "admin" seems to work well
: ^(?!admin$).+$
-
J joseph referenced this topic on
-
Is there a way to lead logged-in Nextcloud OICD users from Logout back to the Cloudron login form in logged-out state?
Expected behaviour
- User is logged-in in Nextcloud
- User presses "Logout" in Nextcloud.
- User is logged out of the Nextcloud and from Cloudron.
- User sees the Cloudron login form.
What happens with ˋallow_user_multiple_backendsˋ set to value=0:
- User presses "Logout" in Nextcloud
- User is invisibly getting redirected to Cloudron login form that reports to the Nextcloud instance that user is logged-in.
- User ends up logged-in in Nextcloud.
This would be useful for instances where Nextcloud is the primarily hosted app. We have a server with Nextcloud and Collabora Office backend. There is usually no necessity for users to ever see the dashboard other than editing their profile.
-
I guess Nextcloud initiates the OpenID login redirection automatically in that case then. Since the user still has a login session with the OpenID provider (the Cloudron) it will auto-login.
Since the logout of Nextcloud itself is from the Nextcloud session, the OpenID provider has no clue about a logout event, so I don't think this is currently possible.
-
Is this known that the encryption keys are not initialized anymore after login in with OIDC? I am currently unable to access any of my files via web after the login and the message "Encryption app is enabled, but your keys are not initialized. Please log-out and log-in again." appears but logging out and in again does not help
-
Is this known that the encryption keys are not initialized anymore after login in with OIDC? I am currently unable to access any of my files via web after the login and the message "Encryption app is enabled, but your keys are not initialized. Please log-out and log-in again." appears but logging out and in again does not help
@RaV001 said in Nextcloud OIDC integration:
Is this known that the encryption keys are not initialized anymore after login in with OIDC? I am currently unable to access any of my files via web after the login and the message "Encryption app is enabled, but your keys are not initialized. Please log-out and log-in again." appears but logging out and in again does not help
Okay I updated to the latest version of Nextcloud in Cloudron and now this has changed to telling me that "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files" but not sure what the old password should be as I am still using the same account but now logged in via OIDC. No files are readable currently
-
@RaV001 said in Nextcloud OIDC integration:
Is this known that the encryption keys are not initialized anymore after login in with OIDC? I am currently unable to access any of my files via web after the login and the message "Encryption app is enabled, but your keys are not initialized. Please log-out and log-in again." appears but logging out and in again does not help
Okay I updated to the latest version of Nextcloud in Cloudron and now this has changed to telling me that "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files" but not sure what the old password should be as I am still using the same account but now logged in via OIDC. No files are readable currently
@RaV001 said in Nextcloud OIDC integration:
not sure what the old password should be
I'm not sure as I don't use this, but presumably it'll be whatever "your private key password" (not your Cloudron pw) was before whenever you set it up.
Hopefully you made a note of it or remember it?!
If not you could well be stuck.
As an "doesn't help you right now" aside, this is precisely why I personally don't use encryption much myself - I figure the risk of me somehow losing access to my own files by something going wrong or me losing or forgetting my keys is actually quite a lot higher (in that it's actually happened before) than someone nefarious gaining access to my files (which as far as I know has never actually happened)
-
@RaV001 said in Nextcloud OIDC integration:
Is this known that the encryption keys are not initialized anymore after login in with OIDC? I am currently unable to access any of my files via web after the login and the message "Encryption app is enabled, but your keys are not initialized. Please log-out and log-in again." appears but logging out and in again does not help
Okay I updated to the latest version of Nextcloud in Cloudron and now this has changed to telling me that "Invalid private key for encryption app. Please update your private key password in your personal settings to recover access to your encrypted files" but not sure what the old password should be as I am still using the same account but now logged in via OIDC. No files are readable currently
-
@RaV001 never used Nextclouds encryption, but maybe it used the password which was also used by the user account/LDAP before to open the encryption key. Have you tried to use the same password as your Cloudron user has?
-
@RaV001 said in Nextcloud OIDC integration:
not sure what the old password should be
I'm not sure as I don't use this, but presumably it'll be whatever "your private key password" (not your Cloudron pw) was before whenever you set it up.
Hopefully you made a note of it or remember it?!
If not you could well be stuck.
As an "doesn't help you right now" aside, this is precisely why I personally don't use encryption much myself - I figure the risk of me somehow losing access to my own files by something going wrong or me losing or forgetting my keys is actually quite a lot higher (in that it's actually happened before) than someone nefarious gaining access to my files (which as far as I know has never actually happened)
@jdaviescoates I am pretty sure I never have used a special password for this. As far as I can tell this was always the users password but somehow I am not seeing where I could have backed up any recovery stuff but Nextcloud seems to do encryption in different ways and some things have changed a lot over time
-
@jdaviescoates I am pretty sure I never have used a special password for this. As far as I can tell this was always the users password but somehow I am not seeing where I could have backed up any recovery stuff but Nextcloud seems to do encryption in different ways and some things have changed a lot over time
@RaV001 well, good luck! I hope the backup works and you manage to regain access to your files!
-
@jdaviescoates I have published a new package with groups disabled. Can you please check?
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync. Cloudron only exposes groups but does not provision the app (it's not possible for Cloudron to know what group should be what).
@firmansi we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.
@girish said in Nextcloud OIDC integration:
we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.
This is a pretty big deal for companies with a lot of users who have set NextCloud up with LDAP (because we don't need OIDC). Did the Cloudron team consider that? It will require a lot of hand-holding and manual effort to re-establish new user accounts, reconnect mobile apps and manually reconfigure their files shares and group access. It would have been nice to provide a way to migrate NC users to Cloudron while maintaining files, shares and access.
I get that it is better, it's just that now you are forcing your subscribers to jump through a very tall hoop. I just onboarded our entire company to NextCloud, which was a hard enough process. Now I will have to explain to everyone why they need to go through that process all over again. Not fun and not at all what I need right now. We probably won't upgrade until I can figure out what to do. I might migrate our install to a Docker VM. That way I can keep the users in tact and also get the HPBE with AIO. Either way it's a lot of work.
-
@girish said in Nextcloud OIDC integration:
we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.
This is a pretty big deal for companies with a lot of users who have set NextCloud up with LDAP (because we don't need OIDC). Did the Cloudron team consider that? It will require a lot of hand-holding and manual effort to re-establish new user accounts, reconnect mobile apps and manually reconfigure their files shares and group access. It would have been nice to provide a way to migrate NC users to Cloudron while maintaining files, shares and access.
I get that it is better, it's just that now you are forcing your subscribers to jump through a very tall hoop. I just onboarded our entire company to NextCloud, which was a hard enough process. Now I will have to explain to everyone why they need to go through that process all over again. Not fun and not at all what I need right now. We probably won't upgrade until I can figure out what to do. I might migrate our install to a Docker VM. That way I can keep the users in tact and also get the HPBE with AIO. Either way it's a lot of work.
Hello @overholt
@overholt said in Nextcloud OIDC integration:
It would have been nice to provide a way to migrate NC users to Cloudron while maintaining files, shares and access.
All users that exist in LDAP are automatically migrated to OIDC when they log in for the first time with OIDC.
They retain all files, shares, access, groups and so on.
The reconfiguration part on the desktop client or mobile client part is only a login and everything else should stay the same.
One exception for other clients explained further down.@overholt said in Nextcloud OIDC integration:
Now I will have to explain to everyone why they need to go through that process all over again.
I understand this is not optimal and the wish for a discussion first with the community is also very understandable.
If you are looking for the argument for your company that just started using Nextcloud on Cloudron why this change is necessary?
Answer with, Security and Usability.
Usability might not be that obvious at first since the given task of migration at hand.OIDC Login enables 2FA authentication before the application.
Plain vanilla LDAP has no concept of 2FA.
So, with LDAP, users will have to maintain 2FA codes for every application.
With OIDC, only one 2FA code is needed.Nextcloud specific security advancement with OIDC is that you need to create an app-password within Nextcloud for external clients like DAVx5 or other calendar apps.
This reduces the risk of some random thrid party application leaking the user password. -
Hello @overholt
@overholt said in Nextcloud OIDC integration:
It would have been nice to provide a way to migrate NC users to Cloudron while maintaining files, shares and access.
All users that exist in LDAP are automatically migrated to OIDC when they log in for the first time with OIDC.
They retain all files, shares, access, groups and so on.
The reconfiguration part on the desktop client or mobile client part is only a login and everything else should stay the same.
One exception for other clients explained further down.@overholt said in Nextcloud OIDC integration:
Now I will have to explain to everyone why they need to go through that process all over again.
I understand this is not optimal and the wish for a discussion first with the community is also very understandable.
If you are looking for the argument for your company that just started using Nextcloud on Cloudron why this change is necessary?
Answer with, Security and Usability.
Usability might not be that obvious at first since the given task of migration at hand.OIDC Login enables 2FA authentication before the application.
Plain vanilla LDAP has no concept of 2FA.
So, with LDAP, users will have to maintain 2FA codes for every application.
With OIDC, only one 2FA code is needed.Nextcloud specific security advancement with OIDC is that you need to create an app-password within Nextcloud for external clients like DAVx5 or other calendar apps.
This reduces the risk of some random thrid party application leaking the user password.@james Thanks for the explanation. It does help. It sounds like the migration might be easier than I'm thinking. My worry is having to manually reconfigure shares, etc inside NextCloud for users.
Just so I make sure I understand, is LDAP the default authentication protocol used when installing NextCloud on Cloudron and selecting "let application manage users?" I think I might be misunderstanding what LDAP is in relation to Cloudron and NextCloud. I might not even be using LDAP.
-
@james Thanks for the explanation. It does help. It sounds like the migration might be easier than I'm thinking. My worry is having to manually reconfigure shares, etc inside NextCloud for users.
Just so I make sure I understand, is LDAP the default authentication protocol used when installing NextCloud on Cloudron and selecting "let application manage users?" I think I might be misunderstanding what LDAP is in relation to Cloudron and NextCloud. I might not even be using LDAP.
-
@james Thanks for the explanation. It does help. It sounds like the migration might be easier than I'm thinking. My worry is having to manually reconfigure shares, etc inside NextCloud for users.
Just so I make sure I understand, is LDAP the default authentication protocol used when installing NextCloud on Cloudron and selecting "let application manage users?" I think I might be misunderstanding what LDAP is in relation to Cloudron and NextCloud. I might not even be using LDAP.
@overholt said in Nextcloud OIDC integration:
LDAP the default authentication protocol used when installing NextCloud on Cloudron and selecting "let application manage users?"
Just emphasis @james's point, when you select "let application manage users", then you're not using LDAP at all, you're using Nextcloud internal user registration which is not affected whatsoever by the migration from LDAP to OIDC.
@overholt said in Nextcloud OIDC integration:
My worry is having to manually reconfigure shares, etc inside NextCloud for users.
Even if you were using LDAP, the transition to OIDC only affects the login process (for NC itself and all external apps) but not anything internal like folder shares, groups, circles, etc.
-
Hello @overholt
No, when you choose "let application manage users" the app itself manages the users.
If all your users truly only exist in Nextcloud and not in Cloudron this migration does not concern you at all.@james said in Nextcloud OIDC integration:
Hello @overholt
No, when you choose "let application manage users" the app itself manages the users.
If all your users truly only exist in Nextcloud and not in Cloudron this migration does not concern you at all.Thanks for clearing that up. I tried asking ChatGPT this question and it made things more complex than they needed to be, as it sometimes does.
@avatar1024 said in Nextcloud OIDC integration:
Even if you were using LDAP, the transition to OIDC only affects the login process (for NC itself and all external apps) but not anything internal like folder shares, groups, circles, etc.
I know now it doesn't pertain to my situation, but I was asking ChatGPT before I commented here and it said I would have to recreate all my NextCloud users in Cloudron and that those users would have no relation to the existing LDAP users in NextCloud, so I'd have to manually migrate everything inside NextCloud from the old users to the new users created by Cloudron. I'm guess that answer was way off?
-
@overholt said in Nextcloud OIDC integration:
I'm guess that answer was way off?
Yes. Completly wrong.
@overholt said in Nextcloud OIDC integration:
as it sometimes does
Most of the time it does when the AI does not have the necessary information in its model.
Since this a very specific context of Nextcloud inside Cloudron, the AI would need accessive knowledge about what Cloudron is and what it does.
Some AI Models you can pre-feed with details like giving them the docs URL or such.
But even then the Parrot AI starts imagining things.
Better to ask here directly before getting lead on a wild goose chase by the AI.
