OpenID Connect SSO with Kopano Meet and (for example) Nextcloud

fbartels

While native support for OAuth has recently been removed from Cloudron users can still utilise OAuth 2 and OpenID Connect (oidc) to authorize users thanks to the built in OpenID Provider of the Kopano Meet app.

Under the hood Kopano Meet uses OpenID Connect to sign users into the application and this functionality is provided through Kopano Konnect, which is bundled inside of the app and pre-configured to allow Cloudron users to login. This article will show how to extend the configuration of Kopano Konnect to allow other apps to make use of OpenID Connect.

Requirements:

• Cloudron 5.1
• Installation of the latest version of Kopano Meet
• Nextcloud app
  • "Social Login" app installed within Nextcloud

Nextcloud only serves as an example most users will probably already be familiar with, any other app allowing login through oidc can be configured in a similar way.

In the below configuration snippets I am going to use the domain meet.9wd.eu for my Kopano Meet installation and cloud.9wd.eu for my Nextcloud installation. Make sure to use your actual domain names during the configuration.

Extending the configuration of Kopano Konnect

To modify the configuration of Konnect you need to login at your Cloudron dashboard (which is usually available at https://my.your-comain.com) and open the terminal view of the Meet app (Look for "Console Access" in the settings of Meet). Here you need to open /app/data/konnectd-identifier-registration.yaml in an editor and add the following text to the end of the file:

- id: cloud.9wd.eu
  application_type: web
  name: Nextcloud Cloudron
  trusted: true
  redirect_uris:
  - https://cloud.9wd.eu/index.php/apps/sociallogin/custom_oidc/CloudronMeet

Important: the redirect url must match the "internal name" specified during the social login configuration later on

After the file has been modified restart Konnect by running supervisorctl restart kopano-konnectd (alternatively the whole meet app could be restarted, but this is faster).

The rest of the configuration is done inside of Nextcloud.

Configuring Nextcloud for SSO with OpenID Connect

To configure Nextcloud for oidc you first need to login with an admin level user and install the "social login" app inside of Nextcloud. After the app has been installed you have go into its settings (which are located at https://cloud.9wd.eu/settings/admin/sociallogin) to configure it.

I recommend to have the following general configuration settings set in the app:

• Disable auto create new users
• Allow users to connect social logins with their account

This will mean that new users will first need to login through the "traditional" Nextcloud login and then from within their user settings link their oidc login to Nextcloud. This will be further explained once oidc is generally setup in Nextcloud.

Further down in the settings add your own "custom OpenID Connect" provider. You need to fill in the following values:

• Internal name: CloudronMeet
  • users won't see this name, but it needs to match with the redirect_uris in konnectd-identifier-registration.yaml
• Title: Kopano Konnect (Cloudron)
  • This is what the end user will see. The name should be something the user can relate to
• Authorize url: https://meet.9wd.eu/signin/v1/identifier/_/authorize
  • Needs to match the domain the Meet app was installed on. Values can be retrieved from https://meet.9wd.eu/.well-known/openid-configuration
• Token url: https://meet.9wd.eu/konnect/v1/token
• User info URL (optional): https://meet.9wd.eu/konnect/v1/userinfo
• Logout URL (optional): not required to be filled out
• Client Id: cloud.9wd.eu
• Client Secret: some-password
  • this value is not verified in the OpenID provider configuration, but needs to be specified anyways
• Scope: openid profile email konnect/hashed_sub
• Groups claim (optional): I have left this empty
• Button style: OpenID
• Default group: None

Once this is setup log out with your admin user account and you will see another login button on the Nextcloud login page titled "Kopano Konnect (Cloudron)".

Linking your Nextcloud user to oidc

Before the user can use oidc to log into Nextcloud, he need to link his existing Cloudron user to it. For this log into Nextcloud like you have done in the past and afterwards go into the settings of the user. Here you will now find an option called "social login" (the url will be similar to https://cloud.9wd.eu/settings/user/sociallogin).

Users need to manually connect their existing Nextcloud account with the oidc identity.

At this menu item you will find a section called "Available providers" with a button underneath that will read "Kopano Konnect (Cloudron)". Click this button once to link your Nextcloud account to your new OpenID identity. In case you have previously not been logged into Meet you will be asked for your credentials for this (which are your normal Cloudron credentials).

Once your Nextcloud account has been linked you can easily switch between Nextcloud and Kopano Meet without having to login again.

This article has also been published on my blog.

fbartels

The following configuration needs to be added to the identifier registration of Kopano Konnect to enable SSO with Rocketchat:

- id: rocketchat.9wd.eu
  name: Rocketchat
  trusted: true
  application_type: web
  redirect_uris:
  - https://rocketchat.9wd.eu/_oauth/konnect

Remember to restart Konnect after modifying the registry. If you want to verify that the configuration was properly loaded you have to modify log_level in /app/data/konnectd.cfg to read /app/data/konnectd.cfg. With another restart Konnect will then print a message like the following at startup:

Apr 20 20:21:30 time="2020-04-20T18:21:30Z" level=debug msg="registered client" application_type=web client_id=rocketchat.9wd.eu insecure=false origins="[https://rocketchat.9wd.eu]" redirect_uris="[https://rocketchat.9wd.eu/_oauth/konnect]" trusted=true with_client_secret=false

In Rocket.chat the following configuration needs to be added. For this go into the admin backend, select "OAuth" and there "Add custom oauth". I am using the following settings:

• URL: https://meet.9wd.eu
• Token Path: /konnect/v1/token
• Token Sent Via: Header
• Identity Token Sent Via: Same as "Token Sent Via"
• Identity Path: /konnect/v1/userinfo
• Authorize Path: /signin/v1/identifier/_/authorize
• Scope: openid profile email
• Id: rocketchat.9wd.eu
• Secret: rocketchat
• Login Style: Default
• Button Text: Kopano Konnect (needs to be something the user can relate to)
• Button Text Color: #FFFFFF
• Button Color: #13679A
• Username field: preferred_username
• Merge users: false

After storing these log out of Rocket.chat and you will see a new button on your login page titled "Kopano Konnect", which will then use the new login method.