Cloudron Forum

Nextcloud OIDC integration

111 Posts 10 Posters 8.0k Views 10 Watching
andreasdueren (quoted from an earlier post in the thread):

  @Joseph Is this something you're interested in debugging? Otherwise I'll just wipe the machine and install fresh

#61 joseph (Staff)

@andreasdueren yes, we would like to take a quick look, if possible. Maybe it's something obvious we missed in the package, or something else.

#62 girish (Staff)

@andreasdueren thanks for the access! I am making a new package to fix the issue.

For those interested, here is the technical information:

• On some VPS providers, when you create a VM with hostname my.foo.com, it will put an entry in /etc/hosts of the server with 127.0.1.1.

• Starting with Cloudron 8, we started using Docker for DNS resolution. Docker reads /etc/hosts and starts resolving my.foo.com to 127.0.1.1.

• This meant that for apps (which are running in containers), using the domain name my.foo.com (like the OIDC service) does not work, because it resolves to 127.0.1.1.

• To work around this, we added ExtraHosts to the container config. Docker simply adds entries to /etc/hosts of the container. Now, when apps try to resolve my.foo.com they will resolve to 172.18.0.1, because /etc/hosts has higher priority than a DNS lookup.

• This works for all apps... except Nextcloud has decided to implement some DNS pinning protection, which I think is to protect against DNS rebinding attacks. This code looks up DNS directly (thus skipping the /etc/hosts lookup) and thus ends up with 127.0.1.1 😕 It blocks the access, thinking it's an attack.

• Luckily, there is a config option, dns_pinning, to disable this functionality.

See also https://github.com/nextcloud/server/issues/42901

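The mismatch girish describes above (the system resolver honouring the container's /etc/hosts entry added through ExtraHosts, while a DNS-pinning guard queries DNS directly and sees the 127.0.1.1 answer) can be modelled in a few lines. The following is an added example, not code from the thread, from Cloudron or from Nextcloud: the hosts-file content, the Docker DNS answer table, the dns_pinning_verdict guard and the request_allowed toggle are constructed stand-ins, and the loopback/link-local test is a simplified approximation of what such a guard rejects, not Nextcloud's actual checker.

```python
"""Model of the two resolution paths described above (constructed example).

  * resolve_system(): what getaddrinfo() does with 'hosts: files dns' in
    nsswitch.conf: /etc/hosts first, DNS only as a fallback
  * resolve_direct_dns(): what a library that sends its own DNS query sees,
    which is why a DNS-pinning guard never notices the ExtraHosts entry
"""
import ipaddress

# Constructed /etc/hosts as Docker writes it inside the app container once
# ExtraHosts maps my.foo.com to the gateway address 172.18.0.1 (value from the thread).
CONTAINER_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
172.18.0.1  my.foo.com    # added through ExtraHosts
"""

# Constructed answer table for Docker's embedded DNS, which on the affected
# VPS has picked up the host's "127.0.1.1 my.foo.com" line.
DOCKER_DNS = {"my.foo.com": ["127.0.1.1"]}


def parse_hosts(text):
    """Parse hosts(5) syntax into {name: [ip, ...]}, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), []).append(ip)
    return table


def resolve_system(name, hosts_text=CONTAINER_HOSTS, dns=DOCKER_DNS):
    """Resolver order 'files dns': the hosts file wins when it has the name."""
    hosts = parse_hosts(hosts_text)
    return hosts.get(name.lower()) or dns.get(name.lower(), [])


def resolve_direct_dns(name, dns=DOCKER_DNS):
    """A direct DNS query: /etc/hosts is never consulted."""
    return dns.get(name.lower(), [])


def is_local_address(ip):
    """Simplified local-address test: loopback, link-local or unspecified."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_link_local or addr.is_unspecified


def dns_pinning_verdict(name, dns=DOCKER_DNS):
    """Constructed stand-in for a DNS-pinning guard (not Nextcloud's code):
    resolve directly, then refuse any answer that is a local address."""
    answers = resolve_direct_dns(name, dns)
    blocked = [ip for ip in answers if is_local_address(ip)]
    return {"answers": answers, "blocked": blocked, "allowed": not blocked}


def request_allowed(name, dns_pinning=True, dns=DOCKER_DNS):
    """Whether an outbound request to `name` gets past the guard. With pinning
    on, the guard's direct lookup decides; with it off (the 'dns_pinning' => false
    setting from the thread) the system resolver and its /etc/hosts entry are used."""
    if dns_pinning:
        return dns_pinning_verdict(name, dns)["allowed"]
    return bool(resolve_system(name, dns=dns))


if __name__ == "__main__":
    print("system resolver      :", resolve_system("my.foo.com"))
    print("direct DNS           :", resolve_direct_dns("my.foo.com"))
    print("pinning verdict      :", dns_pinning_verdict("my.foo.com"))
    print("allowed (pinning on) :", request_allowed("my.foo.com", dns_pinning=True))
    print("allowed (pinning off):", request_allowed("my.foo.com", dns_pinning=False))
```

Running it shows the two answers side by side: the system resolver returns 172.18.0.1 from the container's hosts file, the direct query returns 127.0.1.1, and the guard blocks on the latter. Disabling pinning removes the guard's independent lookup; the underlying cause (the 127.0.1.1 line on the host) is still worth fixing, since anything else that bypasses /etc/hosts will see it too.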
#63 andreasdueren

@girish So I should add 'dns_pinning' => false, to the config file?

#64 girish (Staff)

@andreasdueren yes, pretty much. https://git.cloudron.io/packages/nextcloud-app/-/merge_requests/12

#65 andreasdueren

@girish Works perfectly now, thanks!

#66 andreasdueren

Migration of a smaller instance seems to work smoothly so far.

#67 firmansi

@girish Since my installation's users are not managed by Cloudron, I can't enable OIDC (and not just this: I can't curl the OIDC server even though it's the same Cloudron server). I just want to let you know about an issue that I experienced lately: after I updated Nextcloud, including the latest update with DNS pinning, I couldn't log in, since the LDAP and Group Backend were disabled automatically after the update, so I had to enable them manually in Nextcloud Apps. The config in Nextcloud Settings for LDAP/AD Integration is a bit different than before the update, but anyhow I can still log in normally. Please be aware of this issue. Thanks

#68 andreasdueren

@girish Proposition to change the OpenID Identifier from "Cloudron" to "OpenID" or "SSO", since we can't have the branding from the Cloudron instance

#69 joseph (Staff)

@firmansi the auth mechanism is chosen at install time. If you go behind Cloudron's back and make changes to the app configuration, this will eventually not work. In your situation, you have installed Nextcloud without LDAP/OIDC and then later configured it inside the app manually. This won't work and is not supported. The way to fix this is like this:

• take a backup of your Nextcloud. Download the backup configuration of this new backup
• install a new Nextcloud with Cloudron user management
• import the backup from step 1: app -> backups -> import

It will work after this.

#70 firmansi

Do you mean I should simply back up in Cloudron? From my understanding, if I do the backup from Cloudron, then when I do the import, it will adjust to the old one without user management managed by Cloudron. Please let me know if my assumption is wrong

#71 firmansi

@joseph I can't curl https://my.domain.com/.well-known/openid-configuration, any suggestion on what I should check?

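When the discovery document at /.well-known/openid-configuration cannot be fetched, the useful checks are in two layers: can the host be reached at all (the DNS and Cloudflare problems discussed in this thread surface here), and, once it is, is the document usable and does its issuer match the URL it came from. The following is an added example and not code from the thread, from Cloudron or from Nextcloud; the issuer https://my.example.com, the endpoint paths and the SAMPLE_DOC content are constructed placeholders.

```python
"""Checking an OIDC discovery document (added example, not from the thread).

validate_discovery() works on an already-parsed document and reports what is
wrong with it; fetch_and_validate() does the live fetch that the curl in the
post attempts. A DNS failure or refused connection surfaces there as URLError,
before any of the document checks run.
"""
import json
import urllib.request
from urllib.error import URLError
from urllib.parse import urlparse

# Members OpenID Connect Discovery 1.0 marks REQUIRED; without them a client
# cannot run the authorization-code flow or verify ID tokens.
REQUIRED = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def discovery_url(issuer):
    """Discovery location for an issuer: <issuer>/.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc, expected_issuer):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    for key in REQUIRED:
        if key not in doc:
            problems.append(f"missing required member: {key}")
    issuer = doc.get("issuer")
    # The issuer in the document must be the one the client was configured with;
    # a relying party that skips this check is exposed to issuer mix-up.
    if issuer is not None and issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(
            f"issuer mismatch: document says {issuer!r}, expected {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = doc.get(key)
        if value is not None and urlparse(value).scheme != "https":
            problems.append(f"{key} must be https, got {value!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise the 'code' response type")
    return problems


def fetch_and_validate(issuer, timeout=10):
    """Live check. Returns (ok, details): on a network/DNS failure details is the
    URLError text, otherwise it is the list from validate_discovery()."""
    try:
        with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
            doc = json.load(resp)
    except URLError as exc:
        return False, f"cannot fetch {discovery_url(issuer)}: {exc.reason}"
    problems = validate_discovery(doc, issuer)
    return not problems, problems


# Constructed sample document for the placeholder issuer https://my.example.com
SAMPLE_ISSUER = "https://my.example.com"
SAMPLE_DOC = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/openid/auth",
    "token_endpoint": SAMPLE_ISSUER + "/openid/token",
    "jwks_uri": SAMPLE_ISSUER + "/openid/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    print("sample document problems:", validate_discovery(SAMPLE_DOC, SAMPLE_ISSUER))
    wrong = dict(SAMPLE_DOC, issuer="https://other.example.net")
    print("issuer mismatch problems:", validate_discovery(wrong, SAMPLE_ISSUER))
```

Run fetch_and_validate() from inside the app container (or wherever the relying party runs) rather than from a laptop: the resolution path that matters is the one the app uses, which is exactly where the /etc/hosts versus direct-DNS difference from earlier in the thread shows up.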
#72 firmansi

@joseph It seems the OIDC is working now; something was wrong with Cloudflare that affected my Cloudron installation. Following your instructions I did exactly the same, backup and import, but now Nextcloud is not responding, with this error message:

Feb 09 21:49:20 => Healtheck error: Error: connect ECONNREFUSED 172.18.16.17:80
Feb 09 21:49:20 No such app enabled: user_ldap
Feb 09 21:49:20 ==> Ensure OIDC settings
Feb 09 21:49:21 Error: Could not download app user_oidc
Feb 09 21:49:22 2025-02-09T21:49:22+07:00
Feb 09 21:49:22
Feb 09 21:49:22 There are no commands defined in the "user_oidc" namespace.
                            
#73 joseph (Staff)

@firmansi said in Nextcloud OIDC integration:

  Feb 09 21:49:21 Error: Could not download app user_oidc

This seems to be the issue. Can you put the app in repair mode and try sudo -u www-data php /app/code/occ app:install user_oidc? Maybe some DNS or network related issue is preventing it from downloading the app from Nextcloud's store

#74 firmansi

@joseph Well, I think before I back up, I have to install user_oidc first, because the container can't even start. I am doing the 2nd try

#75 joseph (Staff)

@firmansi I see. So, just to be clear: a fresh install of Nextcloud with Cloudron user management works? And you can also OIDC login? The import should also work if that is the case (i.e. it's not a network issue then)

#76 firmansi

@joseph Yes it works. It's a network issue, even though I still don't know why it happens; I don't use any proxy in Cloudflare. But anyway, how do I change the Identifier for the OIDC? I have changed the brand name as well, as I see in env | grep CLOUDRON_OIDC, but the identifier name is still Cloudron in Registered Providers in the Nextcloud OpenID backend integration

#77 firmansi

@joseph All good. I can change the identifier too, or the brand name shown in the button.

I simply check env | grep CLOUDRON_OIDC and then delete the existing Registered Provider, and then create a new Registered Provider by inputting the Identifier name as I wish and then inputting all parameters from CLOUDRON_OIDC

#78 jdaviescoates

@firmansi said in Nextcloud OIDC integration:

  I simply check env | grep CLOUDRON_OIDC and then delete the existing Registered Provider, and then create a new Registered Provider by inputting the Identifier name as I wish and then inputting all parameters from CLOUDRON_OIDC

I doubt that'll survive an app restart.

But as @andreasdueren suggested above, given the Nextcloud OIDC app doesn't support displaying a brand name, I wonder if @staff could rename the provider to something more generic like "Open ID Connect" or "OIDC"?

I use Cloudron with Gandi & Hetzner

#79 firmansi

@jdaviescoates Correct, the deleted entry is back again after a restart, but I am okay with this, because this default setting actually acts as guidance for me in case I forget the default Cloudron settings that I can apply to other OIDC integrations. I can simply delete the default Brand Name button without affecting anything, including the new Registered Provider I have set up

#80 joseph (Staff)

@jdaviescoates said in Nextcloud OIDC integration:

  I wonder if @staff could rename the provider to something more generic like "Open ID Connect" or "OIDC"?

Those terms are just generic technology terms. One should always have "Login with <provider>", like Login with Gmail, Login with GitHub etc. Login with OIDC doesn't actually mean anything (unless it's providing some dropdown of providers after clicking the button). I think we should open a bug report upstream, seems easy to fix
