Nextcloud OIDC integration
-
@firmansi OIDC should be automatically automatic configured. Can you restart the app and check the logs? In the log you should see
==> Disabling LDAP
and then==> Ensure OIDC settings
. Do you see these messages?Can you also open a web terminal and run
env | grep CLOUDRON_OIDC
? Do you see a bunch of variables? -
OK, I've just installed fresh instance of Nextcloud to test this.
I was able to login fine, but I don't seem able to make my user an admin. I can add them to the admin group, but they don't actually get any admin rights.
It is kinda sorta nice that it sucks in all my Cloudron groups, but it's also not appropriate in my case. And none of those groups have access to this Cloudron, so the current set-up would seem to me to be generally inappropriate to me too. I also host a Nextcloud for a small volunteer group and them seeing a list of groups that have nothing whatsoever to do with them would, I imagine, be very confusing. I can imagine it could potentially be useful for some people's set-up though - so perhaps it could/ should only suck in/ create groups that actually have access to the app? (either way, I think the way it currently works needs to change).
-
@jdaviescoates said in Nextcloud OIDC integration:
I was able to login fine, but I don't seem able to make my user an admin. I can add them to the admin group, but they don't actually get any admin rights.
I think something about the way it's syncing to Cloudron groups is what is breaking this.
When I login as admin and edit my user to add them to the admin group, my user does get added as an admin, and then appears in the list of admins.
But once I logout as admin and then back in again as my user, I'm no longer in the admin group. Which is exactly what I see confirmed again when I log back in as the admin. The user is no longer in the admin group (but is in a bunch of Cloudron groups that have been pulled in but don't have anything to do with, nor access to, this app)
Another reason to change the way it's currently working with Cloudron groups.
If possible I think the way forward would be to
-
only pull in/ sync Cloudron groups that have access to the app (i.e. don't pull in nor do anything with Cloudron groups unless those groups have specifically been given access to the app under the Cloudron App Access Control settings)
-
Make sure the group syncing thing doesn't ever touch the admin group.
Or, possibly: just don't sync with Cloudron groups at all (certainly this if you can't get that to work with the existing admin group)
-
-
@girish But syncing Cloudron group might be super useful in other cases, at least that is certainly the case with the organisation I work with and it was a relief when it started to work with LDAP.
How it should be implemented I'm not sure. I understand the concerns of @jdaviescoates when the way app access work is that, apps have access to everything unless you restrict it and give access to only specific users/groups. So following that logic it seems like the behaviour of all groups being synced (as described by @jdaviescoates) is normal (as it does for users) and that if an app should only see some groups/users, then the Cloudron admin should make sure only those groups are granted access (and then the OIDC plugin should only sync those groups and not others).
The Nextcloud admin group however should be independent of OIDC syncing and Nextcloud admins should be able to manage it independently.
-
@girish I am quite hesitate to do this in my production server as it is now, and actually with current LDAP scenario, I am satisfied. If I may suggest, will it be doable in next update, the Cloudron team can make the OIDC as optional instead of seemingly compulsory configuration? Or at least until this scenario is already proven to work seamless without any hassle.
-
@jdaviescoates I have published a new package with groups disabled. Can you please check?
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync. Cloudron only exposes groups but does not provision the app (it's not possible for Cloudron to know what group should be what).
@firmansi we can't support both LDAP and OIDC in the long run. But on platform level, we already decided to switch to OIDC for all apps. This is more secure and auditable. I think you can probably wait for the upgrade anyway till all the issues are ironed out. Most of the apps that support OIDC have already been switched to OIDC from LDAP.
-
@girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC
Now, I install manually OpenID Connect Login, but I don;t know how and where to set
Do we have to install manually first then update the package maybe? I see in this forum the scenario works fine with fresh installation, but not the old one
-
@firmansi said in Nextcloud OIDC integration:
@girish I have updated to the latest version and nothing appears in env | grep CLOUDRON_OIDC
So, I think you have installed nextcloud without Cloudron user management to start with. In that case, this change won't affect you at all. Just to double check: If you go into the app configuration -> Access Control, I guess you see Dashboard Visibility instead of User Management, correct?
-
@girish said in Nextcloud OIDC integration:
@jdaviescoates I have published a new package with groups disabled. Can you please check?
The existing test install was still broken after the update, i.e. the groups were still there and it still removed my user from the admin group.
A new test install works! No groups and user stays in the admin group once added.
-
@girish said in Nextcloud OIDC integration:
@avatar1024 OIDC Group Sync has to be configured by the package installer just like LDAP Group Sync.
Just out of interest, how is this done?
-
@jdaviescoates there is a checkbox in the UI to enable it . I forget the exact text but it's inside the OIDC app settings.
-
@girish I don't really get it, from the first time I set the Nextcloud, user management with Cloudron instead of the app, so when I add new user then it will have access to to Cloudron automatically.
Well, it;s true, What I see when I click Access Control is Dashboard Visibility. Now I set the app visible only to several groups.
-
-
@nebulon I think it's without Cloudron User Management because What i see now is only Dashboard Visibility Setting, why I seem confused, because I have been using this Nextcloud in Cloudron for the last 1,5 years, and all this time I never create new user in Nextcloud directly, but always with Cloudron Users with LDAP
-
I meant to check if your Nextcloud is actually using Cloudron usermanagement or not, since your statements are contradicting between LDAP and dashboard visibility. You can also run
env | grep LDAP
in the webterminal into that nextcloud app instance. If you see LDAP related environment variables, it means you are using Cloudron usermanagement.