
Nextcloud

docs/content/integration/openid-connect/clients/nextcloud/index.md

Tested Versions

{{% oidc-common %}}

Assumptions

This example makes the following assumptions:

  • Application Root URL: https://nextcloud.{{< sitevar name="domain" nojs="example.com" >}}/
  • Authelia Root URL: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/
  • Client ID: nextcloud
  • Client Secret: insecure_secret

Some of the values presented in this guide can automatically be replaced with documentation variables.

{{< sitevar-preferences >}}

{{< callout context="caution" title="Important Note" icon="outline/alert-triangle" >}} It has been reported that some of the Nextcloud plugins do not properly encode the client secret. As such, it is important to only use alphanumeric characters and the other RFC 3986 unreserved characters (-, ., _ and ~) in the client secret. We recommend following the generating client secrets guidance above. {{< /callout >}}
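The restriction in the callout above is easiest to meet by generating the secret from a fixed alphabet rather than by hand. The following Python script is an added example for this page (it is not Authelia's or Nextcloud's own code): it generates a secret made only of RFC 3986 unreserved characters, encodes it in the $pbkdf2-sha512$ digest form that the Authelia client_secret field in the examples below uses, and verifies a secret against a digest in constant time. It assumes that Authelia's pbkdf2 digests encode the salt and key with the passlib-style adapted base64 (standard alphabet with + replaced by ., no padding); the default iteration count (310000) and salt length (16 bytes) are the values visible in the digest on this page. Authelia's own `authelia crypto hash generate pbkdf2` command remains the supported way to produce these digests; use the script to understand the format or to check a digest offline.

```python
"""Generate a Nextcloud-safe OIDC client secret and its Authelia pbkdf2-sha512 digest.

Added example, not Authelia's or Nextcloud's code. Assumes the passlib-style
adapted base64 encoding (standard alphabet, '+' -> '.', no padding) for the
salt and key fields of the digest.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# RFC 3986 section 2.3 "unreserved": ALPHA / DIGIT / "-" / "." / "_" / "~".
# Nextcloud's OIDC apps have been reported to send the secret without
# percent-encoding, so characters outside this set can break token endpoint auth.
UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def _ab64_encode(raw: bytes) -> str:
    """Adapted base64 (assumption, see module docstring): strip '=' and map '+' to '.'."""
    return base64.b64encode(raw).decode("ascii").rstrip("=").replace("+", ".")


def _ab64_decode(text: str) -> bytes:
    text = text.replace(".", "+")
    return base64.b64decode(text + "=" * (-len(text) % 4))


def generate_client_secret(length: int = 64) -> str:
    """Return a CSPRNG secret drawn only from the RFC 3986 unreserved characters."""
    return "".join(secrets.choice(UNRESERVED) for _ in range(length))


def is_nextcloud_safe(secret: str) -> bool:
    """True if the secret needs no percent-encoding anywhere in a URL or header."""
    return len(secret) > 0 and all(c in UNRESERVED for c in secret)


def pbkdf2_sha512_digest(secret: str, *, iterations: int = 310000, salt: Optional[bytes] = None) -> str:
    """Return '$pbkdf2-sha512$<iterations>$<salt>$<key>' for the given secret."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha512", secret.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha512${iterations}${_ab64_encode(salt)}${_ab64_encode(key)}"


def verify_client_secret(secret: str, digest: str) -> bool:
    """Recompute the digest from its own salt and iteration count, compare in constant time."""
    try:
        _, algo, iterations, salt_b64, key_b64 = digest.split("$")
    except ValueError:
        return False  # not the four-field format we know how to check
    if algo != "pbkdf2-sha512":
        return False
    salt = _ab64_decode(salt_b64)
    expected = _ab64_decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha512", secret.encode("utf-8"), salt, int(iterations), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    secret = generate_client_secret()
    digest = pbkdf2_sha512_digest(secret)
    print("client_secret for config.php / the user_oidc provider:", secret)
    print("client_secret digest for the Authelia clients entry:  ", digest)
    print("round-trip verifies:", verify_client_secret(secret, digest))
```

The plaintext secret goes into Nextcloud (config.php or the user_oidc provider), and only the digest goes into the Authelia clients entry. To check an existing digest, call verify_client_secret with the plaintext and the digest string; a False result for a secret you know to be correct means the encoding assumption above does not match your Authelia version, in which case rely on the Authelia CLI.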

Available Options

The following two tested options exist for Nextcloud:

  1. OpenID Connect Login App
  2. OpenID Connect user backend App

OpenID Connect Login App

The following example uses the Nextcloud OpenID Connect Login app, which is assumed to be installed and to have pretty URLs enabled when following this section of the guide (the redirect URI below has no index.php component and so depends on pretty URLs).

Configuration

Authelia

{{< callout context="tip" title="Did you know?" icon="outline/rocket" >}} The is_nextcloud_admin user attribute renders the value true if the user is in the nextcloud-admins group within Authelia, otherwise it renders false. You can adjust this to your preference to assign the admin role to the appropriate user groups. {{< /callout >}}

The following YAML configuration is an example Authelia client configuration for use with Nextcloud which will operate with the application example:

```yaml
definitions:
  user_attributes:
    is_nextcloud_admin:
      ## Expression to evaluate admin privilege for Nextcloud.
      expression: '"nextcloud-admins" in groups'

identity_providers:
  oidc:
    claims_policies:
      nextcloud_userinfo:
        custom_claims:
          is_nextcloud_admin: {}

    scopes:
      nextcloud_userinfo:
        claims:
          - 'is_nextcloud_admin'

    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'nextcloud'
        client_name: 'NextCloud'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        claims_policy: 'nextcloud_userinfo'
        redirect_uris:
          - 'https://nextcloud.{{< sitevar name="domain" nojs="example.com" >}}/apps/oidc_login/oidc'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
          - 'nextcloud_userinfo'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
```

Application

To configure Nextcloud and the Nextcloud OpenID Connect Login app there is one method, using the Configuration File.

Configuration File

{{< callout context="tip" title="Did you know?" icon="outline/rocket" >}} Generally the configuration file is named config.php. {{< /callout >}}

To configure Nextcloud and the Nextcloud OpenID Connect Login app to utilize Authelia as an OpenID Connect 1.0 Provider use the following configuration:

```php
$CONFIG = array (
    'allow_user_to_change_display_name' => false,
    'lost_password_link' => 'disabled',
    'oidc_login_provider_url' => 'https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}',
    'oidc_login_client_id' => 'nextcloud',
    'oidc_login_client_secret' => 'insecure_secret',
    'oidc_login_auto_redirect' => false,
    'oidc_login_end_session_redirect' => false,
    'oidc_login_button_text' => 'Log in with Authelia',
    'oidc_login_hide_password_form' => false,
    'oidc_login_use_id_token' => false,
    'oidc_login_attributes' => array (
        'id' => 'preferred_username',
        'name' => 'name',
        'mail' => 'email',
        'groups' => 'groups',
        'is_admin' => 'is_nextcloud_admin',
    ),
    'oidc_login_default_group' => 'oidc',
    'oidc_login_use_external_storage' => false,
    'oidc_login_scope' => 'openid profile email groups nextcloud_userinfo',
    'oidc_login_proxy_ldap' => false,
    'oidc_login_disable_registration' => true,
    'oidc_login_redir_fallback' => false,
    'oidc_login_tls_verify' => true,
    'oidc_create_groups' => false,
    'oidc_login_webdav_enabled' => false,
    'oidc_login_password_authentication' => false,
    'oidc_login_public_key_caching_time' => 86400,
    'oidc_login_min_time_between_jwks_requests' => 10,
    'oidc_login_well_known_caching_time' => 86400,
    'oidc_login_update_avatar' => false,
    'oidc_login_code_challenge_method' => 'S256'
);
```

OpenID Connect user backend App

The following example uses the Nextcloud OpenID Connect user backend app, which is assumed to be installed and to have pretty URLs enabled when following this section of the guide (the redirect URI below has no index.php component and so depends on pretty URLs).

Configuration

Authelia

The following YAML configuration is an example Authelia client configuration for use with Nextcloud which will operate with the application example:

```yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'nextcloud'
        client_name: 'NextCloud'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://nextcloud.{{< sitevar name="domain" nojs="example.com" >}}/apps/user_oidc/code'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'
```

Application

To configure Nextcloud and the Nextcloud OpenID Connect user backend app there are two methods, using the Web GUI or using the CLI.

Web GUI

To configure Nextcloud and the Nextcloud OpenID Connect user backend app to utilize Authelia as an OpenID Connect 1.0 Provider, use the following instructions:

  1. Edit the OpenID Connect configuration in the Nextcloud Administration settings:

    • Identifier: Authelia
    • Client ID: nextcloud
    • Client secret: insecure_secret
    • Discovery endpoint: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration
    • Scope: openid email profile
  2. Add the following to the Nextcloud config.php configuration:

```php
'user_oidc' => [
  'default_token_endpoint_auth_method' => 'client_secret_post',
]
```

CLI

To configure Nextcloud and the Nextcloud OpenID Connect user backend app to utilize Authelia as an OpenID Connect 1.0 Provider, use the following instructions:

  1. Run occ user_oidc:provider Authelia --clientid="nextcloud" --clientsecret="insecure_secret" --discoveryuri="https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration

  2. Add the following to the Nextcloud config.php configuration:

```php
'user_oidc' => [
  'default_token_endpoint_auth_method' => 'client_secret_post',
]
```
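Both the OpenID Connect Login app section and the OpenID Connect user backend app section above pair an Authelia client entry with a Nextcloud-side configuration, and most failed logins come from the two halves disagreeing: a redirect URI that differs by a trailing slash or an index.php component, a scope the client entry does not allow, or a missing PKCE challenge against a client that requires one. The following Python script is an added example (not Authelia's or Nextcloud's code) that cross-checks the two halves for both apps. The dictionaries transcribe the YAML and PHP values above with example.com standing in for the domain variable; the assumption that the user backend app sends an S256 code challenge is marked in the code.

```python
"""Cross-check an Authelia client entry against what a Nextcloud OIDC app sends.

Added example, not Authelia's or Nextcloud's code. OpenID Connect Core 3.1.2.1
requires the redirect_uri to exactly match a registered value, and Authelia
rejects scopes, PKCE methods and token endpoint auth methods the client entry
does not allow, so mismatches surface as failed logins, not start-up errors.
"""
from typing import Any, Dict, List

# Assumed domain: example.com, the documented fallback for the site variable.
ROOT = "https://nextcloud.example.com"

# Transcribed from the Authelia YAML for the OpenID Connect Login app.
AUTHELIA_OIDC_LOGIN_CLIENT: Dict[str, Any] = {
    "client_id": "nextcloud",
    "public": False,
    "require_pkce": True,
    "pkce_challenge_method": "S256",
    "redirect_uris": [ROOT + "/apps/oidc_login/oidc"],
    "scopes": ["openid", "profile", "email", "groups", "nextcloud_userinfo"],
    "response_types": ["code"],
    "grant_types": ["authorization_code"],
    "token_endpoint_auth_method": "client_secret_basic",
}

# What the oidc_login app sends, derived from the config.php values above.
# Its callback path is fixed by the app; the auth method is not configurable there.
NEXTCLOUD_OIDC_LOGIN_RP: Dict[str, Any] = {
    "client_id": "nextcloud",
    "client_secret": "insecure_secret",
    "redirect_uri": ROOT + "/apps/oidc_login/oidc",
    "scope": "openid profile email groups nextcloud_userinfo",
    "code_challenge_method": "S256",
    "token_endpoint_auth_method": None,
}

# Transcribed from the Authelia YAML for the OpenID Connect user backend app.
AUTHELIA_USER_OIDC_CLIENT: Dict[str, Any] = {
    "client_id": "nextcloud",
    "public": False,
    "require_pkce": True,
    "pkce_challenge_method": "S256",
    "redirect_uris": [ROOT + "/apps/user_oidc/code"],
    "scopes": ["openid", "profile", "email", "groups"],
    "response_types": ["code"],
    "grant_types": ["authorization_code"],
    "token_endpoint_auth_method": "client_secret_post",
}

# What the user_oidc app sends with the Web GUI values and the config.php override.
# Assumption: the app sends an S256 code challenge, which the Authelia entry requires.
NEXTCLOUD_USER_OIDC_RP: Dict[str, Any] = {
    "client_id": "nextcloud",
    "client_secret": "insecure_secret",
    "redirect_uri": ROOT + "/apps/user_oidc/code",
    "scope": "openid email profile",
    "code_challenge_method": "S256",
    "token_endpoint_auth_method": "client_secret_post",
}


def check_pairing(client: Dict[str, Any], rp: Dict[str, Any]) -> List[str]:
    """Return a list of mismatches; an empty list means the pair is consistent."""
    findings: List[str] = []

    if client["client_id"] != rp["client_id"]:
        findings.append(f"client_id mismatch: {client['client_id']!r} vs {rp['client_id']!r}")

    # Exact string comparison: a trailing slash or index.php component fails the match.
    uri = rp["redirect_uri"]
    if uri not in client["redirect_uris"]:
        findings.append(f"redirect_uri {uri!r} is not registered on the client (exact match required)")
    if not uri.startswith("https://"):
        findings.append(f"redirect_uri {uri!r} is not https")

    # Every requested scope must be allowed on the client; openid is mandatory for OIDC.
    requested = rp["scope"].split()
    if "openid" not in requested:
        findings.append("scope does not include 'openid', so no ID token would be issued")
    missing = [s for s in requested if s not in client["scopes"]]
    if missing:
        findings.append(f"scopes requested but not allowed on the client: {missing}")

    # PKCE: a client that requires it rejects requests without a challenge; methods must agree.
    method = rp.get("code_challenge_method")
    if client.get("require_pkce") and not method:
        findings.append("client requires PKCE but the app sends no code_challenge_method")
    elif method and client.get("pkce_challenge_method") not in (None, method):
        findings.append(f"PKCE method mismatch: app sends {method!r}, client requires {client['pkce_challenge_method']!r}")

    # A confidential client must authenticate at the token endpoint with the agreed method.
    if not client.get("public") and not rp.get("client_secret"):
        findings.append("client is confidential but the app has no client_secret")
    rp_method = rp.get("token_endpoint_auth_method")
    if rp_method and rp_method != client["token_endpoint_auth_method"]:
        findings.append(f"token endpoint auth mismatch: app uses {rp_method!r}, client expects {client['token_endpoint_auth_method']!r}")

    # Both Nextcloud apps use the authorization code flow.
    if "code" not in client["response_types"] or "authorization_code" not in client["grant_types"]:
        findings.append("client does not allow response_type=code with the authorization_code grant")

    return findings


if __name__ == "__main__":
    for name, client, rp in (
        ("oidc_login", AUTHELIA_OIDC_LOGIN_CLIENT, NEXTCLOUD_OIDC_LOGIN_RP),
        ("user_oidc", AUTHELIA_USER_OIDC_CLIENT, NEXTCLOUD_USER_OIDC_RP),
    ):
        problems = check_pairing(client, rp)
        print(f"{name}: {'OK' if not problems else problems}")
```

Edit the dictionaries to match your deployment and run the script before the first login attempt; each finding names the side that has to change. The redirect URI check is deliberately strict because Authelia performs an exact comparison, so the value in redirect_uris has to be the app's callback with pretty URLs enabled, not a prefix.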

See Also