feat: integrate login via OIDC #212
Disabling the OIDC authentication can be done via:
`ucr set appcenter/apps/nextcloud/disable-oidc-login=true`

Setting the OIDC login identifier (displayed in the login dialog) can be achieved via:
`ucr set appcenter/apps/nextcloud/oidc-identifier=UCS`

Disabling the SAML authentication can be done via:
`ucr set appcenter/apps/nextcloud/disable-saml-login=true`

Changing these settings requires a new run of the joinscript.

Nextcloud by default doesn't permit accessing local networks, which makes testing harder. It just says: `Could not reach the OpenID Connect provider.`. For testing purposes this can just be disabled via adding `'allow_local_remote_servers' => true,` to `/var/www/html/config/config.php`.

Fixes: nextcloud#204
Signed-off-by: Florian Best <best@univention.de>
| --redirect-uri "$NC_OIDC_BASE_URL/*" \ | ||
| --request-uris "$NC_OIDC_BASE_URL/apps/user_oidc/*" \ |
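Review bot: `--redirect-uri "$NC_OIDC_BASE_URL/*"` registers a wildcard over the whole Nextcloud origin as a valid redirect URI, which is far broader than the client needs: Keycloak will then send an authorization code to any path on that host, not only to the user_oidc login callback. Restrict it to the callback path, consistent with the `--request-uris "$NC_OIDC_BASE_URL/apps/user_oidc/*"` on the next line (or better, the exact callback URI). Note also that Keycloak validates the redirect after logout against the client's separate post-logout redirect URI setting, not against this list, so an "Invalid redirect uri" on logout is not fixed by widening this value.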
And on logout we end up with the Keycloak screen showing an "Invalid redirect uri" error.
The cause is probably here; I can only test next week.
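The redirect-uri registration and the logout error discussed above both come down to which redirect URIs the Keycloak client accepts. The following POSIX shell snippet is an added example, not code from the univention nextcloud app or its joinscript: it derives the exact callback URI for the Nextcloud user_oidc app from `NC_OIDC_BASE_URL` and rejects candidates that a joinscript should never register, such as a wildcard over the whole origin, a non-https URI, or a look-alike host. The callback path `/apps/user_oidc/code` is an assumption; the page only shows the `/apps/user_oidc/*` prefix.

```shell
#!/bin/sh
# Added example, not code from the univention nextcloud app or its joinscript.
# Builds the exact Keycloak redirect URI for the Nextcloud user_oidc app and
# rejects overly broad candidates such as "$NC_OIDC_BASE_URL/*" before they
# would be registered on the client.
#
# Assumption: user_oidc receives the authorization code at
# <base>/apps/user_oidc/code. The page only shows the /apps/user_oidc/* prefix.

# Print the exact callback URI for a given Nextcloud base URL.
nc_oidc_callback_uri() {
    base="${1%/}"                      # tolerate a trailing slash
    printf '%s/apps/user_oidc/code\n' "$base"
}

# check_redirect_uri BASE_URL URI
# Returns 0 only if URI is safe to register as a redirect URI for the client:
# no wildcard, https scheme, same origin as BASE_URL and under the user_oidc path.
check_redirect_uri() {
    base="${1%/}"
    uri="$2"
    case "$uri" in
        *'*'*)
            echo "reject: wildcard in redirect URI: $uri" >&2; return 1 ;;
    esac
    case "$uri" in
        https://*) ;;
        *)  echo "reject: redirect URI must use https: $uri" >&2; return 1 ;;
    esac
    # "$base"/* requires a '/' right after the base, so a look-alike host such as
    # https://nc.example.test.evil.test is not accepted as the same origin.
    case "$uri" in
        "$base"/apps/user_oidc/*) return 0 ;;
        "$base"/*)
            echo "reject: not under the user_oidc callback path: $uri" >&2; return 1 ;;
        *)
            echo "reject: redirect URI outside $base: $uri" >&2; return 1 ;;
    esac
}

# Demo on constructed values (no real hosts involved).
NC_OIDC_BASE_URL="https://nc.example.test"
for candidate in \
    "$NC_OIDC_BASE_URL/*" \
    "http://nc.example.test/apps/user_oidc/code" \
    "https://nc.example.test.evil.test/apps/user_oidc/code" \
    "$(nc_oidc_callback_uri "$NC_OIDC_BASE_URL")"
do
    if check_redirect_uri "$NC_OIDC_BASE_URL" "$candidate"; then
        echo "accept: $candidate"
    fi
done
```

Only the last candidate is accepted; the wildcard, the plain-http URI and the look-alike host are rejected with a reason on stderr. In a joinscript the accepted value is what would be passed to `--redirect-uri`, which keeps the Keycloak client's redirect list as narrow as the login flow requires.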
| univention-app shell nextcloud sudo -u www-data php /var/www/html/occ user_oidc:provider \ | ||
| -c "$CLIENT_ID" \ | ||
| -s "$CLIENT_SECRET" \ | ||
| -d "$(univention-keycloak "$@" get-keycloak-base-url)/realms/ucs/.well-known/openid-configuration" \ | ||
| "${appcenter_apps_nextcloud_oidc_identifier:-UCS}" || die "Could not configure Keycloak as Nextcloud OpenID Provider" |
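Review bot: `-s "$CLIENT_SECRET"` hands the client secret to `occ user_oidc:provider` as a command-line argument that travels through `univention-app shell`, `sudo` and `php`, so it is visible in the process list inside the container for the lifetime of the command and can end up in shell history or in the joinscript log if tracing is ever enabled. If `occ user_oidc:provider` offers a way to read the secret from a file or from stdin, prefer that; otherwise make sure the joinscript never runs with `set -x` around this call and that its output is not captured into a world-readable log.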
One thing I noticed, OIDC does not seem to play along with LDAP, and administrators are not promited ot NC admins either.
OK, NC admins cannot log in because they don't exist in Keycloak.
I didn't have problems for Administrator accounts (from UCS)
"are not promited ot " means "are not permitted or" ?