Server: Enable single sign-on with OAuth 2 / OIDC (for Azure AD, Google Apps, and more)

Created on 2 Aug 2017 · 46 comments · Source: nextcloud/server

Please enable Nextcloud to authenticate users via OAuth 2 / OpenID Connect. This will allow signing into NextCloud using credentials from Azure AD or Google Apps, for example (but in theory with any identity provider that supports those protocols).

Organizations are gradually moving away from LDAP and other legacy auth protocols to embrace OAuth 2 and/or OpenID Connect. Many younger companies don't even have Active Directory servers, and only use Azure AD (i.e. Office365) or Google Apps.

LDAP is old, heavy, requires external libraries (and PHP extensions), and slow. And, of course, it requires domain controllers, and setting it up is sometimes not trivial.

Using OAuth 2 and/or OpenID Connect would enable easier configuration, a much improved user experience, more stability and true single sign-on.

PS: Box, DropBox and others already support SSO with Azure AD and/or Google Apps!

Labels: 1. to develop, enhancement, authentication

All 46 comments

An app implementing OIDC or OAuth2 login would be welcome, however this would not be part of the server core and should be implemented as a dedicated app.

Note that we already support SSO using SAML 2.0 which Azure AD as well as Google Apps both support as IdP.

SAML is not less pain than LDAP, sadly (I'd say even more)... the goal of using OIDC/OAuth2 is that they would drastically simplify the architecture and the setup.

@LukasReschke So, I've been trying to set up SAML, and here's the biggest problem I've found so far: quoting from the documentation, "you can use the Nextcloud LDAP user provider to keep the convenience for users. (e.g. when sharing)". Essentially, SAML still requires me to have a domain controller; switching to OIDC and having the proper endpoints would remove that limitation.

Is this fixed by that plugin?
https://nextcloud.com/blog/open-id-sso-by-gluu-oxd-is-now-integrated-to-nextcloud/

Or this?
https://apps.nextcloud.com/apps/user_saml

Didn't grok them or their relation yet...

Gluu: No, this doesn't quite solve it because that plugin requires the oxd server which is a paid service...
user_saml: this is not OIDC which is what's being requested by this open issue

Good to clarify.

As of gluu: the above url says:

Gluu’s OpenID Connect Single Sign-On (SSO) NextCloud APP will enable you to authenticate users against any standard OpenID Connect Provider (OP). If you don’t already have an OpenID Provider you can use for example Google or deploy the free and open source Gluu Server.

So this sounds like Gluu implements OIDC and their Nextcloud plugin can also connect to any other OIDC server. Did I get this wrong?

Right, re-reading the pages, Gluu oxd is in fact proprietary middleware decorated with marketing gibberish that hides that fact.

As OpenID Connect builds on OAuth2, can this be a start?
https://github.com/nextcloud/apps/tree/master/user_oauth

@axel-rutz This app implements the server-side part of OAuth, so I don't think it could be a start.

OAuth2 would in fact be a great addon. As I understand, NC already uses OAuth, but it is not exposed in the UI and is intended only for external storage... I think it would be a good idea to enhance it to be more open and flexible for users to configure themselves with other services. After all, the whole point (at least for me) of using NC is to be free from Google / Microsoft / Dropbox etc.

@x9t9 this issue is actually for a different thing... being able to use OIDC/OAuth to authenticate into Nextcloud. That is, as an alternative to LDAP...

I expect this request about OAuth2 is about what they have now released for ownCloud? https://owncloud.org/blog/introducing-oauth2-secure-authorization-flow/

@EgoAleSum - I am sorry, but I really do not understand why this issue is different. If Nextcloud exposes both parts of OAuth2 then any vendor could potentially use it: to authenticate into Nextcloud from other vendors / services, and also vice versa. Nextcloud can be a server to authenticate users for other services / plugins / vendors, and exposing the service in a better way in the UI will allow other services to authenticate users for ownCloud (Twitter, Facebook, MyOwnServiceSite, Google etc... even other Nextcloud servers).

@neufeind IMHO what ownCloud integrated now is still not exposed enough. It is offered for the specific client; what is really needed is an open service (API?) and UI. I also did not really find where it is documented. Looking at the repository there is in fact a class to handle OAuth2 in Nextcloud.

@neufeind and @x9t9 again, what you're talking about is different.

What ownCloud introduced is the ability for OC clients to authenticate with the OC server using OAuth. That is: OC acts as the OAuth server.

This issue is about having the NC server use an external OAuth/OpenID Connect directory to authenticate users. So, the clients would not authenticate with NC anymore, but rather with a third-party (Azure AD, Google Apps), and then pass the claim to the NC server.

Maybe someone (OP or admin) can update the title to something like
"Let Nextcloud authenticate users against external OAuth / OpenID Connect Server"

I'm trying to make this work: https://github.com/maltevogl/useroidc
But so far having issues with autoloading classes... Maybe somebody could take a look?

Error: Class 'OpenIDConnectClient' not found
/var/www/nextcloud/apps/useroidc/lib/Controller/AuthController.php - line 55: OCA\UserOidc\OpenIDConnectClient->setProvider('cilogon')
[internal function] OCA\UserOidc\Controller\AuthController->login(*** sensitive parameters replaced ***)
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 160: call_user_func_array(Array, Array)
/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php - line 90: OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\UserOidc\Controller\AuthController), 'login')
/var/www/nextcloud/lib/private/AppFramework/App.php - line 114: OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\UserOidc\Controller\AuthController), 'login')
/var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47: OC\AppFramework\App main('OCA\\UserOidc\\Co...', 'login', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
[internal function] OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
/var/www/nextcloud/lib/private/Route/Router.php - line 299: call_user_func(Object(OC\AppFramework\Routing\RouteActionHandler), Array)
/var/www/nextcloud/lib/base.php - line 1010: OC\Route\Router->match('/apps/useroidc/...')
/var/www/nextcloud/index.php - line 40: OC handleRequest()

@dimm0: That's really good news!
To your question: I'm not too deep into that, but from a quick look it might be that the composer.json lacks the psr4 info like so:

    "autoload": {
        "psr-4": {
            "OCA\\UserOidc\\": "lib"
        }
    }

For further issues you might want to

  • fork that repo
  • add an issue with more info
  • link that issue(s) here

HTH!

Hello. I do quite a lot of SSO integration, and indeed having an OIDC (OpenID Connect) app for Nextcloud would be far, far better than the existing SAML. Not that the SAML app is bad (it's a little picky about what it accepts, but it's OK), but SAML itself is complicated and hard to integrate, while OIDC typically is a lot easier. The Gluu stuff is not a solution (you have to pay and it's closed source, indeed).

I tried enabling https://github.com/maltevogl/useroidc again with CILogon in Nextcloud 13. After fixing a couple of things in the code I've hit a problem with usernames: the user ID in CILogon is a URL, and Nextcloud doesn't like having symbols in usernames. So at this point I gave up making it work.
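The username problem reported above (a URL-shaped OIDC `sub` that fails Nextcloud's character rule) is normally avoided by never using the raw subject as the local user id. The following Python is an added example, not code from this thread, from the useroidc app or from Nextcloud. It assumes the username rule quoted in Nextcloud's own error message (letters, digits, space and `_.@-'`) plus a 64-character limit, and it uses a constructed issuer and subject rather than real CILogon data. It derives a stable local id from the (iss, sub) pair, which OpenID Connect guarantees to be unique per provider, instead of from `email` or `preferred_username`, which a provider may change or reassign; a Nextcloud app would do the same in PHP.

```python
import hashlib
import re

# Assumption: Nextcloud's user id rule, as stated in its own error message
# ('Only the following characters are allowed in a username: "a-z", "A-Z",
# "0-9", spaces and "_.@-\'"') and a 64-character length cap.
NEXTCLOUD_UID_RE = re.compile(r"[A-Za-z0-9 _.@\-']+")
NEXTCLOUD_UID_MAX_LEN = 64


def is_valid_nextcloud_uid(uid: str) -> bool:
    """True if `uid` would be accepted as a Nextcloud user id under the rule above."""
    return 0 < len(uid) <= NEXTCLOUD_UID_MAX_LEN and NEXTCLOUD_UID_RE.fullmatch(uid) is not None


def oidc_subject_to_uid(claims: dict, expected_issuer: str, prefix: str = "oidc-") -> str:
    """Derive a deterministic, valid Nextcloud uid from an ID token's (iss, sub) pair.

    The issuer is checked against the configured provider first, so a token minted by
    some other provider can never be mapped onto a local account. The prefix keeps the
    derived ids from colliding with accounts created by hand or via LDAP.
    """
    iss = claims.get("iss")
    sub = claims.get("sub")
    if iss != expected_issuer:
        raise ValueError(f"ID token issuer {iss!r} is not the configured provider")
    if not isinstance(sub, str) or not sub:
        raise ValueError("ID token has no usable sub claim")
    # Hash issuer and subject together, length-prefixing each part so that
    # ("a", "bc") and ("ab", "c") cannot produce the same digest.
    h = hashlib.sha256()
    for part in (iss, sub):
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    uid = prefix + h.hexdigest()[:32]
    if not is_valid_nextcloud_uid(uid):
        raise ValueError("derived uid violates the username rule (check the prefix)")
    return uid


# Constructed sample claims (hypothetical issuer, not real CILogon data): a URL-shaped
# subject, which the thread reports Nextcloud rejects when used directly as the username.
SAMPLE_ISSUER = "https://idp.example.org"
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "sub": "https://idp.example.org/users/12345",
    "email": "alice@example.org",
}

if __name__ == "__main__":
    print("raw sub accepted as uid?", is_valid_nextcloud_uid(SAMPLE_CLAIMS["sub"]))
    print("derived uid:", oidc_subject_to_uid(SAMPLE_CLAIMS, SAMPLE_ISSUER))
```

The human-readable name or e-mail from the token can still be stored as the account's display name; only the stable, opaque id should be the key that links an account to the identity at the provider, because that is the value an attacker cannot obtain by registering a look-alike e-mail at the same provider.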

Thanks for flagging this. I think this is something, but still not offering everything that I had in mind. The end goal would have to be a module that offers the same support that is offered for LDAP, which is a very legacy protocol that many are hoping to get rid of :)

A deep integration with directory services such as Google Apps and Azure AD / Office365 would not only require support for authentication through OAuth, but also the ability to use the remote directory as user database (so users wouldn't have to be re-provisioned inside Nextcloud, and every user in the directory is automatically a user in NC).

Any updates here?

I made a small tutorial to do authentication with Azure AD Connect for Nextcloud:

https://gist.github.com/wgroenewold/ace6a64537f0f500676a325632796261

That’s very interesting, thanks!

It’s a step in the right direction as it provides SSO. It still doesn’t integrate with the directory and requires LDAP somewhere, however :(

The release notes for NextCloud 12 say
"Nextcloud also offers deep integration with various enterprise authentication methods. These include:

OpenID Connect
OAuth2"

Though, how does this work exactly? I haven't found clear instructions anywhere.

@akloster
I know what you mean, it's not really easy to set it up.
I could make a connection between OpenID on WordPress and Nextcloud, but the way the user name gets displayed in Nextcloud is not really satisfying :/

How did you do it and was it OpenID or OpenID connect?

@akloster I have used the OpenID Plugin for wordpress https://de.wordpress.org/plugins/openid/
and the simpleID software https://github.com/simpleid/simpleid
Unfortunately its version 2, which is providing OIDC, is in development and the developer seems not really to be motivated or open for support to finish it. The documentation of version 2 is unclear. If you are fine with OpenID v1, then you can self-host it and get it connected with WordPress and with Nextcloud. But it doesn't really look to be in development anymore. Currently VERIMI (closed source, proprietary) and ID4ME (public open development, supported by large corporations, on GitLab) are the latest approaches for a modern identity service. ID4ME at least provides a similar structure to OpenID, but is not domain based, it's DNS based, which doesn't make it easier.

Again, however, please note that this issue is about something a bit different. Not just SSO, but a deeper integration with the SaaS directory.

+1
I'd like to use solid as my Identity Provider, which supports WebID-OIDC Authentication which is based on OAuth2/OIDC.

Is this best done as a separate app or added to e.g. user_external?

Took a stab at an OIDC auth relay over in https://github.com/nextcloud/user_saml/pull/308, feedback very welcome!

You can already use Nextcloud with any OIDC-conformant IdP, including the German IdPs "netID" and "Verimi", by using Auth0 as a broker in between Nextcloud and the original IdP.
Since Nextcloud supports SAML2 already out of the box, you'd set up Nextcloud with SAML2 and Auth0 as IdP (broker), while in Auth0 you configure any OIDC connection (netID, Verimi, etc.).

Nextcloud <-- (SAML2) --> Auth0 <-- (OIDC) --> any OIDC-conformant IdP

Useful resources related to this:

Nice thing about this approach is that it's entirely based on officially supported (=supported in SLA) Nextcloud components (user_saml), doesn't rely on mod_auth_openidc.

Additionally, you'd get additional optional features such as account linking / merging (i.e. user logs in via username/password and next time via OIDC/social login, both users can automatically be merged into one user - having two identities).

(Disclaimer: I worked at Nextcloud before, I now work at Auth0.)

Hi @mathiasconradt please see my comment above for more details:

The end goal would have to be a module that offers the same support that is offered for LDAP, which is a very legacy protocol that many are hoping to get rid of :)

A deep integration with directory services such as Google Apps and Azure AD / Office365 would not only require support for authentication through OAuth, but also the ability to use the remote directory as user database (so users wouldn't have to be re-provisioned inside Nextcloud, and every user in the directory is automatically a user in NC).

(Big fan of Auth0 too - just check my profile for some stuff I've done with them - but my ask is for a deeper directory integration than just what current SAML implementation offers)

@ItalyPaleAle Got it. Yes, your initial request was a bit broader, so for cases where simply OIDC is needed, the above might be a way to go ad hoc and with supported components.

It would be very nice to implement an OIDC client that would work just like user_saml.
user_saml is not a solution because I'm using Keycloak and through SAML I can't manage permissions for user accounts there for which sites they can log in to.

Social login is not a solution either because it offers login through OIDC as one of the options, while I want it to be the only option, with the Nextcloud login page always redirecting to the Keycloak realm login; another issue with social login is that users that existed before connecting OIDC can log in either through Keycloak with their Keycloak passwords OR through the Nextcloud login with their OLD Nextcloud passwords.

@zamgreg

social login is not a solution either because it offers login through oidc as one of the options, while I want it to be the only option, with nextcloud login page always redirecting to keycloak realm login

You can enable the 'social_login_auto_redirect' => true setting in config.php if only one provider is configured.

I got a solution: we are currently using Azure AD to authenticate our staff. So we configured a local Active Directory server and synced all objects from Azure AD, so that we have an LDAP service locally, and use LDAP to connect Nextcloud to our local AD server. It looks hard to configure but it works.

It’s not exactly the ideal solution either, however, as you’re still relying on LDAP, and you need to manage domain controllers (with required patching, high availability...).

And you're still handling the users' credentials with LDAP. :/

@ItalyPaleAle throughout the issue you point out the issue is about external auth provider support AND alternatives to LDAP (suggesting Azure AD / Google Apps)... but your title isn't clear on that latter subject imo (it mentions the two providers but in relation to OIDC, which I don't think is the intent).

Personally these are two separate issues, so it doesn't help that this issue thread is trying to discuss/request both.

Are there open-source self-hosted alternatives to LDAP that are acceptable to you offering similar experience/parity to what Azure AD or Google Apps is? (I don't have experience with either).

I'm personally interested in OIDC support (or something like Grafana's Auth Proxy, which uses a config to match with HTTP auth headers), preferably with Keycloak (it provides built-in LDAP or you can use an external provider). The SAML support as mentioned isn't sufficient, as others have shared.


I'm not using NextCloud myself yet, I have come across this NextCloud app for OIDC:

Makes it possible to create users and log in via one single OpenID Connect provider. Even though a fork of nextcloud-social-login, it fundamentally differs in two ways: it aims for simplistic, single-provider login (and hence is very minimalistic), and it supports having LDAP as the primary user backend. This way, you can use OpenID Connect to log in to Nextcloud while maintaining an LDAP backend with attributes with the LDAP plugin. Supports automatic discovery of endpoints through the OpenID Connect spec, with a single provider configuration attribute.

Could anyone with a Nextcloud setup give that a try and provide some feedback on whether it does the job well? (I'm OK with LDAP for now if I can get single OIDC provider login working, as this seems to imply.)

@polarathene they are two separate issues but tightly connected, as you can't implement connecting to an external directory without implementing OIDC first.

Yeah... so raise the OIDC issue and push for that first. Doesn't need support for an external directory to get that through. Optionally raise a 2nd issue about external directory support and link back to it depending on the OIDC issue.

Instead you are trying to push for both in a single issue, but they're separate features.

The title itself still needs to be more clear about your two intents imo. How about:

Support for SSO with OAuth/OIDC(Google, Github, Keycloak) and external directories(Azure AD, Google Apps)

I have forked @zorn-v's nextcloud-social-login to nextcloud-oidc-login, which supports only OpenID Connect 1.0 and has very different design philosophy (only one login provider).

It would be very nice to implement an OIDC client that would work just like user_saml.
user_saml is not a solution because I'm using Keycloak and through SAML I can't manage permissions for user accounts there for which sites they can log in to.

Social login is not a solution either because it offers login through OIDC as one of the options, while I want it to be the only option, with the Nextcloud login page always redirecting to the Keycloak realm login; another issue with social login is that users that existed before connecting OIDC can log in either through Keycloak with their Keycloak passwords OR through the Nextcloud login with their OLD Nextcloud passwords.

Followup. Everything is fine, no issues. The first one could be managed on Keycloak's side by adding a custom script to a login flow; the second thing could be managed by manually deleting the strings with your existing users from the Nextcloud DB. Those users will be recreated after login and you'll keep everything, because the uids are the same and all references to users in the DB are there. It sounds like bad advice, though after such recreation (after switching to user_saml in my case, though this should be applicable to social login as well) I had everything in place, even my unread articles in the RSS reader.
