Custom OAuth2 by “social login” app authentication with authentik

Hello everyone,

I’m currently integrating Authentik and Nextcloud using Custom OAuth2 in Nextcloud’s social login app. To configure Authentik, I’ve created an application named ‘Nextcloud’ with the settings shown in the attached screenshot.

After that I created the provider for the ‘Nextcloud’ application in Authentik.

The issue arises when I click the Authentik ‘Nextcloud’ application. It should redirect to “http://nextcloud.example.com/apps/sociallogin/custom_oauth2/Authentik”, but instead, it logs me directly into “nextcloud.example.com” with Authentik user credentials.

This “http://nextcloud.example.com/apps/sociallogin/custom_oauth2/Authentik” link bypasses the login UI, achieving Single Sign-On (SSO) with one click, similar to SAML.

After closing my Nextcloud site (“http://nextcloud.example.com”) without logging out, I revisited Authentik and clicked the ‘Nextcloud’ application again. However, it threw an error because I was still logged in to Nextcloud (“http://nextcloud.example.com”). For each reload the error could vary.

Interestingly, when I performed the same steps with Frappe (using social login and OAuth2), I was allowed to log in again without issues. But Nextcloud throws an error in this scenario.

You can see all the details on the Nextcloud discussion page.

I’m not sure what the problem is; SSO is IMO the reason to use Authentik?

I tested Authentik a while ago but I don’t remember there being any issue. Authentik didn’t support backchannel logout, so logging out from Nextcloud doesn’t log out the Authentik session - more or less automated login is expected on subsequent visits (but I have to admit I rarely used Authentik applications but always started from the NC login).

Be aware Social Login doesn’t allow linking SSO users already created in NC;

this was a reason to switch to user_oidc-app.

But in general it should work. I could imagine the problem results from your launch_url being set to /apps/sociallogin/custom_oauth2/Authentik, which IMHO should be the main app. The one you are using is the redirect URL where the user returns after logging in to the IdP.
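To make the launch URL vs. redirect URL distinction from the reply above concrete, here is an added toy model of the authorization-code flow. It is not code from this thread, from Nextcloud's sociallogin app or from authentik; the hosts, paths, client id and user subject are placeholders that mirror the thread's setup, and the relying party's behaviour (a callback route that only accepts a redirect carrying the `state` its own session minted) is the generic flow, not a claim about what Nextcloud does internally.

```python
"""Toy OAuth2 authorization-code flow: an IdP with an app tile and a relying
party (RP) with an app root and a callback route.

Constructed example for this thread; not Nextcloud's sociallogin code and
not authentik's. Hosts, client id and the user subject are placeholders."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

RP_BASE = "https://nextcloud.example.com"                                # placeholder
REDIRECT_URI = RP_BASE + "/apps/sociallogin/custom_oauth2/Authentik"
IDP_AUTHORIZE = "https://authentik.example.com/application/o/authorize/"  # placeholder
CLIENT_ID = "nextcloud-client-id"                                        # placeholder


def _query(url):
    """Flatten the query string of a URL into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorize_url(redirect_uri, state):
    """Authorization request the RP sends the browser to."""
    return IDP_AUTHORIZE + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri, "scope": "openid email profile",
        "state": state})


class IdP:
    """Authorization server; the browser is assumed to already hold an IdP session."""

    def __init__(self):
        self.registered = {CLIENT_ID: REDIRECT_URI}   # exact-match allow list
        self.codes = {}                               # single-use codes

    def authorize(self, url):
        q = _query(url)
        if self.registered.get(q.get("client_id")) != q.get("redirect_uri"):
            return "error: redirect_uri not registered for this client"
        code = secrets.token_urlsafe(16)
        self.codes[code] = "alice@example.com"        # constructed subject
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def exchange(self, code):
        return self.codes.pop(code)


class RP:
    """Relying party with one browser session and two routes."""

    def __init__(self, idp):
        self.idp = idp
        self.session = {}

    def handle(self, url):
        if urlparse(url).path == urlparse(REDIRECT_URI).path:
            return self.callback(url)
        if "user" in self.session:
            return "ok: already logged in as " + self.session["user"]
        return self.start_login()

    def start_login(self):
        """App root, no session: mint a state, bind it to the session, go to the IdP."""
        state = secrets.token_urlsafe(16)
        self.session["state"] = state
        return build_authorize_url(REDIRECT_URI, state)

    def callback(self, url):
        """Redirect URL: only valid as the final hop of a flow this session started."""
        q = _query(url)
        expected = self.session.pop("state", None)    # consumed whether or not it matches
        if "code" not in q or "state" not in q:
            return "error: callback reached without code/state"
        if expected is None or not secrets.compare_digest(q["state"], expected):
            return "error: state mismatch (reused or foreign callback)"
        self.session["user"] = self.idp.exchange(q["code"])
        return "ok: logged in as " + self.session["user"]


def simulate(launch_url, rp=None):
    """Follow the redirect chain from the IdP's app tile until the RP answers."""
    rp = rp or RP(IdP())
    url = launch_url
    for _ in range(5):
        result = rp.handle(url) if url.startswith(RP_BASE) else rp.idp.authorize(url)
        if not result.startswith("http"):
            return result
        url = result
    return "error: redirect loop"


if __name__ == "__main__":
    print("launch_url = app root:    ", simulate(RP_BASE))
    print("launch_url = redirect URL:", simulate(REDIRECT_URI))
```

With the app root as launch URL the chain is tile → RP root → IdP authorize → callback → logged in. With the callback path as launch URL the browser arrives at the redirect route with no `code` or `state`, and a callback URL that is replayed after its `state` was consumed fails the state check, which is the kind of second-visit error the original post describes; in the model a second visit to the app root while logged in simply succeeds.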