Enable SSO with OAuth 2 (for Azure AD and Google Apps)

I’m so happy to hear about NextCloud! My first and only (for now, at least :slight_smile: ) request is to please introduce Single Sign-On support in NextCloud, for example with OAuth 2.

This will allow signing into NextCloud using credentials from Azure AD or Google Apps, for example.

I know ownCloud 9 already supports LDAP, but that is not an ideal solution because:

  1. LDAP is heavy, and requires lots of libraries and a PHP extension
  2. LDAP is slow
  3. LDAP requires a direct connection to the domain controller (so if NextCloud is off-prem, you need a VPN and a replicated DC)
  4. LDAP doesn’t do SSO, but just sharing of credentials
  5. No one wants to rely on a technology like LDAP which is more than 20 years old, if they had the option

I hope NextCloud will follow Box, DropBox and 1,000s of other services that allow SSO with modern protocols like OAuth! Most organizations are bringing their identities to the cloud already.


SSO is something that would be a welcome feature of Nextcloud.

In the meantime, I would like to point out solutions such as mod_auth_pubtkt that can be used at the webserver level.

Nextcloud as an OpenID-Provider would also be an idea :thinking:


@jyaworski that would not integrate with NextCloud, however, would it? That’s just for authenticating on the webserver…

@mar1u5 What I’m asking is the other way around: use OAuth/OpenID to sign in to NextCloud. This comes from the fact that most organizations today have or are going to have their identities synchronized with a cloud provider (mostly Azure AD or Google Apps), and it’s the best way to allow Single Sign-On in a web application. The only other option today is LDAP, but I think I’ve bashed it enough :slight_smile:
Making NextCloud an OpenID provider would essentially make it another identity provider, with its own directory. I’d agree it would be a “nice to have”, but I can’t really think of specific, non-niche use cases… Organizations have long standardized on Active Directory (or open source equivalents) as identity stores, and now are just synchronizing them with the cloud. For consumers that want an identity provider and can’t deploy a full Active Directory server, implementing support for Azure AD and Google Apps would make it possible to create a directory quickly on the cloud (using “cloud-only accounts”, not synchronized with AD).

OAuth 2 is not used for authentication. So you need to implement OpenID Connect.

You may as well implement SAML.

But you need to decide whether this should be an IdP or a service provider. In my opinion Nextcloud is more of a service provider.

@cornelinux I’m not suggesting creating an IdP. On the opposite: I’m suggesting allowing authentication to NextCloud (service provider) using OAuth.


Correct. It doesn’t integrate with Nextcloud. However, it could if you thought of it in a different way. 2FA can mean two passwords, and having one for the webserver and Nextcloud could fulfill that requirement.

That being said, I’m a fan of SAML like @cornelinux said. OpenID seems like it’s dying, but if it’s easy to implement sure.

@jyaworski Doing that however would certainly break all clients (desktop and mobile). And the goal is to get to a single password, not a second one :slight_smile: I’m all down for MFA, when the second factor is a token.

To be honest, we have had experiences both with LDAP, OAuth and SAML.
Our findings:

  • When it comes to an authentication backend, LDAP still is king, however only when set up right, with master/slave servers etc.
  • OAuth is nice, but focussed on authorization, less on authentication. It is clearly built to “authorize” applications, less to authenticate (not going into detail here, but read the protocol standards…)
  • SAML is… well… hell. We had it in production in several manners; it stays bulky, slow, complex, utterly ridiculous in terms of authentication, and actually it uses LDAP backends or similar, so it is nothing more than a layer on top of an Active Directory. The only advantage is that it allows you to actually stay logged in across several applications within the same enterprise backend. I personally am not a fan at all. Implementation in PHP is a disaster; the only thing that actually comes close to a solution is simpleSamlPHP, and it is not as simple as the name might promise.

If OAuth is on the table, I think @AllessandroS’s suggestion is more in the right direction :slight_smile:

Regards,

Dominique

Is it possible you confused authorization and authentication?

OAuth is generally for authentication. However, both Azure AD and Google Apps support OpenID Connect on top of OAuth 2.0 for authorization: https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios/ and https://developers.google.com/identity/protocols/OpenIDConnect

I agree LDAP is a really mature (and sometimes outdated :wink: ) protocol, but LDAP was designed for the on-prem days. OAuth/OpenID Connect are the ones for the cloud world.

:astonished:
Hopefully not (public clouds). Poor industry

@z000ao8q many organizations are fine with the public cloud; the others will stick to LDAP :wink:


Well it depends, OAuth is used by Facebook Apps for authorization, while other industries use it for authentication… hence the mix up. I agree with you however it’s confusing lol :slight_smile:

I had a working (but not very clean) mod_auth_pubtkt integration for NC9 which, unfortunately, isn’t compatible with NC10. I can post it if anybody is interested in adding support for NC10.

@andyboeh: What would it take to get it up to NC10? That seems like it might be what I’m looking for.

Hello all,

I was wondering where to find more information about this, as I don’t see it presently discussed anywhere. Has anybody pitched an implementation of this?


Hello all,

Just bumping this. I’m still looking for a way to log in to Nextcloud by using an OAuth2 provider, preferably generic so my Drupal provider can work.

Thank you!

This might be a starting point: https://github.com/nextcloud/server/tree/master/apps/oauth2

From what I understand, this is again doing the opposite to what I’m asking for. It seems that app is to turn NC into an OAuth server, so other apps can sign in using NC’s users’ database. What I wish existed was something to allow NC to authenticate users through an external directory, with a more modern protocol than LDAP.


Hey all,

Any updates on this?
We are looking for a solution to this, as what Nextcloud currently provides for these kinds of directory integrations (LDAP, SAML, Kerberos and so on) is not suitable for our needs.
We are looking for OAuth and want to have NC as an open system, not locking us in on NC’s internal user directories as we are experiencing it currently based on NC’s docs and administration experience.

Best,
erosinger