Hide login form via external reverse proxy

Hi

I access NC in two patterns, via an external reverse proxy and via an internal reverse proxy. I also have an SSO application (OpenID Connect backend) installed on NC.
For access from the external reverse proxy, only SSO users should be able to log in, but for access from the internal reverse proxy, it is necessary to allow local administrator accounts to log in as well.
Therefore, I came up with a way to add the following settings to config.php. Please tell me how to set it correctly.

$CONFIG = array (
  if ($REVERSE_PROXY_IP == 172.17.0.100) :
    'hide_login_form' => true,
  endif;
);

In user_oidc you can disable the login form by default:

If there is only one OIDC provider configured, it can be made the default login
method and the user would get redirected to the provider immediately for the
login. Admins can still use the regular login through adding the ?direct=1
parameter to the login URL.

By activating this setting with occ config:app:set user_oidc allow_multiple_user_backends --value=0 you force everybody to use the OpenID login… If you block the ?direct=1 in your external reverse proxy config, this should satisfy your requirement…

UPDATE: replace wrong ?redirect=1 with correct ?direct=1

1 Like
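Added example, not part of the thread and not Nextcloud or user_oidc code: the decision an external reverse proxy rule has to make when it blocks the direct parameter, written as a small Python check that can be run over request URLs to test such a rule. Assumptions: the login paths are the two forms that appear in this thread, any value of the parameter is refused, and names are decoded before comparison because PHP decodes them on the backend; all function names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# Assumption: the two login paths that appear in the thread.
LOGIN_PATHS = {"/login", "/index.php/login"}
BLOCKED_PARAM = "direct"


def query_names(query):
    """Return the parameter names roughly as PHP would expose them in $_GET."""
    names = set()
    for pair in query.split("&"):
        raw_name = pair.split("=", 1)[0]
        # PHP percent-decodes names and drops leading spaces.
        name = unquote_plus(raw_name).lstrip(" ")
        # PHP turns direct[]=1 or direct[x]=1 into an array called "direct".
        name = name.split("[", 1)[0]
        if name:
            names.add(name.lower())  # case-folded: stricter than PHP, on purpose
    return names


def normalized_path(path):
    """Decode the path, collapse repeated slashes and resolve dot segments."""
    collapsed = re.sub(r"/+", "/", unquote(path))
    return posixpath.normpath(collapsed).lower()


def is_direct_login(url):
    """True if the request asks for the local login form via the direct parameter."""
    parts = urlsplit(url)
    if normalized_path(parts.path) not in LOGIN_PATHS:
        return False
    return BLOCKED_PARAM in query_names(parts.query)


def requests_to_reject(urls):
    """Filter a list of request URLs down to those the external proxy should refuse."""
    return [u for u in urls if is_direct_login(u)]
```

A rule that compares the raw query string against the literal text direct=1 passes the first two checks in this function but not the encoded or array forms, so test the real proxy rule against the same kinds of input.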

Thanks for the very helpful advice!

I made the settings you taught me and confirmed that the browser automatically redirects to the OpenID login page (Keycloak) as explained.
But for the other, ?redirect=1, I have not been able to get it to work properly.

I am accessing the URI with the option added at the end of the normal login page URL, using a Firefox/Chrome browser as shown below, but it is still redirected to the Keycloak page.

https://nextcloud.mydomain.com/index.php/login?redirect=1

Is this procedure correct?

Till now I didn't implement it… A further check shows it must be ?direct=1. For some reason I had the wrong reference ?redirect=1 in my written text even though the quote was right :zipper_mouth_face:. In my dev system I successfully tested https://<my.cloud.tld>/login?direct=1 (in my case index.php is rewritten by the reverse proxy; just use your login URL without automatic redirection).

1 Like

Oops, I accidentally forgot to check the reference page :crazy_face:.
I was able to clear the issue.

Thank you very much!

1 Like