Nextcloud *AS* an identity provider?

I’ve got Nextcloud connected to Keycloak, and it’s fantastic. However, one thing I wish I could enable is per-user encryption, and that’s not available when using an identity provider with Nextcloud. Also, running Keycloak obviously means maintaining a separate system.

This got me thinking. Nextcloud provides authentication mechanisms, 2FA options, etc. Why can’t it be used as an identity provider in and of itself? I don’t know enough about the technical details of SAML and OIDC to know what else they provide that doesn’t already exist within Nextcloud.

Could this be developed as an app? Are there any plans for developing such a feature? What if NC was connected to LDAP and then something like SimpleSAMLphp was connected in front of the LDAP controller - would that possibly work, and would it make per-user encryption possible?

Potentially useful links:

Perhaps this should be moved to development. Mods, feel free to recategorize.

Hi Summersab,

would this be something? GitHub - nextcloud/user_oidc: OIDC connect user backend for Nextcloud

I am not sure, but as I understand it, it uses Nextcloud as the provider (?). Apologies if that's the opposite way.

Thanks for the suggestion, @denNorske. I gave it a look, and it appears to work in the opposite direction (it allows NC to connect to an identity provider, not act as one).

If you don't use external storage on a different server (which is what server-side encryption was designed for), I'd rather use end-to-end encryption (either the built-in one from Nextcloud, although it's not the oldest implementation, so I don't have recent experience to judge whether it is already stable enough, or some other end-to-end encryption).

For the identity provider:

and to solve the encryption problem:

Well, it looks like the E2E apps are pretty buggy, at the moment. I’m not sure I’d trust that in production.

Good finds on the PRs and feature requests on GitHub! That second one looks like it will solve the problem perfectly - I’m going to keep a sharp eye on that one and play with that code a little.