Nextcloud, Social Login with custom OpenID and EU Login

Dear Nextcloud friends and experts,

I’m working for an EU research center and I installed Nextcloud to share files with other EU teams across the world. In order to apply the EU policy, Nextcloud needs to use the SSO server to authenticate the users.

This is the first time that I use an OpenID service. From the app store I found the “Social Login” app. It seems the right app to connect Nextcloud and the “EU Login service” using the OpenID protocol. The team of the EU SSO server sent me a JSON file, but I’m not able to use it.

This is the JSON file:

{
  "application_type" : "web",
  "client_id" : "wQD4AyXXXXXXXXXXXXXMMGV",
  "client_id_issued_at" : 17XXXXX010,
  "client_name" : "neXXXXXX12",
  "client_secret" : "UeBXXXXXXXXToCrsolWo",
  "client_secret_expires_at" : 0,
  "client_type" : "confidential",
  "contacts" : [ "aXXXXXXXXXni@XXXXXXXXXX.eu" ],
  "default_acr_values" : [ "https://eAAAAAAAAAA.eu/loa/basic" ],
  "grant_types" : [ "autXXXXXXXXXde" ],
  "id_token_signed_response_alg" : "PS512",
  "jwt_access_token_explicit_type" : "at+jwt",
  "jwt_access_token_signed_response_alg" : "PS512",
  "oauth_application_type" : "web_application",
  "redirect_uris" : [ "https://dcalXXXXXXXXXXXud" ],
  "registration_access_token" : "_KSQXXXXXXXXXXXXHg4A",
  "registration_client_uri" : "https://ecaAAAAAAAAA/cas/oauth2/register?client_id=wQD4A*********SenRzWfe9MMGV",
  "response_types" : [ "code" ],
  "scope" : "openid",
  "subject_type" : "public",
  "token_endpoint_auth_method" : "client_secret_jwt"
}

I’m not able to map the Social Login “OpenID” fields to the values in the JSON file (probably I’m too stupid to understand it!).

Can someone help me set up the Social Login OpenID correctly using the JSON file, or suggest another way to use this JSON to set up Nextcloud with a custom OpenID service?

Many thanks for your help.

NB: sorry if I wrote the message in the wrong section, and for my bad English.

First of all, be aware the Social Login app is great, but there is no more active development. I would recommend using the “official” user_oidc app, which has become more polished during the last months. There is a good tutorial showing the basic setup; you will need some fine-tuning…


Dear friend,

thanks for your help.

I reply to you after six months :smile:, because the main problem was not the software configuration but the network. I spent a lot of time with the network team and the security team explaining my needs! Anyway… today I’m able to reach our OpenID system (friendly called EU Login) used by the whole European Commission.

As you suggested, I moved to the user_oidc app and everything seems to work except the algorithm. I got this message:

Message: Unrecognised or unsupported EC curve

The configuration file of Nextcloud contains these lines:

  // OpenID configuration
  // allows creating users from SSO
  'allow_local_remote_servers' => true,
  'user_oidc' => [
    // Disable the request for groups
    'enable_default_claims' => false,
    'auto_provision' => true,
    'soft_auto_provision' => true,
  ],
  'oidc_login_code_challenge_method' => 'RS256',

The OpenID server supports these methods: RS256, RS384, RS512, PS256, PS384, PS512, ES512, Ed25519, EdDSA, Ed448.

Do you know how I can solve my problem? I’m not able to find which method user_oidc is able to use.

Thanks

AndreA

From the GitHub repo GitHub - nextcloud/user_oidc: OIDC connect user backend for Nextcloud it looks like many different algorithms are supported by the libs… but I don’t see any settings at first glance. As you are a commercial user, I would recommend you open a bug report and sign an enterprise support contract with Nextcloud.

UPDATE: I don’t think oidc_code_challenge_method is required, but it seems you can apply some tweaks like code_challenge_methods_supported and/or maybe pkce_challenge_method (but I don’t find any docs so far).

I would double-check which methods your IdP supports. OpenID providers must provide a discovery endpoint, usually hosted at .well-known/openid-configuration.
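As an added example that is not from this thread or from the user_oidc project: a small Python script that maps the registration JSON posted above onto the generic fields an OIDC client asks for, then checks it against a constructed discovery document (the hostname and the advertised lists are assumptions, not the real EU Login metadata), including whether a configured code_challenge_method is actually a PKCE value (plain or S256) rather than a signing-algorithm name.

```python
# Client registration JSON as posted in the thread (redacted values kept as-is, trimmed to the fields used here).
REGISTRATION = {
    "client_id": "wQD4AyXXXXXXXXXXXXXMMGV",
    "client_secret": "UeBXXXXXXXXToCrsolWo",
    "redirect_uris": ["https://dcalXXXXXXXXXXXud"],
    "scope": "openid",
    "id_token_signed_response_alg": "PS512",
    "token_endpoint_auth_method": "client_secret_jwt",
}

# Constructed sample of what the provider's .well-known/openid-configuration returns;
# hostname and lists are assumptions, not the real EU Login metadata.
DISCOVERY = {
    "issuer": "https://idp.example.eu/cas/oauth2",
    "id_token_signing_alg_values_supported": ["RS256", "PS512", "ES512", "EdDSA"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_jwt"],
}

PKCE_METHODS = {"plain", "S256"}  # the only code_challenge_method values RFC 7636 defines


def client_settings(registration: dict, discovery: dict) -> dict:
    """Map the registration JSON onto the generic fields an OIDC client config asks for."""
    return {
        "discovery_uri": discovery["issuer"].rstrip("/") + "/.well-known/openid-configuration",
        "client_id": registration["client_id"],
        "client_secret": registration["client_secret"],
        "scope": registration.get("scope", "openid"),
        "redirect_uri": registration["redirect_uris"][0],
    }


def check_compatibility(registration: dict, discovery: dict, code_challenge_method: str) -> list:
    """Return mismatches between the registration, the provider metadata and a local PKCE setting."""
    problems = []
    alg = registration.get("id_token_signed_response_alg")
    if alg not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append(f"id_token alg {alg} is not advertised by the provider")
    auth = registration.get("token_endpoint_auth_method")
    if auth not in discovery.get("token_endpoint_auth_methods_supported", []):
        problems.append(f"token endpoint auth method {auth} is not advertised by the provider")
    # A code_challenge_method is 'plain' or 'S256'; a JWS name such as RS256 is a signing alg, not a PKCE method.
    if code_challenge_method not in PKCE_METHODS:
        problems.append(f"{code_challenge_method!r} is not a PKCE method (expected plain or S256)")
    elif code_challenge_method not in discovery.get("code_challenge_methods_supported", []):
        problems.append(f"provider does not advertise PKCE method {code_challenge_method}")
    return problems
```

Calling check_compatibility(REGISTRATION, DISCOVERY, "RS256") reports the PKCE mismatch, while "S256" yields an empty list; the real discovery document is fetched from the issuer's .well-known/openid-configuration URL before comparing.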