OAuth2 Client for Nextcloud

Hi,

I want to authorize my login against a OAuth2 Server. It uses Grant Type Authorization Code according to this link:

Besides the username, I also receive information about group memberships.

What I have already programmed is: a link to the login and a callback function in Nextcloud that receives the authorization. My idea now was to create the user in Nextcloud and assign it to the corresponding groups in Nextcloud. This works as well.

What I am currently facing is the problem that I cannot log this user in. I tried \OCP\IUserSession->login(), but it always returns false.

Any ideas?

Thank you in advance!

Thomas


Do you want to log in to Nextcloud with OAuth2, or make Nextcloud an OAuth2 provider?

Logging in to Nextcloud with OAuth2 would be great in my case. Can Nextcloud be an OAuth client?

AFAIK currently not (and the OAuth provider/server option does not give access to user details).

You could maybe build a bridge with Keycloak and the SAML plugin, but that one also depends on LDAP for user details, so it becomes a complex mess…

IMHO the best would probably be to make a new app that implements Hybridauth, see: https://hybridauth.github.io/
(They are releasing a major update, version 3.0, this month… so perfect timing for someone to take that up? :slight_smile: )

Check this https://github.com/zorn-v/nextcloud-social-login


This social-login app looks like it is implementing Hybridauth 3.0, which is pretty cool and also allows many other login providers!

Thanks a lot for this great app!

Hi @Krischan, I have been trying to set up the social login app, but I am having a logical problem:

  • My Nextcloud users have their unique IDs and email addresses.
  • The same users also have an account on my private OAuth provider server, which shares the same unique email address but not the ID (of course, the ID is generated by different databases).

How do I let Nextcloud match the users, if this matching is done only based on the ID?

I have tried to reach out to the app dev team, and they have just slammed a door in my face:

How have you managed to work around this strange problem?
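The two problems raised in this thread, running the authorization-code flow from a callback in Nextcloud and then deciding which local account the returned identity belongs to when the provider's IDs do not match Nextcloud's, are shown end to end in the following added example. It is not code from the thread, from Nextcloud or from the social-login app: both the provider (ToyAuthServer) and the Nextcloud-side client (LoginClient) are constructed in-memory stand-ins, the sample provider and local accounts are made up, and LocalDirectory matches on a case-normalized e-mail address rather than the provider's id. The flow carries a `state` value and treats each code as single-use, which the original post does not mention; both are assumptions about how the provider behaves.

```python
"""Authorization-code login against an in-memory OAuth2 provider, then matching the
returned identity to a local account by e-mail instead of provider id.

Added example (not code from the thread, from Nextcloud, or from the social-login app).
Both sides are constructed toys so the exchange runs offline; ToyAuthServer, LoginClient,
LocalDirectory and all sample users are hypothetical.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "nextcloud"                                              # constructed registration
REDIRECT_URI = "https://cloud.example/apps/oauthlogin/callback"
AUTHORIZE_URL = "https://idp.example/oauth2/authorize"
REGISTERED_CLIENTS = {CLIENT_ID: REDIRECT_URI}                       # what the provider knows

# Constructed provider accounts: ids come from the provider's own database.
PROVIDER_USERS = {
    "8f3a": {"preferred_username": "alice", "email": "Alice@Example.org", "groups": ["staff", "admins"]},
    "c2d1": {"preferred_username": "bob", "email": "bob@example.org", "groups": ["staff"]},
}
# Constructed local accounts: uid and e-mail, with no provider id stored anywhere.
LOCAL_USERS = {"alice.smith": {"email": "alice@example.org", "groups": {"users"}}}


class ToyAuthServer:
    """Stand-in for the real provider: issues one-time codes bound to client and redirect URI."""

    def __init__(self, users):
        self.users, self.codes = users, {}

    def authorize(self, authorize_url, provider_id):
        # The provider has authenticated `provider_id` and now redirects back to the client.
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        if q.get("response_type") != "code" or REGISTERED_CLIENTS.get(q.get("client_id")) != q.get("redirect_uri"):
            raise PermissionError("invalid client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "subject": provider_id, "used": False}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code, client_id, redirect_uri):
        grant = self.codes.get(code)
        if grant is None or grant["used"] or (grant["client_id"], grant["redirect_uri"]) != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        grant["used"] = True                                          # a code is redeemable once
        return {"access_token": secrets.token_urlsafe(16), "userinfo": self.users[grant["subject"]]}


class LoginClient:
    """The Nextcloud side: builds the login link and validates the callback."""

    def __init__(self, server):
        self.server, self.pending = server, set()    # pending states; really per browser session

    def login_link(self):
        state = secrets.token_urlsafe(16)            # binds the callback to the session that started it
        self.pending.add(state)
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "state": state}
        return f"{AUTHORIZE_URL}?{urlencode(params)}"

    def callback(self, redirect_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if q.get("state") not in self.pending:
            raise PermissionError("unknown or already-used state")
        self.pending.discard(q["state"])
        return self.server.token(q.get("code", ""), CLIENT_ID, REDIRECT_URI)["userinfo"]


class LocalDirectory:
    """Local accounts keyed by uid; matching to the provider identity is done by e-mail."""

    def __init__(self, users):
        self.users = {uid: {"email": u["email"], "groups": set(u["groups"])} for uid, u in users.items()}

    def uid_for_email(self, email):
        hits = [uid for uid, u in self.users.items() if u["email"].lower() == email.strip().lower()]
        return hits[0] if len(hits) == 1 else None   # several matches: refuse to guess

    def provision(self, userinfo):
        """Return the local uid for this identity, creating the account on first login."""
        uid = self.uid_for_email(userinfo["email"])
        if uid is None:
            uid = userinfo["preferred_username"]
            if uid in self.users:                     # name taken by a different e-mail: do not reuse it
                raise PermissionError(f"uid {uid} exists with another e-mail")
            self.users[uid] = {"email": userinfo["email"].lower(), "groups": set()}
        self.users[uid]["groups"] |= set(userinfo["groups"])   # sync group memberships
        return uid


def login(provider_id, directory, server=None, client=None):
    """Run one full login; return (local uid, client, redirect URL) so the redirect can be replayed."""
    server = server or ToyAuthServer(PROVIDER_USERS)
    client = client or LoginClient(server)
    redirect = server.authorize(client.login_link(), provider_id)
    return directory.provision(client.callback(redirect)), client, redirect


if __name__ == "__main__":
    d = LocalDirectory(LOCAL_USERS)
    print(login("8f3a", d)[0], d.users)   # alice.smith matched by e-mail, groups merged
    print(login("c2d1", d)[0], d.users)   # bob created on first login
```

Matching on e-mail is only as trustworthy as the provider's e-mail verification: if the provider lets a user change their address to one that is not verified, the lookup would hand that user somebody else's local account, so a deployment should only do this against a provider it controls (as in the question above) and should reject ambiguous matches rather than picking one, which is what `uid_for_email` does.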

You can ask users to manually link their OIDC account in the user settings. Otherwise, sorry I am not aware of a way to do that.

I will have a look at it, but to be honest, I don't want to give users the freedom to mess around with this kind of information, as this might create security issues.

So I would rather not allow them to change their user name and email address, and have them ask the admin for it instead.

If I recall correctly (it has been a while since I last used this app), it does not involve changing any of these details. All the manual account linking does is enable people to use the one-click login method offered by OIDC with their existing regular NC account.