Proper OpenID Connect support? (port new app from Owncloud?)

After the disappointment with Gluu (e.g. their use of a for-pay middle layer), there hasn’t been much progress on implementing an OpenID Connect auth client in Nextcloud, it seems.

However, there seems to be some recent work on something like that for Owncloud, see:

Might be worth a look if it can be ported easily?

Contrary to the User_saml app it also seems to support additional user attributes like groups etc.

Or am I misunderstanding the functionality of it?


Strange that there seems to be so little interest in this, as OpenID Connect is the standard many web services are using, and it is also relatively easy to set up your own provider with:

Or Keycloak etc.

It also seems like the repository mentioned above was updated to work with Nextcloud 12 and maybe 13.

There are also several options to integrate with popular CMS.

Edit: There seems to be a further fork:


I definitely don’t understand why nobody cares about this feature… When you know how much information ID providers like Google and Co. are stealing when you use this kind of authentication, it seems to me like it is a must-have for helping people leave Google.

Some people are talking about it here (Enable SSO with OAuth 2 (for Azure AD and Google Apps))

I am very interested in this. It seems like the social login app would solve part of it at least, but there doesn’t seem to be much info out there for people who haven’t memorized pages of standards, terms, etc. I am trying to use Keycloak as an identity server with Nextcloud and a few other things.

You can already use Nextcloud with any OIDC-conformant IdP, including the German IdPs “netID” and “Verimi”, by using Auth0 as a broker in between Nextcloud and the original IdP.
Since Nextcloud supports SAML2 already out of the box, you’d set up Nextcloud with SAML2 and Auth0 as IdP (broker), while in Auth0 you configure any OIDC connection (netID, Verimi, etc.).

Nextcloud ← (SAML2) → Auth0 ← (OIDC) → any OIDC-conformant IdP

Useful resources related to this:

Nice thing about this approach is that it’s entirely based on officially supported (= supported in SLA) Nextcloud components (user_saml) and doesn’t rely on mod_auth_openidc.

Additionally, you’d get optional features such as account linking / merging (username/password and next time via social login can automatically be merged into one user).

(Disclaimer: I worked at Nextcloud before, I now work at Auth0.)

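Whichever way the OIDC side ends up being implemented (a native Nextcloud client as the thread asks for, or a broker such as Auth0 or Keycloak sitting in front of the IdP), the relying party has to validate the ID token before trusting any of its claims, including the group attributes mentioned earlier in the thread. The following is an added example, not code from the thread, Nextcloud, Auth0 or Keycloak. The issuer URL, client ID, client secret and token contents are constructed. It uses the symmetric HS256 case (OIDC Core 10.1 lets the client_secret serve as the HMAC key) so that it runs with the Python standard library alone; tokens from a public IdP are normally RS256 and must instead be verified against the keys published at the issuer's JWKS endpoint, with the same claim checks afterwards.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed relying-party settings; none of these come from the thread.
CLIENT_ID = "nextcloud-rp"
CLIENT_SECRET = "constructed-client-secret-0123456789abcdef"
ISSUER = "https://idp.example.test/realms/demo"
# Accept only the algorithm registered with the IdP: never "none", and never
# a different key family than the one we actually hold.
ALLOWED_ALGS = {"HS256"}


class IdTokenError(ValueError):
    """Raised when an ID token must be rejected."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: str = CLIENT_SECRET, alg: str = "HS256") -> str:
    """Mint a constructed ID token the way a test IdP would; only used here to
    produce inputs (good and bad) for the validator below."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":  # unsigned token, which the validator must refuse
        return signing_input + "."
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, expected_nonce: str,
                      now: Optional[int] = None, leeway: int = 60) -> dict:
    """The checks from OIDC Core 3.1.3.7 a relying party performs before using
    the claims: allowed alg and valid signature, iss, aud/azp, exp, iat, and
    the nonce that was bound to this particular login attempt."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError as exc:  # wrong segment count, bad base64, or bad JSON
        raise IdTokenError("malformed token") from exc

    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise IdTokenError(f"algorithm {alg!r} not allowed")
    expected_sig = hmac.new(CLIENT_SECRET.encode(), f"{h_b64}.{c_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise IdTokenError("signature mismatch")

    if claims.get("iss") != ISSUER:
        raise IdTokenError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise IdTokenError("token was not issued for this client")
    if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        raise IdTokenError("azp missing or wrong for a multi-audience token")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp + leeway < now:
        raise IdTokenError("token expired")
    if not isinstance(iat, int) or iat - leeway > now:
        raise IdTokenError("token issued in the future")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise IdTokenError("missing sub")
    return claims


def is_rejected(token: str, expected_nonce: str, now: int) -> bool:
    """True if the validator refuses the token (used to exercise the failure cases)."""
    try:
        validate_id_token(token, expected_nonce, now=now)
    except IdTokenError:
        return True
    return False


def demo() -> dict:
    """Valid round trip on constructed data: returns the verified claims,
    including a constructed 'groups' claim a provisioning step could map."""
    now = 1_700_000_000
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "exp": now + 300, "iat": now, "nonce": "n-abc",
              "groups": ["admins", "staff"]}
    return validate_id_token(make_id_token(claims), "n-abc", now=now)
```

The order matters: the signature is checked with an explicit allow-list of algorithms before any claim is read, so a token carrying `alg: none` or an algorithm that would make the verifier use the wrong key is refused outright, and only after that are issuer, audience, lifetime and nonce compared against what this relying party expects.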