SSO-like hack using Nextcloud to protect other webapps on nginx

Hi,

I have a situation where Nextcloud is installed on a webserver along with other tools:

  • path: /nextcloud (the Nextcloud instance)
  • path: /grafana (a Grafana instance)
  • path: /media (some other stuff)

My goal is to protect the other URLs using the login from Nextcloud.

I built a very small Nextcloud app that:

  • changes the cookie path to /
  • provides a GET endpoint checking if the user is authenticated

Then nginx uses auth_request against this new endpoint to authorize every request to the other apps (yes, this impairs performance a bit).

If you are interested, please have a look: GitHub - yvesf/nextcloud-app-poorsso (*BROKEN* in newer nextcloud version. Hook has been removed. Poor men's SSO using nextcloud login).

Feedback is welcome.

I’m not experienced with Nextcloud and am open to suggestions, especially security hints.

Kind regards, yves
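
The auth_request wiring described in the post, as an added example that is not taken from the original post or the linked repository. The endpoint path `/nextcloud/index.php/apps/poorsso/check`, the backend addresses and the `/srv/media/` directory are assumptions; substitute the real values.

```nginx
# Added example. Place inside the existing server { } block that already
# serves /nextcloud. Paths and upstream addresses below are assumptions.

# Internal-only location used as the auth_request target.
# The browser cannot request it directly because of "internal".
location = /_nc_auth {
    internal;
    # Hypothetical check endpoint of the Nextcloud app: it must answer
    # 2xx for a logged-in session and 401/403 otherwise. Any other status
    # makes auth_request fail the original request with a 500.
    proxy_pass http://127.0.0.1:8080/nextcloud/index.php/apps/poorsso/check;
    proxy_set_header Host $host;
    # The subrequest carries the original request headers (including the
    # Cookie header), but the body is not needed for the check.
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
}

# Grafana: every request is authorized by the subrequest first.
location /grafana/ {
    auth_request /_nc_auth;
    error_page 401 = @nc_login;
    proxy_pass http://127.0.0.1:3000;   # assumed Grafana address
    proxy_set_header Host $host;
}

# Static media: same check, files served by nginx itself.
location /media/ {
    auth_request /_nc_auth;
    error_page 401 = @nc_login;
    alias /srv/media/;                  # assumed directory
}

# Unauthenticated users are sent to Nextcloud, which shows its login page.
location @nc_login {
    return 302 /nextcloud/;
}
```

Because the app widens the cookie path to `/`, the browser sends the Nextcloud session cookie on requests to `/grafana/` as well, and `proxy_pass` forwards it to the Grafana backend unless the `Cookie` header is rewritten there.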