Nextcloud OIDC integration

Add lots of pictures
    Document provider, application settings in Authentik
    Document settings in Nextcloud
    User quotas using custom attributes and property mappings

pages/02.linux/authentik/nextcloud-oidc/default.en.md

@@ -1,7 +1,7 @@
 ---
-title: 'Nextcloud OIDC'
+title: "Nextcloud OIDC"
 visible: false
-media_order: 'authentik-create-provider.webp, authentik-create-application.webp'
+media_order: "authentik-create-provider.webp, authentik-create-application.webp, nextcloud-openid-connect.webp, authentik-custom-property-mapping.webp, authentik-oauth-scope.webp"
 ---
 
 [toc]
@@ -18,14 +18,14 @@ First, a new provider needs to be created. The setting can be found under `Appli
 
 In the first screen, select `OAuth2/OpenID Provider` and click `Next`
 
-![Screenshot of the provider creation page with settings filled in](authentik-create-provider.webp)
-
 - _Authorization flow_: default-provider-authorization-implicit-consent (Choosing explicit consent instead means the user has to approve every login)
 - _Client type_: Confidential
 - _Client ID_: The auto generated value is fine, copy it for use later.
-- _Client Secret_: **WARNING** user_oidc currently only supports values up to 64 characters in length. Make sure to trim the value below that, or generate a new secret with less characters. `openssl rand -base64 60` [Issue on user_oidc GitHub](https://github.com/nextcloud/user_oidc/issues/405)
-- _Redirect URIs/Origins_: https://{NEXTCLOUD URL}/apps/user_oidc/code
-- _Advanced protocol settings > Subject mode_: Based on the User's username, this setting should be used to ensure Nextcloud’s federated cloud ID will have a human-readable value
+- _Client Secret_: **WARNING** user_oidc currently only supports values up to 64 characters in length. Make sure to trim the value below that, or generate a new secret with less characters. `openssl rand -base64 40` [Issue on user_oidc GitHub](https://github.com/nextcloud/user_oidc/issues/405)
+- _Redirect URIs/Origins_: `https:\/\/nextcloud\.example\.com.*`
+- _Signing Key_: Set this to a valid TLS Certificate
+
+![Screenshot of the provider creation page with settings filled in](authentik-create-provider.webp)
 
 ### Create application
 
@@ -36,4 +36,78 @@ Other settings can be left at their defaults.
 
 ![Screenshot of application creation dialog](authentik-create-application.webp)
 
+Now, go back to the `Providers` screen and click on the previously created provider.  
+Copy the value from `OpenID Configuration URL`, it should be something like `https://{AUTHENTIK URL}/application/o/{PROVIDER NAME}/.well-known/openid-configuration`
+
 ## Nextcloud
+
+Log in as administrator, go to `Apps` and search for `OpenID Connect user backend`  
+Click `Download and Enable` to install the app.
+
+Next, open the administration settings in Nextcloud and go to `OpenID Connect`.  
+Click on the `+` below `Registered Providers`
+
+- _Identifier_: Authentik (This value is shown to the users when they try to log in)
+- _Client ID_: (value copied from Authentik)
+- _Client Secret_: (value copied from Authentik)
+- _Discovery endpoint_: (OpenID Configuration URL copied from Authentik, should end with .well-known/openid-configuration)
+
+**Attribute mapping**
+
+- _User ID mapping_: `sub`
+- _Display name mapping_: `nickname`
+
+- Uncheck `Use unique user id`, otherwise nextcloud will hash the provided user id mapping together with the provider and use that as identifier. This is unnecessary unless you're using multiple providers with non-unique names.
+- Check `Use group provisioning` in order to create and update user groups in Nextcloud from Authentik.
+
+All other settings here should be left at their default.
+
+![OpenID Connect Plugin provider settings](nextcloud-openid-connect.webp)
+
+If you are running the Authentik in the same local network as Nextcloud and use internal addresses, you also need to add the setting `'allow_local_remote_servers' => true,` to your `config.php` file.  
+Otherwise Nextcloud rejects the connection.
+
+## Setting user quotas in Authentik
+
+Using custom attributes, property mappings and scope mappings it is possible to set the desired storage quota for users.
+
+### Assign custom attribute
+
+Go to `Directory > Users`, click on a user and select `Edit`.  
+In the field `Attributes` custom attributes can be specified in JSON or YAML format.
+
+_Example_:
+
+```yaml
+app-nextcloud-quota: 20G
+```
+
+### Create propery mapping
+
+Go to `Customisation > Property Mappings` and create a new mapping of the type `Scope Mapping`
+
+The name can be chosen freely, choose something identifiable.  
+Scope name will be used in the Nextcloud OpenID Connect config as scope.  
+The expression is used to get the previously created custom attribute.
+
+```py
+return {
+    "quota": request.user.attributes.get("app-nextcloud-quota", "default"),
+}
+```
+
+![Authentik custom property mapping settings](authentik-custom-property-mapping.webp)
+
+### Expose propery mapping
+
+Click on the previously created provider for Nextcloud and select `Edit`.  
+Go to `Advanced protocol settings > Scopes` and `CTRL + Click` the newly created Nextcloud quota mapping.
+
+![Selected scope mappings](authentik-oauth-scope.webp)
+
+### Nextcloud config
+
+Nextcloud needs to request access to the scope we just created.  
+Simply add `quota` to the space separated list of Scopes in the OpenID Connect provider settings.
+
+Changing the quota attribute, will update the storage quota for the user upon the next login.