Nextcloud OIDC integration

Add lots of pictures
    Document provider, application settings in Authentik
    Document settings in Nextcloud
    User quotas using custom attributes and property mappings
This commit is contained in:
RealStickman 2023-04-02 19:56:19 +02:00
parent d5f0896cb4
commit 8479165a5d
5 changed files with 81 additions and 7 deletions

Binary file not shown.

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 30 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 13 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 9.3 KiB

View File

@ -1,7 +1,7 @@
---
title: 'Nextcloud OIDC'
title: "Nextcloud OIDC"
visible: false
media_order: 'authentik-create-provider.webp, authentik-create-application.webp'
media_order: "authentik-create-provider.webp, authentik-create-application.webp, nextcloud-openid-connect.webp, authentik-custom-property-mapping.webp, authentik-oauth-scope.webp"
---
[toc]
@ -18,14 +18,14 @@ First, a new provider needs to be created. The setting can be found under `Appli
In the first screen, select `OAuth2/OpenID Provider` and click `Next`
![Screenshot of the provider creation page with settings filled in](authentik-create-provider.webp)
- _Authorization flow_: default-provider-authorization-implicit-consent (Choosing explicit consent instead means the user has to approve every login)
- _Client type_: Confidential
- _Client ID_: The auto generated value is fine, copy it for use later.
- _Client Secret_: **WARNING** user_oidc currently only supports values up to 64 characters in length. Make sure to trim the value below that, or generate a new secret with less characters. `openssl rand -base64 60` [Issue on user_oidc GitHub](https://github.com/nextcloud/user_oidc/issues/405)
- _Redirect URIs/Origins_: https://{NEXTCLOUD URL}/apps/user_oidc/code
- _Advanced protocol settings > Subject mode_: Based on the User's username, this setting should be used to ensure Nextclouds federated cloud ID will have a human-readable value
- _Client Secret_: **WARNING** user_oidc currently only supports values up to 64 characters in length. Make sure to trim the value below that, or generate a new secret with less characters. `openssl rand -base64 40` [Issue on user_oidc GitHub](https://github.com/nextcloud/user_oidc/issues/405)
- _Redirect URIs/Origins_: `https:\/\/nextcloud\.example\.com.*`
- _Signing Key_: Set this to a valid TLS Certificate
![Screenshot of the provider creation page with settings filled in](authentik-create-provider.webp)
### Create application
@ -36,4 +36,78 @@ Other settings can be left at their defaults.
![Screenshot of application creation dialog](authentik-create-application.webp)
Now, go back to the `Providers` screen and click on the previously created provider.
Copy the value from `OpenID Configuration URL`, it should be something like `https://{AUTHENTIK URL}/application/o/{PROVIDER NAME}/.well-known/openid-configuration`
## Nextcloud
Log in as administrator, go to `Apps` and search for `OpenID Connect user backend`
Click `Download and Enable` to install the app.
Next, open the administration settings in Nextcloud and go to `OpenID Connect`.
Click on the `+` below `Registered Providers`
- _Identifier_: Authentik (This value is shown to the users when they try to log in)
- _Client ID_: (value copied from Authentik)
- _Client Secret_: (value copied from Authentik)
- _Discovery endpoint_: (OpenID Configuration URL copied from Authentik, should end with .well-known/openid-configuration)
**Attribute mapping**
- _User ID mapping_: `sub`
- _Display name mapping_: `nickname`
- Uncheck `Use unique user id`, otherwise nextcloud will hash the provided user id mapping together with the provider and use that as identifier. This is unnecessary unless you're using multiple providers with non-unique names.
- Check `Use group provisioning` in order to create and update user groups in Nextcloud from Authentik.
All other settings here should be left at their default.
![OpenID Connect Plugin provider settings](nextcloud-openid-connect.webp)
If you are running the Authentik in the same local network as Nextcloud and use internal addresses, you also need to add the setting `'allow_local_remote_servers' => true,` to your `config.php` file.
Otherwise Nextcloud rejects the connection.
## Setting user quotas in Authentik
Using custom attributes, property mappings and scope mappings it is possible to set the desired storage quota for users.
### Assign custom attribute
Go to `Directory > Users`, click on a user and select `Edit`.
In the field `Attributes` custom attributes can be specified in JSON or YAML format.
_Example_:
```yaml
app-nextcloud-quota: 20G
```
### Create propery mapping
Go to `Customisation > Property Mappings` and create a new mapping of the type `Scope Mapping`
The name can be chosen freely, choose something identifiable.
Scope name will be used in the Nextcloud OpenID Connect config as scope.
The expression is used to get the previously created custom attribute.
```py
return {
"quota": request.user.attributes.get("app-nextcloud-quota", "default"),
}
```
![Authentik custom property mapping settings](authentik-custom-property-mapping.webp)
### Expose propery mapping
Click on the previously created provider for Nextcloud and select `Edit`.
Go to `Advanced protocol settings > Scopes` and `CTRL + Click` the newly created Nextcloud quota mapping.
![Selected scope mappings](authentik-oauth-scope.webp)
### Nextcloud config
Nextcloud needs to request access to the scope we just created.
Simply add `quota` to the space separated list of Scopes in the OpenID Connect provider settings.
Changing the quota attribute, will update the storage quota for the user upon the next login.

Binary file not shown.

After

Width:  |  Height:  |  Size: 32 KiB