thegrind/authentikate
4
0
Fork 0
generated from thegrind/laravel-dockerized
Code Issues Pull Requests Actions Packages Projects Releases 5 Wiki Activity
authentikate/docs/integrations/nextcloud.md
Javier Feliz 9db9b0f6b3
All checks were successful
linter / quality (push) Successful in 3m34s
Details
tests / ci (push) Successful in 7m10s
Details
Got claude started on the docs. Will have to update them heavily
2025-08-03 00:23:06 -04:00

370 lines
11 KiB
Markdown
Raw Blame History

# Nextcloud Integration
This guide shows how to integrate Nextcloud with AuthentiKate using the OpenID Connect app for seamless single sign-on.
## Prerequisites
- AuthentiKate running and accessible
- Nextcloud instance with admin access
- Nextcloud OpenID Connect app installed
## Step 1: Install OpenID Connect App
### Via Nextcloud App Store
1. Log into Nextcloud as an administrator
2. Go to **Apps****Authentication**
3. Find and install **"OpenID Connect user backend"**
4. Enable the app
### Via Command Line
```bash
# Install via occ command
sudo -u www-data php occ app:install user_oidc
sudo -u www-data php occ app:enable user_oidc
```
## Step 2: Create Application in AuthentiKate
1. Log into your AuthentiKate admin panel
2. Navigate to **Applications****Create Application**
3. Fill in the application details:
```
Name: Nextcloud
Redirect URI: https://cloud.yourdomain.com/apps/user_oidc/code
Icon: https://cdn.jsdelivr.net/gh/selfhst/icons/webp/nextcloud.webp
```
4. Click **Save** and note the generated:
- **Client ID**
- **Client Secret**
## Step 3: Configure Nextcloud OIDC
### Via Web Interface
1. Go to **Settings****Administration****OpenID Connect**
2. Configure the OIDC provider:
```
Provider Name: AuthentiKate
Identifier: authentikate
Client ID: your-client-id
Client Secret: your-client-secret
Discovery endpoint: https://auth.yourdomain.com/.well-known/openid_configuration
```
3. **Advanced Settings** (click to expand):
```
Scope: openid profile email
Unique user identifier: preferred_username
```
4. Click **Save**
### Via Command Line
```bash
# Set OIDC configuration
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-clientId --value="your-client-id"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-clientSecret --value="your-client-secret"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-discoveryUrl --value="https://auth.yourdomain.com/.well-known/openid_configuration"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-scope --value="openid profile email"
# Set unique identifier
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-uniqueUid --value="1"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-uniqueUidMapping --value="preferred_username"
```
## Step 4: User Attribute Mapping
Configure how AuthentiKate user attributes map to Nextcloud:
### Via Web Interface
In **Settings****Administration****OpenID Connect****Advanced**:
```
Display name mapping: name
Email mapping: email
Unique user identifier: preferred_username
```
### Via Command Line
```bash
# User attribute mapping
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-displayNameMapping --value="name"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-emailMapping --value="email"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-quotaMapping --value=""
```
## Step 5: Auto-Provisioning (Optional)
Enable automatic user creation on first login:
### Via Web Interface
In the OIDC settings, enable:
- **Auto provision users**
- **Respect email verified claim**
### Via Command Line
```bash
# Enable auto-provisioning
sudo -u www-data php occ config:app:set user_oidc auto-provision --value="1"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-provisioningEnabled --value="1"
# Respect email verification
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-checkEmailVerification --value="1"
```
## Step 6: Group Mapping (Optional)
If you plan to add groups to AuthentiKate in the future:
```bash
# Enable group provisioning
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-groupProvisioning --value="1"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-groupMapping --value="groups"
```
## Step 7: Login Button Customization
Customize the OAuth login button:
### Via Config
```bash
# Set custom button text
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-buttonText --value="Login with AuthentiKate"
# Hide default login form (optional)
sudo -u www-data php occ config:system:set hide_login_form --value=true
```
### Custom CSS (Optional)
Add custom styling in **Settings****Administration****Theming**:
```css
/* Style the OIDC login button */
.oidc-login-button {
background-color: #3b82f6 !important;
border-color: #3b82f6 !important;
}
.oidc-login-button:hover {
background-color: #2563eb !important;
border-color: #2563eb !important;
}
```
## Complete Configuration Example
Here's a complete command-line setup:
```bash
#!/bin/bash
# Install and enable OIDC app
sudo -u www-data php occ app:install user_oidc
sudo -u www-data php occ app:enable user_oidc
# Configure OIDC provider
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-clientId --value="your-client-id"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-clientSecret --value="your-client-secret"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-discoveryUrl --value="https://auth.yourdomain.com/.well-known/openid_configuration"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-scope --value="openid profile email"
# User mapping
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-uniqueUid --value="1"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-uniqueUidMapping --value="preferred_username"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-displayNameMapping --value="name"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-emailMapping --value="email"
# Auto-provisioning
sudo -u www-data php occ config:app:set user_oidc auto-provision --value="1"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-provisioningEnabled --value="1"
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-checkEmailVerification --value="1"
# Button customization
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-buttonText --value="Login with AuthentiKate"
echo "Nextcloud OIDC integration configured successfully!"
```
## Docker Compose Example
Complete Docker setup with Nextcloud and AuthentiKate:
```yaml
version: '3.8'
services:
nextcloud:
image: nextcloud:latest
container_name: nextcloud
restart: unless-stopped
ports:
- "80:80"
environment:
- NEXTCLOUD_ADMIN_USER=admin
- NEXTCLOUD_ADMIN_PASSWORD=secure_password
- NEXTCLOUD_TRUSTED_DOMAINS=cloud.yourdomain.com
- OVERWRITEPROTOCOL=https
- OVERWRITEHOST=cloud.yourdomain.com
volumes:
- nextcloud_data:/var/www/html
- ./setup-oidc.sh:/docker-entrypoint-hooks.d/pre-installation/setup-oidc.sh:ro
labels:
# Traefik labels
- "traefik.enable=true"
- "traefik.http.routers.nextcloud.rule=Host(`cloud.yourdomain.com`)"
- "traefik.http.routers.nextcloud.entrypoints=websecure"
- "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
volumes:
nextcloud_data:
```
## Testing the Integration
1. **Log out** of Nextcloud (if currently logged in)
2. **Navigate to** your Nextcloud login page
3. **Click "Login with AuthentiKate"** button
4. **Authenticate** with your AuthentiKate credentials
5. **Verify** you're logged into Nextcloud with correct user information
## Advanced Configuration
### Custom User Provisioning
Control how users are created:
```bash
# Set default quota for new users
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-defaultQuota --value="5GB"
# Set default group for new users
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-defaultGroup --value="users"
```
### Backup Users
Prevent deletion of users not found in OIDC:
```bash
# Enable soft delete (backup users)
sudo -u www-data php occ config:app:set user_oidc provider-authentikate-softAutoUpdate --value="1"
```
### Admin Users
Make specific users administrators:
```bash
# Add users to admin group (run after first login)
sudo -u www-data php occ group:adduser admin "admin_username"
```
## Troubleshooting
### Common Issues
#### "Invalid redirect URI" Error
Ensure the redirect URI in AuthentiKate exactly matches:
```
https://cloud.yourdomain.com/apps/user_oidc/code
```
#### OIDC Login Button Missing
Check that the app is enabled:
```bash
sudo -u www-data php occ app:list | grep user_oidc
```
#### Users Not Auto-Created
Verify auto-provisioning is enabled:
```bash
sudo -u www-data php occ config:app:get user_oidc auto-provision
sudo -u www-data php occ config:app:get user_oidc provider-authentikate-provisioningEnabled
```
#### Wrong User Information
Check the attribute mapping:
```bash
sudo -u www-data php occ config:app:get user_oidc provider-authentikate-displayNameMapping
sudo -u www-data php occ config:app:get user_oidc provider-authentikate-emailMapping
```
### Debug Mode
Enable debugging in Nextcloud:
```bash
# Enable debug mode
sudo -u www-data php occ config:system:set debug --value=true
# Check logs
sudo -u www-data php occ log:tail
```
### Configuration Check
Verify your OIDC configuration:
```bash
# List all OIDC settings
sudo -u www-data php occ config:list user_oidc
# Test OIDC discovery endpoint
curl https://auth.yourdomain.com/.well-known/openid_configuration
```
### Reset Configuration
If you need to start over:
```bash
# Remove OIDC configuration
sudo -u www-data php occ config:app:delete user_oidc provider-authentikate-clientId
sudo -u www-data php occ config:app:delete user_oidc provider-authentikate-clientSecret
sudo -u www-data php occ config:app:delete user_oidc provider-authentikate-discoveryUrl
# Disable auto-provisioning
sudo -u www-data php occ config:app:set user_oidc auto-provision --value="0"
```
## Security Considerations
### Trusted Domains
Ensure your domain is in Nextcloud's trusted domains:
```bash
sudo -u www-data php occ config:system:set trusted_domains 0 --value="cloud.yourdomain.com"
```
### HTTPS Configuration
Force HTTPS in Nextcloud:
```bash
sudo -u www-data php occ config:system:set overwriteprotocol --value="https"
sudo -u www-data php occ config:system:set overwrite.cli.url --value="https://cloud.yourdomain.com"
```
### Session Security
Configure secure sessions:
```bash
sudo -u www-data php occ config:system:set session_lifetime --value=3600
sudo -u www-data php occ config:system:set session_keepalive --value=false
```
Your Nextcloud instance is now integrated with AuthentiKate! Users can sign in with their AuthentiKate credentials and access their Nextcloud files and applications.
Reference in New Issue View Git Blame Copy Permalink