This guide will be using OIDC with the user_oidc plugin.
First, a new provider needs to be created. The setting can be found under Applications > Providers; click Create.
In the first screen, select OAuth2/OpenID Provider and click Next.
openssl rand -base64 40
Issue on user_oidc GitHub
https:\/\/nextcloud\.example\.com.*
Now it is time to create the application. Go to Applications > Applications and click Create.
Set a name and choose the previously created provider under the Provider setting. Other settings can be left at their defaults.
Now, go back to the Providers screen and click on the previously created provider.
Copy the value from OpenID Configuration URL; it should be something like https://{AUTHENTIK URL}/application/o/{PROVIDER NAME}/.well-known/openid-configuration
Log in as administrator, go to Apps and search for OpenID Connect user backend. Click Download and Enable to install the app.
Next, open the administration settings in Nextcloud and go to OpenID Connect. Click on the + below Registered Providers.
Attribute mapping:
User ID mapping: sub
Display name mapping: nickname
Uncheck Use unique user id, otherwise Nextcloud will hash the provided user ID mapping together with the provider and use that as the identifier. This is unnecessary unless you're using multiple providers with non-unique names.
Check Use group provisioning in order to create and update user groups in Nextcloud from Authentik.
All other settings here should be left at their default.
If you are running Authentik in the same local network as Nextcloud and use internal addresses, you also need to add the setting 'allow_local_remote_servers' => true, to your config.php file. Otherwise Nextcloud rejects the connection. Note that this setting lifts Nextcloud's block on outgoing requests to local and private addresses for all of Nextcloud's remote connections, not only the OIDC discovery, so leave it unset unless the provider really is reachable only through an internal address.
Using custom attributes, property mappings and scope mappings it is possible to set the desired storage quota for users.
Go to Directory > Users, click on a user and select Edit. In the field Attributes, custom attributes can be specified in JSON or YAML format.
Example:
app-nextcloud-quota: 20G
Go to Customisation > Property Mappings and create a new mapping of the type Scope Mapping.
The name can be chosen freely; choose something identifiable.
Scope name will be used in the Nextcloud OpenID Connect config as scope.
The expression is used to get the previously created custom attribute:
return {
    "quota": request.user.attributes.get("app-nextcloud-quota", "default"),
}
Click on the previously created provider for Nextcloud and select Edit.
Go to Advanced protocol settings > Scopes and CTRL + Click the newly created Nextcloud quota mapping.
Nextcloud needs to request access to the scope we just created. Simply add quota to the space-separated list of Scopes in the OpenID Connect provider settings.
Changing the quota attribute will update the storage quota for the user upon the next login.
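Before relying on the login flow to surface mistakes, it is worth checking the document served at the OpenID Configuration URL copied from the provider screen: the issuer must correspond to that URL, every endpoint must be HTTPS on the same host, and the provider must now advertise the quota scope you just attached. The Python below is an added pre-flight check, not code from this guide, from Authentik or from Nextcloud; `SAMPLE_DISCOVERY` is a constructed document with placeholder hostnames and only the fields the check reads, and the scope list defaults are an assumption you should replace with the scopes you actually configured in user_oidc.

```python
"""Added pre-flight check for the provider's OpenID discovery document.

Not code from the guide, Authentik or Nextcloud. SAMPLE_DISCOVERY is a
constructed document with placeholder hostnames, shaped like the one served at
the OpenID Configuration URL; a real one carries many more fields.
"""
import json
import sys
from urllib.parse import urlparse
from urllib.request import urlopen

SUFFIX = "/.well-known/openid-configuration"

# Constructed sample (placeholder host and provider slug), not a captured document.
SAMPLE_URL = "https://authentik.example.com/application/o/nextcloud" + SUFFIX
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://authentik.example.com/application/o/nextcloud/",
    "authorization_endpoint": "https://authentik.example.com/application/o/authorize/",
    "token_endpoint": "https://authentik.example.com/application/o/token/",
    "userinfo_endpoint": "https://authentik.example.com/application/o/userinfo/",
    "jwks_uri": "https://authentik.example.com/application/o/nextcloud/jwks/",
    "scopes_supported": ["openid", "email", "profile", "quota"],
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def load_sample() -> dict:
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_DISCOVERY)


def check_discovery(doc: dict, configuration_url: str,
                    required_scopes=("openid", "quota")) -> list[str]:
    """Return the problems found; an empty list means the document passes.

    configuration_url is the value copied from the provider screen. Per the
    OpenID Discovery rules the issuer is that URL without the well-known suffix.
    """
    problems: list[str] = []
    if not configuration_url.endswith(SUFFIX):
        return [f"not an OpenID Configuration URL: {configuration_url!r}"]
    expected_issuer = configuration_url[: -len(SUFFIX)]
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match {expected_issuer!r}")
    host = urlparse(issuer).netloc
    # Every endpoint must be HTTPS and live on the issuer's host; anything else
    # means Nextcloud would send the client secret or tokens somewhere unexpected.
    for key in ("issuer", "authorization_endpoint", "token_endpoint",
                "userinfo_endpoint", "jwks_uri"):
        parsed = urlparse(doc.get(key, ""))
        if parsed.scheme != "https":
            problems.append(f"{key} is missing or not served over HTTPS")
        elif parsed.netloc != host:
            problems.append(f"{key} points at {parsed.netloc!r}, not the issuer host {host!r}")
    missing = [s for s in required_scopes if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append(f"scopes not advertised by the provider: {', '.join(missing)}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    return problems


def fetch_discovery(configuration_url: str) -> dict:
    """Fetch a live document; only used when a URL is given on the command line."""
    with urlopen(configuration_url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        url = sys.argv[1]
        doc = fetch_discovery(url)
    else:
        url, doc = SAMPLE_URL, load_sample()
    problems = check_discovery(doc, url)
    print("discovery document OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it with the real OpenID Configuration URL as the only argument; a missing `quota` in `scopes_supported` at this point usually means the mapping was created but not selected under Advanced protocol settings > Scopes.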
Complete guide to Nextcloud OIDC authentication with Authentik