Skip to content

feat: integrate login via OIDC #212

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
spaceone wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

feat: integrate login via OIDC #212

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions inst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ ERROR_FILE=$(getarg "--error-file")
. /usr/share/univention-join/joinscripthelper.lib
. /usr/share/univention-appcenter/joinscripthelper.sh
. /usr/share/univention-lib/ldap.sh
. /usr/share/univention-lib/ucr.sh

joinscript_init
eval "$(ucr shell)"
Expand All @@ -52,6 +53,7 @@ IS_UPDATE=false
NC_LDAP_BIND_DN="$appcenter_apps_nextcloud_hostdn"
NC_LDAP_BIND_PW_FILE="$(joinscript_container_file /etc/machine.secret)"
NC_LDAP_BIND_PW="$(< $NC_LDAP_BIND_PW_FILE)"
NC_OIDC_SECRET_FILE="$(joinscript_container_file /etc/client.secret)"
NC_ADDITIONAL_CURL_ARGS=

NC_OFFICE_SUITE="oo_community" # fallback
Expand All @@ -67,6 +69,7 @@ nextcloud_main() {
fi
nextcloud_ensure_ucr
nextcloud_attempt_memberof_support
nextcloud_configure_oidc "$@"
nextcloud_configure_saml "$@"
nextcloud_configure_ldap_backend
nextcloud_modify_users "$@"
Expand Down Expand Up @@ -259,7 +262,67 @@ nextcloud_urlEncode() {
"$1" ""
}

nextcloud_configure_oidc() {
if is_ucr_true appcenter/apps/nextcloud/disable-oidc-login; then
univention-app shell nextcloud sudo -u www-data php /var/www/html/occ app:disable user_oidc || true
return;
fi
if ! ucs_needsKeycloakSetup "$@"; then
return;
fi

if [ ! -e "$NC_OIDC_SECRET_FILE" ]; then
create_machine_password > "$NC_OIDC_SECRET_FILE"
fi

CLIENT_SECRET="$(< $NC_OIDC_SECRET_FILE)"
NC_OIDC_BASE_URL="https://$hostname.$domainname/nextcloud"
CLIENT_ID="$NC_OIDC_BASE_URL/"
univention-keycloak "$@" oidc/rp create \
--client-secret "$CLIENT_SECRET" \
--description "Nextcloud UCS App OIDC client" \
--name "$CLIENT_ID" \
--app-url "$NC_OIDC_BASE_URL" \
--host-fqdn "$hostname.$domainname" \
--redirect-uri "$NC_OIDC_BASE_URL/*" \
--request-uris "$NC_OIDC_BASE_URL/apps/user_oidc/*" \
Comment on lines +287 to +288

@spaceone spaceone Apr 30, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@blizzz

And on logout we end up with having the keycloak screen with an "Invalid redirect uri" error.

The cause is probably here, I can only test next week.

--frontchannel-logout-url "$NC_OIDC_BASE_URL/apps/user_oidc/sls" \
--backchannel-logout-url "$NC_OIDC_BASE_URL/apps/user_oidc/sls" \
--post-logout-redirect-uris "$NC_OIDC_BASE_URL" \
--always-display-in-console \
"$CLIENT_ID" || die "Could not create Nextloud Relying Party"
# [--web-origins WEB_ORIGINS]
# [--direct-access-grants]
# [--allow-implicit-flow]
# [--access-token-lifespan ACCESS_TOKEN_LIFESPAN]
# [--service-accounts-enabled]
# [--no-frontchannel-logout]
# [--auth-browser-flow AUTH_BROWSER_FLOW]
# [--add-audience-mapper]
# [--access-token-audience ACCESS_TOKEN_AUDIENCE]
# [--id-token-audience ID_TOKEN_AUDIENCE]
# [--policy-url POLICY_URL]
# [--logo-url LOGO_URL]
# [--tos-url TOS_URL]
# [--pkce-code-challenge-method {,plain,S256}]
# [--default-scopes DEFAULT_SCOPES]
# [--optional-scopes OPTIONAL_SCOPES]
# [--consent CONSENT]

univention-app shell nextcloud sudo -u www-data php /var/www/html/occ app:enable user_oidc || true
univention-app shell nextcloud sudo -u www-data php /var/www/html/occ user_oidc:provider \
-c "$CLIENT_ID" \
-s "$CLIENT_SECRET" \
-d "$(univention-keycloak "$@" get-keycloak-base-url)/realms/ucs/.well-known/openid-configuration" \
"${appcenter_apps_nextcloud_oidc_identifier:-UCS}" || die "Could not configure Keycloak as Nextcloud OpenID Provider"
Comment on lines +313 to +317

@spaceone spaceone Apr 30, 2025

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@blizzz

One thing I noticed, OIDC does not seem to play along with LDAP, and administrators are not promited ot NC admins either.

OK, NC admins cannot login because they don't exists in Keycloak.
I didn't have problems for Administrator accounts (from UCS)

"are not promited ot " means "are not permitted or" ?

}

nextcloud_configure_saml() {
if is_ucr_true appcenter/apps/nextcloud/disable-saml-login; then
univention-app shell nextcloud sudo -u www-data php /var/www/html/occ app:disable user_saml || true
return;
fi
univention-app shell nextcloud sudo -u www-data php /var/www/html/occ app:enable user_saml || true
SETCMD="univention-app shell nextcloud sudo -u www-data php /var/www/html/occ config:app:set user_saml"
$SETCMD type --value="saml"
$SETCMD general-require_provisioned_account --value="1"
Expand Down
1 change: 1 addition & 0 deletions setup
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,7 @@ if [ "$NC_IS_UPGRADE" -eq 0 ] ; then
$OCC background:cron
$OCC app:enable user_ldap
$OCC app:install user_saml && $OCC app:enable user_saml
$OCC app:install user_oidc && $OCC app:enable user_oidc
$OCC app:disable updatenotification
install_hub_apps

Expand Down