
Help with setting up authelia and nextcloud clients #250

Open aleprovencio opened 9 months ago

aleprovencio commented 9 months ago

** edited: updated post

Hi!

I have already managed to make this app work with Authelia without having to touch its access_control settings, so logging in is just a matter of clicking the "Log in with Authelia" button on Nextcloud's web UI login page.

However, to get Nextcloud's clients (desktop and mobile) working (authenticating and syncing), I had to bypass a lot of resources in Authelia.

Is this the right approach, or am I missing something about setting up OIDC?

authelia


# Authelia access control. With default_policy: deny, any request that no rule
# below matches is refused, so every bypass rule is an explicit exception to
# that default and should be as narrow as the clients allow.
access_control:
  default_policy: deny
  rules:
    # The Authelia portal itself has to be reachable without an existing session.
    - domain: authelia.{{ domain_name }}
      policy: bypass
    # Nextcloud: requests to these paths are passed through without Authelia
    # authentication; only Nextcloud's own login (OIDC / app passwords) applies.
    - domain: nextcloud.{{ domain_name }}
      policy: bypass
      resources:
        - '^/api.*$'
        - '^/status.php$'
        # NOTE(review): '^/index.php.*$' matches nearly every Nextcloud route,
        # the web UI included, not just the client endpoints — so on this domain
        # the two_factor default below applies to very little. It also already
        # covers all three commented-out patterns, which is why they make no
        # difference while this line is active. Narrowing it to the specific
        # client paths (e.g. the index.php/login/v2 entry below) is the tighter
        # option if the clients still work with that — verify against the clients.
        - '^/index.php.*$'
        - '^/login/v2.*$'
        - '^/remote.php/dav.*$'
        - '^/ocs/v2.php/apps.*$'
        - '^/ocs/v1.php/cloud.*$'
        # - '^/index.php/login/v2.*$'
        # - '^/index.php/apps/news/api/.*$'
        # - '^/index.php/apps/phonetrack.*$'
    # Default for everything else under the domain: Authelia session with 2FA.
    # The '*' glob is quoted on purpose — unquoted it would be read as a YAML alias.
    - domain:
        - '*.{{ domain_name }}'
        - '{{ domain_name }}'
      policy: two_factor

# Authelia as the OpenID Connect provider that the oidc_login app talks to.
identity_providers:
  oidc:
    # Secrets come from templated variables rather than being committed here.
    hmac_secret: '{{ authelia_hmac_secret }}'
    # NOTE(review): if the rendered key spans several lines, the template must
    # re-indent the continuation lines to this block's indent (e.g. an indent
    # filter); a bare substitution would break the block scalar — confirm the
    # rendered file.
    issuer_private_key: |
      {{ authelia_issuer_private_key }}
    # Token lifetimes. The refresh token outlives the access/ID tokens by only
    # 30 minutes, so an idle client has to re-authenticate fairly soon.
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      # NOTE(review): "*" allows any browser origin to call the token,
      # revocation and introspection endpoints cross-origin. The commented-out
      # single-origin entry is the tighter setting; whether the desktop/mobile
      # clients need CORS at all is worth checking before keeping the wildcard.
      allowed_origins:
        - "*"
        # - https://{{ domain_name }}
      allowed_origins_from_client_redirect_uris: false
    clients:
      - id: nextcloud
        description: NextCloud
        secret: '{{ authelia_nextcloud_secret }}'
        # Confidential client: the secret above is required at the token endpoint.
        public: false
        # 2FA is enforced here, at the provider, independently of the bypass
        # rules in access_control.
        authorization_policy: two_factor
        # No consent screen is shown to the user.
        consent_mode: implicit
        # Single exact callback URI of the oidc_login app.
        redirect_uris:
          - https://nextcloud.{{ domain_name }}/apps/oidc_login/oidc
        scopes:
          - openid
          - profile
          - email
          - groups
        # Userinfo responses are returned unsigned; presumably fine as the
        # Nextcloud side reads claims from the ID token (oidc_login_use_id_token)
        # — verify against the app's behaviour.
        userinfo_signing_algorithm: none

nextcloud

  // Nextcloud config.php entries for the oidc_login app (excerpt of the
  // enclosing $CONFIG array; the surrounding array is not shown).
  // Display name and password are owned by the identity provider, not Nextcloud.
  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  'oidc_login_provider_url' => 'https://authelia.{{ domain_name }}',
  'oidc_login_client_id' => 'nextcloud',
  // NOTE(review): this template expansion is unquoted, unlike every other
  // string here. Unless the variable already carries its own quotes, the
  // rendered value is bare PHP and a secret containing anything other than a
  // number or a valid constant name is a parse error — quote it as
  // '{{ stack_apps_nextcloud_oidc_login_client_secret }}'.
  'oidc_login_client_secret' => {{ stack_apps_nextcloud_oidc_login_client_secret }},
  // Login page still shows the normal form with an extra Authelia button.
  'oidc_login_auto_redirect' => false,
  'oidc_login_end_session_redirect' => false,
  'oidc_login_button_text' => 'Log in with Authelia',
  'oidc_login_hide_password_form' => false,
  'oidc_login_use_id_token' => true,
  // Mapping of Nextcloud user attributes to claim names in the token.
  'oidc_login_attributes' => array (
      'id' => 'preferred_username',
      'name' => 'name',
      'mail' => 'email',
      'groups' => 'groups',
      // NOTE(review): a literal true here, where the other entries are claim
      // names — confirm whether the app treats this as "every OIDC user is an
      // admin" or as a lookup of a claim literally named "1"; neither seems to
      // be the intent.
      'is_admin' => true,
  ),
  'oidc_login_default_group' => 'oidc',
  'oidc_login_use_external_storage' => false,
  // Must match the scopes granted to the client on the Authelia side.
  'oidc_login_scope' => 'openid profile email groups',
  'oidc_login_proxy_ldap' => false,
  // Only users already provisioned through OIDC can log in; keep this on.
  'oidc_login_disable_registration' => true,
  'oidc_login_redir_fallback' => false,
  'oidc_login_alt_login_page' => 'assets/login.php',
  // TLS certificate verification against the provider stays enabled.
  'oidc_login_tls_verify' => true,
  'oidc_create_groups' => false,
  // Presumably what lets the desktop/mobile clients sync over WebDAV with
  // OIDC-backed accounts — confirm against the app docs.
  'oidc_login_webdav_enabled' => true,
  'oidc_login_password_authentication' => false,
  // JWKS / discovery caching, in seconds.
  'oidc_login_public_key_caching_time' => 86400,
  'oidc_login_min_time_between_jwks_requests' => 10,
  'oidc_login_well_known_caching_time' => 86400,
  'oidc_login_update_avatar' => false,