diff --git a/.env.sample b/.env.sample
index a1bd2ae..3e84dc5 100644
--- a/.env.sample
+++ b/.env.sample
@@ -93,6 +93,14 @@ DEFAULT_QUOTA="10 GB"
 #SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
 #SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
+# COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
+# APPS="$APPS user_oidc"
+# USER_OIDC_PROVIDER=
+# USER_OIDC_ID=
+# USER_OIDC_DISCOVERY_URI=
+# USER_OIDC_END_SESSION_URI=
+# USER_OIDC_LOGIN_ONLY=false
+# SECRET_USER_OIDC_SECRET_VERSION=v1
 # HSTS Options
 # Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
diff --git a/README.md b/README.md
index 7478cd6..5be0370 100644
--- a/README.md
+++ b/README.md
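Review bot: The new `# SECRET_USER_OIDC_SECRET_VERSION=v1` line gives no hint that this secret is not generated but has to be supplied from the OIDC provider, while the neighbouring secrets carry a `# length=64 charset=default` annotation, so a reader of the sample alone cannot tell the difference. I would add a comment such as `# insert the client secret from your OIDC provider: abra app secret insert user_oidc_secret v1`, matching what the README hunk in this commit says. Likewise `# USER_OIDC_LOGIN_ONLY=false` could note that `true` sets `allow_multiple_user_backends` to 0 (per the abra.sh hunk), since that is the setting that can lock an operator out if enabled before the provider is confirmed working.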
@@ -188,6 +188,31 @@ We've been able to get this setup by using the [social login](https://apps.nextc
 If using Keycloak, you'll want to do [this trick](https://janikvonrotz.ch/2020/10/20/openid-connect-with-nextcloud-and-keycloak/) also.
+## How do I enable OpenID Connect (OIDC) providers?
+[user_oidc](https://github.com/nextcloud/user_oidc) is the recommended way to integrate Nextcloud with OIDC providers.
+
+Run `abra app config `
+
+Set the following envs:
+```env
+COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
+APPS="$APPS user_oidc"
+USER_OIDC_PROVIDER=example-provider # this has been tested with keycloak
+USER_OIDC_ID=example-client-id # get this from your oidc provider
+USER_OIDC_DISCOVERY_URI=example-oidc-provider.com/.well-known/openid-configuration # get this from your oidc provider
+USER_OIDC_END_SESSION_URI=example-oidc-provider.com/protocol/openid-connect/logout # get this from your oidc provider
+USER_OIDC_LOGIN_ONLY=false # set this to true to automatically redirect all logins to your oidc provider
+SECRET_USER_OIDC_SECRET_VERSION=v1
+```
+
+Then insert the client secret from your OIDC provider:
+```sh
+abra app secret insert user_oidc_secret v1
+```
+
+After you deploy (or redeploy), run the following to set up the user_oidc Nextcloud app:
+`abra app cmd app set_user_oidc`
+
 ## How can I customise the CSS?
 There is some basic stuff in the admin settings.
diff --git a/abra.sh b/abra.sh
index f4b12f2..af39f71 100644
--- a/abra.sh
+++ b/abra.sh
@@ -159,6 +159,23 @@ set_authentik() {
 run_occ 'config:system:set lost_password_link --value=disabled'
 }
+set_user_oidc() {
+ install_apps user_oidc
+ USER_OIDC_SECRET=$(cat /run/secrets/user_oidc_secret)
+ run_occ "user_oidc:provider \
+ --clientid=${USER_OIDC_ID} \
+ --clientsecret=${USER_OIDC_SECRET} \
+ --discoveryuri=${USER_OIDC_DISCOVERY_URI} \
+ --endsessionendpointuri=${USER_OIDC_END_SESSION_URI} \
+ --postlogouturi=https://${DOMAIN} \
+ --scope='openid email profile' \
+ ${USER_OIDC_PROVIDER}"
+ # disable non user_oidc login
+ if [[ ${USER_OIDC_LOGIN_ONLY:-false} = "true" ]]; then
+ run_occ "config:app:set --value=0 user_oidc allow_multiple_user_backends"
+ fi
+}
+
 disable_skeletondirectory() {
 run_occ "config:system:set skeletondirectory --value ''"
 }
diff --git a/compose.user_oidc.yml b/compose.user_oidc.yml
new file mode 100644
index 0000000..5ba64ca
--- /dev/null
+++ b/compose.user_oidc.yml
@@ -0,0 +1,10 @@
+version: "3.8"
+services:
+ app:
+ secrets:
+ - user_oidc_secret
+
+secrets:
+ user_oidc_secret:
+ external: true
+ name: ${STACK_NAME}_user_oidc_secret_${SECRET_USER_OIDC_SECRET_VERSION}
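Review bot: The secret read on the `USER_OIDC_SECRET=$(cat /run/secrets/user_oidc_secret)` line is unchecked, so if the secret file is missing or empty (for example when compose.user_oidc.yml was not added to COMPOSE_FILE) the provider is still registered with an empty `--clientsecret`. I would fail early instead: `local USER_OIDC_SECRET`, `USER_OIDC_SECRET=$(cat /run/secrets/user_oidc_secret) || return 1`, `: "${USER_OIDC_SECRET:?user_oidc_secret is empty}"`; declaring it `local` also keeps the secret out of the shell's global state once the function returns. The whole occ invocation, secret included, is handed to `run_occ` as one string, and how that helper splits and quotes it (including whether the inner `'openid email profile'` quotes survive) is defined outside this hunk, so it is worth confirming that a client ID or secret containing spaces or shell metacharacters is not mangled. set_user_oidc itself lies wholly within the hunk.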