document user_oidc setup

add command for initializing user_oidc
add env and secrets for user_oidc app
2026-03-12 09:56:53 -04:00 · 2026-03-11 15:55:53 -04:00 · 2026-03-11 15:55:26 -04:00
4 changed files with 60 additions and 0 deletions
--- a/.env.sample
+++ b/.env.sample
@ -93,6 +93,14 @@ DEFAULT_QUOTA="10 GB"
 #SECRET_TALK_TURN_SECRET_VERSION=v1 # length=64 charset=default
 #SECRET_TALK_SIGNALING_SECRET_VERSION=v1 # length=64 charset=default
 # COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
 # APPS="$APPS user_oidc"
 # USER_OIDC_PROVIDER=
 # USER_OIDC_ID=
 # USER_OIDC_DISCOVERY_URI=
 # USER_OIDC_END_SESSION_URI=
 # USER_OIDC_LOGIN_ONLY=false
 # SECRET_USER_OIDC_SECRET_VERSION=v1
 # HSTS Options
 # Uncomment this line to enable HSTS: https://docs.nextcloud.com/server/30/admin_manual/installation/harden_server.html
--- a/README.md
+++ b/README.md
@ -188,6 +188,31 @@ We've been able to get this setup by using the [social login](https://apps.nextc
 If using Keycloak, you'll want to do [this trick](https://janikvonrotz.ch/2020/10/20/openid-connect-with-nextcloud-and-keycloak/) also.
 ## How do I enable OpenID Connect (OIDC) providers?
 [user_oidc](https://github.com/nextcloud/user_oidc) is the recommended way to integrate Nextcloud with OIDC providers.
 Run `abra app config <app-name>`
 Set the following envs:
 ```env
 COMPOSE_FILE="$COMPOSE_FILE:compose.user_oidc.yml"
 APPS="$APPS user_oidc"
 USER_OIDC_PROVIDER=example-provider # this has been tested with keycloak
 USER_OIDC_ID=example-client-id # get this from your oidc provider
 USER_OIDC_DISCOVERY_URI=example-oidc-provider.com/.well-known/openid-configuration # get this from your oidc provider
 USER_OIDC_END_SESSION_URI=example-oidc-provider.com/protocol/openid-connect/logout # get this from your oidc provider
 USER_OIDC_LOGIN_ONLY=false # set this to true to automatically redirect all logins to your oidc provider
 SECRET_USER_OIDC_SECRET_VERSION=v1
 ```
 Then insert the client secret from your OIDC provider:
 ```sh
 abra app secret insert <app-name> user_oidc_secret v1 <client-secret from oidc provider>
 ```
 After you deploy (or redeploy), run the following to set up the user_oidc Nextcloud app:
 `abra app cmd <app-name> app set_user_oidc`
 ## How can I customise the CSS?
 There is some basic stuff in the admin settings.
--- a/abra.sh
+++ b/abra.sh
@ -159,6 +159,23 @@ set_authentik() {
    run_occ 'config:system:set lost_password_link --value=disabled'
 }
 set_user_oidc() {
    install_apps user_oidc
    USER_OIDC_SECRET=$(cat /run/secrets/user_oidc_secret)
    run_occ "user_oidc:provider \
            --clientid=${USER_OIDC_ID} \
            --clientsecret=${USER_OIDC_SECRET} \
            --discoveryuri=${USER_OIDC_DISCOVERY_URI} \
            --endsessionendpointuri=${USER_OIDC_END_SESSION_URI} \
            --postlogouturi=https://${DOMAIN} \
            --scope='openid email profile' \
            ${USER_OIDC_PROVIDER}"
    # disable non user_oidc login
    if [[ ${USER_OIDC_LOGIN_ONLY:-false} = "true" ]]; then
        run_occ "config:app:set --value=0 user_oidc allow_multiple_user_backends"
    fi
 }
 disable_skeletondirectory() {
    run_occ "config:system:set skeletondirectory --value ''"
 }
--- a/compose.user_oidc.yml
+++ b/compose.user_oidc.yml
@ -0,0 +1,10 @@
 version: "3.8"
 services:
  app:
    secrets:
      - user_oidc_secret
 secrets:
  user_oidc_secret:
    external: true
    name: ${STACK_NAME}_user_oidc_secret_${SECRET_USER_OIDC_SECRET_VERSION}
Author	SHA1	Message	Date
sorrel	ec5934e191	document user_oidc setup	2026-03-12 09:56:53 -04:00
sorrel	4c3f6fa14d	add command for initializing user_oidc	2026-03-11 15:55:53 -04:00
sorrel	eb3816b9c2	add env and secrets for user_oidc app	2026-03-11 15:55:26 -04:00