🚀 Feature: OIDC with Nextcloud #466

Closed
opened 2025-10-07 00:16:02 +03:00 by OVERLORD · 3 comments

Originally created by @breitero on GitHub.

Feature description

Tutorial for OIDC with Nextcloud

Pitch

I wrote to stonith404 for help with OIDC login in Nextcloud.
Here is what I got, so you can also use this as a tutorial.

Nextcloud: Install the app https://apps.nextcloud.com/apps/oidc_login and edit the config.php where you add the following lines:

```php
'allow_user_to_change_display_name' => false,
'lost_password_link' => 'disabled',
'oidc_login_provider_url' => 'https://pocket-id',
'oidc_login_client_id' => '<your_client_id>',
'oidc_login_client_secret' => '<your_secret>',
'oidc_login_auto_redirect' => true,
'oidc_login_button_text' => 'Log in with Pocket ID',
'oidc_login_hide_password_form' => false,
'oidc_login_use_id_token' => true,
'oidc_login_disable_registration' => true,
'oidc_login_scope' => 'openid profile email',
'oidc_login_attributes' =>
array (
  'id' => 'preferred_username',
  'name' => 'name',
  'mail' => 'email',
),
```

Pocket-ID:
The Callback-URL which you use in Pocket-ID is: https://nextcloud/apps/oidc_login/oidc

OVERLORD added the feature label 2025-10-07 00:16:02 +03:00

@EweSparky commented on GitHub:

@tarunkumar519 I used user_oidc (https://apps.nextcloud.com/apps/user_oidc) and configured it as such:

Pocket ID:

  • Callback URL: https://nextcloud.example.com/apps/user_oidc/code
  • Unselect PKCE; apparently user_oidc supports it but I keep getting an error with it
  • Add an extra claim to each user of username and their Nextcloud username

Nextcloud:

  • Set the identifier, client ID, and client secret from Pocket ID.
  • Discovery endpoint: https://pocketid.example.com/.well-known/openid-configuration
  • Scope: openid email profile
  • Extra claims: username
  • I unchecked all other settings except "Use group provisioning" and "Check Bearer token on API and WebDAV requests"

Edit your config.php file:

```php
'user_oidc' => [
	'auto_provision' => true, // default: true
	'soft_auto_provision' => true, // default: true
	'disable_account_creation' => true, // default: false
],
```

@tarunkumar519 commented on GitHub:

Hi, using the above flow, pocket-id keeps creating new users but does not link to old users with the same username or email. If I use 'oidc_login_disable_registration' => true, it won't create a new user but fails auth entirely. I already have users in Nextcloud with their own usernames and emails; how do I link to these with the same pocket-id emails? (Linking to pocket-id usernames is also fine.)

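As an added example (not Nextcloud's, user_oidc's or Pocket ID's code), here is a simplified Python model of what the tutorial's `oidc_login_attributes` mapping and `oidc_login_disable_registration` switch decide once an ID token arrives, and why an existing account is only linked when the claim mapped to `id` carries the existing Nextcloud username. The issuer/audience/expiry check, the claim values and the user list are constructed assumptions for illustration.

```python
import time

# Mapping from the tutorial's config.php: local field -> ID-token claim.
ATTRIBUTE_MAP = {"id": "preferred_username", "name": "name", "mail": "email"}
# Constructed: accounts that already exist in the Nextcloud instance.
EXISTING_USERS = {"alice", "bob"}

def validate_id_token(claims, issuer, client_id, now=None):
    """Checks a relying party applies to ID-token claims before using them:
    issuer, audience and expiry (signature verification is assumed done)."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"

def resolve_account(claims, attribute_map, existing_users, disable_registration):
    """Return ("link", uid) for an existing account, ("create", uid) when a
    fresh account would be provisioned, or ("reject", reason)."""
    uid = claims.get(attribute_map["id"])
    if not uid:
        return "reject", "id claim %r missing" % attribute_map["id"]
    if uid in existing_users:
        return "link", uid
    if disable_registration:
        return "reject", "no account %r and registration is disabled" % uid
    return "create", uid

def demo():
    # Constructed ID-token payload: the Pocket ID username differs from the
    # pre-existing Nextcloud username "alice", which an extra claim carries.
    claims = {"iss": "https://pocket-id", "aud": "<your_client_id>",
              "exp": time.time() + 300, "preferred_username": "alice.smith",
              "username": "alice", "email": "alice@example.com"}
    ok, _ = validate_id_token(claims, "https://pocket-id", "<your_client_id>")
    # preferred_username does not match -> duplicate account, or login fails
    # once registration is disabled.
    a = resolve_account(claims, ATTRIBUTE_MAP, EXISTING_USERS, False)
    b = resolve_account(claims, ATTRIBUTE_MAP, EXISTING_USERS, True)
    # Mapping 'id' to the extra claim holding the Nextcloud username links it.
    c = resolve_account(claims, dict(ATTRIBUTE_MAP, id="username"), EXISTING_USERS, True)
    return ok, a, b, c

if __name__ == "__main__":
    print(demo())
```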

@stonith404 commented on GitHub:

Thanks for sharing :)


Reference: starred/pocket-id#466