By: Ronald R. user 06 May 2019 at 6:20 p.m. CDT

11 Responses

It seems like such a basic question that I'd rather not ask, however I've been searching everywhere and was unable to get this working. I've installed Gluu and Nextcloud with the Social login plugin on another server. I'm trying to authenticate my Nextcloud installation with my Gluu instance. Unfortunately I'm very new to Gluu and SSO in particular but I want to learn.

The NC addon is asking me for the following:

```
Authorize url
Token url
User info URL
Client Id
Client Secret
Scope
```

After searching the docs I came to the following which, unfortunately, seems wrong.

```
Authorize url: https://idp.hostname/oxauth/restv1/authorize
Token url: https://idp.hostname/oxauth/restv1/token
User info URL: blank
Client Id: Generated by Gluu
Client Secret: Generated by Gluu
Scope: email
```

As I want my users to log in with their email address I've set "scope" to email. This might, however, be the wrong method of achieving this.

In Gluu under OpenID Connect > Clients I created a new client with the following config:

```
OPENID CONNECT CLIENTS DETAILS
------------------------------
- **Name:** Nextcloud
- **Description:** Nextcloud
- **Client ID:** XXXXXXXXXXX
- **Subject Type:** public
- **Expirattion date:** Sat May 06 00:00:00 UTC 2119
- **ClientSecret:** XXXXXXXXXXX
- **Application Type:** web
- **Persist Client Authorizations:** true
- **Pre-Authorization:** true
- **Authentication method for the Token Endpoint:** client_secret_basic
- **Logout Session Required:** false
- **Include Claims In Id Token:** false
- **Disabled:** false
- **Login Redirect URIs:** [https://nextcloudserver/index.php/apps/sociallogin/custom_oidc/Gluu]
- **Scopes:** [email, openid, profile]
- **Grant types:** [authorization_code]
- **Response types:** [code]
```

When trying to log in to NC with the Social Login feature I'm presented with the following error:

```
{"error":"invalid_request_redirect_uri","error_description":"The redirect_uri in the Authorization Request does not match any of the Client's pre-registered redirect_uris.","state":"HA-S2TR5WI8VA9X0DGPUE643YMF1OJBZHCQNKL7"}
```

Anyone here that can help me out with the correct "Authorize" and "Token" URL, and anything else that might be wrong with this configuration? I'm also wondering how I would define a user's role/permission within Gluu in order to have effect on, for example, NC.

Thanks in advance for any guidance in, what must be, an easy matter.

By Ronald R. user 06 May 2019 at 6:45 p.m. CDT

After searching this forum some more I've changed my "Login redirect URI". This seems to have brought me one step closer. NC is currently presenting me with the following error message:

```
Unable to exchange code for API access token. HTTP error 401. Raw Provider API response: {"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."}.
```
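Added example, not part of the original posts and not Gluu or Nextcloud code: a small Python check for the two errors quoted above. It compares the `redirect_uri` in an authorization request against the registered list by exact string match, and shows how a `client_secret_basic` header is built so a token request can be checked against the method the client is registered for. The sample request, the function names and the sample secret are constructed assumptions; it does not establish which cause applied in this thread.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlsplit

# Registered value copied from the client details in the first post.
REGISTERED = ["https://nextcloudserver/index.php/apps/sociallogin/custom_oidc/Gluu"]
# Constructed sample request (not captured from the thread): path lacks /index.php.
SAMPLE_AUTH_REQUEST = (
    "https://idp.hostname/oxauth/restv1/authorize?response_type=code"
    "&client_id=XXXXXXXXXXX&scope=openid+email&state=constructed"
    "&redirect_uri=https%3A%2F%2Fnextcloudserver%2Fapps%2Fsociallogin%2Fcustom_oidc%2FGluu"
)

def redirect_uri_problems(auth_request_url, registered_uris):
    """Explain why the request's redirect_uri fails simple string comparison."""
    sent = parse_qs(urlsplit(auth_request_url).query).get("redirect_uri", [""])[0]
    if sent in registered_uris:
        return []
    problems = [f"{sent!r} does not exactly equal any registered URI"]
    for reg in registered_uris:
        for part in ("scheme", "netloc", "path", "query"):
            a, b = getattr(urlsplit(sent), part), getattr(urlsplit(reg), part)
            if a != b:
                problems.append(f"{part}: sent {a!r}, registered {b!r}")
    return problems

def client_secret_basic_header(client_id, client_secret):
    """RFC 6749 section 2.3.1: form-encode both values, join with ':', base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def token_auth_method(headers, form):
    """Classify how a token request presents the client credentials."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    return "client_secret_post" if "client_secret" in form else "none"

if __name__ == "__main__":
    for line in redirect_uri_problems(SAMPLE_AUTH_REQUEST, REGISTERED):
        print(line)
    # Constructed token request that sends the secret in the body instead.
    form = {"grant_type": "authorization_code", "client_secret": "constructed"}
    print("request uses:", token_auth_method({}, form),
          "| client registered for: client_secret_basic")
```
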

By Michael Schwartz Account Admin 07 May 2019 at 4:23 a.m. CDT

@Mohit.Mali can you dive into this? I'd really like to see the Nextcloud integration working. If it's not well documented, can you fix it?

By Mohit Mali staff 08 May 2019 at 6:04 a.m. CDT

Hi @Ronald R,

Thanks for reaching out to Gluu support. I will assist you with this issue. Let me figure out the Nextcloud integration with Gluu.

Are you following this documentation for the Gluu integration with Nextcloud?

https://gluu.org/docs/oxd/plugin/nextcloud/

https://www.youtube.com/watch?v=GmLexnQkig0

Thanks and Regards

Mohit Mali

By Mohit Mali staff 08 May 2019 at 7:58 a.m. CDT

Hi @Ronald R, may I know the Nextcloud version you are using?

By Ronald R. user 08 May 2019 at 5:26 p.m. CDT

Hi @Mohit.Mali,

Thanks for your reply. I'm running NC version 16 (latest). I have tried the NC plugin provided by Gluu, however it has only been tested against version 11 of NC, which I consider too old to be running on a soon to be production server.

Instead I've chosen to go with the Social Login plugin: https://apps.nextcloud.com/apps/sociallogin

This plugin is regularly updated and allows setting up login to an external OpenID Connect provider, in my case this would be the Gluu server.

Kind regards,
Ronald.

By Mohit Mali staff 09 May 2019 at 5:46 a.m. CDT

Hi @Ronald R,

I have just checked the plugin with NC version 16 (latest). It's working fine, so please use the Gluu plugin to connect with OpenID Connect. Please follow this document.

1. Installed Nextcloud 16.
2. Gluu server
3. oxd server

Follow the link and it will work, thanks.

https://gluu.org/docs/oxd/plugin/nextcloud/

By Michael Schwartz Account Admin 27 May 2020 at 9:28 a.m. CDT

Probably best to just use SAML. Gluu is not maintaining this plugin anymore.

By Philipp Zykov user 20 May 2021 at 2:09 p.m. CDT

Hello! I need to set up an integration between Gluu 4.0.1 and Nextcloud Hub 21. What do I need to use if the plugin is not maintained anymore? And if it's SAML, do you have a guide for such an integration? Thank you.

By Chee Chong Low Account Admin 20 Sep 2021 at 1:32 a.m. CDT

Just for the record, I have NextCloud successfully integrated with Gluu via *OpenID Connect*.

- Gluu Version: 4.2.3.Final
- NextCloud Version: 20.0.12
- OpenID Connect user backend Plugin Version: 1.1.0

====

I have the following setup in my environment:

![](https://i.ibb.co/rfs7LVG/ocub3.png)

1. Users are provisioned into MS Active Directory (AD)
2. Gluu has cache refresh configured that syncs users from AD
3. NextCloud has LDAP/AD Integration configured that syncs users from the same AD
4. ***sAMAccountName*** is the common attribute used

In Gluu, change `openidSubAttribute` (JSON Configuration > OxAuth Configuration) to **uid**

![](https://i.ibb.co/qrJyXVC/ocub4.png)

In NextCloud LDAP/AD Integration, navigate to *Expert* - *Override UUID detection*, add **sAMAccountName** to `UUID Attribute for Users`.

![](https://i.ibb.co/K6qtxHP/ocub2.png)

In NextCloud OpenID Connect user backend, ensure `Use unique user id` is disabled. Otherwise, a new NextCloud user will be created whenever an existing user logs in to NextCloud via OpenID Connect.

![](https://i.ibb.co/9bch0wT/ocub1.png)

By Chee Chong Low Account Admin 20 Sep 2021 at 1:43 a.m. CDT

By the way, make sure PHP version is up-to-date. See https://docs.nextcloud.com/server/latest/admin_manual/installation/system_requirements.html. Otherwise, you'll run into issue(s) executing OpenID Connect user backend Plugin.

By Michael Schwartz Account Admin 24 Sep 2021 at 1:46 p.m. CDT

This is super cool Chee Chong. You should write a blog about this! We also use NextCloud at Gluu, but we're using SAML. We should try out your solution.