OpenID Connect SSO with Kopano Meet and (for example) Nextcloud

By Felix Bartels on Wednesday, April 22nd 2020

This is a guest article from Felix Bartels originally posted on his blog.

While native support for OAuth has recently been removed from Cloudron, users can still use OAuth 2 and OpenID Connect (OIDC) to authorize users, thanks to the built-in OpenID Provider of the Kopano Meet app.

Under the hood Kopano Meet uses OpenID Connect to sign users into the application. This functionality is provided by Kopano Konnect, which is bundled inside the app and pre-configured to let Cloudron users log in. This article shows how to extend the configuration of Kopano Konnect so that other apps can make use of OpenID Connect as well.

Requirements:

  • Cloudron 5.1
  • Installation of the latest version of Kopano Meet
  • Nextcloud app

Nextcloud only serves as an example that most users will already be familiar with; any other app that allows login through OIDC can be configured in a similar way.

In the configuration snippets below I use the domain meet.9wd.eu for my Kopano Meet installation and cloud.9wd.eu for my Nextcloud installation. Make sure to substitute your actual domain names during the configuration.

Extending the configuration of Kopano Konnect

To modify the configuration of Konnect you need to log in to your Cloudron dashboard (usually available at https://my.your-domain.com) and open the terminal view of the Meet app (look for "Console Access" in the settings of Meet). There, open /app/data/konnectd-identifier-registration.yaml in an editor and append the following text to the end of the file:

- id: cloud.9wd.eu
  application_type: web
  name: Nextcloud Cloudron
  trusted: true
  redirect_uris:
  - https://cloud.9wd.eu/index.php/apps/sociallogin/custom_oidc/CloudronMeet

Important: the redirect URL must match the "internal name" specified during the social login configuration later on, since Konnect checks the redirect URI it receives against this list.

After the file has been modified, restart Konnect by running supervisorctl restart kopano-konnectd (alternatively the whole Meet app could be restarted, but restarting only Konnect is faster).

The rest of the configuration is done inside Nextcloud.

Configuring Nextcloud for SSO with OpenID Connect

To configure Nextcloud for OIDC you first need to log in with an admin-level user and install the "Social Login" app inside Nextcloud. After the app has been installed, go into its settings (located at https://cloud.9wd.eu/settings/admin/sociallogin) to configure it.

I recommend setting the following general configuration options in the app:

  • Disable auto create new users
  • Allow users to connect social logins with their account

This means that new users first need to log in through the "traditional" Nextcloud login and then, from within their user settings, link their OIDC login to Nextcloud. This is explained further once OIDC is set up in Nextcloud.

Further down in the settings, add your own "custom OpenID Connect" provider. You need to fill in the following values:

  • Internal name: CloudronMeet
    • Users won't see this name, but it needs to match the redirect_uris entry in konnectd-identifier-registration.yaml
  • Title: Kopano Konnect (Cloudron)
    • This is what the end user will see. The name should be something the user can relate to
  • Authorize url: https://meet.9wd.eu/signin/v1/identifier/_/authorize
    • Needs to match the domain the Meet app was installed on. Values can be retrieved from https://meet.9wd.eu/.well-known/openid-configuration
  • Token url: https://meet.9wd.eu/konnect/v1/token
  • User info URL (optional): https://meet.9wd.eu/konnect/v1/userinfo
  • Logout URL (optional): not required to be filled out
  • Client Id: cloud.9wd.eu
  • Client Secret: some-password
    • This value is not verified by the OpenID provider configuration above, but needs to be specified anyway
  • Scope: openid profile email konnect/hashed_sub
  • Groups claim (optional): I have left this empty
  • Button style: OpenID
  • Default group: None
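The Konnect client entry above and the Nextcloud provider fields have to agree with each other and with the provider's discovery document. The following added check (my own example, not code from Kopano, Nextcloud or the original post) compares the two sides; the discovery JSON is a constructed sample modelled on the endpoints named in the article, and the Social Login callback path is assumed from the redirect URI shown earlier.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what https://<meet-domain>/.well-known/openid-configuration
# returns; modelled on the endpoints named in the article, not a real capture.
DISCOVERY_JSON = """{
  "issuer": "https://meet.9wd.eu",
  "authorization_endpoint": "https://meet.9wd.eu/signin/v1/identifier/_/authorize",
  "token_endpoint": "https://meet.9wd.eu/konnect/v1/token",
  "userinfo_endpoint": "https://meet.9wd.eu/konnect/v1/userinfo"
}"""

# The konnectd-identifier-registration.yaml entry from the article, as a dict.
KONNECT_CLIENT = {
    "id": "cloud.9wd.eu",
    "application_type": "web",
    "trusted": True,
    "redirect_uris": ["https://cloud.9wd.eu/index.php/apps/sociallogin/custom_oidc/CloudronMeet"],
}

# The values typed into the Social Login "custom OpenID Connect" form.
NEXTCLOUD_PROVIDER = {
    "internal_name": "CloudronMeet",
    "authorize_url": "https://meet.9wd.eu/signin/v1/identifier/_/authorize",
    "token_url": "https://meet.9wd.eu/konnect/v1/token",
    "userinfo_url": "https://meet.9wd.eu/konnect/v1/userinfo",
    "client_id": "cloud.9wd.eu",
    "scope": "openid profile email konnect/hashed_sub",
}

def expected_redirect_uri(nextcloud_base, internal_name):
    """Callback path Social Login uses for a custom OIDC provider (assumed from the article)."""
    return f"{nextcloud_base.rstrip('/')}/index.php/apps/sociallogin/custom_oidc/{internal_name}"

def check_sso_config(discovery_json, client, provider, nextcloud_base):
    """Return a list of mismatches; an empty list means both sides agree."""
    disc, problems = json.loads(discovery_json), []
    # Konnect compares the redirect_uri it receives with this list, so the
    # internal name must be reproduced exactly (it is case-sensitive).
    want = expected_redirect_uri(nextcloud_base, provider["internal_name"])
    if want not in client.get("redirect_uris", []):
        problems.append(f"redirect_uri missing: {want}")
    if client["id"] != provider["client_id"]:
        problems.append("client_id differs from Konnect 'id'")
    for key, field in (("authorization_endpoint", "authorize_url"),
                       ("token_endpoint", "token_url"),
                       ("userinfo_endpoint", "userinfo_url")):
        if disc.get(key) != provider[field]:
            problems.append(f"{field} does not match discovery {key}")
    for field in ("authorize_url", "token_url", "userinfo_url"):
        u = urlparse(provider[field])  # every endpoint must be HTTPS on the issuer's host
        if u.scheme != "https" or u.netloc != urlparse(disc["issuer"]).netloc:
            problems.append(f"{field} is not an https URL on the issuer host")
    if "openid" not in provider["scope"].split():
        problems.append("scope must include 'openid'")
    return problems
```

Run it with your own domains substituted into the three constants before restarting Konnect; a non-empty list points at the field that would break the login.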

Once this is set up, log out with your admin user account and you will see another login button on the Nextcloud login page titled "Kopano Konnect (Cloudron)".

Linking your Nextcloud user to OIDC

Before users can use OIDC to log into Nextcloud, they need to link their existing Cloudron user to it. To do so, log into Nextcloud as you have done in the past and then open the settings of the user. There you will now find an option called "Social login" (the URL will be similar to https://cloud.9wd.eu/settings/user/sociallogin).

Users need to manually connect their existing Nextcloud account with the OIDC identity.

At this menu item you will find a section called "Available providers" with a button underneath that reads "Kopano Konnect (Cloudron)". Click this button once to link your Nextcloud account to your new OpenID identity. If you have not previously been logged into Meet, you will be asked for your credentials at this point (these are your normal Cloudron credentials).

Once your Nextcloud account has been linked, you can switch between Nextcloud and Kopano Meet without having to log in again.