Nextcloud

This guide explains how to set up Single Sign-On (SSO) between SmartLink and Nextcloud using the Social Login plugin with OpenID Connect.

Prerequisites

• Nextcloud version 20 or higher
• Administrator access to Nextcloud
• Application configured in SmartLink with OpenID Connect
• Social Login plugin installed on Nextcloud

Installing the Social Login plugin

Via the Nextcloud interface

1. Log in to Nextcloud as an administrator
2. Go to Settings → Apps
3. Search for "Social Login" in the Integration category
4. Click on Download and enable

Via the command line

cd /var/www/nextcloud
sudo -u www-data php occ app:install sociallogin
sudo -u www-data php occ app:enable sociallogin

Configuration in SmartLink

1. Create the application

1. Log in to SmartLink as an administrator
2. Go to Applications → Add
3. Search for "Nextcloud" or create a custom application
4. Configure the basic information:
   • Name: Nextcloud
   • URL: https://your-nextcloud.example.com
   • Icon: Choose the Nextcloud icon

2. Configure OpenID Connect

1. In the Authentication tab of the application
2. Select OpenID Connect as the authentication type
3. Note the following information:
   • Client ID: nextcloud-xxxxxx
   • Client Secret: secret-xxxxxx
   • Issuer URL: https://your-smartlink.link.vaultys.org/api/oidc/[appid]
   • App ID: [appid] (unique identifier of the application in SmartLink)

3. Configure Redirect URLs

In the Allowed Redirect URLs section, add:

https://your-nextcloud.example.com/apps/sociallogin/custom_oidc/smartlink

Note: The [appid] will be automatically generated when creating the application in SmartLink.

4. Configure Scopes

Ensure the following scopes are enabled:

• openid
• profile
• email
• groups (optional, for group synchronization)

Configuration in Nextcloud

1. Accessing Social Login settings

1. Log in to Nextcloud as an administrator
2. Go to Settings → Administration → Social login

2. General Configuration

In the General Settings section:

• ✅ Allow self-registration: Enable if you want to automatically create accounts
• ✅ Create a new account if it does not exist: Recommended
• ✅ Update user profile on each login: To synchronize information
• ⬜ Disable Nextcloud authentication: Keep disabled to maintain local admin access
• ✅ Allow login with email: To facilitate user access

Login button: Log in with SmartLink

3. Add a Custom OpenID Connect provider

Click on + Custom OpenID Connect and configure:

• Internal Identifier: smartlink
• Display Name: SmartLink SSO
• Authorization URL: https://your-smartlink.link.vaultys.org/api/oidc/[appid]/authorize
• Token URL: https://your-smartlink.link.vaultys.org/api/oidc/[appid]/token
• User Info URL: https://your-smartlink.link.vaultys.org/api/oidc/[appid]/userinfo
• Logout URL: https://your-smartlink.link.vaultys.org/logout
• Client ID: [Copy from SmartLink]
• Client Secret: [Copy from SmartLink]
• Scope: openid profile email groups

4. Attribute Mapping

User field mapping configuration:

• User ID: sub or email
• Display Name: name
• Email: email
• Quota: Leave blank or configure as needed
• Groups: groups (if using group synchronization)

5. Advanced Settings (optional)

• Default Groups: Automatically assigned Nextcloud groups
• Button on login page: Button style (0 = standard button)
• Allow only specific groups: List of allowed SmartLink groups

Advanced Configuration

Group Synchronization

To automatically synchronize SmartLink groups with Nextcloud:

1. In SmartLink, enable the groups scope for the application
2. In Nextcloud Social Login, configure group mapping:

   Group claim: groups
3. Enable "Create groups if not existing"

Automatic Provisioning with SCIM (optional)

For complete user and group provisioning, you can also configure SCIM:

1. Install the User provisioning app on Nextcloud
2. Configure SCIM in SmartLink (see SCIM guide)
3. Nextcloud SCIM URL: https://your-nextcloud.example.com/apps/scimserviceprovider

Configuration via Environment Variables

For automated deployments, you can configure Social Login via config.php:

'sociallogin' => [
    'auto_create_groups' => true,
    'update_profile_on_login' => true,
    'providers' => [
        'smartlink' => [
            'displayName' => 'SmartLink SSO',
            'apiBaseUrl' => 'https://your-smartlink.link.vaultys.org',
            'authorizeUrl' => 'https://your-smartlink.link.vaultys.org/api/oidc/[appid]/authorize',
            'tokenUrl' => 'https://your-smartlink.link.vaultys.org/api/oidc/[appid]/token',
            'userInfoUrl' => 'https://your-smartlink.link.vaultys.org/api/oidc/[appid]/userinfo',
            'logoutUrl' => 'https://your-smartlink.link.vaultys.org/logout',
            'clientId' => 'nextcloud-xxxxxx',
            'clientSecret' => 'secret-xxxxxx',
            'scope' => 'openid profile email groups',
            'userMapping' => [
                'id' => 'sub',
                'name' => 'name',
                'email' => 'email',
                'groups' => 'groups'
            ]
        ]
    ]
],

Configuration Testing

1. Connection Test

1. Log out of Nextcloud
2. On the login page, click on "Log in with SmartLink"
3. You should be redirected to SmartLink
4. Authenticate with your SmartLink credentials
5. You should be redirected back to Nextcloud and automatically logged in

2. User Information Verification

1. Go to Settings → Personal Information
2. Verify that the information is correctly synchronized:
   • Display name
   • Email address
   • Groups (if configured)

3. Logout Test

1. Click on your profile → Logout
2. Verify that you are also logged out of SmartLink

Troubleshooting

"Invalid redirect URI" Error

Issue: The redirect URL is not correctly configured

Solution:

1. Verify that the URL in SmartLink matches exactly:

   https://your-nextcloud.example.com/apps/sociallogin/custom_oidc/smartlink
2. Pay attention to the protocol (http vs https) and trailing slash

"Invalid client credentials" Error

Issue: Incorrect client credentials

Solution:

1. Check the Client ID and Client Secret in SmartLink
2. Ensure there are no extra spaces during copy-pasting
3. Regenerate the secret if necessary

Groups Not Synchronized

Issue: SmartLink groups are not appearing in Nextcloud

Solution:

1. Check that the groups scope is enabled in SmartLink
2. In Social Login, ensure that group mapping is configured: groups
3. Enable "Create groups if not existing"
4. Verify that the user belongs to groups in SmartLink

"Could not fetch user info" Error

Issue: Nextcloud cannot retrieve user information

Solution:

1. Check the UserInfo URL: https://your-smartlink.link.vaultys.org/api/oidc/[appid]/userinfo
2. Test the endpoint with curl:

   curl -H "Authorization: Bearer TOKEN" https://your-smartlink.link.vaultys.org/api/oidc/[appid]/userinfo
3. Check SmartLink logs for authorization errors

User Created but Unable to Login

Issue: Account is created but user cannot log back in

Solution:

1. Verify the user ID mapping (using sub is recommended)
2. Ensure the ID is unique and stable
3. Check Nextcloud logs:

   tail -f /var/www/nextcloud/data/nextcloud.log | grep sociallogin

Security

Recommendations

1. Mandatory HTTPS: Always use HTTPS for Nextcloud and SmartLink
2. Secure Secrets: Store the Client Secret securely
3. IP Restriction: If possible, limit access to OAuth endpoints by IP
4. Secret Rotation: Regularly change the Client Secret
5. Audit Logs: Enable and monitor authentication logs

Disabling Local Authentication

To enforce the use of SSO only:

1. In Social Login, enable "Disable Nextcloud authentication"
2. ⚠️ Caution: Always keep a local admin account for emergencies:

   sudo -u www-data php occ user:add admin --password-from-env

Resources

• Social Login Documentation
• Nextcloud Forum