Hi all - I am interested in setting up a few small community sites with discourse plus nextcloud for document and media content sharing. It would be lovely and preferable to have SSO with discourse as SSO provider. If anyone has succeeded in doing this and can share a recipe here on how to do it I’d appreciate it. Thanks!
The communities I am looking at creating are for my own geographically dispersed family, my neighborhood, and my son’s school.
I might also be interested in setting up a nextcloud for the organization I work for that already has an active community website. Though my organization’s community uses discourse, it uses wordpress as SSO auth now. Down the pike I’m also interested in flipping that around so we can benefit from features reliant on discourse as SSO auth.
Edit: this seems to be the page - I will be exploring this today and will let others know what I come up with if anything. Any guidance along the way much appreciated.
Nice! I see discourse is not provided as a “builtin oauth provider” for the social login app in nextcloud. There are various ways to set this up using discourse - how did you do it? Would you mind providing a recipe?
I see also the app allows you to inherit groups from the auth provider, which is pretty neat. I’d love to be able to do this with my discourse/nextcloud setup.
There are also other nextcloud apps that appear to be relevant here but I have not tested them all. There’s OpenID Connect Login app. A Discourse SSO app also exists, but appears to be outdated/untested.
Thanks, Patrick! I installed the app now again and see the “Custom Discourse” option. It’s not yet explained in the documentation which is why I thought nothing had changed. Also on the https://apps.nextcloud.com/apps/sociallogin page there is a link to a broken link on the nextcloud support forum, so I am struggling to figure out where to talk about this app with the developers.
I have it working now, but the biggest problem I am having is that I cannot figure out how to enable this to be the only method for logging in for all existing users by default.
Second biggest problem is that the user details are not carrying over correctly from discourse to nextcloud. New users created in nextcloud get an automatically generated username in the form [internal name]-[userid] so in the case of my site e.g. kb2-3797. The name is carried over, but other profile details have to be filled in again in nextcloud. Avatar is also not carried over.
I am also kind of wondering how the user will set up their username and password for the desktop or mobile client, when this is the only login method for the nextcloud web app. I guess they will have to know to go into their account prefs in the nextcloud web app to setup nextcloud login credentials.
Some other things I noticed:

- App settings are not reached via the apps section but via the administration settings sidebar. Took me a minute to find.
- There are three sections in the admin settings for the app, and the top and bottom sections have save buttons but the middle one (for custom providers) does not. It’s not clear which one to use to save custom discourse settings. Answer: they both work the same way.
- There are many app settings. These appear to work best for my setup:
  - disable auto create new users = allows new users to be created in nextcloud if they exist in discourse
  - create users with disabled account = do not disable newly created users
  - allow users to connect social logins with their account = lets existing users opt in to logging in via discourse (not able to figure out how to default to allowing users to log in via discourse)
  - update user profile every login = syncs discourse groups with nextcloud groups each time they log in (does not correctly sync username, name, bio and other profile info)
  - do not prune not available user groups on login (I don’t know what this does but enabled by default. I suspect it prevents removing the user from existing nextcloud groups if they are not mapped from discourse?)
  - automatically create groups if they do not exist = disabled because creates some fugly group names that replicate groups you do want (see below)
  - restrict login for users without mapped groups = disabled
  - restrict login for users without assigned groups = disabled
  - disable notify admins about new users = disabled because helpful for me to see when new nextcloud users are created
  - hide default login = encourages users to login via discourse though still possible to log in directly with the nextcloud username/email and password.
- I lost admin access immediately the first time I tried it, before creating group mappings. To get it back, I had to go to the command line and run occ group:adduser admin USERNAME
- Group mapping works super well! Most important was to add the mapping of admins → nextcloud admin so that admins in my forum have admin privs in nextcloud. I also was able to add mappings for groups used for secure categories, to also give access to secure folders in nextcloud related to those secure categories.
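To make the observations above concrete (the `[internal name]-[userid]` username, the group list that drives group mapping, and why a mismatched signature or stale login simply fails), here is an added, self-contained walk-through of the signed exchange that Discourse's SSO provider mode (DiscourseConnect) uses. This is example code written for this thread, not the sociallogin app's own implementation; the secret, provider name `kb2`, user record and URLs are constructed, and the assumption is that the app's "Custom Discourse" provider consumes this same exchange and derives the Nextcloud uid as `<provider name>-<external_id>`.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed shared secret. In a real deployment this is the value configured
# in Discourse's DiscourseConnect settings and in the Nextcloud provider config.
SECRET = b"constructed-example-secret"


def sign(payload_b64: str, secret: bytes = SECRET) -> str:
    """HMAC-SHA256 over the base64 payload, hex encoded (DiscourseConnect's 'sig')."""
    return hmac.new(secret, payload_b64.encode(), hashlib.sha256).hexdigest()


def build_login_request(return_sso_url: str, nonce: Optional[str] = None) -> dict:
    """Consumer side (the Nextcloud app): sso/sig parameters for the redirect to Discourse."""
    nonce = nonce or secrets.token_hex(16)
    query = urlencode({"nonce": nonce, "return_sso_url": return_sso_url})
    payload_b64 = base64.b64encode(query.encode()).decode()
    return {"nonce": nonce, "sso": payload_b64, "sig": sign(payload_b64)}


def simulate_discourse_response(sso: str, sig: str, user: dict) -> dict:
    """Provider side (Discourse), constructed for this example: verify the request,
    echo the nonce and attach the logged-in user's fields."""
    if not hmac.compare_digest(sign(sso), sig):
        raise ValueError("bad request signature")
    req = parse_qs(base64.b64decode(sso).decode())
    fields = {"nonce": req["nonce"][0], **user}
    resp_b64 = base64.b64encode(urlencode(fields).encode()).decode()
    return {"sso": resp_b64, "sig": sign(resp_b64)}


def verify_login_response(sso: str, sig: str, expected_nonce: str) -> dict:
    """Consumer side: constant-time signature check first, then nonce, then parse."""
    if not hmac.compare_digest(sign(sso), sig):
        raise ValueError("signature mismatch: response not produced with the shared secret")
    fields = {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}
    if fields.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: stale or replayed response")
    return fields


def nextcloud_identity(fields: dict, provider_name: str) -> dict:
    """Derive what the thread observed: uid <provider>-<external_id>, plus the
    comma-separated 'groups' field that group mapping operates on."""
    groups = [g for g in fields.get("groups", "").split(",") if g]
    return {
        "uid": f"{provider_name}-{fields['external_id']}",
        "name": fields.get("name", ""),
        "email": fields.get("email", ""),
        "avatar_url": fields.get("avatar_url", ""),
        "groups": groups,
        "is_admin": fields.get("admin") == "true",
    }


def demo() -> dict:
    """Round trip with a constructed Discourse user; returns the derived identity."""
    req = build_login_request("https://cloud.example.test/apps/sociallogin/custom_discourse/kb2")
    user = {  # constructed user record, shaped like DiscourseConnect's response fields
        "external_id": "3797", "username": "alice", "name": "Alice Example",
        "email": "alice@example.test", "groups": "admins,family", "admin": "true",
        "avatar_url": "https://forum.example.test/avatar.png",
    }
    resp = simulate_discourse_response(req["sso"], req["sig"], user)
    fields = verify_login_response(resp["sso"], resp["sig"], req["nonce"])
    return nextcloud_identity(fields, "kb2")


if __name__ == "__main__":
    print(demo())
```

The signature check uses `hmac.compare_digest` so the comparison does not leak timing, and the nonce is checked only after the signature passes, so an unsigned replay never gets as far as the nonce logic. Notice that `name`, `email`, `avatar_url` and `groups` all arrive in the same signed payload, which is why syncing them on every login is possible in principle even if the app currently only syncs groups.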
IMHO that’s the best way to implement it, since the id is used primarily internally and is not visible in many places to normal users.
Nextcloud has no easy way to rename users, but Discourse has. Renaming a user in Discourse could lead to some strange behavior with Nextcloud if the names don’t match any more.
You should use device passwords instead. The Nextcloud password could be different from the Discourse password, which would lead to confusion and skips the SSO.
I think these are general issues with the Nextcloud UI and not app specific.
Set the social_login_auto_redirect option to true as described in the config section if you want to hide the Nextcloud login completely.
Awesome! Thanks, Patrick! Really appreciate the guidance.
I’ve opened an issue over on github regarding my primary issue, which is that I’d like to make all users log in via discourse and currently cannot do it without giving the users instructions on how to switch over to discourse via the social login connect user preference.
I set social_login_auto_redirect now as you suggest and it will work well once everyone is set up to use discourse. As for now it works well for me personally but not for anyone else using these sites. They are not going to be allowed to log in.
I’m not 100% clear on what you mean by device passwords - I looked at the link you provided but the screenshots of user prefs on that page don’t look the same as my nextcloud instance. Maybe we’re on a different version? I am on 23.0.0, on the stable update channel. Or maybe there is an app I need to install?
The username, avatar and bio syncing is less urgent, though it would be nice to see it working properly. I don’t know why it shouldn’t be possible to update these details for the user upon each login. Maybe there are idiosyncrasies with nextcloud that don’t play nicely with discourse in this case. For instance, discourse only allows one user per email address while it appears I am able to create a second nextcloud user with the same email address unless I prevent it using the Prevent creating an account if the email address exists in another account admin setting. Ideally it would just automatically connect these accounts based on the email address.
I’m not sure if I understand your current problem correctly, but I assume that your problem is the existing users, which have no “connected social login account”. When all users are connected everything would be fine?
As you wrote already yourself, the email is not unique in Nextcloud and therefore cannot be used safely for user mapping.
When I switched to the sociallogin app, I connected the existing users with a simple SQL query. I exported the Discourse user list and inserted a mapping for the [internal name]-[userid] (e.g. kb2-3797) to the existing Nextcloud usernames into the sociallogin_connect table in the nextcloud database. What fields you use for mapping (e.g. username or email) depends on your setup.
The screenshot seems a little bit outdated, but I have a very similar table (including the “button to create a new device-specific password”) when I open /settings/user/security on my Nextcloud 23.0 stable instance. Can you post a screenshot of your page?
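As an added illustration of the one-off connect step described in this reply (not paroga's actual query, which is not shown in the thread), the script below builds the `[internal name]-[userid]` identifiers from a constructed Discourse user export and connects them to existing Nextcloud usernames. It matches on email, which is one of the options mentioned, and, because email is not unique in Nextcloud, it refuses to map any address that belongs to more than one account and reports it for manual handling instead. Assumptions: the connect table is modelled as `sociallogin_connect(uid, identifier)` in an in-memory SQLite database (the real table carries Nextcloud's `oc_` prefix and lives in the Nextcloud database); the provider name `kb2`, user lists and emails are all constructed.

```python
import csv
import io
import sqlite3

PROVIDER = "kb2"  # constructed internal provider name; identifiers are <provider>-<discourse id>

# Constructed Discourse user export (the real export has many more columns).
DISCOURSE_EXPORT = """id,username,email
3797,alice,alice@example.test
3801,bob,bob@example.test
3802,carol,carol@example.test
"""

# Constructed existing Nextcloud accounts as (uid, email); note the duplicate email.
NEXTCLOUD_USERS = [
    ("alice", "alice@example.test"),
    ("robert", "bob@example.test"),
    ("carol", "carol@example.test"),
    ("carol2", "carol@example.test"),
]


def create_schema(conn: sqlite3.Connection) -> None:
    # Assumption: a stand-in for the app's connect table; the UNIQUE constraint
    # makes the insert step safely rerunnable.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS sociallogin_connect ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, uid TEXT NOT NULL, identifier TEXT NOT NULL UNIQUE)"
    )


def plan_mappings(export_csv: str, nc_users, provider: str):
    """Return (mappings, problems). Emails held by several Nextcloud accounts are never auto-mapped."""
    by_email = {}
    for uid, email in nc_users:
        by_email.setdefault(email.lower(), []).append(uid)
    mappings, problems = [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        identifier = f"{provider}-{row['id']}"
        candidates = by_email.get(row["email"].lower(), [])
        if len(candidates) == 1:
            mappings.append((candidates[0], identifier))
        elif not candidates:
            problems.append(f"{identifier}: no Nextcloud account with email {row['email']}")
        else:
            problems.append(
                f"{identifier}: email {row['email']} belongs to accounts {candidates}; map manually"
            )
    return mappings, problems


def apply_mappings(conn: sqlite3.Connection, mappings) -> int:
    """Parameterized inserts; identifiers already connected are skipped. Returns rows inserted."""
    inserted = 0
    for uid, identifier in mappings:
        cur = conn.execute(
            "INSERT OR IGNORE INTO sociallogin_connect (uid, identifier) VALUES (?, ?)",
            (uid, identifier),
        )
        inserted += cur.rowcount
    conn.commit()
    return inserted


def run_demo() -> dict:
    """Plan, apply, and apply again to show the step is idempotent."""
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    mappings, problems = plan_mappings(DISCOURSE_EXPORT, NEXTCLOUD_USERS, PROVIDER)
    first = apply_mappings(conn, mappings)
    second = apply_mappings(conn, mappings)
    rows = conn.execute("SELECT uid, identifier FROM sociallogin_connect ORDER BY identifier").fetchall()
    return {"mappings": mappings, "problems": problems, "inserted": first, "rerun_inserted": second, "rows": rows}


if __name__ == "__main__":
    result = run_demo()
    for line in result["problems"]:
        print("SKIPPED:", line)
    print(result["rows"])
```

Running `plan_mappings` first and reviewing the `problems` list before `apply_mappings` is the dry run; on a real instance you would point the parameterized insert at the Nextcloud database and take a backup first, since a wrong row connects a Discourse identity to the wrong Nextcloud account.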
It will not take me long to fix my existing users - I only have a few of them on my site. But in terms of a long term, replicable solution that will work for everyone seeking to use discourse as auth provider to nextcloud, it seems that it would make sense to only allow one user per email address and to match them up automatically based on the email address. There should be no need for users to do anything to make this happen.
Here’s what my /settings/user/security page looks like.
Ok, that makes sense though the language is all a bit confusing. I think I get it now. For new users who have never logged in directly to nextcloud and want to install the app, they need to use the Create new app password button to create a new “app password” to use for it. This ideally would be one password per device but doesn’t have to be.
I’ll keep following up on github to see if I can help clarify the documentation and get some of the integration issues ironed out. But for now I’d say @paroga you have finally solved this support request from back in 2017!