Has anyone succeeded in using discourse as sso provider for nextcloud? Share recipe?

Hi all - I am interested in setting up a few small community sites with discourse plus nextcloud for document and media content sharing. It would be lovely and preferable to have SSO with discourse as SSO provider. If anyone has succeeded in doing this and can share a recipe here on how to do it I’d appreciate it. Thanks! :seedling:

The communities I am looking at creating are for my own geographically dispersed family, my neighborhood, and my son’s school.

I might also be interested in setting up a nextcloud for the organization I work for that already has an active community website. Though my organization’s community uses discourse, it uses wordpress as SSO auth now. Down the pike I’m also interested in flipping that around so we can benefit from features reliant on discourse as SSO auth.

Edit: this seems to be the page - I will be exploring this today and will let others know what I come up with if anything. :slight_smile: Any guidance along the way much appreciated.

https://docs.nextcloud.com/server/11/admin_manual/configuration_server/sso_configuration.html

1 Like

I’ve quite the same use cases, where I want to use discourse as the SSO provider for nextcloud.

are there any updates on this?

2 Likes

Not that I am aware of. Could you ask at the nextcloud community?

it’s not a perfect implementation, but it does its job for me:

https://github.com/paroga/user_discourse

6 Likes

The Social login app has discourse support starting with version 4.10.

3 Likes

Nice! I see discourse is not provided as a “builtin oauth provider” for the social login app in nextcloud. There are various ways to set this up using discourse - how did you do it? Would you mind providing a recipe?

I see also the app allows you to inherit groups from the auth provider, which is pretty neat. I’d love to be able to do this with my discourse/nextcloud setup.

There are also other nextcloud apps that appear to be relevant here but I have not tested them all. There’s OpenID Connect Login app. A Discourse SSO app also exists, but appears to be outdated/untested.

As written in my post you need version 4.10. Then there is a “Custom Discourse” option in the settings of social login.

It has only OpenID Connect support, which is not provided by Discourse.

That’s for the other direction, if you want do login into Discourse with your Nextcloud account.

3 Likes

Thanks, Patrick! I installed the app now again and see the “Custom Discourse” option. It’s not yet explained in the documentation which is why I thought nothing had changed. Also on the https://apps.nextcloud.com/apps/sociallogin page there is a broken link to the nextcloud support forum, so I am struggling to figure out where to talk about this app with the developers.

I have it working now, but the biggest problem I am having is that I cannot figure out how to enable this to be the only method for logging in for all existing users by default.

Second biggest problem is that the user details are not carrying over correctly from discourse to nextcloud. New users created in nextcloud get an automatically generated username in the form [internal name]-[userid] so in the case of my site e.g. kb2-3797. The name is carried over, but other profile details have to be filled in again in nextcloud. Avatar is also not carried over.

I am also kind of wondering how the user will set up their username and password for the desktop or mobile client, when this is the only login method for the nextcloud web app. I guess they will have to know to go into their account prefs in the nextcloud web app to setup nextcloud login credentials.

Some other things I noticed:

  • app settings are not reached via the apps section but via the administration settings sidebar. took me a minute to find. :slight_smile:
  • there are three sections in the admin settings for the app, and the top and bottom sections have save buttons but the middle one (for custom providers) does not. It’s not clear which one to use to save custom discourse settings. Answer: they both work the same way.
  • there are many app settings. these appear to work best for my setup:
    • disable auto create new users = allows new users to be created in nextcloud if they exist in discourse
    • create users with disabled account = do not disable newly created users
    • allow users to connect social logins with their account = lets existing users opt in to logging in via discourse (:warning: not able to figure out how to default to allowing users to log in via discourse)
    • update user profile every login = syncs discourse groups with nextcloud groups each time they log in. (:warning: does not correctly sync username, name, bio and other profile info)
    • do not prune not available user groups on login (:warning: I don’t know what this does but enabled by default. I suspect it prevents removing the user from existing nextcloud groups if they are not mapped from discourse?)
    • automatically create groups if they do not exist = disabled because creates some fugly group names that replicate groups you do want (see below)
    • restrict login for users without mapped groups = disabled
    • restrict login for users without assigned groups = disabled
    • disable notify admins about new users = disabled because helpful for me to see when new nextcloud users are created
    • hide default login = encourages users to login via discourse though still possible to log in directly with the nextcloud username/email and password.
  • I lost admin access immediately the first time I tried it, before creating group mappings. To get it back, I had to go to the command line and run occ group:adduser admin USERNAME
  • group mapping works super well! Most important was to add the mapping of admins → nextcloud admin so that admins in my forum have admin privs in nextcloud. I also was able to add mappings for groups used for secure categories, to also give access to secure folders in nextcloud related to those secure categories.

Inching ever closer!

1 Like

I’d suggest GitHub.

IMHO that’s the best way to implement it, since the id is used primarily internally and not visible in many places to normal users.
Nextcloud has no easy way to rename users, but Discourse has. Renaming a user in Discourse could lead to some strange behavior with Nextcloud if the names don’t match any more.

The avatar_url from DiscourseConnect should get passed to Nextcloud and read there. If you want to pass the bio too, a few lines in the branch responsible for the profile updates should do the job.

You should use device passwords instead. The Nextcloud password could be different from the Discourse password, which would lead to confusion and skips the SSO.

I think these are general issues with the Nextcloud UI and not app specific.

Set the social_login_auto_redirect option to true as described in the config section if you want to hide the Nextcloud login completely.

2 Likes
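The replies above refer to several pieces of the DiscourseConnect exchange (the avatar_url field, the groups that get mapped to Nextcloud groups, the [internal name]-[userid] id the app derives) without showing the flow itself. The following is an added example, not code from the sociallogin app or from Discourse, that models what the consumer side (the Nextcloud app) has to do: build a signed request with a nonce, send the browser to the forum's /session/sso_provider endpoint, then verify the HMAC-SHA256 signature and nonce on the payload Discourse returns before trusting any of its fields. The forum URL, the secret, the return URL and the user record are constructed sample values; the "kb2" prefix rule follows the kb2-3797 form reported in this thread and is an assumption about the app, not its code.

```python
"""DiscourseConnect (Discourse as SSO provider) consumer flow, end to end.

Added example. Models the consumer side only; simulate_discourse_response
stands in for the forum so the whole exchange runs offline.
"""
import base64
import hashlib
import hmac
import urllib.parse

# constructed sample values; the secret must equal the forum's DiscourseConnect provider secret
SSO_SECRET = b"constructed-sample-secret"
FORUM_URL = "https://forum.example.test"


def sign(payload_b64: str, secret: bytes = SSO_SECRET) -> str:
    """HMAC-SHA256 over the base64 payload, hex encoded (the 'sig' parameter)."""
    return hmac.new(secret, payload_b64.encode(), hashlib.sha256).hexdigest()


def build_login_url(return_url: str, nonce: str, secret: bytes = SSO_SECRET) -> str:
    """Step 1: the URL the consumer redirects the user to.

    The nonce must be stored server-side (session) so the response can be
    tied back to this request and replays rejected.
    """
    payload = urllib.parse.urlencode({"nonce": nonce, "return_sso_url": return_url})
    payload_b64 = base64.b64encode(payload.encode()).decode()
    query = urllib.parse.urlencode({"sso": payload_b64, "sig": sign(payload_b64, secret)})
    return f"{FORUM_URL}/session/sso_provider?{query}"


def parse_response(sso: str, sig: str, expected_nonce: str, secret: bytes = SSO_SECRET) -> dict:
    """Steps 2-3: verify signature and nonce, then decode the user attributes.

    Raises ValueError on any integrity failure; a consumer must treat that as
    a failed login and must not read any field from an unverified payload.
    """
    if not hmac.compare_digest(sign(sso, secret), sig):
        raise ValueError("bad signature")
    fields = dict(urllib.parse.parse_qsl(base64.b64decode(sso).decode()))
    if not hmac.compare_digest(fields.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")
    # Discourse sends group names as one comma-separated string
    fields["groups"] = [g for g in fields.get("groups", "").split(",") if g]
    return fields


def simulate_discourse_response(user: dict, nonce: str, secret: bytes = SSO_SECRET) -> tuple:
    """Stand-in for the forum: the (sso, sig) pair it sends back to return_sso_url."""
    payload = urllib.parse.urlencode({"nonce": nonce, **user})
    sso = base64.b64encode(payload.encode()).decode()
    return sso, sign(sso, secret)


def nextcloud_uid(prefix: str, external_id: str) -> str:
    """Assumed derivation of the app's user id: '<internal name>-<discourse id>', e.g. kb2-3797."""
    return f"{prefix}-{external_id}"


if __name__ == "__main__":
    nonce = "constructed-nonce-1"
    print(build_login_url("https://cloud.example.test/sso-callback", nonce))
    sample_user = {  # constructed; field names are the ones Discourse's provider payload carries
        "external_id": "3797", "username": "alice", "email": "alice@example.test",
        "avatar_url": f"{FORUM_URL}/user_avatar/alice.png", "groups": "admins,staff", "admin": "true",
    }
    sso, sig = simulate_discourse_response(sample_user, nonce)
    fields = parse_response(sso, sig, nonce)
    print(nextcloud_uid("kb2", fields["external_id"]), fields["groups"], fields["avatar_url"])
```

The group list and avatar_url are available to the consumer from the same verified payload as the username, which is why syncing them on every login is a matter of the app reading those fields rather than a protocol limitation.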

Awesome! Thanks, Patrick! Really appreciate the guidance.

I’ve opened an issue over on github regarding my primary issue, which is that I’d like to make all users log in via discourse and currently cannot do it without giving the users instructions on how to switch over to discourse via the social login connect user preference.

I set social_login_auto_redirect now as you suggest and it will work well once everyone is set up to use discourse. :+1: As for now it works well for me personally but not for anyone else using these sites. They are not going to be allowed to log in. :sob:

I’m not 100% clear on what you mean by device passwords - I looked at the link you provided but the screenshots of user prefs on that page don’t look the same as my nextcloud instance. Maybe we’re on a different version? I am on 23.0.0, on the stable update channel. :thinking: Or maybe there is an app I need to install?

The username, avatar and bio syncing is less urgent, though it would be nice to see it working properly. I don’t know why it shouldn’t be possible to update these details for the user upon each login. Maybe there are idiosyncrasies with nextcloud that don’t play nicely with discourse in this case. For instance, discourse only allows one user per email address while it appears I am able to create a second nextcloud user with the same email address unless I prevent it using the Prevent creating an account if the email address exists in another account admin setting. Ideally it would just automatically connect these accounts based on the email address.

1 Like

I’m not sure if I understand your current problem correctly, but I assume that your problem is the existing users, which have no “connected social login account”. When all users are connected everything would be fine?

As you wrote already yourself, the email is not unique in Nextcloud and therefore cannot be used safely for user mapping.

When I switched to the sociallogin app, I connected the existing users with a simple SQL query. I exported the Discourse user list and inserted a mapping for the [internal name]-[userid] (e.g. kb2-3797) to the existing Nextcloud usernames into the sociallogin_connect table in the nextcloud database. What fields you use for mapping (e.g. username or email) depends on your setup.

The screenshot seems a little bit outdated, but I have a very similar table (including the “button to create a new device-specific password”) when I open /settings/user/security on my Nextcloud 23.0 stable instance. Can you post a screenshot of your page?

2 Likes
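The post above describes bulk-connecting existing accounts by inserting rows into the sociallogin_connect table, and also warns that email is not unique in Nextcloud. As an added example (not Patrick's query and not part of the sociallogin app), the script below takes a Discourse user export and a Nextcloud user list, maps them by email, refuses any email that matches zero or more than one Nextcloud account, and inserts the rest with a parameterised query. Assumptions, labelled in the code: the table is oc_sociallogin_connect (Nextcloud's default oc_ prefix) with columns uid (Nextcloud user id) and identifier (the [internal name]-[userid] value); the CSV columns and both user lists are constructed sample data, and the in-memory SQLite table is a stand-in for the real database.

```python
"""Bulk-connect existing Nextcloud users to their Discourse identities.

Added example. Table name and columns are assumptions stated in the lead-in;
check them against your own database before running anything like this.
"""
import csv
import io
import sqlite3

PROVIDER_PREFIX = "kb2"  # the custom provider's "internal name" from the sociallogin settings

# constructed stand-in for a Discourse user export (column names assumed)
DISCOURSE_EXPORT = """id,username,email
3797,alice,alice@example.test
4010,bob,bob@example.test
4022,carol,carol@example.test
"""

# constructed Nextcloud users as (uid, email); two accounts deliberately share bob's email
NEXTCLOUD_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("bob-old", "bob@example.test"),
    ("dave", "dave@example.test"),
]


def build_mappings(discourse_csv: str, nextcloud_users, prefix: str = PROVIDER_PREFIX):
    """Return (rows, skipped).

    rows: (uid, identifier) pairs that map one Discourse user to exactly one
    Nextcloud account. skipped: (email, matching uids) for emails with no
    account or with several, which must be resolved by hand rather than guessed.
    """
    by_email = {}
    for uid, email in nextcloud_users:
        by_email.setdefault(email.lower(), []).append(uid)
    rows, skipped = [], []
    for rec in csv.DictReader(io.StringIO(discourse_csv)):
        uids = by_email.get(rec["email"].lower(), [])
        if len(uids) != 1:
            skipped.append((rec["email"], uids))
            continue
        rows.append((uids[0], f"{prefix}-{rec['id']}"))
    return rows, skipped


def apply_mappings(conn, rows) -> int:
    """Insert the mappings with placeholders (never string-formatted SQL); return row count."""
    conn.executemany(
        "INSERT INTO oc_sociallogin_connect (uid, identifier) VALUES (?, ?)", rows)
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM oc_sociallogin_connect").fetchone()[0]


def demo():
    """Run the mapping against an in-memory stand-in for the connect table."""
    conn = sqlite3.connect(":memory:")
    # assumed shape of the app's table; UNIQUE on identifier stops one Discourse
    # user from being attached to two Nextcloud accounts
    conn.execute("CREATE TABLE oc_sociallogin_connect "
                 "(id INTEGER PRIMARY KEY, uid TEXT NOT NULL, identifier TEXT NOT NULL UNIQUE)")
    rows, skipped = build_mappings(DISCOURSE_EXPORT, NEXTCLOUD_USERS)
    count = apply_mappings(conn, rows)
    return rows, skipped, count


if __name__ == "__main__":
    rows, skipped, count = demo()
    print("inserted:", rows)
    print("needs manual review:", skipped)
    print("rows in table:", count)
```

Running it inserts only alice; bob is skipped because two Nextcloud accounts carry his email, and carol because none does. That is the practical consequence of the non-unique email field: an automatic email match is safe only where the match is unambiguous.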

It will not take me long to fix my existing users - I only have a few of them on my site. But in terms of a long term, replicable solution that will work for everyone seeking to use discourse as auth provider to nextcloud, it seems that it would make sense to only allow one user per email address and to match them up automatically based on the email address. There should be no need for users to do anything to make this happen.

Here’s what my /settings/user/security page looks like.

1 Like

There is a “Create new app password” right at the end of the page. There you can create new credentials for e.g. desktop clients.

2 Likes

Ok, that makes sense though the language is all a bit confusing. I think I get it now. For new users who have never logged in directly to nextcloud and want to install the app, they need to use the Create new app password button to create a new “app password” to use for it. This ideally would be one password per device but doesn’t have to be.

I’ll keep following up on github to see if I can help clarify the documentation and get some of the integration issues ironed out. But for now I’d say @paroga you have finally solved this support request from back in 2017! :partying_face:

1 Like

I think you can have a look at the tutorial I have written.

I use this function to connect my NextCloud to my Discourse.

1 Like