Getting OpenCloud to work with External SSO/OIDC (Authentik)

[patchmonkey]

I've been working at this a couple weeks now, and I've blown away the configurations and rebuilt them several times. I've tried multiple things and have read through the relevant docs several times, but it's been a real uphill struggle. I am trying to modify the opencloud_full example to do behave the following way:

• Remove Traefik (and instead use my already-running caddy reverse proxy
• Configure SSO/OIDC to point to my Authentik instance
• Run an LDAP container and autoprovision Authentik SSO logins

Here the furthest I can get:

I really appreciate any help or insight anyone can offer. I apologize for the wall of text below, I wanted to ensure I provided all or as much of the relevant configuration files I could...hopefully someone can spot my mistake. (p.s. I replaced my domain name with example.com)

docker-compose.yml

---
services:
  opencloud:
    image: ${OC_DOCKER_IMAGE:-opencloudeu/opencloud-rolling}:${OC_DOCKER_TAG:-latest}
    # changelog: https://github.com/opencloud-eu/opencloud/tree/main/changelog
    # release notes: https://docs.opencloud.eu/opencloud_release_notes.html
    networks:
      opencloud-net:
    ports:
      - "9200:9200"
    entrypoint:
      - /bin/sh
    # run opencloud init to initialize a configuration file with random secrets
    # it will fail on subsequent runs, because the config file already exists
    # therefore we ignore the error and then start the opencloud server
    command: ["-c", "opencloud init || true; opencloud server"]
    environment:
      # enable services that are not started automatically
      OC_ADD_RUN_SERVICES: ${START_ADDITIONAL_SERVICES}
      OC_URL: https://${OC_DOMAIN:-cloud.opencloud.test}
      OC_LOG_LEVEL: ${LOG_LEVEL:-info}
      OC_LOG_COLOR: "${LOG_PRETTY:-false}"
      OC_LOG_PRETTY: "${LOG_PRETTY:-false}"
      # do not use SSL between Traefik and OpenCloud
      PROXY_TLS: "false"
      # make the REVA gateway accessible to the app drivers
      GATEWAY_GRPC_ADDR: 0.0.0.0:9142
      # INSECURE: needed if OpenCloud / Traefik is using self generated certificates
      OC_INSECURE: "${INSECURE:-false}"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # admin user password
      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
      # demo users
      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
      # email server (if configured)
      NOTIFICATIONS_SMTP_HOST: "${SMTP_HOST}"
      NOTIFICATIONS_SMTP_PORT: "${SMTP_PORT}"
      NOTIFICATIONS_SMTP_SENDER: "${SMTP_SENDER:-OpenCloud notifications <notifications@${OC_DOMAIN:-cloud.opencloud.test}>}"
      NOTIFICATIONS_SMTP_USERNAME: "${SMTP_USERNAME}"
      NOTIFICATIONS_SMTP_PASSWORD: "${SMTP_PASSWORD}"
      NOTIFICATIONS_SMTP_INSECURE: "${SMTP_INSECURE}"
      NOTIFICATIONS_SMTP_AUTHENTICATION: "${SMTP_AUTHENTICATION}"
      NOTIFICATIONS_SMTP_ENCRYPTION: "${SMTP_TRANSPORT_ENCRYPTION:-none}"
      FRONTEND_ARCHIVER_MAX_SIZE: "10000000000"
      # make the registry available to the app provider containers
      MICRO_REGISTRY_ADDRESS: 127.0.0.1:9233
      NATS_NATS_HOST: 0.0.0.0
      NATS_NATS_PORT: 9233
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
      # these three vars are needed to the csp config file to include the web office apps and the importer
      COLLABORA_DOMAIN: ${COLLABORA_DOMAIN:-collabora.opencloud.test}
      COMPANION_DOMAIN: ${COMPANION_DOMAIN:-companion.opencloud.test}
      # enable to allow using the banned passwords list
      OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: banned-password-list.txt
      PROXY_ACCESS_TOKEN_VERIFY_METHOD: none
      PROXY_USER_CS3_CLAIM: "username"
      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
      PROXY_AUTOPROVISION_ACCOUNT: true
      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
      OC_OIDC_ISSUER: https://authentik.example.com/application/o/opencloud/
      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
      OC_ADMIN_USER_ID: "admin@example.com"
      PROXY_USER_OIDC_CLAIM: preferred_username # this depends on your setup
      PROXY_AUTOPROVISION_CLAIM_USERNAME: preferred_username
      SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "true"
      WEB_OIDC_SCOPE: openid profile email groups
      OC_EXCLUDE_RUN_SERVICES: idp,idm
      GRAPH_USERNAME_MATCH: none
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: true
    volumes:
      - ./config/opencloud/app-registry.yaml:/etc/opencloud/app-registry.yaml
      - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
      - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt
      # configure the .env file to use own paths instead of docker internal volumes
      - ${OC_CONFIG_DIR:-opencloud-config}:/etc/opencloud
      - ${OC_DATA_DIR:-opencloud-data}:/var/lib/opencloud
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

volumes:
  opencloud-config:
  opencloud-data:

.env

## Basic Settings ##
# Define the docker compose log driver used.
# Defaults to local
LOG_DRIVER=
# If you're on an internet facing server, comment out following line.
# It skips certificate validation for various parts of OpenCloud and is
# needed when self signed certificates are used.
INSECURE=true

## OIDC Settings ##
#PROXY_AUTOPROVISION_ACCOUNTS=true
#PROXY_ROLE_ASSIGNMENT_DRIVER="oidc"
#OC_OIDC_ISSUER=https://authentik.example.com/application/o/opencloud/
#PROXY_OIDC_REWRITE_WELLKNOWN="true"
#PROXY_USER_OIDC_CLAIM=preferred_username # this depends on your setup
#WEB_OIDC_SCOPE=openid profile email groups
#OC_EXCLUDE_RUN_SERVICES=idp
#GRAPH_USERNAME_MATCH=false
#GRAPH_ASSIGN_DEFAULT_USER_ROLE=false
## Traefik Settings ##
# Note: Traefik is always enabled and can't be disabled.
# Serve Traefik dashboard.
# Defaults to "false".
TRAEFIK_DASHBOARD=true
# Domain of Traefik, where you can find the dashboard.
# Defaults to "traefik.opencloud.test"
TRAEFIK_DOMAIN=traefik.example.com
# Basic authentication for the traefik dashboard.
# Defaults to user "admin" and password "admin" (written as: "admin:$2y$05$KDHu3xq92SPaO3G8Ybkc7edd51pPLJcG1nWk3lmlrIdANQ/B6r5pq").
# To create user:password pair, it's possible to use this command:
# echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g
TRAEFIK_BASIC_AUTH_USERS=
# Email address for obtaining LetsEncrypt certificates.
# Needs only be changed if this is a public facing server.
TRAEFIK_ACME_MAIL=
# Set to the following for testing to check the certificate process:
# "https://acme-staging-v02.api.letsencrypt.org/directory"
# With staging configured, there will be an SSL error in the browser.
# When certificates are displayed and are emitted by # "Fake LE Intermediate X1",
# the process went well and the envvar can be reset to empty to get valid certificates.
TRAEFIK_ACME_CASERVER=


## OpenCloud Settings ##
# Beside Traefik, this service must stay enabled.
# Disable only for testing purposes.
# Note: the leading colon is required to enable the service.
#OPENCLOUD=:opencloud.yml
# The opencloud container image.
# For production releases: "opencloudeu/opencloud"
# For rolling releases:    "opencloudeu/opencloud-rolling"
# Defaults to production if not set otherwise
OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
# The openCloud container version.
# Defaults to "latest" and points to the latest stable tag.
OC_DOCKER_TAG=
# Domain of openCloud, where you can find the frontend.
# Defaults to "cloud.opencloud.test"
OC_DOMAIN=cloud.example.com
# openCloud admin user password. Defaults to "admin".
ADMIN_PASSWORD=redacted
# Demo users should not be created on a production instance,
# because their passwords are public. Defaults to "false".
# If demo users is set to "true", the following user accounts are created automatically:
# alan, mary, margaret, dennis and lynn - the password is 'demo' for all.
DEMO_USERS=
# Define the openCloud loglevel used.
#
LOG_LEVEL=
# Define the kind of logging.
# The default log can be read by machines.
# Set this to true to make the log human readable.
# LOG_PRETTY=true
#
# Define the openCloud storage location. Set the paths for config and data to a local path.
# Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
# This matches the default user inside the container and avoids permission issues when accessing files.
# Note that especially the data directory can grow big.
# Leaving it default stores data in docker internal volumes.
# OC_CONFIG_DIR=/your/local/opencloud/config
# OC_DATA_DIR=/your/local/opencloud/data

# S3 Storage configuration - optional
# OpenCloud supports S3 storage as primary storage.
# Per default, S3 storage is disabled and the decomposed storage driver is used.
# To enable S3 storage, uncomment the following line and configure the S3 storage.
# For more details see:
# https://docs.opencloud.eu/docs/admin/configuration/storage-decomposeds3
# Note: the leading colon is required to enable the service.
#DECOMPOSEDS3=:decomposeds3.yml
# Configure the S3 storage endpoint. Defaults to "http://minio:9000" for testing purposes.
DECOMPOSEDS3_ENDPOINT=
# S3 region. Defaults to "default".
DECOMPOSEDS3_REGION=
# S3 access key. Defaults to "opencloud"
DECOMPOSEDS3_ACCESS_KEY=
# S3 secret. Defaults to "opencloud-secret-key"
DECOMPOSEDS3_SECRET_KEY=
# S3 bucket. Defaults to "opencloud"
DECOMPOSEDS3_BUCKET=
#
# For testing purposes, add local minio S3 storage to the docker-compose file.
# The leading colon is required to enable the service.
#DECOMPOSEDS3_MINIO=:minio.yml
# Minio domain. Defaults to "minio.opencloud.test".
MINIO_DOMAIN=

# OpenCloud uses POSIX storage as the default primary storage.
# By default, Decomposed storage is disabled, and the POSIX storage driver is used.
# To enable Decomposed storage, uncomment the following line.
# Note: the leading colon is required to enable the service.
#DECOMPOSED=:decomposed.yml

# Define SMTP settings if you would like to send OpenCloud email notifications.
#
# NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details.
# SMTP host to connect to.
SMTP_HOST=
# Port of the SMTP host to connect to.
SMTP_PORT=
# An eMail address that is used for sending OpenCloud notification eMails
# like "opencloud notifications <noreply@yourdomain.com>".
SMTP_SENDER=
# Username for the SMTP host to connect to.
SMTP_USERNAME=
# Password for the SMTP host to connect to.
SMTP_PASSWORD=
# Authentication method for the SMTP communication.
SMTP_AUTHENTICATION=
# Encryption method for the SMTP communication. Possible values are 'starttls', 'ssltls' and 'none'
SMTP_TRANSPORT_ENCRYPTION=
# Allow insecure connections to the SMTP server. Defaults to false.
SMTP_INSECURE=

# Addititional services to be started on opencloud startup
# The following list of services is not startet automatically and must be
# manually defined for startup:
# IMPORTANT: The notification service is MANDATORY, do not delete!
# IMPORTANT: Add any services to the startup list comma separated like "notifications,antivirus" etc.
START_ADDITIONAL_SERVICES="notifications"


## openCloud Web Extensions ##
# It is possible to use the openCloud Web Extensions to add custom functionality to the openCloud frontend.
# For more details see https://github.com/opencloud-eu/web-extensions/blob/main/README.md
# Note: the leading colon is required to enable the service.
# Enable this to create a new named volume
EXTENSIONS=:web_extensions/extensions.yml
# Enable the desired extensions by uncommenting the following lines.
# Note: the leading colon is required to enable the service.
# Note: if you want to remove a web extension, you must delete the opencloud-apps volume. It will be properly recreated on docker compose startup.
UNZIP=:web_extensions/unzip.yml
DRAWIO=:web_extensions/drawio.yml
JSONVIEWER=:web_extensions/jsonviewer.yml
PROGRESSBARS=:web_extensions/progressbars.yml
EXTERNALSITES=:web_extensions/externalsites.yml
# External Sites needs additional config, see the following files for more details.
# - config/opencloud/apps.yaml
# - config/opencloud/csp.yaml
#IMPORTER=:web_extensions/importer.yml
# The importer needs additional config, see the following lines for more details.
## The docker image to be used for uppy companion.
COMPANION_IMAGE=
# Domain of Uppy Companion. Defaults to "companion.opencloud.test".
COMPANION_DOMAIN=
# Provider settings, see https://uppy.io/docs/companion/#provideroptions for reference.
# Empty by default, which disables providers.
COMPANION_ONEDRIVE_KEY=
COMPANION_ONEDRIVE_SECRET=


## Default Enabled Services ##

### Apache Tika Content Analysis Toolkit ###
# Tika (search) is disabled by default due to performance reasons.
# Note: the leading colon is required to enable the service.
#TIKA=:tika.yml
# Set the desired docker image tag or digest.
# Defaults to "latest"
TIKA_IMAGE=

### IMPORTANT Note for Online Office Apps ###
# To avoid app interlocking issues, you should select only one app to be active/configured.
# This is due the fact that there is currently no app interlocking for the same file and one
# has to wait for a lock release to open the file with another app.

### Collabora Settings ###
# Collabora web office is default enabled, comment if not required.
# Note: the leading colon is required to enable the service.
COLLABORA=:collabora.yml
# Domain of Collabora, where you can find the frontend.
# Defaults to "collabora.opencloud.test"
COLLABORA_DOMAIN=collabora.example.com
# Domain of the wopiserver which handles Collabora.
# Defaults to "wopiserver.opencloud.test"
WOPISERVER_DOMAIN=wopiserver.example.com
# Admin user for Collabora.
# Defaults to "admin".
# Collabora Admin Panel URL:
# https://{COLLABORA_DOMAIN}/browser/dist/admin/admin.html
COLLABORA_ADMIN_USER=
# Admin password for Collabora.
# Defaults to "admin".
COLLABORA_ADMIN_PASSWORD=
# Set to true to enable SSL handling in Collabora Online, this is only required if you are not using a reverse proxy.
# Default is true if not specified.
COLLABORA_SSL_ENABLE=false
# If you're on an internet-facing server, enable SSL verification for Collabora Online.
# Please comment out the following line:
COLLABORA_SSL_VERIFICATION=false


## Supplemental Configurations ##
# If you want to use supplemental configurations,
# you need to uncomment lines containing :path/file.yml
# and configure the service as required.


### Debugging - Monitoring ###
# Note: the leading colon is required to enable the service.
#MONITORING=:monitoring_tracing/monitoring.yml


### Virusscanner Settings ###
# IMPORTANT: If you enable antivirus, you also MUST configure the START_ADDITIONAL_SERVICES
# envvar in the OpenCloud Settings above by adding 'antivirus' to the list.
# Note: the leading colon is required to enable the service.
#CLAMAV=:clamav.yml
# The maximum scan size the virus scanner can handle, needs adjustment in the scanner config as well.
# Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
# Defaults to "100MB"
#ANTIVIRUS_MAX_SCAN_SIZE=
# Usable modes: partial, skip.
# Defaults to "partial"
#ANTIVIRUS_MAX_SCAN_SIZE_MODE=
# Image version of the ClamAV container.
# Defaults to "latest"y
CLAMAV_DOCKER_TAG=


### Inbucket Settings ###
# Inbucket is a mail catcher tool for testing purposes.
# DO NOT use in Production.
# Note: the leading colon is required to enable the service.
#INBUCKET=:inbucket.yml
# email server (in this case inbucket acts as mail catcher).
# Domain for Inbucket. Defaults to "mail.opencloud.test".
INBUCKET_DOMAIN=

### Compose Configuration ###
# Path separator for supplemental compose files specified in COMPOSE_FILE.
COMPOSE_PATH_SEPARATOR=:

### Ldap Settings ###
# LDAP is always needed for OpenCloud to store user data as there is no relational database.
# The built-in LDAP server should used for testing purposes or small installations only.
# For production installations, it is recommended to use an external LDAP server.
# We are using OpenLDAP as the default LDAP server because it is proven to be stable and reliable.
# This LDAP configuration is known to work with OpenCloud and provides a blueprint for
# configuring an external LDAP server based on other products like Microsoft Active Directory or other LDAP servers.
#
# Note: the leading colon is required to enable the service.
LDAP=:ldap.yml
# Password of LDAP user "cn=admin,dc=opencloud,dc=eu". Defaults to "admin"
LDAP_ADMIN_PASSWORD=
# LDAP manager
# login with uid ldapadmin and password
#LDAP_MANAGER=:../shared/config/ldap/docker-compose.yml
# LDAP manager domain. Defaults to "ldap.opencloud.test"
LDAP_MANAGER_DOMAIN=
### Keycloak Settings ###
# Keycloak is an open-source identity and access management solution.
# We are using Keycloak as the default identity provider on production installations.
# It can be used to federate authentication with other identity providers like
# Microsoft Entra ID, ADFS or other SAML/OIDC providers.
# The use of Keycloak as bridge between OpenCloud and other identity providers creates more control over the
# authentication process, the allowed clients and the session management.
# Keycloak also manages the Role Based Access Control (RBAC) for OpenCloud.
# Keycloak can be used in two different modes:
# 1. Autoprovisioning: New are automatically created in openCloud when they log in for the first time.
# 2. Shared User Directory: Users are created in Keycloak and can be used in OpenCloud immediately
# because the LDAP server is connected to both Keycloak and OpenCloud.
# Note: the leading colon is required to enable the service.
#KEYCLOAK=:keycloak.yml
# Domain for Keycloak. Defaults to "keycloak.opencloud.test".
KEYCLOAK_DOMAIN=
# Realm which to be used with OpenCloud. Defaults to "OpenCloud"
KEYCLOAK_REALM=
# Admin user login name. Defaults to "admin"
KEYCLOAK_ADMIN_USER=
# Admin user login password. Defaults to "admin"
KEYCLOAK_ADMIN_PASSWORD=
# Autoprovisioning mode. Defaults to "true"
AUTOPROVISIONING=:autoprovisioning.yml

### Radicale Setting ###
# Radicale is a small open-source CalDAV (calendars, to-do lists) and CardDAV (contacts) server.
# When enabled OpenCloud is configured as a reverse proxy for Radicale, providing all authenticated
# OpenCloud users access to a Personal Calendar and Addressbook
RADICALE=:radicale.yml
# Docker image to use for the Radicale Container
RADICALE_DOCKER_IMAGE=opencloudeu/radicale
# Docker tag to pull for the Radicale Container
RADICALE_DOCKER_TAG=latest
# Define the storage location for the Radicale data. Set the path to a local path.
# Ensure that the configuration and data directories are owned by the user and group with ID 1000:1000.
# This matches the default user inside the container and avoids permission issues when accessing files.
# Leaving it default stores data in docker internal volumes.
RADICALE_DATA_DIR=/naspool/opencloud/radicale/
#TRAEFIK=docker-compose.yml
## IMPORTANT ##
# This MUST be the last line as it assembles the supplemental compose files to be used.
# ALL supplemental configs must be added here, whether commented or not.
# Each var must either be empty or contain :path/file.yml
COMPOSE_FILE=docker-compose.yml${TRAEFIK:-}${OPENCLOUD:-}${TIKA:-}${DECOMPOSEDS3:-}${DECOMPOSEDS3_MINIO:-}${DECOMPOSED:-}${COLLABORA:-}${MONITORING:-}${IMPORTER:-}${CLAMAV:-}${INBUCKET:-}${EXTENSIONS:-}${UNZIP:-}${DRAWIO:-}${JSONVIEWER:-}${PROGRESSBARS:-}${EXTERNALSITES:-}${KEYCLOAK:-}${LDAP:-}${AUTOPROVISIONING:-}${LDAP_MANAGER:-}${RADICALE:-}

ldap.yaml

---
services:
#  traefik:
#    networks:
#      opencloud-net:

  opencloud:
    environment:
      # Ldap IDP specific configuration
      OC_LDAP_URI: ldaps://ldap-server:1636
      OC_LDAP_INSECURE: "true"
      OC_LDAP_BIND_DN: "cn=admin,dc=opencloud,dc=eu"
      OC_LDAP_BIND_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
      OC_LDAP_GROUP_BASE_DN: "ou=groups,dc=opencloud,dc=eu"
      OC_LDAP_GROUP_SCHEMA_ID: "entryUUID"
      OC_LDAP_USER_BASE_DN: "ou=users,dc=opencloud,dc=eu"
      OC_LDAP_USER_FILTER: "(objectclass=inetOrgPerson)"
      OC_LDAP_USER_SCHEMA_ID: "entryUUID"
      OC_LDAP_DISABLE_USER_MECHANISM: "none"
      GRAPH_LDAP_SERVER_UUID: "false"
      GRAPH_LDAP_GROUP_CREATE_BASE_DN: "ou=custom,ou=groups,dc=opencloud,dc=eu"
      GRAPH_LDAP_REFINT_ENABLED: "true" # osixia has refint enabled.
      FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments"
      OC_LDAP_SERVER_WRITE_ENABLED: "false" # assuming the external ldap is not writable
      # OC_RUN_SERVICES specifies to start all services except glauth, idm and accounts. These are replaced by external services
      #OC_EXCLUDE_RUN_SERVICES: idm

  ldap-server:
    image: bitnami/openldap:2.6
    networks:
      opencloud-net:
    entrypoint: ["/bin/sh", "/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh", "/opt/bitnami/scripts/openldap/run.sh" ]
    environment:
      BITNAMI_DEBUG: true
      LDAP_TLS_VERIFY_CLIENT: never
      LDAP_ENABLE_TLS: "yes"
      LDAP_TLS_CA_FILE: /opt/bitnami/openldap/share/openldap.crt
      LDAP_TLS_CERT_FILE: /opt/bitnami/openldap/share/openldap.crt
      LDAP_TLS_KEY_FILE: /opt/bitnami/openldap/share/openldap.key
      LDAP_ROOT: "dc=opencloud,dc=eu"
      LDAP_ADMIN_PASSWORD: ${LDAP_ADMIN_PASSWORD:-admin}
    ports:
      - "389:1389"
      - "636:1636"
    volumes:
      - ./config/ldap/ldif:/ldifs
      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
      - ldap-certs:/opt/bitnami/openldap/share
      - ldap-data:/bitnami/openldap
    logging:
      driver: ${LOG_DRIVER:-local}
    restart: always

volumes:
  ldap-certs:
  ldap-data:

networks:
  opencloud-net:

proxy.yaml

# This adds four additional routes to the proxy. Forwarding
# request on '/carddav/', '/caldav/' and the respective '/.well-knwown'
# endpoints to the radicale container and setting the required headers.
additional_policies:
  - name: default
    routes:
      - endpoint: /caldav/
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        skip_x_access_token: true
        additional_headers:
          - X-Script-Name: /caldav
      - endpoint: /.well-known/caldav
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        skip_x_access_token: true
        additional_headers:
          - X-Script-Name: /caldav
      - endpoint: /carddav/
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        skip_x_access_token: true
        additional_headers:
          - X-Script-Name: /carddav
      - endpoint: /.well-known/carddav
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        skip_x_access_token: true
        additional_headers:
          - X-Script-Name: /carddav
# To enable the radicale web UI add this rule.
# "unprotected" is True because the Web UI itself ask for
# the password.
# Also set "type" to "internal" in the config/radicale/config
#      - endpoint: /caldav/.web/
#        backend: http://radicale:5232/
#        unprotected: true
#        skip_x_access_token: true
#        additional_headers:
#          - X-Script-Name: /caldav
role_assignment:
    driver: oidc
    oidc_role_mapper:
        role_claim: groups
        role_mapping:
            - role_name: admin    # Opencloud role name
              claim_value: admins # Authentik group name

autoprovisioning.yaml

services:
  opencloud:
    environment:
      # Keycloak IDP specific configuration for auto-provisioning
      OC_LDAP_SERVER_WRITE_ENABLED: "true"
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      FRONTEND_READONLY_USER_ATTRIBUTES: "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.memberOf"
  ldap-server:
    volumes:
      # Use an empty named volume to overwrite the inherited values
      - empty-dir:/ldifs
      # Only use the base ldif file to create the base structure
      - ./config/ldap/ldif/10_base.ldif:/ldifs/10_base.ldif
      # Use the custom schema from opencloud because we are in full control of the ldap server
      - ../shared/config/ldap/schemas/10_opencloud_schema.ldif:/schemas/10_opencloud_schema.ldif
      - ./config/ldap/docker-entrypoint-override.sh:/opt/bitnami/scripts/openldap/docker-entrypoint-override.sh
      - ldap-certs:/opt/bitnami/openldap/share
      - ldap-data:/bitnami/openldap
volumes:
  empty-dir:

[micbar]

Hi @patchmonkey

I see that many people have issues, especially with Authentik. It seems, that Authentik is somehow implementing OIDC in a different way.

Please be aware of that discussion opencloud-eu/desktop#246
That leads to that upstream issue goauthentik/authentik#7251

Impact on this use case

It seems that Authentik creates its own Issuer per client. In your case I see https://authentik.example.com/application/o/opencloud/

Is opencloud the client ID for your configuration? Then you need to set WEB_OIDC_CLIENT_ID: opencloud on your opencloud container.

BUT: This leads to a new problem. If you add more clients like Desktop and iOS you may run into opencloud-eu/desktop#246

[micbar]

I can help you if you would like to post the logs.

Please only send me the logs from opencloud container exactly for the moment when you click the login button.

That would be really helpful.

[patchmonkey]

Thank you, and sure. I only grabbed the logs from the "openoffice-openoffice-1" container:

{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"56bc8213acb8/M9fXucGlvc-000035","traceid":"4c588e14446dd64a810daf08ed07b728","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/","duration":0.874205,"bytes":3290,"time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"39290164-a0ba-4303-a120-9be67ba94b54","traceid":"469ce7d5dc2fe972a55d30c78940bcbd","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/config.json","duration":0.339066,"bytes":542,"time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"dbe8dfc4-f74b-415c-80fd-36c58f5a5cec","traceid":"e62de14360c46bf301f2ac107f47aa11","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/themes/opencloud/theme.json","duration":0.555365,"bytes":5493,"time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"frontend","pkg":"rhttp","traceid":"19576fbc6a1c902f908cc95a149fb451","time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/reva/v2@v2.29.3/internal/http/interceptors/auth/auth.go:195","message":"skipping auth check for: /app/list"}
{"level":"warn","service":"frontend","pkg":"rhttp","traceid":"19576fbc6a1c902f908cc95a149fb451","time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/reva/v2@v2.29.3/internal/http/interceptors/auth/auth.go:248","message":"core access token not set"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"222a98de-df1c-4f97-9d14-e65d95291e6b","traceid":"610b71ccace3880cfe856add302858f1","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/app/list","duration":0.873711,"bytes":17,"time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is unverifiable: error while executing keyfunc: the JWT has an invalid kid: could not find kid in JWT header","authenticator":"oidc","path":"/ocs/v1.php/cloud/capabilities","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","client.address":"192.168.1.50","network.peer.address":"","network.peer.port":"","time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
{"level":"info","service":"frontend","pkg":"rhttp","traceid":"20dc9c4ed420d73f2dcab2bc87897d09","time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/reva/v2@v2.29.3/internal/http/interceptors/auth/auth.go:195","message":"skipping auth check for: /ocs/v1.php/cloud/capabilities"}
{"level":"warn","service":"frontend","pkg":"rhttp","traceid":"20dc9c4ed420d73f2dcab2bc87897d09","time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/reva/v2@v2.29.3/internal/http/interceptors/auth/auth.go:248","message":"core access token not set"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"9958e1ee-94c8-4172-a8fd-171df1d3e943","traceid":"9798dea9b0499ac8517329d909bf06a7","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/ocs/v1.php/cloud/capabilities","duration":0.462597,"bytes":3280,"time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is unverifiable: error while executing keyfunc: the JWT has an invalid kid: could not find kid in JWT header","authenticator":"oidc","path":"/api/v0/settings/roles-list","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","client.address":"192.168.1.50","network.peer.address":"","network.peer.port":"","time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is unverifiable: error while executing keyfunc: the JWT has an invalid kid: could not find kid in JWT header","authenticator":"oidc","path":"/graph/v1.0/me","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","client.address":"192.168.1.50","network.peer.address":"","network.peer.port":"","time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"e024aa15-8014-43da-9c0e-c11dd2e31314","traceid":"9877e721b9045f96f77011b1b901147f","remote-addr":"192.168.1.50","method":"GET","status":401,"path":"/graph/v1.0/me","duration":0.170784,"bytes":0,"time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"9cac27af-401d-49cd-bd30-ceb757429cc6","traceid":"ecce37edad2848fabd410c592d2f2253","remote-addr":"192.168.1.50","method":"POST","status":401,"path":"/api/v0/settings/roles-list","duration":0.716622,"bytes":0,"time":"2025-05-14T00:14:49Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"56bc8213acb8/M9fXucGlvc-000037","traceid":"018afe15f91e156d209ec08a31767b35","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/oidc-callback.html","duration":0.388847,"bytes":380,"time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"56bc8213acb8/M9fXucGlvc-000039","traceid":"fa5a7edff13cf2346f0bf89d577d6047","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/web-oidc-callback","duration":0.729667,"bytes":3290,"time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"c1458aba-daae-4af1-a166-ef7338a073e1","traceid":"bdd27a8195e8cd6c84fd93fd949d4be1","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/config.json","duration":0.41611,"bytes":542,"time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"8ed28dbc-b09f-425b-aeea-ec310b870a24","traceid":"c8a6c07a3486a3b64bf2ff1142c41d1b","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/themes/opencloud/theme.json","duration":0.572017,"bytes":5493,"time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"frontend","pkg":"rhttp","traceid":"f6489c735573711aa00bf20e7bff2883","time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/reva/v2@v2.29.3/internal/http/interceptors/auth/auth.go:195","message":"skipping auth check for: /app/list"}
{"level":"warn","service":"frontend","pkg":"rhttp","traceid":"f6489c735573711aa00bf20e7bff2883","time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/reva/v2@v2.29.3/internal/http/interceptors/auth/auth.go:248","message":"core access token not set"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"f5b2c541-8107-4467-8f4a-6a39ed57e5f7","traceid":"bcc88be9e6e8b7ca644c90c689940ba6","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/app/list","duration":0.655208,"bytes":17,"time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"error","service":"proxy","remoteAddr":"192.168.1.50","request-id":"","proto":"HTTP/1.1","method":"GET","path":"/themes/opencloud/assets/logo.svg","query":"","fragment":"","error":"context canceled","time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/proxy/proxy.go:52","message":"error happened in MultiHostReverseProxy"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"56bc8213acb8/M9fXucGlvc-000041","traceid":"d61bca8e1a644d2c66fbb5932e207507","remote-addr":"192.168.1.50","method":"GET","status":502,"path":"/themes/opencloud/assets/logo.svg","duration":0.07663,"bytes":0,"time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is unverifiable: error while executing keyfunc: the JWT has an invalid kid: could not find kid in JWT header","authenticator":"oidc","path":"/ocs/v1.php/cloud/capabilities","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","client.address":"192.168.1.50","network.peer.address":"","network.peer.port":"","time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
{"level":"info","service":"frontend","pkg":"rhttp","traceid":"f0020adea037119d63a705c38ba89c32","time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/reva/v2@v2.29.3/internal/http/interceptors/auth/auth.go:195","message":"skipping auth check for: /ocs/v1.php/cloud/capabilities"}
{"level":"warn","service":"frontend","pkg":"rhttp","traceid":"f0020adea037119d63a705c38ba89c32","time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/reva/v2@v2.29.3/internal/http/interceptors/auth/auth.go:248","message":"core access token not set"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"0cd83770-ef37-4e04-a193-24f03f13e10f","traceid":"800c431e3ceec0cb14969b8c979759d2","remote-addr":"192.168.1.50","method":"GET","status":200,"path":"/ocs/v1.php/cloud/capabilities","duration":0.647536,"bytes":3280,"time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is unverifiable: error while executing keyfunc: the JWT has an invalid kid: could not find kid in JWT header","authenticator":"oidc","path":"/graph/v1.0/me","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","client.address":"192.168.1.50","network.peer.address":"","network.peer.port":"","time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"8627b973-2f07-4f86-917f-16bd5a463dc7","traceid":"62846bd316502d86ff069c8846a2f316","remote-addr":"192.168.1.50","method":"GET","status":401,"path":"/graph/v1.0/me","duration":0.119337,"bytes":0,"time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"error","service":"proxy","error":"failed to verify access token: token is unverifiable: error while executing keyfunc: the JWT has an invalid kid: could not find kid in JWT header","authenticator":"oidc","path":"/api/v0/settings/roles-list","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:138.0) Gecko/20100101 Firefox/138.0","client.address":"192.168.1.50","network.peer.address":"","network.peer.port":"","time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"2d9fcbdf-d799-42ad-be86-99baf6d5243c","traceid":"509ac35cf58f7e2f3504b976ea61385e","remote-addr":"192.168.1.50","method":"POST","status":401,"path":"/api/v0/settings/roles-list","duration":0.177454,"bytes":0,"time":"2025-05-14T00:14:50Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}

[micbar]

Seems that the access token is not jwt. Do you know which format authentic tokens have?

[patchmonkey]

It appears to be JWT:

Please note I tried with HS256 and RS256 Signed JWTs (I switched back to HS256 because it was decode-able to show the screenshot. Both fail to log me in, though.

[patchmonkey]

Does that mean that Authentik is providing a JWT, but for some reason OpenCloud doesn't think it's a JWT?

[ghostklart]

to add few cents in the future to be documentation on how to run authentik alongside opencloud

this is my oidc specific env vars:

---
apiVersion: v1
kind: Secret
metadata:
  name: oidc
  namespace: opencloud
stringData:
  # some proxy settings
  PROXY_USER_OIDC_CLAIM: "preferred_username"
  PROXY_USER_CS3_CLAIM: "username"
  PROXY_AUTOPROVISION_ACCOUNTS: "true"
  PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
  PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
  PROXY_OIDC_REWRITE_WELLKNOWN: "true"
  PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
  PROXY_CSP_CONFIG_FILE_LOCATION: "/etc/opencloud/csp.yaml"
  # oidc
  OC_OIDC_ISSUER: "https://authentik.mydomain.com/application/o/opencloud-slug/"
  OC_KEYCLOAK_CLIENT_ID: "<GUID specified by authentik>" # OC_OIDC_CLIENT_ID
  OC_KEYCLOAK_CLIENT_SECRET: "secret" # but not really used in main manifest
  OC_ADMIN_USER_ID: "<username>"
  OC_EXCLUDE_RUN_SERVICES: "idp" # leaving idm for ldap part
  WEB_OIDC_SCOPE: "openid profile email groups"
  # updated
  GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
  GRAPH_USERNAME_MATCH: "none"

used vars for authentik oidc

this is part of opencloud main manifest (commented parts are commented and not used by deploy)

        # # #
        # oidc envs
        # # #
        - name: OC_OIDC_ISSUER
          valueFrom:
            secretKeyRef:
              name: oidc
              key: OC_OIDC_ISSUER
        #- name: PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD
        #  valueFrom:
        #    secretKeyRef:
        #      name: oidc
        #      key: PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD
        - name: PROXY_AUTOPROVISION_ACCOUNTS
          valueFrom:
            secretKeyRef:
              name: oidc
              key: PROXY_AUTOPROVISION_ACCOUNTS
        - name: PROXY_ROLE_ASSIGNMENT_DRIVER
          valueFrom:
            secretKeyRef:
              name: oidc
              key: PROXY_ROLE_ASSIGNMENT_DRIVER
        - name: PROXY_USER_OIDC_CLAIM
          valueFrom:
            secretKeyRef:
              name: oidc
              key: PROXY_USER_OIDC_CLAIM
        - name: PROXY_USER_CS3_CLAIM
          valueFrom:
            secretKeyRef:
              name: oidc
              key: PROXY_USER_CS3_CLAIM
        - name: PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM
          valueFrom:
            secretKeyRef:
              name: oidc
              key: PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM
        #- name: OC_OIDC_CLIENT_ID
        #  valueFrom:
        #    secretKeyRef:
        #      name: oidc
        #      key: OC_KEYCLOAK_CLIENT_ID
        #- name: OC_OIDC_CLIENT_SECRET
        #  valueFrom:
        #    secretKeyRef:
        #      name: oidc
        #      key: OC_KEYCLOAK_CLIENT_SECRET
        #- name: OC_ADMIN_USER_ID
        #  valueFrom:
        #    secretKeyRef:
        #      name: oidc
        #      key: OC_ADMIN_USER_ID
        - name: WEB_OIDC_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oidc
              key: OC_KEYCLOAK_CLIENT_ID
        - name: WEB_OIDC_SCOPE
          valueFrom:
            secretKeyRef:
              name: oidc
              key: WEB_OIDC_SCOPE
        - name: GRAPH_ASSIGN_DEFAULT_USER_ROLE
          valueFrom:
            secretKeyRef:
              name: oidc
              key: GRAPH_ASSIGN_DEFAULT_USER_ROLE
        #- name: GRAPH_USERNAME_MATCH
        #  valueFrom:
        #    secretKeyRef:
        #      name: oidc
        #      key: GRAPH_USERNAME_MATCH
        - name: OC_EXCLUDE_RUN_SERVICES
          valueFrom:
            secretKeyRef:
              name: oidc
              key: OC_EXCLUDE_RUN_SERVICES
        - name: PROXY_OIDC_REWRITE_WELLKNOWN
          valueFrom:
            secretKeyRef:
              name: oidc
              key: PROXY_OIDC_REWRITE_WELLKNOWN
        - name: PROXY_CSP_CONFIG_FILE_LOCATION
          valueFrom:
            secretKeyRef:
              name: oidc
              key: PROXY_CSP_CONFIG_FILE_LOCATION

and settings in authentik for opencloud oauth2 provider:

1. name - opencloud
2. authorization flow - explicit consent
3. client type - Public
4. Redirect URIs:
   4.1) (Strict) https://
   4.2) (Strict) https:///oidc-callback.html
   4.3) (Strict) https:///oidc-silent-redirect.html
   4.4) (Regex) https:///web-oidc-callback
5. Signing Key - authentik self signed key (as it is RSA)

Radicale: default config file

proxy.yaml

proxy.yaml: |
    additional_policies:
      - name: default
        routes:
          - endpoint: /caldav/
            backend: http://radicale.opencloud.svc.cluster.local:5232
            remote_user_header: X-Remote-User
            skip_x_access_token: true
            additional_headers:
              - X-Script-Name: /caldav
          - endpoint: /.well-known/caldav
            backend: http://radicale.opencloud.svc.cluster.local:5232
            remote_user_header: X-Remote-User
            skip_x_access_token: true
            additional_headers:
              - X-Script-Name: /caldav
          - endpoint: /carddav/
            backend: http://radicale.opencloud.svc.cluster.local:5232
            remote_user_header: X-Remote-User
            skip_x_access_token: true
            additional_headers:
              - X-Script-Name: /carddav
          - endpoint: /.well-known/carddav
            backend: http://radicale.opencloud.svc.cluster.local:5232
            remote_user_header: X-Remote-User
            skip_x_access_token: true
            additional_headers:
              - X-Script-Name: /carddav
    role_assignment:
      driver: oidc
      oidc_role_mapper:
        role_claim: groups
        role_mapping:
          - role_name: admin
            claim_value: "authentik Admins"
          - role_name: spaceadmin
            claim_value: "authentik Admins"
          - role_name: user
            claim_value: "authentik Users"
          - role_name: guest
            claim_value: myGuestRole

[ghostklart]

and well it started working

[patchmonkey]

Thanks, The first two files don't look familiar to the example I'm using, can you tell me what those filepaths are?

[ghostklart]

1st file is Kubernets-specific way of passing the ENVs. You could treat it as .env file.

2nd one is part of Kubernetes manifest for the app deployment (it maps the containers VARS to the VARS inside Kubernetes secret, which is like .env file).

I'm using Kubernetes instead of Docker for my home infra.

[patchmonkey]

Gotcha, thanks. I haven't played with Kube yet so it didn't look familiar...I'll see if I can adapt some of your settings and see if it changes anything, although, judging by @micbar's response it might be some setting in Authentik or something else related to how authentik is presenting data

[patchmonkey]

Unfortunately, no luck. I can't seem to make this work. No idea what's causing the error, but considering how many other services are using my Authentik installation without issue, OpenCloud seems to be the most likely culprit.

[micbar]

@patchmonkey

Did you really set

  GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
  GRAPH_USERNAME_MATCH: "none"

[patchmonkey]

Yes, A screenshot from my vscode:

I've also tried OC_EXCLUDE_RUN_SERVICES with both idp and idp,idm.

[micbar]

We need some logs.

[patchmonkey]

Understood. I am happy to provide logs. Can I ask which logs in particular:

• docker logs (if so, which containers)
• opencloud specific logs from within containers (can you point me to the right direction
• Authentik logs

Also, would you like me to send them to you directly or post them here?

[patchmonkey]

Well apparently, nevermind. After weeks of tinkering I finally got it working. There were just a lot of moving parts that had to be just so, and a lack of documentation around all of the possible configuration variables made that really difficult. Combined with the fact that it seems that OpenCloud is extremely particular about integrating with Authentik and what settings need to be had in Authentik, it was quite the struggle.

[hasdf]

I got some results but without role mapping. Maybe it helps. Right now I don't have time but if I get it to work in the next few weeks I will happliy provide better documentation.

The following I added to my opencloud_full/opencloud.yml. With PROXY_ROLE_ASSIGNMENT_DRIVER: "default" setting all Users to default User role.

      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_USER_CS3_CLAIM: "username"
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
      PROXY_AUTOPROVISION_CLAIM_USERNAME: preferred_username
      OC_OIDC_ISSUER: "https://auth.example.tld/application/o/opencloud/"
      OC_KEYCLOAK_CLIENT_ID: "web" # OC_OIDC_CLIENT_ID
      #OC_KEYCLOAK_CLIENT_SECRET: "example-secret" # 
      OC_ADMIN_USER_ID: "admin"
      OC_EXCLUDE_RUN_SERVICES: "idp" # leaving idm for ldap part
      WEB_OIDC_SCOPE: "openid profile email groups roles"
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
      GRAPH_USERNAME_MATCH: "none"
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml

I've added my role mapping to opencloud_full/config/opencloud/proxy.yaml - not sure if that's the right place.

In opencloud_full/config/opencloud/csp.yaml I've added my Authentik Domain https://auth.domain.tld under connect-src as well as frame-src.

What I couldn't get to function properly as of now:

• Configuring Authentik Provider in "Confidential" Mode and set the Secret in opencloud environmentals
• Using another Client ID as "web". Everything else just errors with Authentik showing "Client ID Error". Is this somehow hard-coded?
• Role Mapping. But I think it can be done in Authentik with Property Mappings / Scope Mappings and adding the Scope Mapping to the Provider. See Screenshots attached.
  
  

[patchmonkey]

Thanks, I nearly tried this, but honestly it would have failed for me. There were other settings I needed to tweak and adjust. I got it working using the regular group mappings.

[patchmonkey]

Finally figured this out. There were too many individual changes that needed to occur to put a useful update here. If I get some time in the near future I'll try to post a start-to-finish how to and focus on the items in particular that needed to be carefully set.

[hasdf]

Cloud you post your config files in the meantime?

[patchmonkey]

Sure. Hopefully this helps you and other in the future while waiting for more complete "how to" docs.

https://github.com/patchmonkey/opencloud-authentik-specific-config/tree/main

I tried to only include values I've changed and files that were relevant to getting authentik working. For me, the big things were:

• Adding authentik url to csp.yaml
• Adding role assignment with correct values to the proxy.yaml file and enabling radicale
• Understanding that I needed autoprovisioning mode (opencloud needs an ldap dir to store users always, and if you haven't provided that explicitly, you need to configure your docker files to spin up the ldap server AND make sure you have the correct parameters set for autoprovisioning
• Getting the Authentik Provider and Application settings just right (I've included screenshots)

[tomorrow-nf]

This has been a huge help and I got it working for both web view and the desktop app. However, seems like the mobile apps force different Client_IDs - have you found a way around this? The hardcoded OpenCloudDesktop/OpenCloudAndroid client_ids certainly make OICD a pain.