Nextcloud with Solid WebID login


#1

I’m a happy user of Nextcloud (https://nextcloud.com), a private cloud solution, and this weekend I decided to try something I’ve wanted for a while - enabling OIDC WebID login to nextcloud. And got it working, almost out of the box - but had to tweak the nextcloud account creating code a little bit. So here’s a brief howto, for those who might be interested - just be aware it’s not security checked or supported, so be careful and only for testing. This is experimental - at your own risk!

This was tested with Nextcloud 15, Solid 5.0.0 beta 4, and only works for new accounts with Nextcloud auto account creation enabled.

  1. In Nextcloud, install the Social Login App (https://github.com/zorn-v/nextcloud-social-login)
  2. Register a new OIDC RP client for nextcloud on your Solid server (https://your.solid.server/register)
  3. Open the Social Login settings in Nextcloud Admin, add a new Custom OpenID Connect, and enter the clientID and secret you got from the Solid registration service. Fill out the other fields as well - the name must match with the internalname you used for RP registration.
  4. Then the tricky part - as nextcloud needs a valid account name, and the social login app only sees the webID, which includes illegal characters for nextcloud account names, I had to strip those. I’ll show an example below that will strip them and also some other parts of the webID to make it “prettier” - it will transform the webID from https://name.your.solid.server/profile#me to name.your.solid.server. Dirty trick for now, but not quite sure what’s the best way to solve it yet:

LoginController.php.org 2019-01-13 18:59:41.000000000 +0100
+++ LoginController.php 2019-01-14 19:52:00.471833671 +0100
-$profileId = preg_replace(’#.*/#’, ‘’, rtrim($profile->identifier, ‘/’));
+ $profileId = preg_replace(array (’/https/’,’/[#:/]/’,’/profile/’,’/card/’,’/me/’),’’, rtrim($profile->identifier,
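
Review bot: The patterns ’/https/’, ’/profile/’, ’/card/’ and ’/me/’ on the added line are unanchored, so they delete those substrings anywhere in the identifier, including inside the host or user name; a name that contains "me" loses those letters, and two different WebIDs can end up with the same $profileId. Replace only the characters that are not allowed in an account name with a fixed character, or anchor the scheme and path patterns to the start and end of the string, so the result stays unique per WebID. Also, as shown, ’/[#:/]/’ contains the pattern delimiter unescaped inside the character class; a different delimiter, for example ~[#:/]~, avoids that.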

  5. Now go to your nextcloud server, and click the new OpenID login button. It will redirect to the Solid login prompt (unless you’re already logged into Solid), then redirect back to your nextcloud server, create the new account - and voila, you got a new Solid WebID authorized Nextcloud account :)

Now this is only useful for the authentication part, it’s not interacting with the Solid Pod storage itself - and it could probably be done in a better way. For example, it might be more useful if you could just “link” your existing account to your webID provider.

Nextcloud 15 also adds support for decentralized social networks, it’s in alpha stage but it’s interesting to see it coming - I haven’t looked into that part yet, but I wonder if it could be useful to combine it with Solid somehow - for example, by making a solid app for nextcloud, so you could easily share files from your nextcloud server via your Solid Pod. Read more about it here:


#2

This is great. Do you want to open an issue at github.com/nextcloud/server/issues ? We can include your change or implement full solid compatibility as an app/plugin. What do you think?

Cheers
Frank from Nextcloud


#3

Hi Frank, and thanks for the suggestion! I would like to wait a little bit more though, before we do some Solid specific changes for Nextcloud - the howto above was more like a proof of concept, and I already see a couple of weaknesses in my patch. Also, as the Solid server is currently in a heavy transition from its 4 to 5 version, we should wait for a more stable version of 5. And we should think a bit on how to best do it for a long-term solution!

However, I have a couple of suggestions for the generic part of the custom OIDC part of the social login app:

  1. There should be a regexp in the login app that converts illegal characters in the profileID to underscores or something before it’s sent to the Nextcloud core account or authentication process. This should make it easier for any type of OIDC provider to connect accounts to Nextcloud.

  2. This is more food for thought, but - I tried to enable the “allow users to connect to their social login” in the social login app. But, it looks like it’s more about connecting out to a social account, and it’s not possible to edit the exact id as a user. But, I was thinking - what if it was allowed for Nextcloud users to add a profile id for any specified OIDC provider, and say that “enable this provider to use this profileID to login to my Nextcloud account” ? This is something I would love to see for any service - as a replacement for the “login with facebook etc” that you currently see on most systems.

I can raise these issues in Nextcloud later if needed, just wanted to suggest it to you for now :)

IMHO, moving over to the decentralized networks is actually 2 things - moving the storage, and moving the authentication. And right now, moving the authentication seems like a good start - OIDC looks great for this, especially if we can get autodiscovery of WebID providers working. But I believe it’s some work left there, also on the Solid side :)


#4

Fantastic work, @ztein! I’ve been meaning to check out the latest versions of Nextcloud, and this is even more incentive!


#5

Hi Dimitri, I’m happy to see another user with interest in nextcloud + solid! I have a couple of updates since last time I wrote on this issue - one good and one bad:

  1. The good news - it is possible (and quite easy) to connect an existing Nextcloud account to Solid, so you can login with your Solid provided WebID. This is a feature I really like, but you have to be very careful for now, due to the next issue:

  2. The bad news - you currently MUST patch the sociallogin app to do it safely. I did some tests with the unpatched sociallogin app, and was first happy to see that it was still possible to connect an existing Nextcloud account with Solid. But, as the app does some profile tweaking on its own, it seems to remove everything except card#me from the profileID - which means that any user from your Solid domain, will be able to login to the same account…

I’m still not sure how to handle this in a good way, but haven’t had time to dig into it yet. So feel free to try it out, and maybe we could figure something out to solve this - it might help with a fresh pair of eyes on the problem.
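
An added example, not part of the posts above and not the Social Login app's code: one way to derive a Nextcloud account name from a WebID so that the collisions described in posts #3 and #5 cannot occur, shown next to the two lossy mappings from the thread. The function name `webid_to_uid`, the allowed character set, the 64-character limit and the sample WebIDs on a placeholder domain are assumptions.

```php
<?php
// Added example. Assumptions: Nextcloud user IDs may contain a-z A-Z 0-9 _ . @ -
// and are at most 64 characters long.

function webid_to_uid(string $webid): string
{
    $parts = parse_url($webid);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || empty($parts['host'])) {
        throw new InvalidArgumentException('WebID must be an https URL');
    }
    // Readable part: host, path and fragment, with disallowed characters -> "_".
    $readable = strtolower($parts['host'])
        . ($parts['path'] ?? '')
        . (isset($parts['fragment']) ? '#' . $parts['fragment'] : '');
    $readable = trim(preg_replace('~[^a-zA-Z0-9_.@-]+~', '_', $readable), '_');

    // The substitution is lossy, so a digest of the complete WebID is appended
    // to keep two different WebIDs from sharing one account name.
    $tag = substr(hash('sha256', $webid), 0, 16);

    // 16 hex characters plus the "-" separator leave 47 for the readable part.
    return substr($readable, 0, 64 - 17) . '-' . $tag;
}

// Constructed sample WebIDs (placeholder domain).
$samples = [
    'https://alice.solid.example/profile/card#me',
    'https://bob.solid.example/profile/card#me',
    'https://james.solid.example/profile/card#me',
    'https://jas.solid.example/profile/card#me',
];

foreach ($samples as $webid) {
    // Last-path-segment pattern from the removed line of the diff:
    // every sample collapses to "card#me".
    $last = preg_replace('#.*/#', '', rtrim($webid, '/'));
    // Unanchored substring removal as in the added line (delimiter changed to ~):
    // "james" and "jas" both become "jas.solid.example".
    $stripped = preg_replace(['~https~', '~[#:/]~', '~profile~', '~card~', '~me~'], '', $webid);
    printf("%s\n  last segment : %s\n  stripped     : %s\n  unique uid   : %s\n",
        $webid, $last, $stripped, webid_to_uid($webid));
}
```

The digest is computed over the WebID exactly as the provider returns it, so the same WebID always maps to the same account name while any two different WebIDs map to different ones.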