I’m a happy user of Nextcloud (https://nextcloud.com), a private cloud solution, and this weekend I decided to try something I’ve wanted for a while - enabling OIDC WebID login to nextcloud. And got it working, almost out of the box - but had to tweak the nextcloud account creating code a little bit. So here’s a brief howto, for those who might be interested - just be aware it’s not security checked or supported, so be careful and only for testing. This is experimental - at your own risk!
This was tested with Nextcloud 15, Solid 5.0.0 beta 4, and only works for new accounts with Nextcloud auto account creation enabled.
Open the Social Login settings in Nextcloud Admin, add a new Custom OpenID Connect, and enter the clientID and secret you got from the Solid registration service. Fill out the other fields as well - the name must match with the internalname you used for RP registration.
Then the tricky part - as nextcloud need a valid account name, and the social login app only sees the webID, which includes illegal characters for nextcloud account names, I had to strip those. I’ll show an example below that will strip them and also some other parts of the webID to make it “prettier” - it will transform the webID from https://name.your.solid.server/profile#me to name.your.solid.server. Dirty trick for now, but not quite sure what’s the best way to solve it yet:
Now go to your nextcloud server, and click the new OpenID login button. It will redirect to the Solid login prompt (unless you’re already logged into Solid), then redirect back to your nextcloud server, create the new account - and voila, you got a new Solid WebID authorized Nextcloud account
Now this is only useful for the authentication part, it’s not interacting with the Solid Pod storage itself - and it could probably be done in a better way. For example, it might be more useful if you could just “link” your existing account to your webID provider.
Nextcloud 15 also adds support fo decentralized social networks, it’s in alpha stage but it’s interesting to see it coming - I haven’t looked into that part yet, but I wonder if it could be useful to combine it with Solid somehow - for example, by making a solid app for nextcloud, so you could easily share files from your nextcloud server via your Solid Pod. Read more about it here:
This is great. Do you want to open an issue at github.com/nextcloud/server/issues ? We can include your change or implement full solid compatibility as an app/plugin. What do you think?
Hi Frank, and thanks for the suggestion! I would like to wait a little bit more though, before we do some Solid specific changes for Nextcloud - the howto above was more like a proof of concept, and I already see a couple of weaknesses in my patch. Also, as the Solid server is currently in a heavy transition from it’s 4 to 5 version, we should wait for a more stable version of 5. And we should think a bit on how to best do it for a long-term solution!
However, I have a couple of suggestions for the generic part of the custom OIDC part of the social login app:
There should be a regexp in the login app that convert illegal characters in the profileID to underscores or something before it’s sent to the Nexcloud core account or authentication process. This should make it easier for any type of OIDC provider to connect accounts to Nextcloud.
This is more food for thought, but - I tried to enable the “allow users to connect to their social login” in the social login app. But, it looks like it’s more about connecting out to a social account, and it’s not possible to edit the exact id as a user. But, I was thinking - what if it was allowed for Nextcloud users to add a profile id for any specified OIDC provider, and say that “enable this provider to use this profileID to login to my Nextcloud account” ? This is something I would love to see for any service - as a replacement for the “login with facebook etc” that you currently see on most systems.
I can raise these issues in Nextcloud later if needed, just wanted to suggest it to you for now
IMHO, moving over to the decentralized networks is actually 2 things- moving the storage, and moving the authentication. And right now, moving the authentication seems like a good start - OIDC looks great for this, especially if we can get autudiscovery of WebID providers working. But I believe it’s some work left there, also on the Solid side
Hi Dimitri, I’m happy to see another user with interest in nextcloud + solid! I have a couple of updates since last time I wrote on this issue - one good and one bad:
The good news - it is possible (and quite easy) to connect an existing Nextcloud account to Solid, so you can login with your Solid provided WebID. This is a feature I really like, but you have to be very careful for now, due to the next issue:
The bad news - you currently MUST patch the sociallogin app to do it safely. I did some tests with the unpatched socialogin app, and was first happy to see that it was still possible to connect an existing Nextcloud account with Solid. But, as the app do some profile tweaking on it’s own, it seems to remove everything except card#me from the profileID - which means that any user from your Solid domain, will be able to login to the same account…
I’m still not sure how to handle this in a good way, but haven’t had time to dig into it yet. So feel to try it out, and maybe we could figure something out to solve this - it might help with a fresh pair of eyes on the problem.
Hi @zorn-v, yeah I was a bit confused when I wrote that, but think I understand it a bit better now
And the social-login plugin has worked pretty well for me, using OpenID Connect auth with Solid as the provider, as long as I only use it for connecting existing nextcloud accounts to Solid. I tried for a while to figure out a better and more generic way to integrate the Solid/webID accounts with Nextcloud/social-login, but gave up after a while, as Solid still miss some features that would make it more useful I think - like userinfo, for email/name/picture etc.
I’m also unsure if it is okay to transform the webID to account.solid.domain style of account names, for use in other services like nextcloud - for me it looks more natural, but it would maybe be better if Solid could suggest a local account name - the “sub” part (if I understand it correctly now).
Well I don’t know if it’s possible, or how hard it would be - but it would still be awesome if we could have some kind of generic support for Solid servers in social-login. I’m happy to help testing if you’ve been considering something like that - I’ve had your git repo cloned for a while, for local testing and patching on my own server. (but haven’t looked at the latest versions though - suddenly there was a rush of new versions)
Seems you try to use OpenID, not OpenID connect. I check OpenID when add it only with one provider wargaming.net, and seems it is not avail anymore. More of then, regards to issues, nobody use it
May be I’m wrong, and solid use “sub” like in OpenID.
PS: Well, “url” as identifier I saw only one time - when add openid provider. Seems “solid” (I don’t know what is it BTW) make “sub” like in openid. Is it possible to gi me some preconfigured server (maybe in docker) that I can test for ?
