From fc86d1537a4cff563f39900e14bb92fdf2a5bc38 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Thu, 9 Jul 2026 11:58:06 +0200 Subject: [PATCH 1/9] docs: post fixes for oc11 --- .../pages/configuration/envvars/envvars.adoc | 8 ++ .../configuration/user/custom_groups_app.adoc | 19 ++--- .../configuration/user/login_policies.adoc | 32 +++----- .../user/user_auth_ftp_smb_imap.adoc | 74 ++++++------------- .../general_troubleshooting.adoc | 57 +------------- 5 files changed, 49 insertions(+), 141 deletions(-) diff --git a/modules/admin_manual/pages/configuration/envvars/envvars.adoc b/modules/admin_manual/pages/configuration/envvars/envvars.adoc index 741bd87de..2688e32b6 100644 --- a/modules/admin_manual/pages/configuration/envvars/envvars.adoc +++ b/modules/admin_manual/pages/configuration/envvars/envvars.adoc @@ -72,6 +72,10 @@ Override the desktop client download URL shown in the first-run wizard (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-firstrunwizard[documentation]). - `OWNCLOUD_CUSTOMCLIENT_IOS=` + Override the iOS client download URL shown in the first-run wizard (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-firstrunwizard[documentation]). +- `OWNCLOUD_CUSTOMGROUPS_DISALLOWED_GROUPS=` + + Groups whose members have the Custom Groups app hidden from their personal settings. Comma-separated list of group names (see xref:configuration/user/custom_groups_app.adoc#overriding-default-behavior)[documentation]). +- `OWNCLOUD_CUSTOMGROUPS_DISALLOW_ADMIN_ACCESS_ALL=` + + When set to `true`, ownCloud admins are denied access to custom groups they are not a member of (see xref:configuration/user/custom_groups_app.adoc#overriding-default-behavior[documentation]). - `OWNCLOUD_DAV_CHUNK_BASE_DIR=` + Define the DAV chunk base directory (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-dav-chunk-base-directory[documentation]). - `OWNCLOUD_DAV_ENABLE_ASYNC=` + @@ -164,6 +168,8 @@ ownCloud Enterprise License Key (see xref:installation/installing_with_docker.adoc#enterprise-license-keys[documentation]). - `OWNCLOUD_LOGIN_ALTERNATIVES=` + Define additional login buttons on the logon screen (see xref:configuration/server/config_sample_php_parameters.adoc#define-additional-login-buttons-on-the-logon-screen[documentation]). +- `OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAP=` + + Group login policy rules as a JSON-encoded map keyed by login type (e.g. `password`, `token`), each holding `allowOnly`/`reject` lists of group names, e.g. `{"password":{"reject":["admin"]}}`. Requires the group login policy in `OWNCLOUD_LOGIN_POLICY_ORDER` (see xref:configuration/user/login_policies.adoc[documentation]). - `OWNCLOUD_LOGIN_POLICY_ORDER=` + Ordered list of login policy class names. Comma-separated (see xref:configuration/server/config_sample_php_parameters.adoc#order-of-login-policies[documentation]). - `OWNCLOUD_LOG_CONDITIONS=` + @@ -442,6 +448,8 @@ Define whether or not to enable automatic update of market apps (see xref:configuration/server/config_sample_php_parameters.adoc#define-whether-or-not-to-enable-automatic-update-of-market-apps[documentation]). - `OWNCLOUD_USE_RELATIVE_DOMAIN_NAME=` + Use only the short hostname (no FQDN) in `status.php` (see xref:configuration/server/config_sample_php_parameters.adoc#show-or-hide-the-server-hostname-in-status-php[documentation]). +- `OWNCLOUD_USER_BACKENDS=` + + External user authentication backends as a JSON-encoded list of `{"class":..., "arguments":[...]}` objects (provided by the `user_external` app), e.g. `[{"class":"OC_User_IMAP","arguments":["{imap.example.com:993/imap/ssl}"]}]` (see xref:configuration/user/user_auth_ftp_smb_imap.adoc[documentation]). - `OWNCLOUD_USER_LDAP_ENABLE_MEDIAL_SEARCH=` + Enable medial search in the LDAP user backend (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-ldap[documentation]). - `OWNCLOUD_USER_SEARCH_MIN_LENGTH=` + diff --git a/modules/admin_manual/pages/configuration/user/custom_groups_app.adoc b/modules/admin_manual/pages/configuration/user/custom_groups_app.adoc index e8e45494f..769c40c18 100644 --- a/modules/admin_manual/pages/configuration/user/custom_groups_app.adoc +++ b/modules/admin_manual/pages/configuration/user/custom_groups_app.adoc @@ -1,15 +1,15 @@ = Custom Groups App :toc: right - +:toclevels: 3 :description: With Custom Groups, users are able to define their own groups and manage contributing users themselves. == Introduction {description} When the xref:configuration/user/guests_app.adoc[Guest App] has been enabled, you can also add external guests to custom groups. -== Installation +== Enable the App -Enable the `Custom Groups` app if not already done so. The Custom Groups app requires the email settings to be configured in your ownCloud setup, because you need to be able to invite the group members by email. +If not already done so, enable the `Custom Groups` app. This app requires you to configure the email settings in your ownCloud setup because you need to be able to invite group members by email. == Configuration @@ -29,21 +29,18 @@ Depending on your custom groups and ownCloud's global settings, configured by th * Disable administration of custom groups by ownCloud administrators: + -[source,php] +[source,.env] ---- -'customgroups.disallow-admin-access-all' => true, +OWNCLOUD_CUSTOMGROUPS_DISALLOW_ADMIN_ACCESS_ALL=true ---- ==== Hide Custom Groups App Based on Group Membership -The app can be hidden from a user's personal settings page if the user belongs to one or more disallowed groups. -To specify the disallowed groups, list them against the `customgroups.disallowed-groups` key in `config/config.php` as in the following example. +If the user belongs to one or more disallowed groups, the app can be hidden from their personal settings page. The disallowed groups can be specified by listing them against the `OWNCLOUD_CUSTOMGROUPS_DISALLOWED_GROUPS` environment variable, as shown in the following example, which hides the Custom Groups app for users in the groups `'no_guest_app_users'` and `'project5'`: -[source,php] +[source,.env] ---- -// Hide the Custom Groups app for users in the -// 'no_guest_app_users' and 'project5' group. -'customgroups.disallowed-groups' => ['no_guest_app_users', 'project5'], +OWNCLOUD_CUSTOMGROUPS_DISALLOWED_GROUPS='no_guest_app_users','project5' ---- ==== Set Custom Group Admins diff --git a/modules/admin_manual/pages/configuration/user/login_policies.adoc b/modules/admin_manual/pages/configuration/user/login_policies.adoc index 899a30812..aa0a8d340 100644 --- a/modules/admin_manual/pages/configuration/user/login_policies.adoc +++ b/modules/admin_manual/pages/configuration/user/login_policies.adoc @@ -9,8 +9,6 @@ Login policies will emit a `failed login` event if the user isn't allowed to log in. -// if there will be no one envvar for loginPolicy.groupLoginPolicy.forbidMap , we need to add: include::partial$manual_config_file.adoc[] - == Use Cases Login policies can be used to restrict members of particular groups to use only particular login types. This is especially true for guest users as they do not have an ownCloud account and cannot be validated via OpenID Connect but can log in using their email and password. @@ -30,16 +28,11 @@ To enable login policies, use the following example. Multiple values are comma s OWNCLOUD_LOGIN_POLICY_ORDER='OC\Authentication\LoginPolicies\GroupLoginPolicy' ---- -After enabling the `loginPolicy.order`, the configuration of the `groupLoginPolicy` can be made. The key definition below must be set according to the needs and the description in xref:configuration/server/config_sample_php_parameters.adoc#configuration-of-the-group-login-policy[Configuration of the Group Login Policy]: +After enabling the `loginPolicy.order`, the configuration of the `groupLoginPolicy` can be made. The value definition below must be set according to the needs and the description in xref:configuration/server/config_sample_php_parameters.adoc#configuration-of-the-group-login-policy[Configuration of the Group Login Policy]: -[source,php] +[source,.env] ---- -'loginPolicy.groupLoginPolicy.forbidMap' => [ - '' => [ - 'allowOnly' => ['', ......, ''], - 'reject' => ['', ........, ''], - ], -], +OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAP={"":{"allowOnly|reject":["","]}} ---- The following example gives an idea of how to configure the `Group Login Policy`: @@ -49,18 +42,11 @@ The following example gives an idea of how to configure the `Group Login Policy` * If a user is a member of both an allowOnly group and a reject group, rejection will take priority. This means that even if user1 is a member of group1 he won't be able to access if he's also a member of group3. * Only members of group4 can log in using OIDC. -[source,php] +[source,.env] ---- -loginPolicy.groupLoginPolicy.forbidMap => [ - 'password' => [ - 'allowOnly' => ['group1, group2'], - 'reject' => ['group3'], - ], - 'token' => [ - 'reject' => ['admin'], - ], - 'OCA\OpenIdConnect\OpenIdConnectAuthModule' => [ - 'allowOnly' => ['group4'], - ], -] +OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAP={\ + "password":{"allowOnly":["group1","group2"],reject:["group3"]},\ + "token":{"reject":["admin"]},\ + "OCA\OpenIdConnect\OpenIdConnectAuthModule":{"allowOnly:["group4"]}\ + } ---- diff --git a/modules/admin_manual/pages/configuration/user/user_auth_ftp_smb_imap.adoc b/modules/admin_manual/pages/configuration/user/user_auth_ftp_smb_imap.adoc index e735d91c1..3878ed4a4 100644 --- a/modules/admin_manual/pages/configuration/user/user_auth_ftp_smb_imap.adoc +++ b/modules/admin_manual/pages/configuration/user/user_auth_ftp_smb_imap.adoc @@ -1,25 +1,18 @@ = User Authentication with IMAP, SMB, and FTP :toc: right -:toclevels: 1 +:description: With opwnCloud, additional user backends can be configured. == Introduction +{description} + NOTE: The described configurations are examples, see the xref:installation/configuration_notes.adoc[Configuration Notes] documentation for more options. -You may configure additional user backends in ownCloud’s configuration file (`config/config.php`) using the following syntax: +The value definition below must be set according to the needs and the description in xref:configuration/server/config_sample_php_parameters.adoc#define-the-user_backends-app[Define the user_backends app]: -[source,php] +[source,.env] ---- - [ - 0 => [ - "class" => ..., - "arguments" => [ - 0 => ... - ], - ], -], +OWNCLOUD_USER_BACKENDS={"class":..., "arguments":[...]} ---- Currently the https://github.com/owncloud/user_external[External user support app] (user_external), _which is not enabled by default_, provides three backends. These are: @@ -52,27 +45,21 @@ Provides authentication against IMAP servers. === Example -[source,php] +[source,.env] ---- - [ - 0 => [ - "class" => "OC_User_IMAP", - "arguments" => [ - // The IMAP server to authenticate against - '{imap.gmail.com:993/imap/ssl}', - // The domain to send email from - 'example.com' - ], - ], -], +OWNCLOUD_USER_BACKENDS=[{"class":"OC_User_IMAP","arguments":["{imap.example.com:993/imap/ssl}","example.com"]}] ---- +Please note the following in the example above: + +* "{imap.example.com:993/imap/ssl}" + +The IMAP server to authenticate against. +* "example.com" + +The domain to send the email from. + IMPORTANT: The second `arguments` parameter ensures that only users from that domain are allowed to login. When set, after a successful login, the domain will be stripped from the email address and the rest used as an ownCloud username. For example, if the email address is `guest.user@example.com`, then `guest.user` will be the username used by ownCloud. -SMB ---- +== SMB Provides authentication against Samba servers. @@ -93,22 +80,12 @@ Provides authentication against Samba servers. === Example -[source,php] +[source,.env] ---- - [ - [ - "class" => "OC_User_SMB", - "arguments" => [ - 'localhost' - ], - ], -], +OWNCLOUD_USER_BACKENDS=[{"class":"OC_User_SMB","arguments":["localhost"]}] ---- -FTP ---- +== FTP Provides authentication against FTP servers. @@ -127,16 +104,7 @@ Provides authentication against FTP servers. === Example -[source,php] +[source,.env] ---- - [ - [ - "class" => "OC_User_FTP", - "arguments" => [ - 'localhost' - ], - ], -], +OWNCLOUD_USER_BACKENDS=[{"class":"OC_User_FTP","arguments":["localhost"]}] ---- diff --git a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc index e14f4d172..c015499a8 100644 --- a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc +++ b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc @@ -163,66 +163,15 @@ The windows native WebDAV client might fail with the following error message: Error 0x80070043 "The network name cannot be found." while adding a network drive ---- -A known workaround for this issue is to update your web server configuration. - -*Apache* - -You need to add the following rule set to your main web server or virtual host configuration, or the `.htaccess` file in your document -root. - -NOTE: Please keep in mind that the `.htaccess` file in the ownCloud directory will be overwritten on update. Post upgrading ownCloud, you need to manually restore these changes. See the section xref:maintenance/upgrading/manual_upgrade.adoc#backup-manual-changes-in-htaccess[Backup Manual Changes in .htaccess] for details. - -[source,apache] ----- -# Fixes Windows WebDav client error 0x80070043 "The network name cannot be found." -RewriteEngine On -RewriteCond %{HTTP_USER_AGENT} ^(DavClnt)$ -RewriteCond %{REQUEST_METHOD} ^(OPTIONS)$ -RewriteRule .* - [R=401,L] ----- +Please open an issue in the https://github.com/owncloud/core/issues[ownCloud Classic repo]. == Troubleshooting Contacts & Calendar === Service Discovery -Some clients - especially on iOS/Mac OS X - have problems finding the proper sync URL, even when explicitly configured to use it. - -If you want to use CalDAV or CardDAV clients together with ownCloud, it is important to have a correct working setup of the following URLs: - -[verse] --- -`\https://example.com/.well-known/carddav` -`\https://example.com/.well-known/caldav` --- - -Those need to be redirecting your clients to the correct DAV endpoints. If running ownCloud at the document root of your Web server the correct -URL is: - -`\https://example.com/remote.php/dav` - -and if running in a subfolder like `owncloud`: - -`\https://example.com/owncloud/remote.php/dav` - -For the first case the `.htaccess` file shipped with ownCloud should do this work. - -If your ownCloud instance is installed in a subfolder called `owncloud`, edit the `.htaccess` file and add the following lines: - -[source,apache] ----- -Redirect 301 /.well-known/carddav /owncloud/remote.php/dav -Redirect 301 /.well-known/caldav /owncloud/remote.php/dav ----- - -Now change the URL in the client settings to just use: - -`\https://example.com` - -instead of e.g. - -`\https://example.com/owncloud/remote.php/dav/principals/username`. +Some clients - especially on iOS or macOS - may have problems finding the proper sync URL, even when explicitly configured to use it. -There are also several techniques to remedy this, which are described extensively at the http://sabre.io/dav/service-discovery/[Sabre DAV website]. +If problems raise while using CalDAV or CardDAV clients together with ownCloud, open an issue in the https://github.com/owncloud/core/issues[ownCloud Classic repo]. === Unable to update Contacts or Events From d5d94c0f65d4d142dc6076e5074a5551fb3574d8 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Thu, 9 Jul 2026 13:04:05 +0200 Subject: [PATCH 2/9] remove oidc and related references --- .../pages/configuration/envvars/envvars.adoc | 2 - .../core_commands/_config_commands.adoc | 1 - .../configuration/server/security/oauth2.adoc | 2 +- .../configuration/user/oidc/kopano-setup.adoc | 89 ------ .../user/oidc/ms-azure-setup.adoc | 154 ---------- .../pages/configuration/user/oidc/oidc.adoc | 271 ------------------ .../user/oidc/onelogin-setup.adoc | 108 ------- modules/admin_manual/partials/nav.adoc | 1 - 8 files changed, 1 insertion(+), 627 deletions(-) delete mode 100644 modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc delete mode 100644 modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc delete mode 100644 modules/admin_manual/pages/configuration/user/oidc/oidc.adoc delete mode 100644 modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc diff --git a/modules/admin_manual/pages/configuration/envvars/envvars.adoc b/modules/admin_manual/pages/configuration/envvars/envvars.adoc index 2688e32b6..9c814471e 100644 --- a/modules/admin_manual/pages/configuration/envvars/envvars.adoc +++ b/modules/admin_manual/pages/configuration/envvars/envvars.adoc @@ -118,8 +118,6 @@ Allow the configuration of system-wide trusted certificates (see xref:configuration/server/config_sample_php_parameters.adoc#allow-the-configuration-of-system-wide-trusted-certificates[documentation]). - `OWNCLOUD_ENABLE_PREVIEWS=` + Enable preview generation (see xref:configuration/server/config_sample_php_parameters.adoc#enable-preview-generation[documentation]). -- `OWNCLOUD_ENABLE_OIDC_REWRITE_URL=false` + - Rewrites OpenID Connect wellknown URL `.well-known/openid-configuration` to the ownCloud OIDC configuration endpoint (see xref:configuration/user/oidc/oidc.adoc#set-up-service-discovery[documentation]). - `OWNCLOUD_ENTRYPOINT_INITIALIZED=true` + Enable or disable loading of files from `/etc/entrypoint.d`. It is recommended to keep the default. - `OWNCLOUD_ERRORLOG_LOCATION=/dev/stderr` + diff --git a/modules/admin_manual/pages/configuration/server/occ_commands/core_commands/_config_commands.adoc b/modules/admin_manual/pages/configuration/server/occ_commands/core_commands/_config_commands.adoc index bfcc16182..6b6ecd030 100644 --- a/modules/admin_manual/pages/configuration/server/occ_commands/core_commands/_config_commands.adoc +++ b/modules/admin_manual/pages/configuration/server/occ_commands/core_commands/_config_commands.adoc @@ -34,7 +34,6 @@ The following apps, core functions or documents use/refer to `config:app` settin * xref:configuration/server/legal_settings_configuration.adoc[Legal Settings Configuration] * xref:configuration/files/manual_file_locking.adoc[Manual File Locking] * xref:maintenance/manually-moving-data-folders.adoc[Manually Move a Data Directory] -* xref:configuration/user/oidc/oidc.adoc[OpenID Connect (OIDC)] * xref:configuration/server/ui-configuration.adoc[UI Configuration] * xref:configuration/server/virus-scanner-support.adoc[Virus Scanner Support] diff --git a/modules/admin_manual/pages/configuration/server/security/oauth2.adoc b/modules/admin_manual/pages/configuration/server/security/oauth2.adoc index 97193937a..9f0a9e847 100644 --- a/modules/admin_manual/pages/configuration/server/security/oauth2.adoc +++ b/modules/admin_manual/pages/configuration/server/security/oauth2.adoc @@ -103,7 +103,7 @@ If you want to mark an existing client as trusted, you have to: * Copy the `Client Identifier (ID)` and the `Client Secret`. * Then delete the existing entry either in the UI or via the xref:configuration/server/occ_command.adoc#oauth2[occ oauth2 remove command]. * And finally add it again with the xref:configuration/server/occ_command.adoc#oauth2[occ oauth2 add command] with the trusted setting enabled. + -When deleting in the web UI, you might need to scroll horizontally to see the delete buttons. Follow this link regarding xref:configuration/user/oidc/oidc.adoc#client-ids-secrets-and-redirect-uris[Client IDs, Secrets and Redirect URIs] for ownCloud clients. +When deleting in the web UI, you might need to scroll horizontally to see the delete buttons. ==== Restricting Usage diff --git a/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc deleted file mode 100644 index c76d35c46..000000000 --- a/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc +++ /dev/null @@ -1,89 +0,0 @@ -= Example Setup Using Kopano Konnect -:toc: right -:toclevels: 2 -:openid-connect-frontchannel-logout-url: https://openid.net/specs/openid-connect-frontchannel-1_0.html -:konnect-url: https://github.com/Kopano-dev/konnect -:konnect-docs-url: https://github.com/kopano-dev/konnect#running-konnect -:konnect-webserver-url: https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#configure-a-webserver-for-konnect - -== Introduction - -Kopano Konnect is an OpenID Connect provider (IdP) that directly integrates a Web login and consent form. It brings support for both OpenID Connect (OIDC) and Open Authentication (OAuth 2.0). In addition to the easier integration with third-party applications, Kopano Konnect will also provide the authentication part for the Kopano RestAPI and clients consuming it. - -== Setup and Configuration - -The sections below will explain these areas and provide configuration examples using {konnect-url}[Kopano Konnect] as the external identity provider. - -For the configuration examples, let's assume we have: - -- ownCloud Classic available as `+https://cloud.example.com+` -- Kopano Konnect available as `+https://idp.example.com+` - -=== Set Up and Configure Kopano - -To get your identity provider running and ready to be used with ownCloud, you have to obtain Kopano Konnect and run it with a set of configuration values which can be provided as environment variables. See the {konnect-docs-url}[Kopano Konnect documentation] for details. - -Specifically, you have to: - -- Provide basic configuration. -- Set up a reverse proxy to expose the routes required to connect to Kopano Konnect. You'll find instructions in the {konnect-webserver-url}[Kopano Konnect documentation]. -- Register the ownCloud clients. - -TIP: Kopano Konnect can be set up via Docker. Images are available on Docker Hub (`kopano/konnectd`). - -=== Configure ownCloud Classic - -To set up ownCloud Classic to work with OpenID Connect, you have to: - -1. Enable the OpenID Connect App -2. Configure via environment variables -3. Set up service discovery - -TIP: It is recommended to first figure out all configurations on a test system and to bring it to the production system once it's proven to work. Enabling the OpenID Connect app on the production system should be the last step in this process as it will then advertise OpenID Connect to all clients. - -==== List of OpenID Connect config.php Parameters - -Follow this link to read more about the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic. - -==== Example config.php - -An example snippet that can be added to `config.php` is shown below. - -[source,php] ----- -'openid-connect' => [ - 'provider-url' => 'https://idp.example.com', - 'client-id' => '', - 'client-secret' => '', - 'loginButtonName' => 'Kopano', - 'autoRedirectOnLoginPage' => false, - // change this to 'email' if necessary (see identity provider configuration) - 'mode' => 'userid', - // change this to suit your environment (see identity provider configuration) - 'search-attribute' => 'preferred_username' -], ----- - -=== Register ownCloud Mobile and Desktop App - -To allow the ownCloud apps (Web/Desktop/Android/iOS) to interact with the identity provider, you have to register them as clients. In the case of Kopano Konnect, you can do this using Konnect's `identifier-registration.yaml`. The default values for the regular ownCloud clients are shown below. Other environments might require a different set of values. - -[TIP] -==== -* When registering ownCloud as an OpenID Client, use the following redirect URL: -+ -[source,url] ----- -https://cloud.example.com/index.php/apps/openidconnect/redirect ----- -* If {openid-connect-frontchannel-logout-url}[OpenID Connect Front-Channel Logout 1.0] is supported, enter the following as the logout URL within the client registration of the OpenID Provider: -+ -[source,url] ----- -https://cloud.example.com/index.php/apps/openidconnect/logout ----- -==== - -=== Client IDs, Secrets and Redirect URIs - -Use the data provided in the xref:configuration/user/oidc/oidc.adoc#client-ids-secrets-and-redirect-uris[ownCloud Desktop and Mobile Clients] section. diff --git a/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc deleted file mode 100644 index f63324c3b..000000000 --- a/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc +++ /dev/null @@ -1,154 +0,0 @@ -= Example Setup Using Microsoft Azure -:toc: right -:toclevels: 2 -:ms-azure-ad: Microsoft Azure Active Directory (Azure AD) -:login-azure-url: https://portal.azure.com/#home -:openid-connect-frontchannel-logout-url: https://openid.net/specs/openid-connect-frontchannel-1_0.html -:ms-configure-openid-settings-url: https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings -:ms-ad-redir-url: https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url#prefer-127001-over-localhost - -== Introduction - -{ms-azure-ad} is Microsoft’s multi-tenant cloud-based directory and identity management service. This document describes how to integrate Microsoft Azure Active Directory (Azure AD) as an identity provider (IdP) by configuring OpenID Connect (OIDC) in both Single Sign‑On and Azure AD. - -== Setup and Configuration - -The sections below will explain these areas and provide configuration examples using {ms-azure-ad} as the external Identity Provider. - -=== Configure Microsoft Azure AD - -Follow these steps to configure Microsoft Azure AD for use with OpenID Connect (OIDC): - -. Login to {login-azure-url}[Azure]. -+ -image:configuration/user/oidc/ms-azure-ad/login-with-ms-azure.png[width=200] - -. Go to menu:Manage Azure Active Directory[]. -+ -image:configuration/user/oidc/ms-azure-ad/select-manag-azure-ad.png[width=350] - -. Then go to menu:Properties[Tenant ID] and note your [#tenant-id]#`tenant ID`# for later use. -+ -image:configuration/user/oidc/ms-azure-ad/portal-tenant-id-ms-azure-ad.png[width=350] - -. Then go to menu:App registrations[New registration]. -+ -image:configuration/user/oidc/ms-azure-ad/new-registration-ms-azure-ad.png[width=350] - -. Provide all required information. -+ -image:configuration/user/oidc/ms-azure-ad/provide-required-information-ms-azure-ad.png[width=350] - -. Go to menu:Authentication[Add a platform] and select btn:[Web] in Configure Platforms. -+ -image:configuration/user/oidc/ms-azure-ad/setup-web-application-ms-azure-ad.png[width=350] - -. Go to menu:Authentication[Configure Web > Redirect URI] and setup your btn:[Redirect URI]. -+ -image:configuration/user/oidc/ms-azure-ad/setup-redirect-url-ms-azure-ad.png[width=350] - -. Go to menu:Certificates & secrets[Add a client secret] and setup the [#client-secret]#`client secret`# for your app. -+ -image:configuration/user/oidc/ms-azure-ad/setup-client-secret-ms-azure-ad.png[width=350] - -. Go to menu:Token configuration[Add optional claim] and setup the claims. -+ -image:configuration/user/oidc/ms-azure-ad/setup-claims-ms-azure-ad.png[width=350] - -. Go to menu:API permissions[Configured permissions > Add a permission] and add delegated permissions. -+ -image:configuration/user/oidc/ms-azure-ad/graph-permission-ms-azure-ad.png[width=350] - -. On the same page, do not forget to set menu:Grant admin consent[] to all permissions. -+ -image:configuration/user/oidc/ms-azure-ad/admin-consent-ms-azure-ad.png[width=350] - -. Go to menu:Expose an API[Set the App ID URI] and set the btn:[Application ID URI]. -+ -image:configuration/user/oidc/ms-azure-ad/app-id-uri-ms-azure-ad.png[width=350] - -. Then on the same page: -.. menu:Add a scope[Scope name] give the scope a meaningful name like *owncloud* and -.. menu:Add a scope[Who can consent] allow *Admins and users* to consent. You will see the full api [#api-scope]#`scope name`# below your entered scope name. -+ -image:configuration/user/oidc/ms-azure-ad/scope-consent-ms-azure-ad.png[width=350] - -. You get the [#client-id]#`CLIENT-ID`# after you have completed the Microsoft Azure setup process. On the following screen, you find an overview of most settings made. You can get there by clicking on menu:Overview[]. -+ -image:configuration/user/oidc/ms-azure-ad/overview-screen-ms-azure.png[width=350] - -=== Microsoft Azure AD and RedirectURI - -When it comes to use `127.0.0.1` instead of `localhost` as Redirect URI, the task is not straight forward. Microsoft has an own documentation for this describing a workaround, see {ms-ad-redir-url}[Prefer 127.0.0.1 over localhost]. In summary, you have to select in your app menu:Manifest[Manage], then search for `replyUrlsWithType` and either add a new entry with `127.0.0.1` or modify an existing one. - -image:configuration/user/oidc/ms-azure-ad/ms-azure-manifest.png[width=350] - -=== Configure ownCloud Classic - -To set up ownCloud Classic to work with OpenID Connect, you have to: - -1. Install the {oc-marketplace-url}/apps/openidconnect[OpenID Connect App]. -2. Configure `config.php`. -3. Set up service discovery. - -TIP: It is recommended to first figure out all configurations on a test system and to bring it to the production system once it's proven to work. Enabling the OpenID Connect App on the production system should be the last step in this process as it will then advertise OpenID Connect to all clients. - -==== List of OpenID Connect config.php Parameters - -Follow this link to read more about the -xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic. - -==== Example config.php Setup - -An example snippet that can be added to `config.php` is shown below. You need to add both config values as listed below. The example expects that login users have already been created in ownCloud. - -Use these links to see the corresponding configuration section for: - -* xref:tenant-id[YOUR-DIRECTORY-TENANT-ID] -* xref:client-secret[YOUR-CLIENT-SECRET] -* xref:api-scope[YOUR-APPLICATION-ID-SCOPE-URI/owncloud] -* xref:client-id[YOUR-CLIENT-ID] - -[source,php] ----- -'http.cookie.samesite' => 'None', - -'openid-connect' => [ - 'auto-provision' => ['enabled' => false], - 'provider-url' => 'https://login.microsoftonline.com/YOUR-DIRECTORY-TENANT-ID/v2.0/', - 'client-id' => 'YOUR-CLIENT-ID', - 'client-secret' => 'YOUR-CLIENT-SECRET', - 'loginButtonName' => 'Azure AD', - 'autoRedirectOnLoginPage' => false, - 'scopes' => [ - 'openid', - 'api://YOUR-APPLICATION-ID-SCOPE-URI/owncloud', - 'profile', 'email', 'offline_access', - ], - 'mode' => 'email', - 'search-attribute' => 'unique_name', - 'use-access-token-payload-for-user-info' => true, -], ----- - -If you want to let ownCloud create users which are not present during a OIDC authentication, replace + -`'auto-provision' => ['enabled' => false],` with: - -[source,php] ----- - 'auto-provision' => [ - 'enabled' => true, - 'email-claim' => 'email', - 'display-name-claim' => 'name', - ], ----- - -=== Use oAuth2 authentication for ownCloud Desktop and Mobile Clients - -To allow the ownCloud clients (ownCloud Web, Desktop, Android and iOS) to interact with the ownCloud Classic server, you have to install and enable the oAuth2 app. Please see the xref:configuration/server/security/oauth2.adoc[Open Authentication (OAuth2)] for more details. In this setup, your ownCloud Clients will work without extra hassles, but please be advised that the ownCloud Classic server is acting as identity provider for the clients and you will not be able to delete those clients directly from your identity management solution. - -=== Register ownCloud Desktop and Mobile Clients with Azure AD - -To allow the ownCloud clients (ownCloud Web, Desktop, Android and iOS) to interact directly with the identity provider, you have to register them as clients. - -Only branded ownCloud desktop and mobile clients can be registered with Azure AD, because they need to be built with customized `scope` and `prompt` parameters. As prerequisite, an ownCloud full branding subscription is needed. For more details get in touch with {oc-support-url}[ownCloud Support]. diff --git a/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc b/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc deleted file mode 100644 index e95e27db1..000000000 --- a/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc +++ /dev/null @@ -1,271 +0,0 @@ -= OpenID Connect (OIDC) -:toc: right -:toclevels: 2 -:page-aliases: configuration/user/oidc/index.adoc -:openid-connect-url: https://openid.net/connect/ -:schemeful-samesite-url: https://web.dev/schemeful-samesite/ -:ms-azure-ad-url: https://azure.microsoft.com/en-us/services/active-directory/ -:ms-adfs-url: https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services -:ping-identity-url: https://developer.pingidentity.com/en/cloud-software/pingfederate.html -:cidaas-url: https://www.cidaas.com/ -:keycloak-url: https://www.keycloak.org/ -:kopano-konnect-github-url: https://github.com/Kopano-dev/konnect - -== Introduction - -{openid-connect-url}[OpenID Connect] is an open standard for single sign-on, identity and access management. With ownCloud it can be used for user authentication and client authorization against an external identity provider(IdP). - -**Benefits of using ownCloud with OpenID Connect** - -- Increased security by shifting user authentication to an external identity provider. -- Seamless integration into single sign-on (SSO) environments as well as with third party products. -- Centralized client management within the identity provider. -- Enterprise-grade security through the use of authentication security features (e.g., multi-factor authentication) and policies (e.g., automatic token expiration on certain conditions) provided by identity providers. - -NOTE: ownCloud only supports one configured identity provider which is then valid for all requests. - -Click on the xref:attachment$/configuration/user/oidc/OAuth-code-flow-sequence-diagram.png[OAuth code flow sequence diagram] link to get more details on the flow sequence. - -== Supported Identity Providers - -ownCloud Classic can work with identity providers (IdP) that support OpenID Connect. There are many identity providers available and the OpenID Connect implementations vary a lot in terms of supported features as well as configuration needs. - -The currently supported products are - -- {ms-azure-ad-url}[Microsoft Azure AD] -- {ms-adfs-url}[Microsoft ADFS] ^1^ -- {ping-identity-url}[PingIdentity PingFederate] -- {cidaas-url}[cidaas] -- {keycloak-url}[Keycloak] -- {kopano-konnect-github-url}[Kopano Konnect] - -(1) ... Note that ADFS does not support client-secrets that contain an `_` (underscore). - -Please get in touch with ownCloud Consulting if you need help with a specific identity provider product. - -== Prerequisites - -Setting up ownCloud Classic to work with OpenID Connect requires a couple of components to work together: - -* An external identity provider configured to work with the ownCloud components -* A distributed memcache setup - such as Redis or Memcached - is required to operate this app. Follow the xref:configuration/server/caching_configuration.adoc[caching documentation] on how to set it up. -* The `OpenID Connect` app enabled on ownCloud Classic. -* Set the environment variable: -+ --- -`OWNCLOUD_HTTP_COOKIE_SAMESITE=None` - -See xref:configuration/server/config_sample_php_parameters.adoc#define-how-to-relax-the-same-site-cookie-settings[config.sample.php] and {schemeful-samesite-url}[Schemeful Same-Site] for examples and details. --- - -* Settings for the OpenID Connect App -+ -See xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[config.apps.sample.php] for examples and details or see section xref:save-settings-in-the-database[Save Settings in the Database] below when running clustered setups. - -* Service discovery for the xref:owncloud-desktop-and-mobile-clients[ownCloud Desktop and Mobile Apps] - -=== Save Settings in the Database - -If you run a clustered setup, the following method configuring the OpenID Connect app is preferred, because it is stateless. The app checks for settings in the database first. If none are found, it falls back to the settings stored in `config.php`. The settings are stored as a JSON formatted string with the following keys and values: - -[width="50%",cols="40%,50%",options="header"] -|=== -| Key -| Value - -| appid -| 'openidconnect' - -| configkey -| 'openid-connect' - -| configvalue -| _JSON-String_ -|=== - -If a malformed JSON string is found, an error is logged. The _key->value_ pairs are the same as when storing them to the `config.php` file. This task has to be done by invoking an occ command, see the following example. Use the occ commands `config:app:get` to view the current setting or `config:app:delete` to delete it. See the xref:configuration/server/occ_command.adoc#config-commands[Config Command Set] for more details. - -[source,bash,subs="attributes+"] ----- -{occ-command-example-prefix-docker} config:app:set \ - openidconnect \ - openid-connect \ - --value='{"provider-url":"https:\/\/idp.example.net","client-id":"fc9b5c78-ec73-47bf-befc-59d4fe780f6f","client-secret":"e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1","loginButtonName":"Login via OpenId Connect"}' ----- - -NOTE: Only set either the database or the config.php keys but not both for the OpenID Connect app. - -== Set Up Service Discovery - -. Webserver Service Discovery Information -+ -In order to allow the ownCloud Clients (Desktop/Android/iOS) to make use of OpenID Connect, the webserver serving ownCloud Classic needs to _provide service discovery information_ under the following static path: -+ -[source,url] ----- -https://cloud.example.com/.well-known/openid-configuration ----- - -. App Service Discovery Information -+ -When enabled, the OpenID Connect App provides the service discovery information on the endpoint: -+ -[source,url] ----- -https://cloud.example.com/index.php/apps/openidconnect/config ----- - -. Webserver Rewrite Rule -+ --- -To make the endpoint available under the static service discovery path, it is recommended to set the following environment variable: - -[source,.env] ----- -OWNCLOUD_ENABLE_OIDC_REWRITE_URL=true ----- - -This variable sets the following rule in the embedded `.htaccess` file: - -`RewriteRule ^/.well-known/openid-configuration /index.php/apps/openidconnect/config` - -TIP: Depending on the respective infrastructure setup there can be other ways to solve this. In any case, please make sure _not to use redirect rules_ as this will violate the OpenID Connect specification. - -IMPORTANT: If you use the `.htaccess` file in the ownCloud web root, you have to manually add that rewrite rule again after any ownCloud upgrade. --- - -. Once service discovery is available as described above, the ownCloud clients will attempt to connect via OpenID Connect. - -== General Example Setup - -All IdPs have their own setup, but often share common ways of configuring things. Although not identical, the xref:example-setup-using-kopano-konnect[Kopano Konnect] example may be a good starting point for the specific configuration of your setup. As Microsoft with Azure AD is different, it has its own example section. - -== Example Setup Using Kopano Konnect - -Follow this link to see -xref:configuration/user/oidc/kopano-setup.adoc[Example Setup Using Kopano Konnect]. - -== Example Setup Using Microsoft Azure AD - -Follow this link to see -xref:configuration/user/oidc/ms-azure-setup.adoc[Example Setup Using Microsoft Azure AD]. - -== Example Setup Using OneLogin - -Follow this link to see -xref:configuration/user/oidc/onelogin-setup.adoc[Example Setup Using OneLogin]. - -== ownCloud Desktop and Mobile Apps - -ownCloud Desktop and Mobile Apps detect whether OIDC is available (service discovery) and use this login method when a new account is created. - -NOTE: The Desktop and Mobile apps have a default client ID and secret hard-coded, which are used for ownCloud's oauth2 app. When using Kopano as IdP, it does not pre-define a client ID and secret. You can use the default ones of the client to configure Kopano properly. With some IdPs like MS-Azure, these and other required parameters come from the IdP and must be coded into the client. Note that each IdP has different requirements. Get in touch with ownCloud for a branding subscription to customize the clients according to your needs. - -=== Client IDs, Secrets and Redirect URIs - -All IdPs can use ownCloud's default _client IDs, secrets and redirect URIs_ with the exception of Microsoft Azure AD, which uses a different approach. Here is the data necessary for the configuration. - -==== Client ID - -[width="80%",cols="35%,90%",options="header"] -|=== -| Source -| Key - -| Server/Web -| as specified via environment variables - -| Desktop -| `xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69` - -| Android -| `e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD` - -| iOS -| `mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1` -|=== - -==== Client Secret - -[width="80%",cols="35%,90%",options="header"] -|=== -| Source -| Key - -| Server/Web -| as specified via environment variables - -| Desktop -| `UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh` - -| Android -| `dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD` - -| iOS -| `KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx` -|=== - -==== Redirect URIs - -[width="60%",cols="50%,85%",options="header"] -|=== -| Source -| Redirect URI ^1^ - -| Desktop ≤ 2.8 -| `\http://localhost` - -| Desktop ≥ 2.9 -| `\http://127.0.0.1` - -| Android -| `oc://android.owncloud.com` - -| iOS -| `oc://ios.owncloud.com` -|=== - -(1) See the xref:configuration/user/oidc/ms-azure-setup.adoc#microsoft-azure-ad-and-redirecturi[following note] when using Microsoft Azure AD and 127.0.0.1 as redirect URI. - -=== Default Scope and Prompt Parameters - -ownCloud desktop and mobile apps come with default `scope` and `prompt` parameters. These parameters can be modified in custom branded builds. See the https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest[OIDC Authentication Request specs] for more details about the parameters. - -[width="60%",cols="50%,100%",options="header"] -|=== -| Parameter -| Default value - -| `scope` -| `openid offline_access email profile` - -| `prompt` -| `select_account consent` + -(for Android you need app version 4.0+) -|=== - -=== Migrate Clients from Basic Authentication to OIDC - -If your users are logged in to their desktop and mobile clients via basic authentication (username/password) against ownCloud Classic and you are not using OAuth2 to authorize the ownCloud clients, a migration to OIDC can be conducted as follows: - -1. Make sure you have a working OIDC configuration based on the above sections. -2. Enable the OpenID Connect App. -3. Enable xref:configuration/server/config_sample_php_parameters.adoc#enforce-token-only-authentication-for-apps-and-clients-connecting-to-owncloud[token-only authentication]. - -Once the OpenID Connect App is enabled, token-only authentication is enforced and service discovery is properly set up, the ownCloud clients will ask the users to re-authenticate. After a successful re-authentication, the migration is done. - -To connect legacy clients, users have to generate xref:classic_ui:personal_settings/security.adoc#app-passwords-tokens[special app passwords (tokens)]. - -=== Migrate Clients from OAuth2 to OIDC - -If you use OAuth2 for client authorization, a migration to OIDC can be conducted as follows: - -1. Make sure you have a working configuration based on the above sections. -2. Enable the OpenID Connect App (while having the OAuth2 App still enabled). -3. Disable the OAuth2 App. - -Once the OAuth2 App is disabled and service discovery is properly set up, the ownCloud Clients will ask the users to re-authenticate. After a successful re-authentication, the migration is done. - -== Migrate Web Login (and Client Login) from SAML to OIDC - -If you are using SAML/SSO, a migration to OIDC depends on your identity provider and is not straight forward. Please get in touch with ownCloud Consulting to plan the migration. diff --git a/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc deleted file mode 100644 index 2f34b5a04..000000000 --- a/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc +++ /dev/null @@ -1,108 +0,0 @@ -= Example Setup Using OneLogin -:toc: right -:toclevels: 2 -:openid-connect-frontchannel-logout-url: https://openid.net/specs/openid-connect-frontchannel-1_0.html -:onelogin-url: https://www.onelogin.com -:description: OneLogin is a cloud-based identity and access management provider. This document describes how to integrate OneLogin as an identity provider (IdP) by configuring OpenID Connect (OIDC). - -== Introduction - -{description} See {onelogin-url}[OneLogin] for details about the service. - -IMPORTANT: At the moment, ownCloud clients don't work with OneLogin as IdP which is a known issue. - -== Setup and Configuration - -The sections below will explain these areas and provide configuration examples using OneLogin as the external Identity Provider. - -=== Configure OneLogin - -Follow these steps to configure OneLogin for use with OpenID Connect (OIDC): - -. Login to OneLogin via your domain login `\https://.onelogin.com/admin2`. - -. Go to menu:Applications[Applications] to manage the registered applications. -+ -image:configuration/user/oidc/onelogin/onelogin-select-application.png[width=350] - -. Click on btn:[Add App] in the upper right corner. - -. Search for `openid` and select the `OpenId Connect (OIDC)` app -+ -image:configuration/user/oidc/onelogin/onelogin-select-openid-app.png[width=350] - -. Provide a name and configure images if needed. - -. Hit btn:[Save] - -. Go to menu:Configuration[] and enter values for `Login Url` which points to you system and the `Redirect URI's`, which is the url of you system followed by `/index.php/apps/openidconnect/redirect` -+ -image:configuration/user/oidc/onelogin/onelogin-oidc-configuration.png[width=350] - -. Go to menu:SSO[] and note the values for [#client-id]#Client ID#, [#client-secret]#Client Secret# and [#issuer-url]#Issuer URL# for later use. -+ -image:configuration/user/oidc/onelogin/onelogin-oidc-sso.png[width=350] - -=== Configure ownCloud Classic - -These are the generic steps to set up ownCloud Classic to work with OpenID Connect, for details see the sections below: - -1. Install the {oc-marketplace-url}/apps/openidconnect[OpenID Connect App]. -2. Configure `config.php`. -3. Set up service discovery. - -TIP: It is recommended to first figure out all configurations on a test system and to bring it to the production system once it's proven to work. Enabling the OpenID Connect App on the production system should be the last step in this process as it will then advertise OpenID Connect to all clients. - -==== List of OpenID Connect config.php Parameters - -Follow this link to read more about the -xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic. - -==== Example config.php Setup - -An example snippet that can be added to `config.php` is shown below. You need to add both config values as listed below. The example expects that login users have already been created in ownCloud. - -Use these links to see the corresponding configuration section for: - -* xref:client-secret[YOUR-CLIENT-SECRET] -* xref:client-id[YOUR-CLIENT-ID] -* xref:issuer-url[YOUR-ISSUER-URL] - -[source,php] ----- -'http.cookie.samesite' => 'None', - -'openid-connect' => [ - 'auto-provision' => ['enabled' => false], - 'provider-url' => 'YOUR-ISSUER-URL', - 'client-id' => 'YOUR-CLIENT-ID', - 'client-secret' => 'YOUR-CLIENT-SECRET', - 'loginButtonName' => 'OneLogin', - 'autoRedirectOnLoginPage' => false, - 'mode' => 'email', - 'scopes' => [], - 'use-access-token-payload-for-user-info' => false, -], ----- - -If you want to let ownCloud create users which are not present during a OIDC authentication, replace + -`'auto-provision' => ['enabled' => false],` with: - -[source,php] ----- - 'auto-provision' => [ - 'enabled' => true, - 'email-claim' => 'email', - 'display-name-claim' => 'name', - ], ----- - -==== Service Discovery Setup - -For details see xref:configuration/user/oidc/oidc.adoc#set-up-service-discovery[Set Up Service Discovery]. - -//// -=== Register ownCloud Clients - -To allow the ownCloud clients (Web/desktop/Android/iOS) to interact with the identity provider, you have to register them as clients. -//// diff --git a/modules/admin_manual/partials/nav.adoc b/modules/admin_manual/partials/nav.adoc index 86c025994..770b55b3d 100644 --- a/modules/admin_manual/partials/nav.adoc +++ b/modules/admin_manual/partials/nav.adoc @@ -105,7 +105,6 @@ **** xref:admin_manual:configuration/user/user_provisioning_api.adoc[User Provisioning API] **** xref:admin_manual:configuration/user/custom_groups_app.adoc[Custom Groups App] **** xref:admin_manual:configuration/user/guests_app.adoc[Guests App] -**** xref:admin_manual:configuration/user/oidc/oidc.adoc[OpenID Connect (OIDC)] **** xref:admin_manual:configuration/user/login_policies.adoc[Login Policies] ** Maintenance From a660ee25ec8d4f9552fa3bbf6d8a20acf002fdbe Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Fri, 10 Jul 2026 09:19:39 +0200 Subject: [PATCH 3/9] Revert "remove oidc and related references" This reverts commit d5d94c0f65d4d142dc6076e5074a5551fb3574d8. --- .../pages/configuration/envvars/envvars.adoc | 2 + .../core_commands/_config_commands.adoc | 1 + .../configuration/server/security/oauth2.adoc | 2 +- .../configuration/user/oidc/kopano-setup.adoc | 89 ++++++ .../user/oidc/ms-azure-setup.adoc | 154 ++++++++++ .../pages/configuration/user/oidc/oidc.adoc | 271 ++++++++++++++++++ .../user/oidc/onelogin-setup.adoc | 108 +++++++ modules/admin_manual/partials/nav.adoc | 1 + 8 files changed, 627 insertions(+), 1 deletion(-) create mode 100644 modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc create mode 100644 modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc create mode 100644 modules/admin_manual/pages/configuration/user/oidc/oidc.adoc create mode 100644 modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc diff --git a/modules/admin_manual/pages/configuration/envvars/envvars.adoc b/modules/admin_manual/pages/configuration/envvars/envvars.adoc index 9c814471e..2688e32b6 100644 --- a/modules/admin_manual/pages/configuration/envvars/envvars.adoc +++ b/modules/admin_manual/pages/configuration/envvars/envvars.adoc @@ -118,6 +118,8 @@ Allow the configuration of system-wide trusted certificates (see xref:configuration/server/config_sample_php_parameters.adoc#allow-the-configuration-of-system-wide-trusted-certificates[documentation]). - `OWNCLOUD_ENABLE_PREVIEWS=` + Enable preview generation (see xref:configuration/server/config_sample_php_parameters.adoc#enable-preview-generation[documentation]). +- `OWNCLOUD_ENABLE_OIDC_REWRITE_URL=false` + + Rewrites OpenID Connect wellknown URL `.well-known/openid-configuration` to the ownCloud OIDC configuration endpoint (see xref:configuration/user/oidc/oidc.adoc#set-up-service-discovery[documentation]). - `OWNCLOUD_ENTRYPOINT_INITIALIZED=true` + Enable or disable loading of files from `/etc/entrypoint.d`. It is recommended to keep the default. - `OWNCLOUD_ERRORLOG_LOCATION=/dev/stderr` + diff --git a/modules/admin_manual/pages/configuration/server/occ_commands/core_commands/_config_commands.adoc b/modules/admin_manual/pages/configuration/server/occ_commands/core_commands/_config_commands.adoc index 6b6ecd030..bfcc16182 100644 --- a/modules/admin_manual/pages/configuration/server/occ_commands/core_commands/_config_commands.adoc +++ b/modules/admin_manual/pages/configuration/server/occ_commands/core_commands/_config_commands.adoc @@ -34,6 +34,7 @@ The following apps, core functions or documents use/refer to `config:app` settin * xref:configuration/server/legal_settings_configuration.adoc[Legal Settings Configuration] * xref:configuration/files/manual_file_locking.adoc[Manual File Locking] * xref:maintenance/manually-moving-data-folders.adoc[Manually Move a Data Directory] +* xref:configuration/user/oidc/oidc.adoc[OpenID Connect (OIDC)] * xref:configuration/server/ui-configuration.adoc[UI Configuration] * xref:configuration/server/virus-scanner-support.adoc[Virus Scanner Support] diff --git a/modules/admin_manual/pages/configuration/server/security/oauth2.adoc b/modules/admin_manual/pages/configuration/server/security/oauth2.adoc index 9f0a9e847..97193937a 100644 --- a/modules/admin_manual/pages/configuration/server/security/oauth2.adoc +++ b/modules/admin_manual/pages/configuration/server/security/oauth2.adoc @@ -103,7 +103,7 @@ If you want to mark an existing client as trusted, you have to: * Copy the `Client Identifier (ID)` and the `Client Secret`. * Then delete the existing entry either in the UI or via the xref:configuration/server/occ_command.adoc#oauth2[occ oauth2 remove command]. * And finally add it again with the xref:configuration/server/occ_command.adoc#oauth2[occ oauth2 add command] with the trusted setting enabled. + -When deleting in the web UI, you might need to scroll horizontally to see the delete buttons. +When deleting in the web UI, you might need to scroll horizontally to see the delete buttons. Follow this link regarding xref:configuration/user/oidc/oidc.adoc#client-ids-secrets-and-redirect-uris[Client IDs, Secrets and Redirect URIs] for ownCloud clients. ==== Restricting Usage diff --git a/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc new file mode 100644 index 000000000..c76d35c46 --- /dev/null +++ b/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc @@ -0,0 +1,89 @@ += Example Setup Using Kopano Konnect +:toc: right +:toclevels: 2 +:openid-connect-frontchannel-logout-url: https://openid.net/specs/openid-connect-frontchannel-1_0.html +:konnect-url: https://github.com/Kopano-dev/konnect +:konnect-docs-url: https://github.com/kopano-dev/konnect#running-konnect +:konnect-webserver-url: https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#configure-a-webserver-for-konnect + +== Introduction + +Kopano Konnect is an OpenID Connect provider (IdP) that directly integrates a Web login and consent form. It brings support for both OpenID Connect (OIDC) and Open Authentication (OAuth 2.0). In addition to the easier integration with third-party applications, Kopano Konnect will also provide the authentication part for the Kopano RestAPI and clients consuming it. + +== Setup and Configuration + +The sections below will explain these areas and provide configuration examples using {konnect-url}[Kopano Konnect] as the external identity provider. + +For the configuration examples, let's assume we have: + +- ownCloud Classic available as `+https://cloud.example.com+` +- Kopano Konnect available as `+https://idp.example.com+` + +=== Set Up and Configure Kopano + +To get your identity provider running and ready to be used with ownCloud, you have to obtain Kopano Konnect and run it with a set of configuration values which can be provided as environment variables. See the {konnect-docs-url}[Kopano Konnect documentation] for details. + +Specifically, you have to: + +- Provide basic configuration. +- Set up a reverse proxy to expose the routes required to connect to Kopano Konnect. You'll find instructions in the {konnect-webserver-url}[Kopano Konnect documentation]. +- Register the ownCloud clients. + +TIP: Kopano Konnect can be set up via Docker. Images are available on Docker Hub (`kopano/konnectd`). + +=== Configure ownCloud Classic + +To set up ownCloud Classic to work with OpenID Connect, you have to: + +1. Enable the OpenID Connect App +2. Configure via environment variables +3. Set up service discovery + +TIP: It is recommended to first figure out all configurations on a test system and to bring it to the production system once it's proven to work. Enabling the OpenID Connect app on the production system should be the last step in this process as it will then advertise OpenID Connect to all clients. + +==== List of OpenID Connect config.php Parameters + +Follow this link to read more about the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic. + +==== Example config.php + +An example snippet that can be added to `config.php` is shown below. + +[source,php] +---- +'openid-connect' => [ + 'provider-url' => 'https://idp.example.com', + 'client-id' => '', + 'client-secret' => '', + 'loginButtonName' => 'Kopano', + 'autoRedirectOnLoginPage' => false, + // change this to 'email' if necessary (see identity provider configuration) + 'mode' => 'userid', + // change this to suit your environment (see identity provider configuration) + 'search-attribute' => 'preferred_username' +], +---- + +=== Register ownCloud Mobile and Desktop App + +To allow the ownCloud apps (Web/Desktop/Android/iOS) to interact with the identity provider, you have to register them as clients. In the case of Kopano Konnect, you can do this using Konnect's `identifier-registration.yaml`. The default values for the regular ownCloud clients are shown below. Other environments might require a different set of values. + +[TIP] +==== +* When registering ownCloud as an OpenID Client, use the following redirect URL: ++ +[source,url] +---- +https://cloud.example.com/index.php/apps/openidconnect/redirect +---- +* If {openid-connect-frontchannel-logout-url}[OpenID Connect Front-Channel Logout 1.0] is supported, enter the following as the logout URL within the client registration of the OpenID Provider: ++ +[source,url] +---- +https://cloud.example.com/index.php/apps/openidconnect/logout +---- +==== + +=== Client IDs, Secrets and Redirect URIs + +Use the data provided in the xref:configuration/user/oidc/oidc.adoc#client-ids-secrets-and-redirect-uris[ownCloud Desktop and Mobile Clients] section. diff --git a/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc new file mode 100644 index 000000000..f63324c3b --- /dev/null +++ b/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc @@ -0,0 +1,154 @@ += Example Setup Using Microsoft Azure +:toc: right +:toclevels: 2 +:ms-azure-ad: Microsoft Azure Active Directory (Azure AD) +:login-azure-url: https://portal.azure.com/#home +:openid-connect-frontchannel-logout-url: https://openid.net/specs/openid-connect-frontchannel-1_0.html +:ms-configure-openid-settings-url: https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings +:ms-ad-redir-url: https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url#prefer-127001-over-localhost + +== Introduction + +{ms-azure-ad} is Microsoft’s multi-tenant cloud-based directory and identity management service. This document describes how to integrate Microsoft Azure Active Directory (Azure AD) as an identity provider (IdP) by configuring OpenID Connect (OIDC) in both Single Sign‑On and Azure AD. + +== Setup and Configuration + +The sections below will explain these areas and provide configuration examples using {ms-azure-ad} as the external Identity Provider. + +=== Configure Microsoft Azure AD + +Follow these steps to configure Microsoft Azure AD for use with OpenID Connect (OIDC): + +. Login to {login-azure-url}[Azure]. ++ +image:configuration/user/oidc/ms-azure-ad/login-with-ms-azure.png[width=200] + +. Go to menu:Manage Azure Active Directory[]. ++ +image:configuration/user/oidc/ms-azure-ad/select-manag-azure-ad.png[width=350] + +. Then go to menu:Properties[Tenant ID] and note your [#tenant-id]#`tenant ID`# for later use. ++ +image:configuration/user/oidc/ms-azure-ad/portal-tenant-id-ms-azure-ad.png[width=350] + +. Then go to menu:App registrations[New registration]. ++ +image:configuration/user/oidc/ms-azure-ad/new-registration-ms-azure-ad.png[width=350] + +. Provide all required information. ++ +image:configuration/user/oidc/ms-azure-ad/provide-required-information-ms-azure-ad.png[width=350] + +. Go to menu:Authentication[Add a platform] and select btn:[Web] in Configure Platforms. ++ +image:configuration/user/oidc/ms-azure-ad/setup-web-application-ms-azure-ad.png[width=350] + +. Go to menu:Authentication[Configure Web > Redirect URI] and setup your btn:[Redirect URI]. ++ +image:configuration/user/oidc/ms-azure-ad/setup-redirect-url-ms-azure-ad.png[width=350] + +. Go to menu:Certificates & secrets[Add a client secret] and setup the [#client-secret]#`client secret`# for your app. ++ +image:configuration/user/oidc/ms-azure-ad/setup-client-secret-ms-azure-ad.png[width=350] + +. Go to menu:Token configuration[Add optional claim] and setup the claims. ++ +image:configuration/user/oidc/ms-azure-ad/setup-claims-ms-azure-ad.png[width=350] + +. Go to menu:API permissions[Configured permissions > Add a permission] and add delegated permissions. ++ +image:configuration/user/oidc/ms-azure-ad/graph-permission-ms-azure-ad.png[width=350] + +. On the same page, do not forget to set menu:Grant admin consent[] to all permissions. ++ +image:configuration/user/oidc/ms-azure-ad/admin-consent-ms-azure-ad.png[width=350] + +. Go to menu:Expose an API[Set the App ID URI] and set the btn:[Application ID URI]. ++ +image:configuration/user/oidc/ms-azure-ad/app-id-uri-ms-azure-ad.png[width=350] + +. Then on the same page: +.. menu:Add a scope[Scope name] give the scope a meaningful name like *owncloud* and +.. menu:Add a scope[Who can consent] allow *Admins and users* to consent. You will see the full api [#api-scope]#`scope name`# below your entered scope name. ++ +image:configuration/user/oidc/ms-azure-ad/scope-consent-ms-azure-ad.png[width=350] + +. You get the [#client-id]#`CLIENT-ID`# after you have completed the Microsoft Azure setup process. On the following screen, you find an overview of most settings made. You can get there by clicking on menu:Overview[]. ++ +image:configuration/user/oidc/ms-azure-ad/overview-screen-ms-azure.png[width=350] + +=== Microsoft Azure AD and RedirectURI + +When it comes to use `127.0.0.1` instead of `localhost` as Redirect URI, the task is not straight forward. Microsoft has an own documentation for this describing a workaround, see {ms-ad-redir-url}[Prefer 127.0.0.1 over localhost]. In summary, you have to select in your app menu:Manifest[Manage], then search for `replyUrlsWithType` and either add a new entry with `127.0.0.1` or modify an existing one. + +image:configuration/user/oidc/ms-azure-ad/ms-azure-manifest.png[width=350] + +=== Configure ownCloud Classic + +To set up ownCloud Classic to work with OpenID Connect, you have to: + +1. Install the {oc-marketplace-url}/apps/openidconnect[OpenID Connect App]. +2. Configure `config.php`. +3. Set up service discovery. + +TIP: It is recommended to first figure out all configurations on a test system and to bring it to the production system once it's proven to work. Enabling the OpenID Connect App on the production system should be the last step in this process as it will then advertise OpenID Connect to all clients. + +==== List of OpenID Connect config.php Parameters + +Follow this link to read more about the +xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic. + +==== Example config.php Setup + +An example snippet that can be added to `config.php` is shown below. You need to add both config values as listed below. The example expects that login users have already been created in ownCloud. + +Use these links to see the corresponding configuration section for: + +* xref:tenant-id[YOUR-DIRECTORY-TENANT-ID] +* xref:client-secret[YOUR-CLIENT-SECRET] +* xref:api-scope[YOUR-APPLICATION-ID-SCOPE-URI/owncloud] +* xref:client-id[YOUR-CLIENT-ID] + +[source,php] +---- +'http.cookie.samesite' => 'None', + +'openid-connect' => [ + 'auto-provision' => ['enabled' => false], + 'provider-url' => 'https://login.microsoftonline.com/YOUR-DIRECTORY-TENANT-ID/v2.0/', + 'client-id' => 'YOUR-CLIENT-ID', + 'client-secret' => 'YOUR-CLIENT-SECRET', + 'loginButtonName' => 'Azure AD', + 'autoRedirectOnLoginPage' => false, + 'scopes' => [ + 'openid', + 'api://YOUR-APPLICATION-ID-SCOPE-URI/owncloud', + 'profile', 'email', 'offline_access', + ], + 'mode' => 'email', + 'search-attribute' => 'unique_name', + 'use-access-token-payload-for-user-info' => true, +], +---- + +If you want to let ownCloud create users which are not present during a OIDC authentication, replace + +`'auto-provision' => ['enabled' => false],` with: + +[source,php] +---- + 'auto-provision' => [ + 'enabled' => true, + 'email-claim' => 'email', + 'display-name-claim' => 'name', + ], +---- + +=== Use oAuth2 authentication for ownCloud Desktop and Mobile Clients + +To allow the ownCloud clients (ownCloud Web, Desktop, Android and iOS) to interact with the ownCloud Classic server, you have to install and enable the oAuth2 app. Please see the xref:configuration/server/security/oauth2.adoc[Open Authentication (OAuth2)] for more details. In this setup, your ownCloud Clients will work without extra hassles, but please be advised that the ownCloud Classic server is acting as identity provider for the clients and you will not be able to delete those clients directly from your identity management solution. + +=== Register ownCloud Desktop and Mobile Clients with Azure AD + +To allow the ownCloud clients (ownCloud Web, Desktop, Android and iOS) to interact directly with the identity provider, you have to register them as clients. + +Only branded ownCloud desktop and mobile clients can be registered with Azure AD, because they need to be built with customized `scope` and `prompt` parameters. As prerequisite, an ownCloud full branding subscription is needed. For more details get in touch with {oc-support-url}[ownCloud Support]. diff --git a/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc b/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc new file mode 100644 index 000000000..e95e27db1 --- /dev/null +++ b/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc @@ -0,0 +1,271 @@ += OpenID Connect (OIDC) +:toc: right +:toclevels: 2 +:page-aliases: configuration/user/oidc/index.adoc +:openid-connect-url: https://openid.net/connect/ +:schemeful-samesite-url: https://web.dev/schemeful-samesite/ +:ms-azure-ad-url: https://azure.microsoft.com/en-us/services/active-directory/ +:ms-adfs-url: https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services +:ping-identity-url: https://developer.pingidentity.com/en/cloud-software/pingfederate.html +:cidaas-url: https://www.cidaas.com/ +:keycloak-url: https://www.keycloak.org/ +:kopano-konnect-github-url: https://github.com/Kopano-dev/konnect + +== Introduction + +{openid-connect-url}[OpenID Connect] is an open standard for single sign-on, identity and access management. With ownCloud it can be used for user authentication and client authorization against an external identity provider(IdP). + +**Benefits of using ownCloud with OpenID Connect** + +- Increased security by shifting user authentication to an external identity provider. +- Seamless integration into single sign-on (SSO) environments as well as with third party products. +- Centralized client management within the identity provider. +- Enterprise-grade security through the use of authentication security features (e.g., multi-factor authentication) and policies (e.g., automatic token expiration on certain conditions) provided by identity providers. + +NOTE: ownCloud only supports one configured identity provider which is then valid for all requests. + +Click on the xref:attachment$/configuration/user/oidc/OAuth-code-flow-sequence-diagram.png[OAuth code flow sequence diagram] link to get more details on the flow sequence. + +== Supported Identity Providers + +ownCloud Classic can work with identity providers (IdP) that support OpenID Connect. There are many identity providers available and the OpenID Connect implementations vary a lot in terms of supported features as well as configuration needs. + +The currently supported products are + +- {ms-azure-ad-url}[Microsoft Azure AD] +- {ms-adfs-url}[Microsoft ADFS] ^1^ +- {ping-identity-url}[PingIdentity PingFederate] +- {cidaas-url}[cidaas] +- {keycloak-url}[Keycloak] +- {kopano-konnect-github-url}[Kopano Konnect] + +(1) ... Note that ADFS does not support client-secrets that contain an `_` (underscore). + +Please get in touch with ownCloud Consulting if you need help with a specific identity provider product. + +== Prerequisites + +Setting up ownCloud Classic to work with OpenID Connect requires a couple of components to work together: + +* An external identity provider configured to work with the ownCloud components +* A distributed memcache setup - such as Redis or Memcached - is required to operate this app. Follow the xref:configuration/server/caching_configuration.adoc[caching documentation] on how to set it up. +* The `OpenID Connect` app enabled on ownCloud Classic. +* Set the environment variable: ++ +-- +`OWNCLOUD_HTTP_COOKIE_SAMESITE=None` + +See xref:configuration/server/config_sample_php_parameters.adoc#define-how-to-relax-the-same-site-cookie-settings[config.sample.php] and {schemeful-samesite-url}[Schemeful Same-Site] for examples and details. +-- + +* Settings for the OpenID Connect App ++ +See xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[config.apps.sample.php] for examples and details or see section xref:save-settings-in-the-database[Save Settings in the Database] below when running clustered setups. + +* Service discovery for the xref:owncloud-desktop-and-mobile-clients[ownCloud Desktop and Mobile Apps] + +=== Save Settings in the Database + +If you run a clustered setup, the following method configuring the OpenID Connect app is preferred, because it is stateless. The app checks for settings in the database first. If none are found, it falls back to the settings stored in `config.php`. The settings are stored as a JSON formatted string with the following keys and values: + +[width="50%",cols="40%,50%",options="header"] +|=== +| Key +| Value + +| appid +| 'openidconnect' + +| configkey +| 'openid-connect' + +| configvalue +| _JSON-String_ +|=== + +If a malformed JSON string is found, an error is logged. The _key->value_ pairs are the same as when storing them to the `config.php` file. This task has to be done by invoking an occ command, see the following example. Use the occ commands `config:app:get` to view the current setting or `config:app:delete` to delete it. See the xref:configuration/server/occ_command.adoc#config-commands[Config Command Set] for more details. + +[source,bash,subs="attributes+"] +---- +{occ-command-example-prefix-docker} config:app:set \ + openidconnect \ + openid-connect \ + --value='{"provider-url":"https:\/\/idp.example.net","client-id":"fc9b5c78-ec73-47bf-befc-59d4fe780f6f","client-secret":"e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1","loginButtonName":"Login via OpenId Connect"}' +---- + +NOTE: Only set either the database or the config.php keys but not both for the OpenID Connect app. + +== Set Up Service Discovery + +. Webserver Service Discovery Information ++ +In order to allow the ownCloud Clients (Desktop/Android/iOS) to make use of OpenID Connect, the webserver serving ownCloud Classic needs to _provide service discovery information_ under the following static path: ++ +[source,url] +---- +https://cloud.example.com/.well-known/openid-configuration +---- + +. App Service Discovery Information ++ +When enabled, the OpenID Connect App provides the service discovery information on the endpoint: ++ +[source,url] +---- +https://cloud.example.com/index.php/apps/openidconnect/config +---- + +. Webserver Rewrite Rule ++ +-- +To make the endpoint available under the static service discovery path, it is recommended to set the following environment variable: + +[source,.env] +---- +OWNCLOUD_ENABLE_OIDC_REWRITE_URL=true +---- + +This variable sets the following rule in the embedded `.htaccess` file: + +`RewriteRule ^/.well-known/openid-configuration /index.php/apps/openidconnect/config` + +TIP: Depending on the respective infrastructure setup there can be other ways to solve this. In any case, please make sure _not to use redirect rules_ as this will violate the OpenID Connect specification. + +IMPORTANT: If you use the `.htaccess` file in the ownCloud web root, you have to manually add that rewrite rule again after any ownCloud upgrade. +-- + +. Once service discovery is available as described above, the ownCloud clients will attempt to connect via OpenID Connect. + +== General Example Setup + +All IdPs have their own setup, but often share common ways of configuring things. Although not identical, the xref:example-setup-using-kopano-konnect[Kopano Konnect] example may be a good starting point for the specific configuration of your setup. As Microsoft with Azure AD is different, it has its own example section. + +== Example Setup Using Kopano Konnect + +Follow this link to see +xref:configuration/user/oidc/kopano-setup.adoc[Example Setup Using Kopano Konnect]. + +== Example Setup Using Microsoft Azure AD + +Follow this link to see +xref:configuration/user/oidc/ms-azure-setup.adoc[Example Setup Using Microsoft Azure AD]. + +== Example Setup Using OneLogin + +Follow this link to see +xref:configuration/user/oidc/onelogin-setup.adoc[Example Setup Using OneLogin]. + +== ownCloud Desktop and Mobile Apps + +ownCloud Desktop and Mobile Apps detect whether OIDC is available (service discovery) and use this login method when a new account is created. + +NOTE: The Desktop and Mobile apps have a default client ID and secret hard-coded, which are used for ownCloud's oauth2 app. When using Kopano as IdP, it does not pre-define a client ID and secret. You can use the default ones of the client to configure Kopano properly. With some IdPs like MS-Azure, these and other required parameters come from the IdP and must be coded into the client. Note that each IdP has different requirements. Get in touch with ownCloud for a branding subscription to customize the clients according to your needs. + +=== Client IDs, Secrets and Redirect URIs + +All IdPs can use ownCloud's default _client IDs, secrets and redirect URIs_ with the exception of Microsoft Azure AD, which uses a different approach. Here is the data necessary for the configuration. + +==== Client ID + +[width="80%",cols="35%,90%",options="header"] +|=== +| Source +| Key + +| Server/Web +| as specified via environment variables + +| Desktop +| `xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69` + +| Android +| `e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD` + +| iOS +| `mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1` +|=== + +==== Client Secret + +[width="80%",cols="35%,90%",options="header"] +|=== +| Source +| Key + +| Server/Web +| as specified via environment variables + +| Desktop +| `UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh` + +| Android +| `dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD` + +| iOS +| `KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx` +|=== + +==== Redirect URIs + +[width="60%",cols="50%,85%",options="header"] +|=== +| Source +| Redirect URI ^1^ + +| Desktop ≤ 2.8 +| `\http://localhost` + +| Desktop ≥ 2.9 +| `\http://127.0.0.1` + +| Android +| `oc://android.owncloud.com` + +| iOS +| `oc://ios.owncloud.com` +|=== + +(1) See the xref:configuration/user/oidc/ms-azure-setup.adoc#microsoft-azure-ad-and-redirecturi[following note] when using Microsoft Azure AD and 127.0.0.1 as redirect URI. + +=== Default Scope and Prompt Parameters + +ownCloud desktop and mobile apps come with default `scope` and `prompt` parameters. These parameters can be modified in custom branded builds. See the https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest[OIDC Authentication Request specs] for more details about the parameters. + +[width="60%",cols="50%,100%",options="header"] +|=== +| Parameter +| Default value + +| `scope` +| `openid offline_access email profile` + +| `prompt` +| `select_account consent` + +(for Android you need app version 4.0+) +|=== + +=== Migrate Clients from Basic Authentication to OIDC + +If your users are logged in to their desktop and mobile clients via basic authentication (username/password) against ownCloud Classic and you are not using OAuth2 to authorize the ownCloud clients, a migration to OIDC can be conducted as follows: + +1. Make sure you have a working OIDC configuration based on the above sections. +2. Enable the OpenID Connect App. +3. Enable xref:configuration/server/config_sample_php_parameters.adoc#enforce-token-only-authentication-for-apps-and-clients-connecting-to-owncloud[token-only authentication]. + +Once the OpenID Connect App is enabled, token-only authentication is enforced and service discovery is properly set up, the ownCloud clients will ask the users to re-authenticate. After a successful re-authentication, the migration is done. + +To connect legacy clients, users have to generate xref:classic_ui:personal_settings/security.adoc#app-passwords-tokens[special app passwords (tokens)]. + +=== Migrate Clients from OAuth2 to OIDC + +If you use OAuth2 for client authorization, a migration to OIDC can be conducted as follows: + +1. Make sure you have a working configuration based on the above sections. +2. Enable the OpenID Connect App (while having the OAuth2 App still enabled). +3. Disable the OAuth2 App. + +Once the OAuth2 App is disabled and service discovery is properly set up, the ownCloud Clients will ask the users to re-authenticate. After a successful re-authentication, the migration is done. + +== Migrate Web Login (and Client Login) from SAML to OIDC + +If you are using SAML/SSO, a migration to OIDC depends on your identity provider and is not straight forward. Please get in touch with ownCloud Consulting to plan the migration. diff --git a/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc new file mode 100644 index 000000000..2f34b5a04 --- /dev/null +++ b/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc @@ -0,0 +1,108 @@ += Example Setup Using OneLogin +:toc: right +:toclevels: 2 +:openid-connect-frontchannel-logout-url: https://openid.net/specs/openid-connect-frontchannel-1_0.html +:onelogin-url: https://www.onelogin.com +:description: OneLogin is a cloud-based identity and access management provider. This document describes how to integrate OneLogin as an identity provider (IdP) by configuring OpenID Connect (OIDC). + +== Introduction + +{description} See {onelogin-url}[OneLogin] for details about the service. + +IMPORTANT: At the moment, ownCloud clients don't work with OneLogin as IdP which is a known issue. + +== Setup and Configuration + +The sections below will explain these areas and provide configuration examples using OneLogin as the external Identity Provider. + +=== Configure OneLogin + +Follow these steps to configure OneLogin for use with OpenID Connect (OIDC): + +. Login to OneLogin via your domain login `\https://.onelogin.com/admin2`. + +. Go to menu:Applications[Applications] to manage the registered applications. ++ +image:configuration/user/oidc/onelogin/onelogin-select-application.png[width=350] + +. Click on btn:[Add App] in the upper right corner. + +. Search for `openid` and select the `OpenId Connect (OIDC)` app ++ +image:configuration/user/oidc/onelogin/onelogin-select-openid-app.png[width=350] + +. Provide a name and configure images if needed. + +. Hit btn:[Save] + +. Go to menu:Configuration[] and enter values for `Login Url` which points to you system and the `Redirect URI's`, which is the url of you system followed by `/index.php/apps/openidconnect/redirect` ++ +image:configuration/user/oidc/onelogin/onelogin-oidc-configuration.png[width=350] + +. Go to menu:SSO[] and note the values for [#client-id]#Client ID#, [#client-secret]#Client Secret# and [#issuer-url]#Issuer URL# for later use. ++ +image:configuration/user/oidc/onelogin/onelogin-oidc-sso.png[width=350] + +=== Configure ownCloud Classic + +These are the generic steps to set up ownCloud Classic to work with OpenID Connect, for details see the sections below: + +1. Install the {oc-marketplace-url}/apps/openidconnect[OpenID Connect App]. +2. Configure `config.php`. +3. Set up service discovery. + +TIP: It is recommended to first figure out all configurations on a test system and to bring it to the production system once it's proven to work. Enabling the OpenID Connect App on the production system should be the last step in this process as it will then advertise OpenID Connect to all clients. + +==== List of OpenID Connect config.php Parameters + +Follow this link to read more about the +xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic. + +==== Example config.php Setup + +An example snippet that can be added to `config.php` is shown below. You need to add both config values as listed below. The example expects that login users have already been created in ownCloud. + +Use these links to see the corresponding configuration section for: + +* xref:client-secret[YOUR-CLIENT-SECRET] +* xref:client-id[YOUR-CLIENT-ID] +* xref:issuer-url[YOUR-ISSUER-URL] + +[source,php] +---- +'http.cookie.samesite' => 'None', + +'openid-connect' => [ + 'auto-provision' => ['enabled' => false], + 'provider-url' => 'YOUR-ISSUER-URL', + 'client-id' => 'YOUR-CLIENT-ID', + 'client-secret' => 'YOUR-CLIENT-SECRET', + 'loginButtonName' => 'OneLogin', + 'autoRedirectOnLoginPage' => false, + 'mode' => 'email', + 'scopes' => [], + 'use-access-token-payload-for-user-info' => false, +], +---- + +If you want to let ownCloud create users which are not present during a OIDC authentication, replace + +`'auto-provision' => ['enabled' => false],` with: + +[source,php] +---- + 'auto-provision' => [ + 'enabled' => true, + 'email-claim' => 'email', + 'display-name-claim' => 'name', + ], +---- + +==== Service Discovery Setup + +For details see xref:configuration/user/oidc/oidc.adoc#set-up-service-discovery[Set Up Service Discovery]. + +//// +=== Register ownCloud Clients + +To allow the ownCloud clients (Web/desktop/Android/iOS) to interact with the identity provider, you have to register them as clients. +//// diff --git a/modules/admin_manual/partials/nav.adoc b/modules/admin_manual/partials/nav.adoc index 770b55b3d..86c025994 100644 --- a/modules/admin_manual/partials/nav.adoc +++ b/modules/admin_manual/partials/nav.adoc @@ -105,6 +105,7 @@ **** xref:admin_manual:configuration/user/user_provisioning_api.adoc[User Provisioning API] **** xref:admin_manual:configuration/user/custom_groups_app.adoc[Custom Groups App] **** xref:admin_manual:configuration/user/guests_app.adoc[Guests App] +**** xref:admin_manual:configuration/user/oidc/oidc.adoc[OpenID Connect (OIDC)] **** xref:admin_manual:configuration/user/login_policies.adoc[Login Policies] ** Maintenance From 7c980ca335dfcaf2e4dbe40506c0dc98e5ec925c Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Fri, 10 Jul 2026 10:12:07 +0200 Subject: [PATCH 4/9] update memchaced configuration --- .../pages/configuration/envvars/envvars.adoc | 2 ++ .../server/caching_configuration.adoc | 16 ++++++++-------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/modules/admin_manual/pages/configuration/envvars/envvars.adoc b/modules/admin_manual/pages/configuration/envvars/envvars.adoc index 2688e32b6..38ffd3c61 100644 --- a/modules/admin_manual/pages/configuration/envvars/envvars.adoc +++ b/modules/admin_manual/pages/configuration/envvars/envvars.adoc @@ -226,6 +226,8 @@ Define connection options for memcached (see xref:configuration/server/config_sample_php_parameters.adoc#define-connection-options-for-memcached[documentation]). - `OWNCLOUD_MEMCACHED_PORT=11211` + Defines the ports for memcached (see xref:configuration/server/config_sample_php_parameters.adoc#define-server-details-for-memcached-servers-to-use-for-memory-caching[documentation]). +- `OWNCLOUD_MEMCACHED_SERVERS=` + + Define multiple memcached servers as a JSON-encoded list of `[host, port]` or `[host, port, weight]` tuples, e.g. `[["mem1",11211,33],["mem2",11211]]`. Overrides the single-server `OWNCLOUD_MEMCACHED_HOST`/`OWNCLOUD_MEMCACHED_PORT` pair when set (see xref:configuration/server/config_sample_php_parameters.adoc#define-server-details-for-memcached-servers-to-use-for-memory-caching[documentation]). - `OWNCLOUD_MEMCACHED_STARTUP_TIMEOUT=180` + Time to wait for a successful connection to the memcached service on container startup. - `OWNCLOUD_MEMCACHE_LOCAL=${OWNCLOUD_CACHING_CLASS:-\\OC\\Memcache\\APCu}` + diff --git a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc index 4d8c6a4c8..c8bc92cc9 100644 --- a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc +++ b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc @@ -169,7 +169,7 @@ CAUTION: ownCloud provides many configuration options for Redis, including enhan === Memcached Configuration -If you select Memcached, you must enable it via environment variables. The example value for the host setting assumes that you have used the ownCloud Docker Compose deployment example. Adapt this value for your setup. +If you select Memcached, you must enable it via environment variables. The example value for the host setting assumes that you have used the ownCloud Docker Compose deployment example. Adapt the values for your setup. Note that this example assumes you only have one Memcached server: [source,.env] ---- @@ -178,14 +178,14 @@ OWNCLOUD_MEMCACHED_HOST=memcached OWNCLOUD_MEMCACHED_PORT=11211 ---- -//// -[NOTE] -==== -If you are using multiple memcached servers, omit `OWNCLOUD_MEMCACHED_PORT` and use the following notation: +If you need to configure multiple Memcached servers, use the following example. Compared to the above example, you need to configure a tuple in the following format for each server `[host, port, weight]`: -`OWNCLOUD_MEMCACHED_HOST="'host_1',port_1,'host_2',port_2"` -==== -//// +[source,.env] +---- +OWNCLOUD_MEMCACHED_SERVERS=[["memcached_1",11211,33],["memcached_2",11211,34]] +---- + +NOTE: Only one of the two configuration options must be used. Additional memcached options can be set with the environment variable `OWNCLOUD_MEMCACHED_OPTIONS`. From 4f3331343acd2fb03ff8bc0b77d6faa43445b418 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Fri, 10 Jul 2026 15:47:12 +0200 Subject: [PATCH 5/9] update oidc docs --- .../pages/configuration/envvars/envvars.adoc | 2 + .../configuration/user/oidc/kopano-setup.adoc | 11 ++++- .../user/oidc/ms-azure-setup.adoc | 12 ++++- .../pages/configuration/user/oidc/oidc.adoc | 46 +++---------------- .../user/oidc/onelogin-setup.adoc | 12 ++++- 5 files changed, 38 insertions(+), 45 deletions(-) diff --git a/modules/admin_manual/pages/configuration/envvars/envvars.adoc b/modules/admin_manual/pages/configuration/envvars/envvars.adoc index 38ffd3c61..65e098a35 100644 --- a/modules/admin_manual/pages/configuration/envvars/envvars.adoc +++ b/modules/admin_manual/pages/configuration/envvars/envvars.adoc @@ -274,6 +274,8 @@ Maximum number of concurrent UploadPart operations allowed during the multipart upload (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). - `OWNCLOUD_OBJECTSTORE_AVAILABLE_STORAGE=` + Indicates available storage size in the objectstore in bytes (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). +- `OWNCLOUD_OPENID_CONNECT=` + + OpenID Connect (`openid-connect`) app configuration as a JSON-encoded object, e.g. `{"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"}`. Supports the full nested structure (`provider-params`, `auto-provision`, ...) (see configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[documentation]). - `OWNCLOUD_OPENSSL_CONFIG=` + Path to a custom `openssl.cnf` file, e.g. when using a custom PKI or CA in the container (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-default-cipher-for-encrypting-files[documentation]). - `OWNCLOUD_OPERATION_MODE=` + diff --git a/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc index c76d35c46..615b36953 100644 --- a/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc +++ b/modules/admin_manual/pages/configuration/user/oidc/kopano-setup.adoc @@ -45,9 +45,16 @@ TIP: It is recommended to first figure out all configurations on a test system a Follow this link to read more about the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic. -==== Example config.php +==== Example Setup -An example snippet that can be added to `config.php` is shown below. +The example snippet below can be added to the environment variables. Both environment variables listed below need to be added. + +The following environment variable is used as template. It must be adapted according to the classic key scheme shown one step below. + +[source,.env] +---- +OWNCLOUD_OPENID_CONNECT={"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"} +---- [source,php] ---- diff --git a/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc index f63324c3b..ff811d377 100644 --- a/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc +++ b/modules/admin_manual/pages/configuration/user/oidc/ms-azure-setup.adoc @@ -98,9 +98,9 @@ TIP: It is recommended to first figure out all configurations on a test system a Follow this link to read more about the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic. -==== Example config.php Setup +==== Example Setup -An example snippet that can be added to `config.php` is shown below. You need to add both config values as listed below. The example expects that login users have already been created in ownCloud. +The example snippet below can be added to the environment variables. Both environment variables listed below need to be added. The example assumes that login users have already been created in ownCloud. Use these links to see the corresponding configuration section for: @@ -109,6 +109,14 @@ Use these links to see the corresponding configuration section for: * xref:api-scope[YOUR-APPLICATION-ID-SCOPE-URI/owncloud] * xref:client-id[YOUR-CLIENT-ID] +The following environment variables are used as templates. They must be adapted according to the classic key scheme shown one step below. + +[source,.env] +---- +OWNCLOUD_HTTP_COOKIE_SAMESITE=None +OWNCLOUD_OPENID_CONNECT={"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"} +---- + [source,php] ---- 'http.cookie.samesite' => 'None', diff --git a/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc b/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc index e95e27db1..9c55cb604 100644 --- a/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc +++ b/modules/admin_manual/pages/configuration/user/oidc/oidc.adoc @@ -64,37 +64,6 @@ See xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid- * Service discovery for the xref:owncloud-desktop-and-mobile-clients[ownCloud Desktop and Mobile Apps] -=== Save Settings in the Database - -If you run a clustered setup, the following method configuring the OpenID Connect app is preferred, because it is stateless. The app checks for settings in the database first. If none are found, it falls back to the settings stored in `config.php`. The settings are stored as a JSON formatted string with the following keys and values: - -[width="50%",cols="40%,50%",options="header"] -|=== -| Key -| Value - -| appid -| 'openidconnect' - -| configkey -| 'openid-connect' - -| configvalue -| _JSON-String_ -|=== - -If a malformed JSON string is found, an error is logged. The _key->value_ pairs are the same as when storing them to the `config.php` file. This task has to be done by invoking an occ command, see the following example. Use the occ commands `config:app:get` to view the current setting or `config:app:delete` to delete it. See the xref:configuration/server/occ_command.adoc#config-commands[Config Command Set] for more details. - -[source,bash,subs="attributes+"] ----- -{occ-command-example-prefix-docker} config:app:set \ - openidconnect \ - openid-connect \ - --value='{"provider-url":"https:\/\/idp.example.net","client-id":"fc9b5c78-ec73-47bf-befc-59d4fe780f6f","client-secret":"e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1","loginButtonName":"Login via OpenId Connect"}' ----- - -NOTE: Only set either the database or the config.php keys but not both for the OpenID Connect app. - == Set Up Service Discovery . Webserver Service Discovery Information @@ -125,13 +94,12 @@ To make the endpoint available under the static service discovery path, it is re OWNCLOUD_ENABLE_OIDC_REWRITE_URL=true ---- -This variable sets the following rule in the embedded `.htaccess` file: +[NOTE] +==== +This variable sets the following rule in the embedded `.htaccess` file on container startup: `RewriteRule ^/.well-known/openid-configuration /index.php/apps/openidconnect/config` - -TIP: Depending on the respective infrastructure setup there can be other ways to solve this. In any case, please make sure _not to use redirect rules_ as this will violate the OpenID Connect specification. - -IMPORTANT: If you use the `.htaccess` file in the ownCloud web root, you have to manually add that rewrite rule again after any ownCloud upgrade. +==== -- . Once service discovery is available as described above, the ownCloud clients will attempt to connect via OpenID Connect. @@ -140,17 +108,17 @@ IMPORTANT: If you use the `.htaccess` file in the ownCloud web root, you have to All IdPs have their own setup, but often share common ways of configuring things. Although not identical, the xref:example-setup-using-kopano-konnect[Kopano Konnect] example may be a good starting point for the specific configuration of your setup. As Microsoft with Azure AD is different, it has its own example section. -== Example Setup Using Kopano Konnect +=== Example Setup Using Kopano Konnect Follow this link to see xref:configuration/user/oidc/kopano-setup.adoc[Example Setup Using Kopano Konnect]. -== Example Setup Using Microsoft Azure AD +=== Example Setup Using Microsoft Azure AD Follow this link to see xref:configuration/user/oidc/ms-azure-setup.adoc[Example Setup Using Microsoft Azure AD]. -== Example Setup Using OneLogin +=== Example Setup Using OneLogin Follow this link to see xref:configuration/user/oidc/onelogin-setup.adoc[Example Setup Using OneLogin]. diff --git a/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc b/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc index 2f34b5a04..d7de9a8fa 100644 --- a/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc +++ b/modules/admin_manual/pages/configuration/user/oidc/onelogin-setup.adoc @@ -58,9 +58,9 @@ TIP: It is recommended to first figure out all configurations on a test system a Follow this link to read more about the xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[OIDC config.php parameters] available to configure OpenID Connect on ownCloud Classic. -==== Example config.php Setup +==== Example Setup -An example snippet that can be added to `config.php` is shown below. You need to add both config values as listed below. The example expects that login users have already been created in ownCloud. +The example snippet below can be added to the environment variables. Both environment variables listed below need to be added. The example assumes that login users have already been created in ownCloud. Use these links to see the corresponding configuration section for: @@ -68,6 +68,14 @@ Use these links to see the corresponding configuration section for: * xref:client-id[YOUR-CLIENT-ID] * xref:issuer-url[YOUR-ISSUER-URL] +The following environment variables are used as templates. They must be adapted according to the classic key scheme shown one step below. + +[source,.env] +---- +OWNCLOUD_HTTP_COOKIE_SAMESITE=None +OWNCLOUD_OPENID_CONNECT={"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"} +---- + [source,php] ---- 'http.cookie.samesite' => 'None', From 79632f78e4d607140db07b350767f490a4770195 Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Fri, 10 Jul 2026 23:31:14 +0930 Subject: [PATCH 6/9] Apply suggestions from code review Co-authored-by: Phil Davis --- .../pages/configuration/user/user_auth_ftp_smb_imap.adoc | 2 +- .../pages/troubleshooting/general_troubleshooting.adoc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/admin_manual/pages/configuration/user/user_auth_ftp_smb_imap.adoc b/modules/admin_manual/pages/configuration/user/user_auth_ftp_smb_imap.adoc index 3878ed4a4..a4ff29e1d 100644 --- a/modules/admin_manual/pages/configuration/user/user_auth_ftp_smb_imap.adoc +++ b/modules/admin_manual/pages/configuration/user/user_auth_ftp_smb_imap.adoc @@ -1,6 +1,6 @@ = User Authentication with IMAP, SMB, and FTP :toc: right -:description: With opwnCloud, additional user backends can be configured. +:description: With ownCloud, additional user backends can be configured. == Introduction diff --git a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc index c015499a8..f01b47bfa 100644 --- a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc +++ b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc @@ -171,7 +171,7 @@ Please open an issue in the https://github.com/owncloud/core/issues[ownCloud Cla Some clients - especially on iOS or macOS - may have problems finding the proper sync URL, even when explicitly configured to use it. -If problems raise while using CalDAV or CardDAV clients together with ownCloud, open an issue in the https://github.com/owncloud/core/issues[ownCloud Classic repo]. +If problems arise while using CalDAV or CardDAV clients together with ownCloud, open an issue in the https://github.com/owncloud/core/issues[ownCloud Classic repo]. === Unable to update Contacts or Events From 3e9b76c8f470294077a6922a47ace600d94b9ee3 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Fri, 10 Jul 2026 19:32:22 +0200 Subject: [PATCH 7/9] fixes --- .../admin_manual/pages/configuration/envvars/envvars.adoc | 4 ++-- .../pages/configuration/server/caching_configuration.adoc | 2 +- .../pages/configuration/user/login_policies.adoc | 8 +++++--- .../pages/troubleshooting/general_troubleshooting.adoc | 2 +- 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/modules/admin_manual/pages/configuration/envvars/envvars.adoc b/modules/admin_manual/pages/configuration/envvars/envvars.adoc index 65e098a35..ed87bfb75 100644 --- a/modules/admin_manual/pages/configuration/envvars/envvars.adoc +++ b/modules/admin_manual/pages/configuration/envvars/envvars.adoc @@ -73,7 +73,7 @@ - `OWNCLOUD_CUSTOMCLIENT_IOS=` + Override the iOS client download URL shown in the first-run wizard (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-firstrunwizard[documentation]). - `OWNCLOUD_CUSTOMGROUPS_DISALLOWED_GROUPS=` + - Groups whose members have the Custom Groups app hidden from their personal settings. Comma-separated list of group names (see xref:configuration/user/custom_groups_app.adoc#overriding-default-behavior)[documentation]). + Groups whose members have the Custom Groups app hidden from their personal settings. Comma-separated list of group names (see xref:configuration/user/custom_groups_app.adoc#overriding-default-behavior[documentation]). - `OWNCLOUD_CUSTOMGROUPS_DISALLOW_ADMIN_ACCESS_ALL=` + When set to `true`, ownCloud admins are denied access to custom groups they are not a member of (see xref:configuration/user/custom_groups_app.adoc#overriding-default-behavior[documentation]). - `OWNCLOUD_DAV_CHUNK_BASE_DIR=` + @@ -275,7 +275,7 @@ - `OWNCLOUD_OBJECTSTORE_AVAILABLE_STORAGE=` + Indicates available storage size in the objectstore in bytes (see xref:configuration/files/external_storage/s3_compatible_object_storage_as_primary.adoc[documentation]). - `OWNCLOUD_OPENID_CONNECT=` + - OpenID Connect (`openid-connect`) app configuration as a JSON-encoded object, e.g. `{"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"}`. Supports the full nested structure (`provider-params`, `auto-provision`, ...) (see configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[documentation]). + OpenID Connect (`openid-connect`) app configuration as a JSON-encoded object, e.g. `{"provider-url":"https://idp.example.net","client-id":"...","client-secret":"...","loginButtonName":"OpenID Connect"}`. Supports the full nested structure (`provider-params`, `auto-provision`, ...) (see xref:configuration/server/config_apps_sample_php_parameters.adoc#app-openid-connect-oidc[documentation]). - `OWNCLOUD_OPENSSL_CONFIG=` + Path to a custom `openssl.cnf` file, e.g. when using a custom PKI or CA in the container (see xref:configuration/server/config_sample_php_parameters.adoc#define-the-default-cipher-for-encrypting-files[documentation]). - `OWNCLOUD_OPERATION_MODE=` + diff --git a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc index c8bc92cc9..f36ba7195 100644 --- a/modules/admin_manual/pages/configuration/server/caching_configuration.adoc +++ b/modules/admin_manual/pages/configuration/server/caching_configuration.adoc @@ -178,7 +178,7 @@ OWNCLOUD_MEMCACHED_HOST=memcached OWNCLOUD_MEMCACHED_PORT=11211 ---- -If you need to configure multiple Memcached servers, use the following example. Compared to the above example, you need to configure a tuple in the following format for each server `[host, port, weight]`: +If you need to configure multiple Memcached servers, use the following example. Compared to the above example, you need to configure a tuple in the following format for each server `[host, port, weight]`, where weight is optional: [source,.env] ---- diff --git a/modules/admin_manual/pages/configuration/user/login_policies.adoc b/modules/admin_manual/pages/configuration/user/login_policies.adoc index aa0a8d340..2b963f33f 100644 --- a/modules/admin_manual/pages/configuration/user/login_policies.adoc +++ b/modules/admin_manual/pages/configuration/user/login_policies.adoc @@ -28,7 +28,9 @@ To enable login policies, use the following example. Multiple values are comma s OWNCLOUD_LOGIN_POLICY_ORDER='OC\Authentication\LoginPolicies\GroupLoginPolicy' ---- -After enabling the `loginPolicy.order`, the configuration of the `groupLoginPolicy` can be made. The value definition below must be set according to the needs and the description in xref:configuration/server/config_sample_php_parameters.adoc#configuration-of-the-group-login-policy[Configuration of the Group Login Policy]: +After enabling the `loginPolicy.order`, the configuration of the `groupLoginPolicy` can be made. The value definition below must be set according to the needs and the description in xref:configuration/server/config_sample_php_parameters.adoc#configuration-of-the-group-login-policy[Configuration of the Group Login Policy]. + +Here is a template how the scheme looks like: [source,.env] ---- @@ -45,8 +47,8 @@ The following example gives an idea of how to configure the `Group Login Policy` [source,.env] ---- OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAP={\ - "password":{"allowOnly":["group1","group2"],reject:["group3"]},\ + "password":{"allowOnly":["group1","group2"],"reject":["group3"]},\ "token":{"reject":["admin"]},\ - "OCA\OpenIdConnect\OpenIdConnectAuthModule":{"allowOnly:["group4"]}\ + "OCA\OpenIdConnect\OpenIdConnectAuthModule":{"allowOnly":["group4"]}\ } ---- diff --git a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc index f01b47bfa..a8790962f 100644 --- a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc +++ b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc @@ -128,7 +128,7 @@ docker compose logs owncloud -f In a standard ownCloud installation the log level is set to `Normal`. -* To find any issues you need to raise the log level to `All` or to `Everything` via the `OWNCLOUD_LOG_LEVEL` environment variable or via your ownCloud Admin page. Please see xref:configuration/server/logging/logging_configuration.adoc[Logging Configuration] for more information on these log levels. +* To find any issues you need to araise the log level to `All` or to `Everything` via the `OWNCLOUD_LOG_LEVEL` environment variable or via your ownCloud Admin page. Please see xref:configuration/server/logging/logging_configuration.adoc[Logging Configuration] for more information on these log levels. * Some logging - for example JavaScript console logging - needs debugging enabled. + Edit the config and change `'debug' => false,` to `'debug' => true,` Be sure to change it back when you are finished. From 8b72140e28d724f428755badaa962d9ca4b2e149 Mon Sep 17 00:00:00 2001 From: Martin Mattel Date: Fri, 10 Jul 2026 19:34:06 +0200 Subject: [PATCH 8/9] fix --- .../admin_manual/pages/configuration/user/login_policies.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/admin_manual/pages/configuration/user/login_policies.adoc b/modules/admin_manual/pages/configuration/user/login_policies.adoc index 2b963f33f..67e6b494f 100644 --- a/modules/admin_manual/pages/configuration/user/login_policies.adoc +++ b/modules/admin_manual/pages/configuration/user/login_policies.adoc @@ -34,7 +34,7 @@ Here is a template how the scheme looks like: [source,.env] ---- -OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAP={"":{"allowOnly|reject":["","]}} +OWNCLOUD_LOGIN_POLICY_GROUP_FORBID_MAP={"":{"allowOnly|reject":["",""]}} ---- The following example gives an idea of how to configure the `Group Login Policy`: From 1457d620601d5d54a515243864afe0b9f4eec9c5 Mon Sep 17 00:00:00 2001 From: Phil Davis Date: Sat, 11 Jul 2026 13:11:00 +0930 Subject: [PATCH 9/9] Apply suggestion from @phil-davis --- .../pages/troubleshooting/general_troubleshooting.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc index a8790962f..f01b47bfa 100644 --- a/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc +++ b/modules/admin_manual/pages/troubleshooting/general_troubleshooting.adoc @@ -128,7 +128,7 @@ docker compose logs owncloud -f In a standard ownCloud installation the log level is set to `Normal`. -* To find any issues you need to araise the log level to `All` or to `Everything` via the `OWNCLOUD_LOG_LEVEL` environment variable or via your ownCloud Admin page. Please see xref:configuration/server/logging/logging_configuration.adoc[Logging Configuration] for more information on these log levels. +* To find any issues you need to raise the log level to `All` or to `Everything` via the `OWNCLOUD_LOG_LEVEL` environment variable or via your ownCloud Admin page. Please see xref:configuration/server/logging/logging_configuration.adoc[Logging Configuration] for more information on these log levels. * Some logging - for example JavaScript console logging - needs debugging enabled. + Edit the config and change `'debug' => false,` to `'debug' => true,` Be sure to change it back when you are finished.