From 691ecbdc7de683982cfcbc111a2b5b71f9ae5324 Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 04:07:44 -0500 Subject: [PATCH 01/12] website/integrations: add opencloud integration --- .../opencloud/index.md | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 website/integrations/chat-communication-collaboration/opencloud/index.md diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.md b/website/integrations/chat-communication-collaboration/opencloud/index.md new file mode 100644 index 000000000000..9879106fcfe9 --- /dev/null +++ b/website/integrations/chat-communication-collaboration/opencloud/index.md 
@@ -0,0 +1,89 @@ +--- +title: Integrate with OpenCloud +sidebar_label: OpenCloud +support_level: community +--- + +## What is OpenCloud? + +> OpenCloud is an open-source content collaboration platform for storing, syncing, and sharing files, built on the Infinite Scale (oCIS) architecture. +> +> -- https://opencloud.eu + +## Preparation + +The following placeholders are used in this guide: + +- `opencloud.company` is the FQDN of the OpenCloud installation. +- `authentik.company` is the FQDN of the authentik installation. +- `opencloud` is the slug of the authentik application. + +This guide covers the [`opencloud-compose`](https://github.com/opencloud-eu/opencloud-compose) Docker deployment. OpenCloud authenticates only through OpenID Connect. + +## authentik configuration + +1. Log in to authentik as an administrator and open the Admin interface. +2. Navigate to **Applications** > **Applications** and click **New Application**. + - **Application**: provide a name and note the **slug**. + - **Choose a Provider type**: select **OAuth2/OpenID Connect**. + - **Configure the Provider**: + - **Client type**: `Public` + - **Client ID**: `web` + - **Redirect URIs**: add the following entries (each row's first dropdown is the matching mode, the second is the type): + - Type **Authorization**, **Strict**: `https://opencloud.company/oidc-callback.html` + - Type **Authorization**, **Strict**: `https://opencloud.company/oidc-silent-redirect.html` + - Type **Post Logout**, **Strict**: `https://opencloud.company/` + - **Signing Key**: select any available key. + - **Scopes**: `openid`, `profile`, `email`. + - **Invalidation flow** (under **Flow settings**): `default-invalidation-flow` (**Default - Invalidation flow**). The default provider invalidation flow does not end the authentik session, which causes OpenCloud to immediately log back in after logout. 
If you want to use `default-provider-invalidation-flow` and keep your authentik session on logout, remove the Post Logout Redirect URI that you set above. +3. Click **Submit**. + +## OpenCloud configuration + +In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only. + +```bash +COMPOSE_FILE=docker-compose.yml:idm/external-idp.yml:custom/authentik-roles.yml +``` + +Set the OIDC values in `.env`: + +```bash +OC_DOMAIN=opencloud.company +IDP_DOMAIN=authentik.company +IDP_ISSUER_URL=https://authentik.company/application/o// +OC_OIDC_CLIENT_ID=web +OC_OIDC_CLIENT_SCOPES=openid profile email +WEBFINGER_WEB_OIDC_CLIENT_ID=web +WEBFINGER_WEB_OIDC_CLIENT_SCOPES=openid profile email +``` + +:::info +`WEBFINGER_WEB_OIDC_CLIENT_ID` is required — the Web UI reads its client ID from WebFinger, and login will not start if it is empty. +::: + +Create `custom/authentik-roles.yml` to assign every user the default role: + +```yaml +--- +services: + opencloud: + environment: + PROXY_ROLE_ASSIGNMENT_DRIVER: "default" + GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true" +``` + +Recreate the stack: + +```bash +docker compose up -d +``` + +## Verification + +Open `https://opencloud.company` in a new browser window. You are redirected to authentik to log in, and after authenticating you are returned to OpenCloud. + +## Resources + +- [OpenCloud documentation](https://docs.opencloud.eu/) +- [opencloud-compose](https://github.com/opencloud-eu/opencloud-compose) From 36f8d309264c3303d7a9fb4e4feeb15103099a92 Mon Sep 17 00:00:00 2001 
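Review bot: In PATCH 01/12, `IDP_ISSUER_URL=https://authentik.company/application/o//` has nothing between the two trailing slashes, so the issuer URL is missing the application slug that authentik puts in that path segment; the Preparation list in this same patch defines `opencloud` as that slug, so the value should carry that placeholder (`.../application/o/opencloud/`) and the same gap should be checked in the `.well-known` discovery path the later patches use. The rest of the hunk is consistent: the Post Logout URI and the `default-invalidation-flow` note explain the logout loop, which is the behaviour a reader is most likely to hit.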
From: Connor Peshek Date: Wed, 20 May 2026 06:01:14 -0500 Subject: [PATCH 02/12] add steps for all clients --- .../opencloud/index.md | 89 --------- .../opencloud/index.mdx | 189 ++++++++++++++++++ 2 files changed, 189 insertions(+), 89 deletions(-) delete mode 100644 website/integrations/chat-communication-collaboration/opencloud/index.md create mode 100644 website/integrations/chat-communication-collaboration/opencloud/index.mdx diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.md b/website/integrations/chat-communication-collaboration/opencloud/index.md deleted file mode 100644 index 9879106fcfe9..000000000000 --- a/website/integrations/chat-communication-collaboration/opencloud/index.md +++ /dev/null 
@@ -1,89 +0,0 @@ ---- -title: Integrate with OpenCloud -sidebar_label: OpenCloud -support_level: community ---- - -## What is OpenCloud? - -> OpenCloud is an open-source content collaboration platform for storing, syncing, and sharing files, built on the Infinite Scale (oCIS) architecture. -> -> -- https://opencloud.eu - -## Preparation - -The following placeholders are used in this guide: - -- `opencloud.company` is the FQDN of the OpenCloud installation. -- `authentik.company` is the FQDN of the authentik installation. -- `opencloud` is the slug of the authentik application. - -This guide covers the [`opencloud-compose`](https://github.com/opencloud-eu/opencloud-compose) Docker deployment. OpenCloud authenticates only through OpenID Connect. - -## authentik configuration - -1. Log in to authentik as an administrator and open the Admin interface. -2. Navigate to **Applications** > **Applications** and click **New Application**. - - **Application**: provide a name and note the **slug**. - - **Choose a Provider type**: select **OAuth2/OpenID Connect**. - - **Configure the Provider**: - - **Client type**: `Public` - - **Client ID**: `web` - - **Redirect URIs**: add the following entries (each row's first dropdown is the matching mode, the second is the type): - - Type **Authorization**, **Strict**: `https://opencloud.company/oidc-callback.html` - - Type **Authorization**, **Strict**: `https://opencloud.company/oidc-silent-redirect.html` - - Type **Post Logout**, **Strict**: `https://opencloud.company/` - - **Signing Key**: select any available key. - - **Scopes**: `openid`, `profile`, `email`. - - **Invalidation flow** (under **Flow settings**): `default-invalidation-flow` (**Default - Invalidation flow**). The default provider invalidation flow does not end the authentik session, which causes OpenCloud to immediately log back in after logout. 
If you want to use `default-provider-invalidation-flow` and keep your authentik session on logout, remove the Post Logout Redirect URI that you set above. -3. Click **Submit**. - -## OpenCloud configuration - -In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only. - -```bash -COMPOSE_FILE=docker-compose.yml:idm/external-idp.yml:custom/authentik-roles.yml -``` - -Set the OIDC values in `.env`: - -```bash -OC_DOMAIN=opencloud.company -IDP_DOMAIN=authentik.company -IDP_ISSUER_URL=https://authentik.company/application/o// -OC_OIDC_CLIENT_ID=web -OC_OIDC_CLIENT_SCOPES=openid profile email -WEBFINGER_WEB_OIDC_CLIENT_ID=web -WEBFINGER_WEB_OIDC_CLIENT_SCOPES=openid profile email -``` - -:::info -`WEBFINGER_WEB_OIDC_CLIENT_ID` is required — the Web UI reads its client ID from WebFinger, and login will not start if it is empty. -::: - -Create `custom/authentik-roles.yml` to assign every user the default role: - -```yaml ---- -services: - opencloud: - environment: - PROXY_ROLE_ASSIGNMENT_DRIVER: "default" - GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true" -``` - -Recreate the stack: - -```bash -docker compose up -d -``` - -## Verification - -Open `https://opencloud.company` in a new browser window. You are redirected to authentik to log in, and after authenticating you are returned to OpenCloud. - -## Resources - -- [OpenCloud documentation](https://docs.opencloud.eu/) -- [opencloud-compose](https://github.com/opencloud-eu/opencloud-compose) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx new file mode 100644 index 000000000000..9e133f491bd7 --- /dev/null +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx 
@@ -0,0 +1,189 @@ +--- +title: Integrate with OpenCloud +sidebar_label: OpenCloud +support_level: community +--- + +## What is OpenCloud? + +> OpenCloud is an open-source content collaboration platform for storing, syncing, and sharing files, built on the Infinite Scale (oCIS) architecture. +> +> -- https://opencloud.eu + +## Preparation + +The following placeholders are used in this guide: + +- `opencloud.company` is the FQDN of the OpenCloud installation. +- `authentik.company` is the FQDN of the authentik installation. + +This guide covers integrating authentik with the [`opencloud-compose`](https://github.com/opencloud-eu/opencloud-compose) Docker deployment. OpenCloud only supports authentication via OpenID Connect (OIDC). + +Choose your setup below. The **Web only** tab logs in through the browser. The **Web, desktop & mobile** tab also enables the native sync clients, which each use a distinct client ID and require some extra issuer configuration. + +import TabItem from "@theme/TabItem"; +import Tabs from "@theme/Tabs"; + + + + +## authentik configuration + +1. Log in to authentik as an administrator and open the Admin interface. +2. Navigate to **Applications** > **Applications** and click **New Application**. + - **Application**: provide a name and note the **slug**. + - **Choose a Provider type**: select **OAuth2/OpenID Connect**. + - **Configure the Provider**: + - **Client type**: `Public` + - **Client ID**: `web` + - **Redirect URIs**: + - Strict: `https://opencloud.company/oidc-callback.html` + - Strict: `https://opencloud.company/oidc-silent-redirect.html` + - Strict: `https://opencloud.company/` + - **Signing Key**: select any available key. + - **Scopes**: `openid`, `profile`, `email`. +3. Click **Submit**. + +## OpenCloud configuration + +In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only. 
+ +```bash +COMPOSE_FILE=docker-compose.yml:idm/external-idp.yml:custom/authentik-roles.yml +``` + +Set the OIDC values in `.env`: + +```bash +OC_DOMAIN=opencloud.company +IDP_DOMAIN=authentik.company +IDP_ISSUER_URL=https://authentik.company/application/o// +OC_OIDC_CLIENT_ID=web +OC_OIDC_CLIENT_SCOPES=openid profile email +WEBFINGER_WEB_OIDC_CLIENT_ID=web +WEBFINGER_WEB_OIDC_CLIENT_SCOPES=openid profile email +``` + +:::info +`WEBFINGER_WEB_OIDC_CLIENT_ID` is required — the Web UI reads its client ID from WebFinger, and login will not start if it is empty. +::: + +Create `custom/authentik-roles.yml` to assign every user the default role: + +```yaml +--- +services: + opencloud: + environment: + PROXY_ROLE_ASSIGNMENT_DRIVER: "default" + GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true" +``` + +Recreate the stack: + +```bash +docker compose up -d +``` + +## Configuration verification + +Open `https://opencloud.company` in a new browser window. You are redirected to authentik to log in, and after authenticating you are returned to OpenCloud. + + + + +OpenCloud's web, desktop, Android, and iOS clients each use a distinct client ID but must validate tokens against **one** issuer. authentik gives every application its own issuer by default, so this setup uses **GLOBAL issuer mode** (all providers share `https://authentik.company/`) plus a reverse proxy that serves OIDC discovery at that shared issuer. + +## 1. Serve discovery at the shared issuer + +With GLOBAL issuer mode, tokens carry `iss = https://authentik.company/`, but authentik only serves discovery at `https://authentik.company/application/o//.well-known/openid-configuration`. Put a reverse proxy in front of authentik that rewrites the root discovery path to one provider's discovery. Any reverse proxy works; for example, with Caddy: + +```caddy +# Forward authentik.company to this; it in turn forwards to authentik. 
+:8081 { + @discovery path /.well-known/openid-configuration + rewrite @discovery /application/o//.well-known/openid-configuration + reverse_proxy authentik-upstream:9000 { + # keep authentik building https URLs if it is behind TLS termination + header_up X-Forwarded-Proto https + } +} +``` + +## 2. authentik configuration + +Create one **Application + OAuth2/OpenID Connect provider** pair per client. On **every** provider set the same values: + +- **Client type**: `Public` +- **Signing Key**: the **same** key for all providers (the shared issuer exposes a single `jwks_uri`, so all clients' tokens must be signed by one key). +- **Issuer mode** (under Advanced protocol settings): `Same identifier is used for all providers`. +- **Scopes**: `openid`, `profile`, `email`, and `offline_access` (the latter is required for the desktop/mobile sync clients to receive a refresh token). + +Then set the per-client **Client ID** and **Redirect URIs**: + +| Client | Client ID | Redirect URIs | +| ------- | ------------------ | ------------------------------------------------------------------------------------------- | +| Web | `web` | Strict: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` | +| Desktop | `OpenCloudDesktop` | Regex: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?` | +| Android | `OpenCloudAndroid` | Strict: `oc://android.opencloud.eu` | +| iOS | `OpenCloudIOS` | Strict: `oc://ios.opencloud.eu` | + +## 3. OpenCloud configuration + +Use the same overlay and role override as the **Web only** tab, but point `OC_OIDC_ISSUER` at the shared (root) issuer and give each platform its WebFinger client ID. 
+ +```bash +COMPOSE_FILE=docker-compose.yml:idm/external-idp.yml:custom/authentik-roles.yml +``` + +```bash +OC_DOMAIN=opencloud.company +IDP_DOMAIN=authentik.company +IDP_ISSUER_URL=https://authentik.company/ +OC_OIDC_CLIENT_ID=web +OC_OIDC_CLIENT_SCOPES=openid profile email + +WEBFINGER_WEB_OIDC_CLIENT_ID=web +WEBFINGER_WEB_OIDC_CLIENT_SCOPES=openid profile email +WEBFINGER_DESKTOP_OIDC_CLIENT_ID=OpenCloudDesktop +WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES=openid profile email offline_access +WEBFINGER_IOS_OIDC_CLIENT_ID=OpenCloudIOS +WEBFINGER_IOS_OIDC_CLIENT_SCOPES=openid profile email offline_access +WEBFINGER_ANDROID_OIDC_CLIENT_ID=OpenCloudAndroid +WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES=openid profile email offline_access +``` + +Create `custom/authentik-roles.yml` to assign every user the default role: + +```yaml +--- +services: + opencloud: + environment: + PROXY_ROLE_ASSIGNMENT_DRIVER: "default" + GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true" +``` + +Recreate the stack: + +```bash +docker compose up -d +``` + +## Configuration verification + +Open `https://opencloud.company` in a browser, and add the account in the Desktop, iOS, and Android apps using the same server URL. Each client is redirected to authentik to log in and returned to the client afterwards. + + + + +## Resources + +- [OpenCloud documentation](https://docs.opencloud.eu/) +- [opencloud-compose](https://github.com/opencloud-eu/opencloud-compose) From df7d398ce19a8095c1c06f7ab79166c26dfbf17f Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 06:10:38 -0500 Subject: [PATCH 03/12] improve wording and style --- .../opencloud/index.mdx | 24 +++++++++++++------ 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index 9e133f491bd7..93655f0fb689 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx 
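Review bot: In PATCH 02/12, the Desktop redirect URIs `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?` are unanchored and the dots in `127.0.0.1` are unescaped; unless the Regex matching mode is guaranteed to be a full match, `http://localhost` also matches as a prefix of something like `http://localhost.attacker.example/`, so anchor and escape them (`^http://127\.0\.0\.1(:[0-9]+)?(/.*)?$` and `^http://localhost(:[0-9]+)?(/.*)?$`). Separately, the **Web only** tab now lists `https://opencloud.company/` as a plain Strict redirect URI and drops both the Post Logout type and the invalidation-flow guidance that the previous version had, so the logout loop it warned about is no longer documented; and the Preparation list no longer defines the application slug that `IDP_ISSUER_URL=https://authentik.company/application/o//` still needs.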
+++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx 
@@ -118,14 +118,22 @@ With GLOBAL issuer mode, tokens carry `iss = https://authentik.company/`, but au ## 2. authentik configuration -Create one **Application + OAuth2/OpenID Connect provider** pair per client. On **every** provider set the same values: +Repeat these steps for **each** of the four clients (Web, Desktop, Android, and iOS), using the per-client values from the table below. -- **Client type**: `Public` -- **Signing Key**: the **same** key for all providers (the shared issuer exposes a single `jwks_uri`, so all clients' tokens must be signed by one key). -- **Issuer mode** (under Advanced protocol settings): `Same identifier is used for all providers`. -- **Scopes**: `openid`, `profile`, `email`, and `offline_access` (the latter is required for the desktop/mobile sync clients to receive a refresh token). +1. Log in to authentik as an administrator and open the Admin interface. +2. Navigate to **Applications** > **Applications** and click **New Application**. + - **Application**: provide a name and note the **slug**. + - **Choose a Provider type**: select **OAuth2/OpenID Connect**. + - **Configure the Provider**: + - **Client type**: `Public` + - **Client ID**: the client's value from the table below. + - **Redirect URIs**: the client's value from the table below. + - **Signing Key**: select the **same** key for all four providers (the shared issuer exposes a single `jwks_uri`, so all clients' tokens must be signed by one key). + - **Scopes**: `openid`, `profile`, `email`, and `offline_access` (required for the desktop and mobile sync clients to receive a refresh token). + - **Issuer mode** (under **Advanced protocol settings**): `Same identifier is used for all providers`. +3. Click **Submit**. 
-Then set the per-client **Client ID** and **Redirect URIs**: +The per-client **Client ID** and **Redirect URIs**: | Client | Client ID | Redirect URIs | | ------- | ------------------ | ------------------------------------------------------------------------------------------- | @@ -136,12 +144,14 @@ Then set the per-client **Client ID** and **Redirect URIs**: ## 3. OpenCloud configuration -Use the same overlay and role override as the **Web only** tab, but point `OC_OIDC_ISSUER` at the shared (root) issuer and give each platform its WebFinger client ID. +In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only. ```bash COMPOSE_FILE=docker-compose.yml:idm/external-idp.yml:custom/authentik-roles.yml ``` +Set the OIDC values in `.env`. `OC_OIDC_ISSUER` points at the shared (root) issuer, and each client uses its own WebFinger client ID: + ```bash OC_DOMAIN=opencloud.company IDP_DOMAIN=authentik.company From 3fca7425e5207d02938da3a3bf859c976477b75f Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 13:41:18 -0500 Subject: [PATCH 04/12] Update website/integrations/chat-communication-collaboration/opencloud/index.mdx Co-authored-by: Dewi Roberts Signed-off-by: Connor Peshek --- .../chat-communication-collaboration/opencloud/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index 93655f0fb689..02a83d1d8872 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx 
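Review bot: In PATCH 03/12, the new sentence "Set the OIDC values in `.env`. `OC_OIDC_ISSUER` points at the shared (root) issuer" names a variable the `.env` block below it never sets; the block uses `IDP_ISSUER_URL=https://authentik.company/`, so the sentence should reference `IDP_ISSUER_URL` (or the block should set `OC_OIDC_ISSUER`), not one name in prose and another in the config.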
@@ -102,7 +102,7 @@ OpenCloud's web, desktop, Android, and iOS clients each use a distinct client ID ## 1. Serve discovery at the shared issuer -With GLOBAL issuer mode, tokens carry `iss = https://authentik.company/`, but authentik only serves discovery at `https://authentik.company/application/o//.well-known/openid-configuration`. Put a reverse proxy in front of authentik that rewrites the root discovery path to one provider's discovery. Any reverse proxy works; for example, with Caddy: +With GLOBAL issuer mode enabled, tokens use an issuer of `iss = https://authentik.company/`, but authentik only exposes OpenID Connect discovery at `https://authentik.company/application/o//.well-known/openid-configuration`. To reconcile this, place a reverse proxy in front of authentik that maps the root discovery URL to a specific provider’s discovery endpoint. Any reverse proxy can handle this; for example, with Caddy: ```caddy # Forward authentik.company to this; it in turn forwards to authentik. From d6a31c27d866845a68e6bc66b69cfa74214e9166 Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 13:41:35 -0500 Subject: [PATCH 05/12] Update website/integrations/chat-communication-collaboration/opencloud/index.mdx Co-authored-by: Dewi Roberts Signed-off-by: Connor Peshek --- .../chat-communication-collaboration/opencloud/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index 02a83d1d8872..beef759baa54 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx 
@@ -100,7 +100,7 @@ Open `https://opencloud.company` in a new browser window. You are redirected to OpenCloud's web, desktop, Android, and iOS clients each use a distinct client ID but must validate tokens against **one** issuer. authentik gives every application its own issuer by default, so this setup uses **GLOBAL issuer mode** (all providers share `https://authentik.company/`) plus a reverse proxy that serves OIDC discovery at that shared issuer. -## 1. Serve discovery at the shared issuer +## Reverse proxy configuration With GLOBAL issuer mode enabled, tokens use an issuer of `iss = https://authentik.company/`, but authentik only exposes OpenID Connect discovery at `https://authentik.company/application/o//.well-known/openid-configuration`. To reconcile this, place a reverse proxy in front of authentik that maps the root discovery URL to a specific provider’s discovery endpoint. Any reverse proxy can handle this; for example, with Caddy: From 0dc23cd987cfac9e6a8652273326654d3981ec91 Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 13:41:47 -0500 Subject: [PATCH 06/12] Update website/integrations/chat-communication-collaboration/opencloud/index.mdx Co-authored-by: Dewi Roberts Signed-off-by: Connor Peshek --- .../chat-communication-collaboration/opencloud/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index beef759baa54..0fa9206e48ac 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx 
@@ -116,7 +116,7 @@ With GLOBAL issuer mode enabled, tokens use an issuer of `iss = https://authenti } ``` -## 2. authentik configuration +## authentik configuration Repeat these steps for **each** of the four clients (Web, Desktop, Android, and iOS), using the per-client values from the table below. From 65f6c555726e612358afedabb1cb329ab251b90b Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 13:42:00 -0500 Subject: [PATCH 07/12] Update website/integrations/chat-communication-collaboration/opencloud/index.mdx Co-authored-by: Dewi Roberts Signed-off-by: Connor Peshek --- .../chat-communication-collaboration/opencloud/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index 0fa9206e48ac..025bb01c2d26 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx @@ -142,7 +142,7 @@ The per-client **Client ID** and **Redirect URIs**: | Android | `OpenCloudAndroid` | Strict: `oc://android.opencloud.eu` | | iOS | `OpenCloudIOS` | Strict: `oc://ios.opencloud.eu` | -## 3. OpenCloud configuration +## OpenCloud configuration In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only. From 199688ef3004a812b705ccd48b365b98d2cd29e1 Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 14:17:30 -0500 Subject: [PATCH 08/12] add feedback --- .../opencloud/index.mdx | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index 025bb01c2d26..004f4478ba50 100644 
--- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx @@ -71,7 +71,7 @@ WEBFINGER_WEB_OIDC_CLIENT_SCOPES=openid profile email ``` :::info -`WEBFINGER_WEB_OIDC_CLIENT_ID` is required — the Web UI reads its client ID from WebFinger, and login will not start if it is empty. +`WEBFINGER_WEB_OIDC_CLIENT_ID` is required as the Web UI reads its client ID from WebFinger, and login will not start if it is empty. ::: Create `custom/authentik-roles.yml` to assign every user the default role: @@ -85,11 +85,7 @@ services: GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true" ``` -Recreate the stack: - -```bash -docker compose up -d -``` +Then reboot your docker containers. ## Configuration verification @@ -180,11 +176,7 @@ services: GRAPH_ASSIGN_DEFAULT_USER_ROLE: "true" ``` -Recreate the stack: - -```bash -docker compose up -d -``` +Then reboot your docker containers. ## Configuration verification @@ -195,5 +187,5 @@ Open `https://opencloud.company` in a browser, and add the account in the Deskto ## Resources -- [OpenCloud documentation](https://docs.opencloud.eu/) +- [OpenCloud docs — Integrating external OpenID Connect Identity Providers](https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp) - [opencloud-compose](https://github.com/opencloud-eu/opencloud-compose) From 7830f92a3f8ed0c6566a1d8fbbc76969af69567f Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 14:26:18 -0500 Subject: [PATCH 09/12] Update website/integrations/chat-communication-collaboration/opencloud/index.mdx Co-authored-by: Dominic R Signed-off-by: Connor Peshek --- .../chat-communication-collaboration/opencloud/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
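Review bot: In PATCH 08/12, replacing the `docker compose up -d` blocks with "Then reboot your docker containers." drops the actual step: changes to `COMPOSE_FILE` and `.env` only take effect when the services are recreated, and a plain restart does not re-read the compose overlay or the new environment, so keep the command (`docker compose up -d`) or at least say "recreate" rather than "reboot", and capitalise "Docker". In the same patch, "is required as the Web UI reads its client ID from WebFinger" reads better as "is required because the Web UI reads its client ID from WebFinger".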
diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index 004f4478ba50..baa975a87059 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx @@ -94,7 +94,7 @@ Open `https://opencloud.company` in a new browser window. You are redirected to -OpenCloud's web, desktop, Android, and iOS clients each use a distinct client ID but must validate tokens against **one** issuer. authentik gives every application its own issuer by default, so this setup uses **GLOBAL issuer mode** (all providers share `https://authentik.company/`) plus a reverse proxy that serves OIDC discovery at that shared issuer. +OpenCloud's web, desktop, Android, and iOS clients each use a distinct client ID, but must validate tokens against one issuer. authentik gives every application its own issuer by default, so this setup uses **GLOBAL issuer mode** (all providers share `https://authentik.company/`) plus a reverse proxy that serves OIDC discovery at that shared issuer. ## Reverse proxy configuration From 2aef0569fe53d4a34fff51bd8f90a872823e12ee Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 14:36:06 -0500 Subject: [PATCH 10/12] move table location --- .../opencloud/index.mdx | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index baa975a87059..b5b480c3c385 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx 
@@ -116,27 +116,27 @@ With GLOBAL issuer mode enabled, tokens use an issuer of `iss = https://authenti Repeat these steps for **each** of the four clients (Web, Desktop, Android, and iOS), using the per-client values from the table below. +| Client | Client ID | Redirect URIs | +| ------- | ------------------ | ------------------------------------------------------------------------------------------- | +| Web | `web` | Strict: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` | +| Desktop | `OpenCloudDesktop` | Regex: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?` | +| Android | `OpenCloudAndroid` | Strict: `oc://android.opencloud.eu` | +| iOS | `OpenCloudIOS` | Strict: `oc://ios.opencloud.eu` | + 1. Log in to authentik as an administrator and open the Admin interface. 2. Navigate to **Applications** > **Applications** and click **New Application**. - **Application**: provide a name and note the **slug**. - **Choose a Provider type**: select **OAuth2/OpenID Connect**. - **Configure the Provider**: - **Client type**: `Public` - - **Client ID**: the client's value from the table below. - - **Redirect URIs**: the client's value from the table below. + - **Client ID**: the client's value from the table above. + - **Redirect URIs**: the client's value from the table above. - **Signing Key**: select the **same** key for all four providers (the shared issuer exposes a single `jwks_uri`, so all clients' tokens must be signed by one key). - **Scopes**: `openid`, `profile`, `email`, and `offline_access` (required for the desktop and mobile sync clients to receive a refresh token). - **Issuer mode** (under **Advanced protocol settings**): `Same identifier is used for all providers`. 3. Click **Submit**. 
-The per-client **Client ID** and **Redirect URIs**: -| Client | Client ID | Redirect URIs | -| ------- | ------------------ | ------------------------------------------------------------------------------------------- | -| Web | `web` | Strict: `https://opencloud.company/oidc-callback.html`, `…/oidc-silent-redirect.html`, `…/` | -| Desktop | `OpenCloudDesktop` | Regex: `http://127.0.0.1(:[0-9]+)?(/.*)?` and `http://localhost(:[0-9]+)?(/.*)?` | -| Android | `OpenCloudAndroid` | Strict: `oc://android.opencloud.eu` | -| iOS | `OpenCloudIOS` | Strict: `oc://ios.opencloud.eu` | ## OpenCloud configuration From 6142006e2b31f828f402718d29d4cc78cd2d61d5 Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 14:41:58 -0500 Subject: [PATCH 11/12] update advanced proto settings location --- .../chat-communication-collaboration/opencloud/index.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index b5b480c3c385..f77be1a936a1 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx @@ -133,7 +133,8 @@ Repeat these steps for **each** of the four clients (Web, Desktop, Android, and - **Redirect URIs**: the client's value from the table above. - **Signing Key**: select the **same** key for all four providers (the shared issuer exposes a single `jwks_uri`, so all clients' tokens must be signed by one key). - **Scopes**: `openid`, `profile`, `email`, and `offline_access` (required for the desktop and mobile sync clients to receive a refresh token). - - **Issuer mode** (under **Advanced protocol settings**): `Same identifier is used for all providers`. + - **Under advanced protocol settings**: + - **Issuer mode**: `Same identifier is used for all providers`. 3. Click **Submit**. 
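Review bot: In PATCH 10/12, the Web row of the moved table still abbreviates two of the three URIs as `…/oidc-silent-redirect.html` and `…/`; since the table is now the only place this tab lists the Web client's redirect URIs, spell them out as full `https://opencloud.company/...` values so they can be copied verbatim, and state their matching mode per URI the way the Desktop row does. The move also leaves two blank lines after "3. Click **Submit**." that the linter flags.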
From 77895a3f819d4eea0d7a158c96e014681c7a111c Mon Sep 17 00:00:00 2001 From: Connor Peshek Date: Wed, 20 May 2026 14:49:31 -0500 Subject: [PATCH 12/12] lint --- .../chat-communication-collaboration/opencloud/index.mdx | 2 -- 1 file changed, 2 deletions(-) diff --git a/website/integrations/chat-communication-collaboration/opencloud/index.mdx b/website/integrations/chat-communication-collaboration/opencloud/index.mdx index f77be1a936a1..9e109eb8d38c 100644 --- a/website/integrations/chat-communication-collaboration/opencloud/index.mdx +++ b/website/integrations/chat-communication-collaboration/opencloud/index.mdx @@ -137,8 +137,6 @@ Repeat these steps for **each** of the four clients (Web, Desktop, Android, and - **Issuer mode**: `Same identifier is used for all providers`. 3. Click **Submit**. - - ## OpenCloud configuration In the `opencloud-compose` project, enable the external IdP overlay in `COMPOSE_FILE`. This replaces OpenCloud's built-in IdP, so login goes through authentik only.