Configure custom IDP for oCIS

I have a public website where users can register with creds or auth providers, I save their details on my servers in a PostgreSQL database. I want to manage SSO between my website and ocis, both on the same domain. Since I already manage the user session on my website using a session cookie token, I’d like the Infinite Scale IDP service to just redirect to a url or call an api on my server to get the token and log in the users. What settings or configs do I need to make this work? Is this just a matter of editing the IDP envs variables?

Managed to get the OIDC flow going between my website and oCIS. Serving oCIS from after users log in to

Hosting my openid-configuration at:

```json
  "issuer": "",
  "authorization_endpoint": "",
  "token_endpoint": "",
  "userinfo_endpoint": "",
  "response_types_supported": [
  "subject_types_supported": [
  "id_token_signing_alg_values_supported": [
  "jwks_uri": "",
  "scopes_supported": [
  "code_challenge_methods_supported": [
  "token_endpoint_auth_methods_supported": [
  "claims_supported": [
```

If users go to, they are redirected to, where I then set the code and state and redirect to${state}&code=${code}. Afterwards, oCIS calls my token endpoint with the code, I find the logged-in user and return the token with claims:

```javascript
const createJWT = async (user) => {
  const jwtPayload = {
    iss: baseUrl,
    aud: "web",
    // ... (remaining id_token claims not shown in the post)
  };
  // ...
};

const createAccessJWT = async (user) => {
  const jwtPayload = {
    iss: baseUrl,
    aud: "web",
    scp: "profile email openid",
    preferred_username: user.profileId,
    // ...
  };
  // ...
};

// token endpoint response
return res.json({
  token_type: "Bearer",
  expires_in: 3600,
  id_token: token,
  access_token: accessToken
});
```

These are my oCIS yaml and web configs:

```yaml
    image: owncloud/ocis
    container_name: ocis_runtime
    ports:
      - "9200:9200"
    volumes:
      - "/efs-mount:/var/lib/ocis"
      - "./ocis/ocis-config:/etc/ocis"
      - "./web-config/:/config"
    environment:
      OCIS_INSECURE: "false"
      WEB_UI_THEME_PATH: "/ocis/theme/theme.json"
      WEB_UI_CONFIG_FILE: "/config/config.json"
      OCIS_URL: ""
      PROXY_USER_OIDC_CLAIM: "preferred_username"
```

```json
{
  "server": "",
  "theme": "",
  "openIdConnect": {
    "metadata_url": "",
    "authority": "",
    "client_id": "web",
    "response_type": "code",
    "scope": "openid profile email"
  }
}
```

Using oCIS 4.0.0 with web 8.0.0-alpha.4.

Managed to stop the redirect by adding a userinfo_endpoint and returning an access_token.
Now I get this message on the oCIS website:

Not logged in. This could be because of a routine safety log out, or because your account is either inactive or not yet authorized for use. Please try logging in after a while or seek help from your Administrator.

I see logs saying:

```text
[UserManager] signinRedirectCallback: success, signed in subject {}
POST 500 (Internal Server Error)
GET 500 (Internal Server Error)
```

```text
ocis_runtime | {"level":"error","service":"idm","bind_dn":"uid=reva,ou=sysusers,o=libregraph-idm","op":"bind","remote_addr":"","time":"2023-10-30T18:00:55.388217385Z","message":"invalid credentials"}
ocis_runtime | {"level":"error","service":"ocis","error":"error: not found: create container: error: not found: f1bdd61a-da7c-49fc-8203-0558109d1b4f!f1bdd61a-da7c-49fc-8203-0558109d1b4f/settings","time":"2023-10-30T18:00:55.398045148Z","message":"error initializing metadata client"}
ocis_runtime | {"level":"error","service":"ocis","error":"error: not found: create container: error: not found: f1bdd61a-da7c-49fc-8203-0558109d1b4f!f1bdd61a-da7c-49fc-8203-0558109d1b4f/settings","time":"2023-10-30T18:00:55.504548876Z","message":"error initializing metadata client"}
ocis_runtime | {"level":"error","service":"graph","middleware":"requireAdmin","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","userid":"52f799eb-f38b-479d-abd0-15a9ba60ee36","time":"2023-10-30T18:00:55.505188828Z","message":"Failed to get roles for user"}
ocis_runtime | {"level":"error","service":"proxy","error":"401 Unauthorized","time":"2023-10-30T18:00:55.505635713Z","message":"Error creating user"}
ocis_runtime | {"level":"error","service":"proxy","error":"401 Unauthorized","time":"2023-10-30T18:00:55.505652418Z","message":"Autoprovisioning user failed"}
```

Where do I set the authorization for these calls? I have not touched the IDM creds:

```yaml
    admin_password: BKc3=!M#Bm%9-3@.$fta!HSSqs.asmLK
    idm_password: TeO4VxrTH%fwI3BaW#XTn3LlCEuX4#fE
    reva_password: ve.8%0N%wg%o%hhpRsqbg81J+-1u&OCu
    idp_password: RpX@TiYHe%fB5Wr*-sw!z&pXFPyZxvE^
```

Finally got it to work by deleting the ocis.yaml and everything in OCIS_BASE_DATA_PATH, then re-running the image.

So you basically implemented your own OIDC IDP? I am not entirely sure if what you did also works with the other ownCloud clients (Android, iOS, desktop). But if you don't need them I am happy that you got things working.

I am still not sure I understood completely what you're trying to achieve, but I think as you're not using the oCIS builtin IDP at all, you can simply disable it by setting OCIS_EXCLUDE_RUN_SERVICES=idp.