Owncloud + OpenID connection under a local account

Hi, I have set up a connection to ownCloud using OpenID. But I also want to be able to connect to ownCloud using a local administrator account if necessary or if OpenID is unavailable. What should I specify in my configuration file for this?

You should still be able to login with a local account by using the “normal” login mask.

Unless you have 'autoRedirectOnLoginPage' => true, which will redirect directly to the Identity Provider login without requiring the user to click a button. In this case, you may want to set it to false.

I have the 'autoRedirectOnLoginPage' => true parameter specified in my configuration file.
Is there perhaps an emergency parameter where you could specify the emergency shutdown URL that can be used to disable login via OpenID Connect?
Or maybe there are other options so that I could log in under a local account bypassing OpenID Connect?

Currently, 'openid-connect.basic_auth_guest_only' => true, will allow guest users (and guests only) to log in using basic auth, basically bypassing OIDC authentication (see "Apps Config.php Parameters" in the ownCloud Documentation).

What you are asking for will be possible once "If basic_auth_guest_only is active, allow groups to bypass the check" (by jvillafanez · Pull Request #265 · owncloud/openidconnect · GitHub) gets merged, so most likely in the next openidconnect app version.

Thanks for the answer, I added ‘OpenID-connect.basic_auth_guest_only’ => true, to my config file, but I still can’t log in under a local account. Here is my OpenID configuration:

  'openid-connect' =>
  array (
    'auto-provision' =>
    array (
      'enabled' => false,
    ),
    'provider-url' => 'https://test-keycloak.com/auth/realms/test-sso/',
    'client-id' => 'owncloud-test',
    'client-secret' => '',
    'loginButtonName' => 'SSO',
    'openid-connect.basic_auth_guest_only' => true,
    'autoRedirectOnLoginPage' => true,
    'post_logout_redirect_uri' => 'https://owncloud-test.com',
    'mode' => 'email',
    'scopes' =>
    array (
    ),
    'use-access-token-payload-for-user-info' => false,
    'provider-params' =>
    array (
      'authorization_endpoint' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/auth',
      'token_endpoint' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/token',
      'check_session_iframe' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/login-status-iframe.html',
      'end_session_endpoint' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/logout',
      'jwks_uri' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/certs',
    ),
  ),

Because the linked PR is not merged yet, and only guest users can bypass OIDC (by design). Even if this feature exists, I would not allow bypassing OIDC in production use for security reasons.

But I also want to be able to connect to owncloud using a local administrator account if necessary or if OpenID is unavailable

Why not just set autoRedirectOnLoginPage to false whenever you need to login as local user and change it back to true when you are done?


This is not very convenient for administration, for example, in the case when the administrator only has access to the web admin, but there is no access to config.php or the ownCloud database.

You can still add OIDC users to the ownCloud Admin group. Local login is only required in emergency cases where e.g. OIDC is broken, and in such cases it’s IMO reasonable to temp disable the autoRedirectOnLoginPage.
