Owncloud + OpenID connection under a local account

Hi, I have set up a connection to owncloud using OpenID. But I also want to be able to connect to owncloud using a local administrator account if necessary or if OpenID is unavailable, what should I specify in my configuration file for this?

You should still be able to login with a local account by using the “normal” login mask.

Unless you have 'autoRedirectOnLoginPage' => true which will redirect directly to the Identity Provider login without requiring the user to click a button. In this case, you may want to set it to false.

I have the autoRedirectOnLoginPage’ => true parameter specified in my configuration file.
Is there perhaps an emergency parameter where you could specify the emergency shutdown URL that can be used to disable login via OpenID Connect?
Or maybe there are other options so that I could log in under a local account bypassing OpenID Connect?

Currently, 'openid-connect.basic_auth_guest_only' => true, will allow guest users (and guests only) to log in using basic auth, basically bypassing OIDC authentication: Apps Config.php Parameters :: ownCloud Documentation

What you are asking for will be possible once If basic_auth_guest_only is active, allow groups to bypass the check by jvillafanez · Pull Request #265 · owncloud/openidconnect · GitHub gets merged, so most likely in the next openidconnect app version.

Thanks for the answer, I added ‘OpenID-connect.basic_auth_guest_only’ => true, to my config file, but I still can’t log in under a local account. Here is my OpenID configuration

  'openid-connect' =>
  array (
    'auto-provision' =>
    array (
      'enabled' => false,
    ),
    'provider-url' => 'https://test-keycloak.com/auth/realms/test-sso/',
    'client-id' => 'owncloud-test',
    'client-secret' => '',
    'loginButtonName' => 'SSO',
    'openid-connect.basic_auth_guest_only' => true,
    'autoRedirectOnLoginPage' => true,
    'post_logout_redirect_uri' => 'https://owncloud-test.com',
    'mode' => 'email',
    'scopes' =>
    array (
    ),
    'use-access-token-payload-for-user-info' => false,
    'provider-params' =>
    array (
      'authorization_endpoint' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/auth',
      'token_endpoint' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/token',
      'check_session_iframe' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/login-status-iframe.html',
      'end_session_endpoint' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/logout',
      'jwks_uri' => 'https://test-keycloak.com/auth/realms/test-sso/protocol/openid-connect/certs',
    ),
  ),

Because the linked PR is not merged yet, and only guest users can bypass OIDC (by design). Even if this feature exists, I would not allow bypassing OIDC in production use for security reasons.

But I also want to be able to connect to owncloud using a local administrator account if necessary or if OpenID is unavailable

Why not just set autoRedirectOnLoginPage to false whenever you need to login as local user and change it back to true when you are done?

2 Likes

This is not very convenient for administration, for example, in the case when the administrator only has access to the web admin, but there is no access to config.php or the owncloud database

You can still add OIDC users to the ownCloud Admin group. Local login is only required in emergency cases where e.g. OIDC is broken, and in such cases it’s IMO reasonable to temp disable the autoRedirectOnLoginPage.

1 Like