From 56da9b7153ba11cdd079a97ea581676c0188f753 Mon Sep 17 00:00:00 2001 From: Thiago Murilo Diniz Date: Mon, 18 Aug 2025 22:34:13 -0400 Subject: [PATCH 1/4] adds signout custom params Signed-off-by: Thiago Murilo Diniz --- lib/Provider/OpenIDConnectClient.php | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/lib/Provider/OpenIDConnectClient.php b/lib/Provider/OpenIDConnectClient.php index b3d1dac..5659b72 100644 --- a/lib/Provider/OpenIDConnectClient.php +++ b/lib/Provider/OpenIDConnectClient.php @@ -206,9 +206,19 @@ public function getEndSessionUrl(string $post_logout_redirect_uri): string .'Set "oidc_login_end_session_redirect" => false in Nextcloud config.'); } - $signout_params = [ - 'id_token_hint' => $id_token_hint, - 'post_logout_redirect_uri' => $post_logout_redirect_uri, ]; + $custom_params = $this->config->getSystemValue('oidc_login_signout_params', null); + + if (!is_array($custom_params)) { + // Default logout params + $signout_params = compact('id_token_hint', 'post_logout_redirect_uri'); + } + elseif (array_is_list($custom_params)) { + // Create logout params array containing params and their values + $client_id = $this->config->getSystemValue('oidc_login_client_id'); + $logout_uri = $post_logout_redirect_uri; + $signout_params = compact(...$custom_params); + } + $end_session_endpoint .= (false === strpos($end_session_endpoint, '?') ? '?' : '&').http_build_query($signout_params); return $end_session_endpoint; From af54ca7228b1f9cab0b53f7420786da133920b08 Mon Sep 17 00:00:00 2001 From: Thiago Murilo Diniz Date: Fri, 22 Aug 2025 16:47:57 -0400 Subject: [PATCH 2/4] improves signout custom params Signed-off-by: Thiago Murilo Diniz --- lib/Provider/OpenIDConnectClient.php | 35 +++++++++++++++++++++------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/lib/Provider/OpenIDConnectClient.php b/lib/Provider/OpenIDConnectClient.php index 5659b72..ecd826b 100644 --- a/lib/Provider/OpenIDConnectClient.php 
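Review bot: `$signout_params` is never assigned when `oidc_login_signout_params` is an associative array (`is_array()` true, `array_is_list()` false), so `http_build_query($signout_params)` on the last context lines runs on an undefined variable; the chain needs a final branch such as `} else { $signout_params = compact('id_token_hint', 'post_logout_redirect_uri'); }`. `compact(...$custom_params)` also turns every string in the config list into a lookup of a local of this method, so an entry that is not one of the four intended names is either skipped (with a notice or warning depending on PHP version) or pulls another local such as `$end_session_endpoint` into the logout URL; an explicit array of the permitted names is safer than variable-name resolution, and the same applies to the `isset($$param)` loop in the second patch of this series. The `];` shown as a context line right after the removed array would leave a stray `];` in the file if it really is context, though it is probably an artefact of how this rendering collapsed the hunk and does not reappear on the old side of the second patch. The enclosing getEndSessionUrl starts before the hunk.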
+++ b/lib/Provider/OpenIDConnectClient.php @@ -206,17 +206,34 @@ public function getEndSessionUrl(string $post_logout_redirect_uri): string .'Set "oidc_login_end_session_redirect" => false in Nextcloud config.'); } - $custom_params = $this->config->getSystemValue('oidc_login_signout_params', null); - - if (!is_array($custom_params)) { - // Default logout params - $signout_params = compact('id_token_hint', 'post_logout_redirect_uri'); - } - elseif (array_is_list($custom_params)) { - // Create logout params array containing params and their values + // Default logout params + $signout_params = compact('id_token_hint', 'post_logout_redirect_uri'); + + // Custom logout params + $custom_params = $this->config->getSystemValue('oidc_login_logout_params', null); + if (!empty($custom_params) && array_is_list($custom_params)) { + // Additional parameters available $client_id = $this->config->getSystemValue('oidc_login_client_id'); $logout_uri = $post_logout_redirect_uri; - $signout_params = compact(...$custom_params); + + // Validate custom parameters + $valid_params = []; + foreach ($custom_params as $param) { + if (isset($$param)) { + $valid_params[] = $param; + } else { + \OC::$server->get(\Psr\Log\LoggerInterface::class)->warning( + 'Error when readind custom logout param "' . $param . '"', + ['app' => $this->appName] + ); + break; + $valid_params = []; + } + } + + if (!empty($valid_params)) { + $signout_params = compact(...$valid_params); + } } $end_session_endpoint .= (false === strpos($end_session_endpoint, '?') ? '?' : '&').http_build_query($signout_params); From 731ec34988d680f64f12b724bf9475a6431c3afb Mon Sep 17 00:00:00 2001 From: Thiago Murilo Diniz Date: Fri, 22 Aug 2025 16:49:07 -0400 Subject: [PATCH 3/4] adds doc for signout custom params Signed-off-by: Thiago Murilo Diniz --- README.md | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 57 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7e60379..7dcd981 100644 
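Review bot: The reset to the default parameters on an unknown name never runs: `$valid_params = [];` sits after `break;`, so the loop exits with whatever names were accepted before the bad one and `compact(...$valid_params)` sends that partial set (a config of `['client_id', 'bogus']` yields a logout URL carrying only client_id), while an invalid first entry falls through to the defaults — two different outcomes for the same kind of misconfiguration. Resolving the configured names against an explicit map rather than `isset($$param)`/`compact()` gives one predictable fallback and makes the permitted names visible in code; the rewrite below keeps the defaults whenever any entry is unknown and logs all of them at once (and fixes the "readind" typo in the message). `array_is_list()` exists only from PHP 8.1, which is worth confirming against the app's declared minimum PHP version, not visible here. getEndSessionUrl starts before the hunk and its `return` follows after it.
```php
        // Default logout params
        $signout_params = compact('id_token_hint', 'post_logout_redirect_uri');

        // Every name that 'oidc_login_logout_params' may refer to, resolved here
        // so the config cannot reach any other local of this method.
        $available_params = [
            'id_token_hint' => $id_token_hint,
            'post_logout_redirect_uri' => $post_logout_redirect_uri,
            'client_id' => $this->config->getSystemValue('oidc_login_client_id'),
            'logout_uri' => $post_logout_redirect_uri,
        ];

        $custom_params = $this->config->getSystemValue('oidc_login_logout_params', null);
        if (is_array($custom_params) && $custom_params !== [] && array_is_list($custom_params)) {
            $unknown_params = array_diff($custom_params, array_keys($available_params));
            if ($unknown_params === []) {
                $signout_params = array_intersect_key($available_params, array_flip($custom_params));
            } else {
                // Keep the defaults rather than sending a partial parameter set
                \OC::$server->get(\Psr\Log\LoggerInterface::class)->warning(
                    'Unknown logout param(s) in "oidc_login_logout_params": ' . implode(', ', $unknown_params),
                    ['app' => $this->appName]
                );
            }
        }
        // … unchanged: append http_build_query($signout_params) to $end_session_endpoint …
```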
--- a/README.md +++ b/README.md @@ -40,6 +40,22 @@ $CONFIG = array ( // provider will redirect back to 'oidc_login_logout_url' (MUST be set). 'oidc_login_end_session_redirect' => false, + // List of URL parameters to be passed to the OIDC provider's logout URL. + // + // Default parameters: + // - 'id_token_hint' + // - 'post_logout_redirect_uri' (it will be the value defined in 'oidc_login_logout_url'). + // + // Other parameters available: + // - 'client_id' (it will be the value defined in 'oidc_login_client_id') + // - 'logout_uri' (it will be the value defined in 'oidc_login_logout_url'). + // + // The value of 'oidc_login_end_session_redirect' MUST be true. + 'oidc_login_logout_params' => array( + 0 => 'id_token_hint', + 1 => 'post_logout_redirect_uri', + ), + // Quota to assign if no quota is specified in the OIDC response (bytes) // // NOTE: If you want to allow NextCloud to manage quotas, omit this option. Do not set it to @@ -231,8 +247,8 @@ $CONFIG = array ( 1. Create a new Client for Nextcloud in a Keycloak Realm of your choosing. 1. Set a `Client ID` and save. 2. Set `Access type` to `confidential` - 3. Add a `Valid Redirect URI` e.g. `https://cloud.example.com/*`. - 4. Open the `Fine Grain OpenID Connect Configuration` dropdown and set `ID Token Signature Algorithm` to `RS256` and save. + 3. Add a `Valid Redirect URI` e.g. `https://cloud.example.com/*`. + 4. Open the `Fine Grain OpenID Connect Configuration` dropdown and set `ID Token Signature Algorithm` to `RS256` and save. 2. Open your created Client and go to `Mappers`. (optional) 1. Click `create` and set `Mapper Type` to `User Attribute`. 
@@ -296,4 +312,43 @@ The login filter feature allows to allow/deny access to nextcloud to users based The login filter feature will replace the deprecated `oidc_login_allowed_groups`, as this was limited to using groups for access control. If you want to use a group as login filter you can still achieve the same by setting `login_filter` to your groups claim and setting a corresponding `oidc_login_filter_allowed_values`. +### Usage with [AWS Cognito](https://aws.amazon.com/pm/cognito/) +1. Create a new `App client` for Nextcloud in a Cognito `User pool` of your choosing. + 1. Set `Application type` to `Traditional web application`. + 2. Set `Name your application` to a valid name. + 3. Set `Add a return URL` to `https://cloud.example.com/apps/oidc_login/oidc`. + 4. Click `Create app client`. + +2. Set the allowed logout URL and OpenID Connect scopes. + 1. In the `App client` that was just created, go to the `Login pages` tab and click `Edit`. + 2. In the `Allowed sign-out URLs` section, click on `Add sign-out URL` and put the same URL defined in `Allowed callback URLs`. + 3. In `OpenID Connect scopes` add the `Profile` scope. + 4. Click `Save changes`. + +3. Assign a `Style` to the `App client` if you are using `Managed login`. + 1. In the `Branding` -> `Managed login` menu, click `Create a style`. + 2. Select the `App client` that was just created and click `Create`. + 3. (optional) Edit the style if you want. + +4. 
Necessary `config.php` settings +```php + 'oidc_login_provider_url' => 'https://cognito-idp.YOUR-AWS-REGION.amazonaws.com/YOUR-USER-POOL-ID/', + 'oidc_login_client_id' => 'client_id', // Client ID generated by Cognito in your App client + 'oidc_login_client_secret' => 'secret', // Client secret generated by Cognito in your App client + 'oidc_login_attributes' => + array ( + 'id' => 'username', // https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-usernames + ), + 'oidc_login_logout_url' => 'http://localhost:8080/apps/oidc_login/oidc', + 'oidc_login_end_session_redirect' => true, + 'oidc_login_logout_params' => // https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html + array ( + 0 => 'client_id', + 1 => 'logout_uri', + ), +``` +5. (optional) Enable the [PKCE flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce) by setting the appropriate configuration value accordingly: +```php +'oidc_login_code_challenge_method' => 'S256', +``` \ No newline at end of file From 84c91e625369f1ffafe23952d681e8e969e34ffd Mon Sep 17 00:00:00 2001 From: Thiago Murilo Diniz Date: Fri, 22 Aug 2025 17:02:25 -0400 Subject: [PATCH 4/4] fix logout_url example Signed-off-by: Thiago Murilo Diniz --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7dcd981..0260337 100644 --- a/README.md +++ b/README.md 
@@ -339,7 +339,7 @@ The login filter feature will replace the deprecated `oidc_login_allowed_groups`
 array (
 'id' => 'username', // https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-usernames
 ),
- 'oidc_login_logout_url' => 'http://localhost:8080/apps/oidc_login/oidc',
+ 'oidc_login_logout_url' => 'https://cloud.example.com/apps/oidc_login/oidc',
 'oidc_login_end_session_redirect' => true,
 'oidc_login_logout_params' => // https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
 array (