
Nextcloud Integration with Authentik via OpenID Connect (OIDC)

This guide describes how to integrate Nextcloud with Authentik for Single Sign-On (SSO) and centralized identity management using the OpenID Connect (OIDC) protocol. Users authenticate against Authentik instead of a local Nextcloud password, so accounts are created, disabled and protected with a second factor in one place.


Prerequisites

  • A running Nextcloud instance: e.g. https://nextcloud.example.com
  • A running Authentik instance: e.g. https://authentik.example.com
  • Admin access to both Authentik and Nextcloud
  • Nextcloud OpenID Connect user backend app installed and enabled

Step 1: Install Nextcloud OIDC App

  • Log into Nextcloud (https://nextcloud.example.com) as an admin.
  • Go to Apps → Your apps (top right menu).
  • Search for OpenID Connect user backend.
  • Click Install and Enable.

Step 2: Configure Authentik OIDC Provider

  1. Log into Authentik (https://authentik.example.com) as an admin.
  2. Navigate to Applications → Providers.
  3. Click Create and select OAuth2 / OpenID Connect Provider.

Set the following values:

  • Name: Nextcloud OIDC
  • Authorization Flow: default-provider-authorization-implicit-consent (or your choice)
  • Client type: Confidential
  • Redirect URIs: https://nextcloud.example.com/index.php/apps/user_oidc/code (must match the URI Nextcloud sends exactly, including scheme, host and path)
  • Signing Key: Select your existing key or create one.
  • Scopes: openid, profile, email
  • Subject mode: Based on the User's username. The sub claim, and with the Nextcloud setting in Step 5 the Nextcloud user ID, is then the Authentik username, so renaming a user in Authentik produces a new Nextcloud account rather than renaming the old one.
  4. Save the provider.

Step 3: Create an Application in Authentik

  1. Go to Applications → Create

Set the following values:

  • Name: Nextcloud
  • Slug: nextcloud
  • Provider: Select the Nextcloud OIDC provider you created.
  • Launch URL: https://nextcloud.example.com or leave empty
  • Assign appropriate groups/users to the application if needed.
  2. Save the application.

Step 4: Get OIDC Credentials from Authentik

  1. Open your Nextcloud OIDC provider in Authentik.

Copy the following values:

  • Client ID
  • Client Secret
  • OpenID Configuration Issuer: https://authentik.example.com/application/o/nextcloud/
  • OpenID Configuration URL: https://authentik.example.com/application/o/nextcloud/.well-known/openid-configuration (this is the value Nextcloud's discovery endpoint field needs)

Step 5: Configure Nextcloud OIDC Settings

  1. In Nextcloud, go to SettingsAdministrationOpenID Connect user backend.

Fill in the fields as follows:

  • Identifier (max 128 characters): e.g: Authentik or SSO
  • Discovery endpoint: *(the OpenID Configuration URL from the Authentik OIDC provider, i.e. the issuer with .well-known/openid-configuration appended)*
    e.g.: https://authentik.example.com/application/o/nextcloud/.well-known/openid-configuration
    The app fetches exactly the URL entered here, so the bare issuer URL is not sufficient.
  • Client ID: *(from Authentik OIDC provider)*
  • Client Secret: *(from Authentik OIDC provider)*
  • Authorization endpoint: https://authentik.example.com/application/o/authorize/
  • Scopes: openid profile email

Note

Uncheck Use Unique user ID. With it unchecked the Nextcloud user ID is the sub claim as sent by Authentik (the username, given the subject mode chosen in Step 2) instead of a hashed, provider-specific ID. That keeps user IDs readable, but an Authentik username that coincides with an existing local Nextcloud account name (admin, for instance) is a collision you must rule out before enabling this.

  2. Save settings.

Step 6: Test SSO Login

  1. Navigate to https://nextcloud.example.com.
  2. Try logging in; you should be redirected to Authentik.
  3. After authentication, you will be sent back to Nextcloud and logged in automatically.

With this setup, Nextcloud delegates authentication to Authentik and is part of your centralized Authentik SSO environment; the local login form remains available until you disable it as described below.


Troubleshooting
  • Ensure the Nextcloud server itself can reach the Authentik discovery, token and JWKS endpoints (these calls are server-to-server, not made by the browser) and that both hosts are reachable under the exact URLs you configured.
  • If login fails, review Nextcloud's log (Settings → Administration → Logging, or data/nextcloud.log) and Authentik's event log (Events → Logs).
  • Check for trailing slashes, and that the redirect URI registered in Authentik matches the one Nextcloud sends character for character.
  • Make sure clocks are synced on both servers; token validation rejects ID tokens whose exp or iat fall outside the allowed skew.
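The Step 5 values and the first three troubleshooting points can be checked before touching the Nextcloud UI. The script below is an added example written for this page, not code from Nextcloud, the user_oidc app or Authentik. It derives the discovery endpoint from the issuer and validates a saved copy of the discovery document: the issuer it reports, that every endpoint lives on the issuer's host, and that RS256 is advertised. Host names and the slug nextcloud follow the page; the sample document it writes is constructed to look like Authentik's output and was not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the page or from Nextcloud/Authentik: pre-flight
# checks for the values typed into Step 5, run against a saved copy of the
# discovery document so they work offline. Host names and the slug "nextcloud"
# follow the page; the sample document below is constructed for the example.
set -eu

# The discovery endpoint Nextcloud needs is the Authentik issuer plus
# .well-known/openid-configuration; user_oidc fetches exactly the URL it is
# given, so the bare issuer is not enough. A trailing slash is normalised.
discovery_url() {
    printf '%s/.well-known/openid-configuration\n' "${1%/}"
}

# Download the document for an issuer into FILE (needs network; the checks
# below do not).
fetch_discovery() {
    curl -fsS "$(discovery_url "$1")" -o "$2"
}

# Extract one string-valued key from a JSON file. Good enough for a discovery
# document with one key per line; not a general JSON parser.
json_string() {
    sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Compare the document in FILE with the issuer shown on the Authentik
# provider page. Prints every finding and returns 0 only when all pass.
check_discovery() {
    doc=$1 expected_issuer=$2 rc=0
    issuer=$(json_string "$doc" issuer)
    # The iss claim of every ID token must equal this value. If the document
    # says something other than what the provider page shows, Authentik is
    # being reached through a different host or path than it expects.
    if [ "$issuer" != "$expected_issuer" ]; then
        echo "issuer mismatch: document says '$issuer', you expected '$expected_issuer'"
        rc=1
    fi
    origin=${expected_issuer#https://}
    origin=https://${origin%%/*}
    for key in authorization_endpoint token_endpoint userinfo_endpoint jwks_uri; do
        value=$(json_string "$doc" "$key")
        case $value in
            "") echo "missing $key"; rc=1 ;;
            "$origin"/*) : ;;
            *) echo "$key is not on the issuer's host: $value"; rc=1 ;;
        esac
    done
    # Authentik signs ID tokens with the provider's signing key (RS256); the
    # document must advertise it or user_oidc cannot validate the tokens.
    grep -q '"RS256"' "$doc" || { echo "RS256 not advertised"; rc=1; }
    return $rc
}

# Constructed sample document (shape of Authentik's output for the slug
# "nextcloud"; not captured from a real server). ISSUER is written as given
# so that a missing trailing slash can be reproduced.
write_sample_doc() {
    cat > "$1" <<EOF
{
  "issuer": "$2",
  "authorization_endpoint": "https://authentik.example.com/application/o/authorize/",
  "token_endpoint": "https://authentik.example.com/application/o/token/",
  "userinfo_endpoint": "https://authentik.example.com/application/o/userinfo/",
  "jwks_uri": "https://authentik.example.com/application/o/nextcloud/jwks/",
  "id_token_signing_alg_values_supported": ["RS256"]
}
EOF
}
```

On the Nextcloud host, run fetch_discovery with the issuer and a temporary file, then check_discovery on that file with the issuer copied from the Authentik provider page. Running the fetch on the Nextcloud host rather than your workstation matters: discovery and the token exchange are server-to-server calls, so a DNS or firewall problem that only affects that host shows up here and nowhere in the browser.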

OpenID Connect Provider Setup via Command Line


Disable Other Login Methods and Manage OpenID Connect Providers in Nextcloud

This guide explains how to make OpenID Connect (OIDC) the default and only login method in your Nextcloud instance, as well as how to manage OIDC provider entries via the command line.


Disable Other Login Methods

If you only have one OpenID Connect provider configured in Nextcloud, you can force it to be the default login method. Users are then redirected straight to your OIDC provider's login page instead of seeing the Nextcloud login form.

  • Admins can still log in using the native login page by appending ?direct=1 to the login URL.
    • e.g.: https://nextcloud.example.com/login?direct=1
  • Keep at least one local admin account with a strong password and a second factor for this route: it is your break-glass access when Authentik is unavailable, and it remains reachable to attackers as well, so protect it accordingly.

Disable Multiple User Backends

To make the OIDC provider the sole login method, run:

sudo -u www-data php /var/www/nextcloud/occ config:app:set --value=0 user_oidc allow_multiple_user_backends

Note

  • --value=0: Disables multiple user backends (OIDC becomes default and exclusive)
  • --value=1: Enables multiple user backends (users can choose between available login methods)
  • /var/www/nextcloud: Replace this with the actual path to your Nextcloud installation directory

Provider Entries Management

OIDC providers are managed by their provider identifier in Nextcloud. You can list, create, show, or delete providers directly from the command line.

List All Configured Providers

sudo -u www-data php /var/www/nextcloud/occ user_oidc:provider

Show Detailed Provider Configuration

sudo -u www-data php /var/www/nextcloud/occ user_oidc:provider PROVIDER_IDENTIFIER

Replace PROVIDER_IDENTIFIER with the identifier you gave the provider (Authentik or SSO in Step 5).

Create a New Provider

If a provider with the given identifier does not exist, you can create it (replace values as needed):

sudo -u www-data php /var/www/nextcloud/occ user_oidc:provider PROVIDER_IDENTIFIER \
  --clientid="WBXCa003871" \
  --clientsecret="lbXy***********" \
  --discoveryuri="https://authentik.example.com/application/o/nextcloud/.well-known/openid-configuration"

Info

  • You can set other options (attribute mappings, group provisioning, etc.) by adding more flags.
  • For all available parameters, use:

sudo -u www-data php /var/www/nextcloud/occ user_oidc:provider --help

Delete a Provider

To delete a configured provider:

sudo -u www-data php /var/www/nextcloud/occ user_oidc:provider:delete PROVIDER_IDENTIFIER

Replace /var/www/nextcloud with the actual path to your Nextcloud installation directory.

You will be asked for confirmation.

Warning

Deleting a provider breaks login for every Nextcloud account provisioned through it. Take a database backup before deleting a provider on a production instance.

To skip the confirmation, add --force:

sudo -u www-data php /var/www/nextcloud/occ user_oidc:provider:delete PROVIDER_IDENTIFIER --force
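As an added example that is not part of this page or of the user_oidc app, the following script wraps the occ commands from this section so the provider can be provisioned from configuration management rather than typed by hand. The client secret is read from a root-only file instead of being written on the command line (a --clientsecret=... typed interactively ends up in the shell history), and the multiple-backends switch gets an explicit rollback. The install path, the identifier authentik and the secret file location are assumptions; the OCC variable can be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example, not code from the page or from the user_oidc app: provision
# the Authentik provider with occ non-interactively and then make it the only
# login method. The client secret is read from a root-only file instead of
# being typed on the command line, so it does not end up in shell history.
# NEXTCLOUD_DIR, the provider identifier and the secret file path are
# assumptions; adjust them to your installation.
set -eu

NEXTCLOUD_DIR="${NEXTCLOUD_DIR:-/var/www/nextcloud}"
# The occ invocation; override OCC for a dry run (e.g. OCC=echo). Expanded
# unquoted on purpose so the words are split into a command line.
OCC="${OCC:-sudo -u www-data php $NEXTCLOUD_DIR/occ}"

# Print the secret stored on the first line of FILE. Refuses files readable
# by group or others, since the secret grants full use of the OIDC client.
read_secret() {
    file=$1
    [ -f "$file" ] || { echo "secret file $file not found" >&2; return 1; }
    # columns 5-10 of ls -l are the group/other permission bits
    if ls -ld "$file" | cut -c5-10 | grep -q '[rwx]'; then
        echo "refusing $file: readable by group or others (chmod 600 it)" >&2
        return 1
    fi
    secret=$(head -n 1 "$file")
    [ -n "$secret" ] || { echo "secret file $file is empty" >&2; return 1; }
    printf '%s\n' "$secret"
}

# Create or update the provider IDENTIFIER. user_oidc:provider updates an
# existing identifier in place, so re-running this is safe. Attribute-mapping
# and group-provisioning flags can be added; see user_oidc:provider --help.
# Usage: provision_provider authentik WBXCa003871 /root/nextcloud-oidc.secret \
#            https://authentik.example.com/application/o/nextcloud/
provision_provider() {
    identifier=$1 client_id=$2 secret_file=$3 issuer=$4
    secret=$(read_secret "$secret_file")
    $OCC user_oidc:provider "$identifier" \
        --clientid="$client_id" \
        --clientsecret="$secret" \
        --discoveryuri="${issuer%/}/.well-known/openid-configuration" \
        --scope="openid email profile"
}

# Make OIDC the default and only login method (users go straight to
# Authentik). Do this only after a test login succeeded and with a local
# admin kept reachable via /login?direct=1 as break-glass access.
set_oidc_only() {
    $OCC config:app:set --value=0 user_oidc allow_multiple_user_backends
}

# Rollback: show the Nextcloud login form again.
set_oidc_optional() {
    $OCC config:app:set --value=1 user_oidc allow_multiple_user_backends
}
```

Even when read from a file, the secret is still handed to occ as an argument, so it is briefly visible in ps and sudo records the full command line in the auth log. Anyone with root on the Nextcloud host can read the file anyway, but if that log is shipped to a central collector, rotate the client secret in Authentik after provisioning or use a log pipeline that drops it.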

