
Integrate with Nextcloud

Support level: Community

What is Nextcloud?

Nextcloud is an open-source content collaboration platform for file sync and share, groupware, and related productivity apps that can be self-hosted or run as a managed service.

-- https://nextcloud.com/

Server-side encryption

If you require Nextcloud server-side encryption with per-user keys, use LDAP. OIDC and SAML do not provide Nextcloud with the user's cleartext password, which can prevent encrypted user data from being decrypted.

HTTPS required

OIDC and SAML login require Nextcloud to run with HTTPS enabled. If Nextcloud is behind a reverse proxy, configure Nextcloud's overwrite parameters so generated URLs use https.

Built-in login fallback

If an OIDC or SAML configuration issue prevents users from logging in, visit https://nextcloud.company/login?direct=1 to use Nextcloud's built-in authentication.

Preparation

The following placeholders are used in this guide:

  • nextcloud.company is the FQDN of the Nextcloud installation.
  • authentik.company is the FQDN of the authentik installation.

Info

This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.

Nextcloud can use OIDC, SAML, or LDAP for authentication. OIDC is usually the simplest SSO method for a new Nextcloud deployment. Use LDAP when Nextcloud needs direct password authentication, such as deployments that rely on server-side encryption with per-user keys.

authentik configuration

Redirect URI changes in authentik 2026.5

In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.

To support the integration of Nextcloud with authentik over OIDC, you need to create an application/provider pair. If you want authentik to send Nextcloud storage quotas, group membership, or existing Nextcloud user IDs, also create a custom scope mapping.

Create a scope mapping

If you do not need storage quota, group information, administrator assignment, or existing-user matching in Nextcloud, skip to the next section.

This mapping reads Nextcloud-specific groups from application entitlements. After you create the application below, create entitlements with names that match the group names Nextcloud should receive. To grant Nextcloud administrator access, create an entitlement named admin and bind the appropriate users or groups to it.

  1. Log in to authentik as an administrator and open the authentik Admin interface.

  2. Navigate to Customization > Property mappings and click Create.

    • Select type: select Scope Mapping.
    • Create Scope Mapping:
      • Name: Nextcloud Profile

      • Scope name: nextcloud

      • Expression:

        # Nextcloud group names come from the application entitlements bound to the user
        groups = [
            entitlement.name
            for entitlement in request.user.app_entitlements(provider.application)
        ]
        # Quota precedence: entitlement attribute first, then group attribute
        quota = (
            request.user.app_entitlements_attributes(provider.application).get("nextcloud_quota")
            or request.user.group_attributes().get("nextcloud_quota")
        )

        return {
            "name": request.user.name,
            "groups": groups,
            "quota": quota,
            # Match an existing Nextcloud account if set, otherwise fall back to the authentik UUID
            "user_id": request.user.attributes.get("nextcloud_user_id", str(request.user.uuid)),
        }
  3. Click Finish.

To set a quota, define the nextcloud_quota attribute on a user, group, or Nextcloud application entitlement. For example, setting it to 1 GB restricts the user to 1 GB of storage. To connect an authentik user to an existing Nextcloud account, set the user's nextcloud_user_id attribute to the existing Nextcloud username.
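The following is an added example, not code from authentik or Nextcloud: a minimal stand-in for the expression context (a User object exposing the app_entitlements, app_entitlements_attributes and group_attributes methods the mapping calls, plus constructed sample users and a placeholder UUID) so you can see what the Nextcloud Profile mapping above returns for the admin, quota-fallback and existing-user cases.

```python
# Added example, not authentik code: a minimal stand-in for the expression context
# so the "Nextcloud Profile" mapping above can be run locally against sample users.
from dataclasses import dataclass, field
from uuid import UUID

@dataclass
class Entitlement:
    name: str
    attributes: dict = field(default_factory=dict)

@dataclass
class User:  # mimics the request.user methods the expression calls
    name: str
    uuid: UUID
    attributes: dict = field(default_factory=dict)
    group_attrs: dict = field(default_factory=dict)
    entitlements: list = field(default_factory=list)

    def app_entitlements(self, application):
        return self.entitlements

    def app_entitlements_attributes(self, application):
        merged = {}
        for ent in self.entitlements:  # later entitlements override earlier ones
            merged.update(ent.attributes)
        return merged

    def group_attributes(self):
        return self.group_attrs

def nextcloud_profile(user, application="nextcloud"):
    """Same logic as the scope mapping expression in the guide."""
    groups = [e.name for e in user.app_entitlements(application)]
    quota = (user.app_entitlements_attributes(application).get("nextcloud_quota")
             or user.group_attributes().get("nextcloud_quota"))
    return {"name": user.name, "groups": groups, "quota": quota,
            "user_id": user.attributes.get("nextcloud_user_id", str(user.uuid))}

UID = UUID("12345678-1234-5678-1234-567812345678")  # placeholder, not a real authentik ID

def sample_users():
    # Constructed users: admin with entitlement quota, group-quota fallback, linked existing account
    return {
        "alice": User("Alice", UID, group_attrs={"nextcloud_quota": "1 GB"},
                      entitlements=[Entitlement("admin", {"nextcloud_quota": "10 GB"}),
                                    Entitlement("staff")]),
        "bob": User("Bob", UID, group_attrs={"nextcloud_quota": "1 GB"}),
        "carol": User("Carol", UID, attributes={"nextcloud_user_id": "carol.old"}),
    }
```

Alice receives the admin group and the entitlement quota, Bob gets no groups and the group-level quota, and Carol is matched to her existing Nextcloud username with no quota set.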

Create an application and provider

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Applications > Applications and click New Application to open the application wizard.
    • Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. Note the application Slug because it will be required later.
    • Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
    • Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
      • Note the Client ID and Client Secret values because they will be required later.
      • Add a Redirect URI of type Strict Authorization as https://nextcloud.company/apps/user_oidc/code.
      • Add a Redirect URI of type Strict Post Logout as https://nextcloud.company.
      • Select any available signing key.
      • Under Advanced protocol settings:
        • Subject Mode: select Based on the User's UUID.
        • If you created the Nextcloud Profile scope mapping, add it to Selected Scopes.
    • Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
  3. Click Submit to save the new application and provider.

If you created the Nextcloud Profile scope mapping and want authentik to send Nextcloud-specific group values, open the new application, click the Application entitlements tab, and create the entitlements that Nextcloud should receive in the groups claim. Bind the appropriate users or groups to each entitlement.

Configure the OpenID Connect user backend

  1. In Nextcloud, install the OpenID Connect user backend app.
  2. Log in to Nextcloud as an administrator and navigate to Settings > OpenID Connect.
  3. Click the + button and enter the following settings:
    • Identifier: authentik
    • Client ID: <Client ID from authentik>
    • Client secret: <Client Secret from authentik>
    • Discovery endpoint: https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration
    • Scope: email profile openid
    • If you created the Nextcloud Profile scope mapping, add nextcloud to the Scope value.
    • Under Attribute mapping:
      • User ID mapping: sub
      • Display name mapping: name
      • Email mapping: email
      • If you created the Nextcloud Profile scope mapping:
        • User ID mapping: user_id
        • Quota mapping: quota
        • Groups mapping: groups
        • Enable Use group provisioning.
    • Disable Use unique user ID if you use user_id to match existing Nextcloud users or if you send the admin group for administrator access.

Local provider connections

If authentik and Nextcloud are running on the same host and Nextcloud cannot reach authentik, add 'allow_local_remote_servers' => true to the Nextcloud config/config.php file.

Enable OIDC back-channel logout (optional)

To automatically log users out of their Nextcloud sessions when they log out of authentik, enable back-channel logout.

  1. In Nextcloud, navigate to Settings > OpenID Connect.
  2. Under Registered Providers, locate the provider with the identifier used earlier.
  3. Copy the back-channel logout URL for that provider. For example, https://nextcloud.company/apps/user_oidc/backchannel-logout/authentik.
  4. In authentik, navigate to Applications > Providers and edit the Nextcloud provider.
  5. Under Protocol settings, set Logout URI to the copied back-channel logout URL.
  6. Set Logout Method to Back-channel.
  7. Click Update.

Make OIDC the default login method (optional)

If this is the only configured OpenID Connect provider, run the following command on the Nextcloud host to redirect users to authentik automatically when they access the Nextcloud login page (adjust the web server user and installation path to match your deployment):

sudo -u www-data php /var/www/nextcloud/occ config:app:set --type=string --value=0 user_oidc allow_multiple_user_backends

Administrators can still use Nextcloud's built-in authentication with https://nextcloud.company/login?direct=1.

Configuration verification

To confirm that authentik is properly configured with Nextcloud, log out of Nextcloud and use the login method you configured:

  • For OIDC, click Login with authentik. You should be redirected to authentik and then returned to the Nextcloud dashboard.
  • For SAML, click SSO & SAML log in. You should be redirected to authentik and then returned to the Nextcloud dashboard.
  • For LDAP, log in with an LDAP user from authentik.

Resources