{"id":29190790,"url":"https://github.com/owncloud/openidconnect","last_synced_at":"2026-04-07T16:02:39.834Z","repository":{"id":38446484,"uuid":"175372403","full_name":"owncloud/openidconnect","owner":"owncloud","description":"OpenId Connect (OIDC) Integration for ownCloud","archived":false,"fork":false,"pushed_at":"2026-03-11T14:31:53.000Z","size":582,"stargazers_count":6,"open_issues_count":3,"forks_count":13,"subscribers_count":15,"default_branch":"master","last_synced_at":"2026-03-11T20:13:55.205Z","etag":null,"topics":["openid","owncloud","owncloud-app"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/owncloud.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2019-03-13T07:53:12.000Z","updated_at":"2026-03-11T14:31:56.000Z","dependencies_parsed_at":"2023-11-29T00:29:50.801Z","dependency_job_id":"0c4d95bc-989f-4b75-8473-402b953b9641","html_url":"https://github.com/owncloud/openidconnect","commit_stats":null,"previous_names":[],"tags_count":31,"template":false,"template_full_name":null,"purl":"pkg:github/owncloud/openidconnect","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/owncloud%2Fopenidconnect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/owncloud%2Fopenidconnect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/owncloud%2Fopenidconnect/releases","manifests_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/owncloud%2Fopenidconnect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/owncloud","download_url":"https://codeload.github.com/owncloud/openidconnect/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/owncloud%2Fopenidconnect/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31518643,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T03:10:19.677Z","status":"ssl_error","status_checked_at":"2026-04-07T03:10:13.982Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["openid","owncloud","owncloud-app"],"created_at":"2025-07-02T00:11:14.329Z","updated_at":"2026-04-07T16:02:39.811Z","avatar_url":"https://github.com/owncloud.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenId Connect for ownCloud\n\n[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=owncloud_openidconnect\u0026metric=alert_status)](https://sonarcloud.io/dashboard?id=owncloud_openidconnect)\n[![Security 
Rating](https://sonarcloud.io/api/project_badges/measure?project=owncloud_openidconnect\u0026metric=security_rating)](https://sonarcloud.io/dashboard?id=owncloud_openidconnect)\n[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=owncloud_openidconnect\u0026metric=coverage)](https://sonarcloud.io/dashboard?id=owncloud_openidconnect)\n\n## Configuration\n\n### General\n\nA distributed memcache setup is required to properly operate this app - like Redis or memcached.\nFor development purposes APCu is reasonable as well.\nPlease follow the [documentation on how to set up caching](https://doc.owncloud.com/server/admin_manual/configuration/server/caching_configuration.html#supported-caching-backends).\n\n### Setup\n\nThe OpenId integration is established by either entering the parameters below into the\nownCloud configuration file or saving them to the app config database table.\n\n_provider-url_, _client-id_ and _client-secret_ are to be taken from the OpenId\nProvider setup.\n_loginButtonName_ can be chosen freely depending on the installation.\n\n### Settings in database\n\nIf you run a clustered setup, the following method is preferred because it is stateless. The OpenID Connect app checks for settings in the database first. If none is found, it falls back to the settings stored in `config.php`. If a malformed JSON string is found, an error is logged. You have to store your settings as a JSON formatted string in the ownCloud database table `oc_appconfig` with the following keys:\n\n| Key         | Value            |\n| ----------- | ---------------- |\n| appid       | 'openidconnect'  |\n| configkey   | 'openid-connect' |\n| configvalue | _JSON-String_    |\n\nThe _key-\u003evalue_ pairs are the same as when storing them to the `config.php` file. 
The preferred method is using the occ command:\n\n```\nocc config:app:set openidconnect openid-connect \\\n--value='{\"provider-url\":\"https://idp.example.net\",\"client-id\":\"fc9b5c78-ec73-47bf-befc-59d4fe780f6f\",\"client-secret\":\"e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1\",\"loginButtonName\":\"Login via OpenId Connect\"}'\n```\n\nThis task can also be done by opening the database console for your ownCloud database and entering the following example command. Use the database commands `UPDATE` or `DELETE` to change or delete these keys (not recommended).\n\n```\nINSERT INTO oc_appconfig (\n  appid,\n  configkey,\n  configvalue\n) VALUES (\n  'openidconnect',\n  'openid-connect',\n  '{\"provider-url\":\"https://idp.example.net\",\"client-id\":\"fc9b5c78-ec73-47bf-befc-59d4fe780f6f\",\"client-secret\":\"e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1\",\"loginButtonName\":\"Login via OpenId Connect\"}'\n);\n```\n\nNote: The app checks for settings in the database first. If none is found, it falls back to `config.php`. 
If a malformed JSON string is found, an error is passed to the logger instance.\n\n### Settings in config.php\n\n```php\n\u003c?php\n$CONFIG = [\n  'openid-connect' =\u003e [\n    'provider-url' =\u003e 'https://idp.example.net',\n    'client-id' =\u003e 'fc9b5c78-ec73-47bf-befc-59d4fe780f6f',\n    'client-secret' =\u003e 'e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1',\n    'loginButtonName' =\u003e 'OpenId Connect',\n  ],\n];\n```\n\nThe above configuration assumes that the OpenId Provider supports service discovery.\nIf not, the endpoint configuration has to be done manually as follows:\n\n```php\n\u003c?php\n$CONFIG = [\n  'openid-connect' =\u003e [\n    'provider-url' =\u003e 'https://idp.example.net',\n    'client-id' =\u003e 'fc9b5c78-ec73-47bf-befc-59d4fe780f6f',\n    'client-secret' =\u003e 'e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1',\n    'loginButtonName' =\u003e 'OpenId Connect',\n    'post_logout_redirect_uri' =\u003e '...',\n    'provider-params' =\u003e [\n      'authorization_endpoint' =\u003e '...',\n      'token_endpoint' =\u003e '...',\n      'token_endpoint_auth_methods_supported' =\u003e '...',\n      'userinfo_endpoint' =\u003e '...',\n      'registration_endpoint' =\u003e '...',\n      'end_session_endpoint' =\u003e '...',\n      'jwks_uri' =\u003e '...',\n    ],\n  ],\n];\n```\n\n### Setup auto provisioning mode\n\nThe auto provisioning mode will create a user based on the user information returned by the OpenID Connect provider.\nThe config parameters 'mode' and 'search-attribute' will be used to create a unique user so that the lookup mechanism can find the user again.\n\n```php\n\u003c?php\n$CONFIG = [\n  'openid-connect' =\u003e [\n    'auto-provision' =\u003e [\n      // explicitly enable the auto provisioning mode\n      'enabled' =\u003e true,\n      // documentation about standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims\n      // only relevant in userid mode, defines the claim which holds the 
email of the user\n      'email-claim' =\u003e 'email',\n      // defines the claim which holds the display name of the user\n      'display-name-claim' =\u003e 'given_name',\n      // defines the claim which holds the picture of the user - must be a URL\n      'picture-claim' =\u003e 'picture',\n      // defines a list of groups to which the newly created user will be added automatically\n      'groups' =\u003e ['admin', 'guests', 'employees'],\n    ],\n  ],\n];\n```\n\n#### Setup auto-update of user account info\n\nThe provisioning auto-update mode will update user account info with current information provided by the OpenID Connect provider\nupon each login.\n\n```php\n\u003c?php\n$CONFIG = [\n  'openid-connect' =\u003e [\n    'auto-provision' =\u003e [\n      'update' =\u003e [\n        // enable the user info auto-update mode\n        'enabled' =\u003e true,\n      ],\n    ],\n  ],\n];\n```\n\n#### All Configuration Values explained\n\n- loginButtonName - the name as displayed on the login screen which is used to redirect to the IdP\n- autoRedirectOnLoginPage - if set to true the login page will redirect to the IdP right away\n- provider-url - the URL where the IdP is living. 
In some cases (KeyCloak, Azure AD) this holds more than just a domain but also a path\n- client-id \u0026 client-secret - self-explanatory\n- scopes - depending on the IdP setup, the list of required scopes needs to be entered here\n- insecure - boolean value (true/false), no SSL verification will take place when talking to the IdP - DON'T use in production\n- provider-params - additional config depending on the IdP is to be entered here - usually only necessary if the IdP does not support service discovery\n- auth-params - additional parameters which are sent to the IdP during the auth requests\n- redirect-url - the full URL under which the ownCloud OpenId Connect redirect URL is reachable - only needed in special setups\n- token-introspection-endpoint-client-id \u0026 token-introspection-endpoint-client-secret - client id and secret to be used with the token introspection endpoint\n- post_logout_redirect_uri - a given URL where the IdP should redirect to after logout\n- mode - the mode to search for the user in ownCloud - either userid or email\n- search-attribute - the attribute which is taken from the access token JWT or user info endpoint to identify the user\n- allowed-user-backends - limit the users which are allowed to log in to a specific user backend - e.g. LDAP\n- use-access-token-payload-for-user-info - if set to true any user information will be read from the access token. If set to false the userinfo endpoint is used (starting app version 1.1.0)\n- jwt-self-signed-jwk-header-supported - if set to true the JWK will be taken from the JWT header instead of the IdP's jwks_uri. 
Should only be enabled in exceptional cases as this could lead to vulnerabilities: https://portswigger.net/kb/issues/00200902_jwt-self-signed-jwk-header-supported\n\n### Setup within the OpenId Provider\n\nWhen registering ownCloud as OpenId Client use `https://cloud.example.net/index.php/apps/openidconnect/redirect` as redirect URL.\n\nIn case [OpenID Connect Front-Channel Logout 1.0](https://openid.net/specs/openid-connect-frontchannel-1_0.html)\nis supported please enter `https://cloud.example.net/index.php/apps/openidconnect/logout` as logout URL within the client registration of the OpenId Provider.\nWe require `frontchannel_logout_session_required` to be true.\n\n### Setup service discovery\n\nIn order to allow other clients to use OpenID Connect when talking to ownCloud please set up\na redirect on the web server to point .well-known/openid-configuration to /index.php/apps/openidconnect/config\n\nThis is an .htaccess example:\n\n```\n  RewriteRule ^\\.well-known/openid-configuration /index.php/apps/openidconnect/config [P]\n```\n\nThe Apache modules proxy and proxy_http need to be enabled. (Debian/Ubuntu: a2enmod proxy proxy_http)\n\n### How to set up an IdP for development and test purposes\n\nThere are various Open Source IdPs out there. The one with the most features implemented seems to be [panva/node-oidc-provider](https://github.com/panva/node-oidc-provider).\nCAUTION: node-oidc-provider does not accept the redirect URLs we need for owncloud clients. For release testing, use kopano konnectd instead.\n\nTo set it up locally do the following:\n\n1. Clone panva/node-oidc-provider\n2. yarn install\n3. cd example\n4. 
Add client config into \u003chttps://github.com/panva/node-oidc-provider/blob/master/example/support/configuration.js#L14\u003e\n\n   ```js\n   module.exports.clients = [\n     {\n       client_id: 'ownCloud',\n       client_secret: 'ownCloud',\n       grant_types: ['refresh_token', 'authorization_code'],\n       redirect_uris: ['http://localhost:8080/index.php/apps/openidconnect/redirect'],\n       frontchannel_logout_uri: 'http://localhost:8080/index.php/apps/openidconnect/logout'\n     }\n   ];\n\n   // Enable introspection (and the other features ownCloud relies on)\n   module.exports.features = {\n      devInteractions: { enabled: false },\n      introspection: { enabled: true },\n      deviceFlow: { enabled: true },\n      revocation: { enabled: true },\n      issAuthResp: { enabled: true },\n   };\n   ```\n\n5. Start the IdP via: `node standalone.js`\n6. Open in browser: \u003chttp://localhost:3000/.well-known/openid-configuration\u003e\n7. ownCloud configuration looks as follows:\n\n   ```php\n   $CONFIG = [\n     'openid-connect' =\u003e [\n         'provider-url' =\u003e 'http://localhost:3000',\n         'client-id' =\u003e 'ownCloud',\n         'client-secret' =\u003e 'ownCloud',\n         'loginButtonName' =\u003e 'node-oidc-provider',\n         'mode' =\u003e 'userid',\n         'search-attribute' =\u003e 'sub',\n         // do not verify tls host or peer\n         'insecure' =\u003e true\n     ],\n   ];\n   ```\n\n8. Clients can now use \u003chttp://localhost:3000/.well-known/openid-configuration\u003e to obtain all information which is necessary\n   to initiate the OpenId Connect flow. Use the granted access token in any request to ownCloud within a bearer authentication header.\n9. You can log in with any credentials but you need to make sure that the user with the given user id exists. 
In a real-world deployment the users will come from LDAP.\n-  Keep in mind that by default, the oidc app will search for the `email` attribute - which is hardcoded to `johndoe@example.com` [ref](https://github.com/panva/node-oidc-provider/blob/master/example/support/account.js#L32)\n-  If you wish to map the login name on the oidc-provider to owncloud user ids, you can configure it as follows:\n\n```php\n    $CONFIG = [\n      'openid-connect' =\u003e [\n        'search-attribute' =\u003e 'sub',\n        'mode' =\u003e 'userid',\n      ],\n    ];\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fowncloud%2Fopenidconnect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fowncloud%2Fopenidconnect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fowncloud%2Fopenidconnect/lists"}