Linking Authentik SSO to Nextcloud (OIDC)
Purpose: This guide outlines the steps to enable Single Sign-On (SSO) for Nextcloud using Authentik via the OpenID Connect (OIDC) protocol. This allows users to log in to Nextcloud using their central Authentik credentials.
Prerequisites
- A working Authentik instance (e.g., auth.goonersnas.com).
- A working Nextcloud instance (e.g., nc.goonersnas.com).
- Administrator access to both platforms.
Step 1: Create the Authentik Provider
The Provider acts as the authentication engine for the handshake.
https://nc.goonersnas.com/index.php/apps/sociallogin/custom_oidc/authentik
Click Finish and then copy your Client ID and Client Secret from the provider details page.
Step 2: Create the Authentik Application
The Application links the Provider to a user-facing icon.
Step 3: Configure Nextcloud Social Login
3.1 General Settings
Set the following options at the top of the page:
- Uncheck: "Disable auto-create new users" (to allow SSO to create accounts).
- Check: "Allow users to connect social logins with their account".
- Check: "Update user profile every login".
3.2 Custom OpenID Connect
| Nextcloud Field | Value |
|---|---|
| Internal name | authentik |
| Authorize URL | https://auth.goonersnas.com/application/o/authorize/ |
| Token URL | https://auth.goonersnas.com/application/o/token/ |
| User info URL | https://auth.goonersnas.com/application/o/userinfo/ |
| Scope | openid profile email |
Important: Ensure there are no leading or trailing spaces in the Client ID or Client Secret fields.
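A pre-flight check for the values entered in 3.2, added here as an example and not part of the original guide or of the Social Login app. It assumes the URL shown in Step 1 is the redirect URI registered on the provider; the dictionary keys, the function name and the placeholder credentials are hypothetical.

```python
from urllib.parse import urlsplit

def lint_oidc_settings(cfg, redirect_uri):
    """Return a list of problems found in the values entered in step 3.2."""
    problems = []
    # Stray whitespace in the credentials is the failure the guide warns about.
    for key in ("client_id", "client_secret"):
        value = cfg.get(key, "")
        if not value:
            problems.append(f"{key}: empty")
        elif value != value.strip():
            problems.append(f"{key}: leading or trailing whitespace")
    # All three endpoints must be HTTPS and point at the same Authentik host.
    hosts = set()
    for key in ("authorize_url", "token_url", "userinfo_url"):
        parts = urlsplit(cfg.get(key, ""))
        if parts.scheme != "https" or not parts.hostname:
            problems.append(f"{key}: not an https URL")
        else:
            hosts.add(parts.hostname)
    if len(hosts) > 1:
        problems.append("endpoints: point at different hosts")
    # Without the "openid" scope the request is not an OIDC request.
    if "openid" not in cfg.get("scope", "").split():
        problems.append("scope: missing openid")
    # Assumption: the redirect URI ends with the provider's internal name.
    redirect = urlsplit(redirect_uri)
    if redirect.scheme != "https":
        problems.append("redirect_uri: not https")
    if redirect.path.rstrip("/").rsplit("/", 1)[-1] != cfg.get("internal_name"):
        problems.append("redirect_uri: last segment differs from internal name")
    return problems

# Constructed sample: values from the table above; credentials are placeholders.
SAMPLE = {
    "internal_name": "authentik",
    "authorize_url": "https://auth.goonersnas.com/application/o/authorize/",
    "token_url": "https://auth.goonersnas.com/application/o/token/",
    "userinfo_url": "https://auth.goonersnas.com/application/o/userinfo/",
    "scope": "openid profile email",
    "client_id": "EXAMPLE_CLIENT_ID",
    "client_secret": "EXAMPLE_CLIENT_SECRET\n",  # pasted with a trailing newline
}
REDIRECT_URI = "https://nc.goonersnas.com/index.php/apps/sociallogin/custom_oidc/authentik"

if __name__ == "__main__":
    for problem in lint_oidc_settings(SAMPLE, REDIRECT_URI):
        print("FAIL", problem)
```

An empty result means the settings are internally consistent; it does not confirm that the Client ID and Client Secret match what Authentik issued.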
Step 4: Final Testing
- Open an Incognito Window.
- Navigate to your Nextcloud URL.
- Click the large Authentik button at the bottom of the login form.
- Log in with your Authentik credentials.
Success! If you are redirected to your Nextcloud dashboard, the SSO link is active. New users created in Authentik will now automatically have Nextcloud accounts provisioned on their first login.