# Linking Authentik SSO to Nextcloud (OIDC)

**Purpose:** This guide outlines the steps to enable Single Sign-On (SSO) for Nextcloud using Authentik via the OpenID Connect (OIDC) protocol. This allows users to log in to Nextcloud using their central Authentik credentials.

## Prerequisites

- A working **Authentik** instance (e.g., `auth.goonersnas.com`). - A working **Nextcloud** instance (e.g., `nc.goonersnas.com`). - Administrator access to both platforms. ---

## Step 1: Create the Authentik Provider The Provider acts as the authentication engine for the handshake.

1. Navigate to **Applications > Providers** in the Authentik Admin interface. 2. Click **Create** and select **OAuth2/OpenID Provider**. 3. Set the following values:

Field	Value
Name	Nextcloud
Authentication flow	default-authentication-flow
Authorization flow	default-provider-authorization-implicit-consent
Client Type	Confidential

4. In the **Redirect URIs** section, add the following (adjust domain as needed):

``` https://nc.goonersnas.com/index.php/apps/sociallogin/custom_oidc/authentik ``` Click **Finish** and then copy your **Client ID** and **Client Secret** from the provider details page. ## Step 2: Create the Authentik Application The Application links the Provider to a user-facing icon.

1. Navigate to **Applications > Applications**. 2. Click **Create**. 3. **Name:** Nextcloud | **Slug:** nextcloud 4. **Provider:** Select the "Nextcloud" provider created in Step 1. 5. Click **Finish**. ---

## Step 3: Configure Nextcloud Social Login Install the **Social Login** app from the Nextcloud App Store, then navigate to **Settings > Administration > Social login**. ### 3.1 General Settings Check the following boxes at the top of the page:

- **Uncheck:** "Disable auto-create new users" (to allow SSO to create accounts). - **Check:** "Allow users to connect social logins with their account". - **Check:** "Update user profile every login".

### 3.2 Custom OpenID Connect Click the **+** button under Custom OpenID Connect and fill in the following:

Nextcloud Field	Authentik URL Path
Internal name	authentik
Authorize URL	https://auth.goonersnas.com/application/o/authorize/
Token URL	https://auth.goonersnas.com/application/o/token/
User info URL	https://auth.goonersnas.com/application/o/userinfo/
Scope	openid profile email

**Important:** Ensure there are no leading or trailing spaces in the Client ID or Client Secret fields.

---

## Step 4: Final Testing

1. Open an **Incognito Window**. 2. Navigate to your Nextcloud URL. 3. Click the large **Authentik** button at the bottom of the login form. 4. Log in with your Authentik credentials.

**Success!** If redirected to your Nextcloud dashboard, the SSO link is active. New users created in Authentik will now automatically have Nextcloud accounts provisioned on their first login.