Nextcloud - Can not get identifier from provider

Hi everyone!

Hope you are all good!

I did integrate unikname connect to nextcloud.
Thanks to @dlecan for his help.
So I’ve got the button to connect:

All seems good.

But when I accept the connection through the app, here is the result:

## Error

**Can not get identifier from provider**

What could I do?

Thanks for your support!

Hi @Michael,

Can you paste the plugin configuration here, :rotating_light: without the client_secret :rotating_light:?
Thank you

Here is the configuration:

    // Some Nextcloud options that might make sense here
    'allow_user_to_change_display_name' => false,
    'lost_password_link' => 'disabled',

    // URL of provider. All other URLs are auto-discovered from .well-known
    'oidc_login_provider_url' => 'https://connect.unikname.com/oidc/',

    // Client ID and secret registered with the provider
    'oidc_login_client_id' => 'ZGlkOnVuaWs6dW5pZDo5ZjM0NDQ5NjMzYTZhYTQzMGNhYTU0ZmUwNDE2M2IxMGE4ZDlmYWM3Yjk3Yzg0Zjk3ZTc1Y2FjZjQ4MTI4MmJi',
    'oidc_login_client_secret' => '######',

    // Automatically redirect the login page to the provider
    'oidc_login_auto_redirect' => false,

    // Redirect to this page after logging out the user
    'oidc_login_logout_url' => 'https://cloud.michaelfertonphoto.com/',

    // Quota to assign if no quota is specified in the OIDC response (bytes)
    'oidc_login_default_quota' => '1000000000',

    // Login button text
    'oidc_login_button_text' => 'Se connecter avec @unikname',

    // Attribute map for OIDC response. Available keys are:
    //   i)   id:       Unique identifier for username
    //   ii)  name:     Full name
    //   iii) mail:     Email address
    //   iv)  quota:    Nextcloud storage quota
    //   v)   home:     Home directory location. A symlink or external storage to this location is used
    //   vi)  ldap_uid: LDAP uid to search for when running in proxy mode
    //   vii) groups:   Array or space separated string of NC groups for the user
    //
    // The attributes in the OIDC response are flattened by adding the nested
    // array key as the prefix and an underscore. Thus,
    //
    //     $profile = [
    //         'id' => 1234,
    //         'attributes' => [
    //             'uid' => 'myuid'
    //         ]
    //     ];
    //
    // would become,
    //
    //     $profile = [
    //         'id' => 1234,
    //         'attributes_uid' => 'myuid'
    //     ]
    //
    'oidc_login_attributes' => array (
        'id' => '###',
        'name' => '###',
        'mail' => '####',
        'quota' => 'unlimited',
        'home' => '#####',
        'ldap_uid' => 'uid',
        'groups' => 'admin',
    ),

    // Default group to add users to (optional, defaults to nothing)
    'oidc_login_default_group' => 'defaults',

    // Use external storage instead of a symlink to the home directory
    // Requires the files_external app to be enabled
    'oidc_login_use_external_storage' => false,

    // Set OpenID Connect scope
    'oidc_login_scope' => 'openid',

    // Run in LDAP proxy mode
    // In this mode, instead of creating users of its own, OIDC login
    // will get the existing user from an LDAP database and only
    // perform authentication with OIDC. All user data will be derived
    // from the LDAP database instead of the OIDC user response
    //
    // The `id` attribute in `oidc_login_attributes` must return the
    // "Internal Username" (see expert settings in LDAP integration)
    'oidc_login_proxy_ldap' => false,

    // Disable creation of new users from OIDC login
    'oidc_login_disable_registration' => true,

    // Fallback to direct login if login from OIDC fails
    // Note that no error message will be displayed if enabled
    'oidc_login_redir_fallback' => false,

    // Use an alternative login page
    // This page will be php-included instead of a redirect if specified
    // In the example below, the PHP file `login.php` in `assets`
    // in nextcloud base directory will be included
    // Note: the PHP variable $OIDC_LOGIN_URL is available for redirect URI
    // Note: you may want to try setting `oidc_login_logout_url` to your
    // base URL if you face issues regarding re-login after logout
    #'oidc_login_alt_login_page' => 'assets/login.php',

    // For development, you may disable TLS verification. Default value is `true`
    // which should be kept in production
    'oidc_login_tls_verify' => true,

This part was modified:

    'oidc_login_provider_url' => 'https://connect.unikname.com/oidc/',

With the current URL in the “how to”, https://connect.unikname.com/oidc/.well-known/openid-configuration, this does not work.

I assume you are using the OIDC_Login Nextcloud plugin.

Yes, the plugin automatically adds .well-known/openid-configuration. I will improve the documentation to explain that.

    // URL of provider. All other URLs are auto-discovered from .well-known
    'oidc_login_provider_url' => 'https://connect.unikname.com/oidc/',

:heavy_check_mark: already done!

    // Client ID and secret registered with the provider
    'oidc_login_client_id' => '',
    'oidc_login_client_secret' => '',

:heavy_check_mark: already done!

    // Login button text
    'oidc_login_button_text' => 'Se connecter avec votre @unikname',

Like you say Se connecter avec votre email, I think you should add votre in front of @unikname, because @unikname is an identifier, like an email, not a solution.

We recommend using the identifier name, not the solution name.

    // Attribute map for OIDC response. Available keys are:
    //
    'oidc_login_attributes' => array (
        'id' => 'sub',
        ...
    ),

Here is the most important part to solve your error: you need to map the returned attributes from Unikname Connect to Nextcloud. 'id' is mandatory, and is returned as sub (subject in the OpenID Connect standard).
But you can safely remove all keys as they have correct default configurations in the plugin.

    // Set OpenID Connect scope
    'oidc_login_scope' => 'openid',

You can remove that, because this is the default configuration.
You may add the email scope in the next months to get an email address from your users (if they consent to it).

    // Disable creation of new users from OIDC login
    'oidc_login_disable_registration' => false,

You may enable this if you want your users to create their account with a @unikname.

You can remove all other parameters.

So the final configuration:

    'oidc_login_provider_url' => 'https://connect.unikname.com/oidc/',
    'oidc_login_client_id' => 'TODO',
    'oidc_login_client_secret' => 'TODO',
    'oidc_login_button_text' => 'Se connecter avec votre @unikname',
    'oidc_login_disable_registration' => false,

Remove all other oidc_login_* keys.

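As an added illustration (not the oidc_login plugin's or Unikname's own code), this script mirrors the mapping the answer describes: the provider's profile is flattened into `parent_child` keys and the claim named by `oidc_login_attributes['id']` is looked up, which is exactly where "Can not get identifier from provider" comes from when the mapped claim is absent. The `sub` default and the decision to keep list values (such as groups) unflattened are assumptions; mapping `id` to `sub` is the safe choice because `sub` is the stable subject identifier the provider guarantees, whereas an email claim may be optional and can change.

```php
<?php
// Added illustration, not the plugin's code: flatten the OIDC profile as the
// plugin's config comments describe, then resolve the mandatory 'id' attribute.
declare(strict_types=1);

function isList(array $a): bool
{
    return $a === [] || array_keys($a) === range(0, count($a) - 1);
}

// Nested associative arrays become "<parent>_<child>" keys; list arrays are
// kept whole (assumption, so an array-valued 'groups' claim survives).
function flattenProfile(array $profile, string $prefix = ''): array
{
    $flat = [];
    foreach ($profile as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '_' . $key;
        if (is_array($value) && !isList($value)) {
            $flat += flattenProfile($value, $name);
        } else {
            $flat[$name] = $value;
        }
    }
    return $flat;
}

// Look up the claim mapped to 'id'. Defaulting to 'sub' is an assumption based
// on the answer ("the id is returned as sub" and plugin defaults are correct).
function resolveIdentifier(array $flat, array $attributeMap): string
{
    $claim = $attributeMap['id'] ?? 'sub';
    if (!isset($flat[$claim]) || !is_scalar($flat[$claim]) || (string) $flat[$claim] === '') {
        throw new RuntimeException("Can not get identifier from provider (claim '$claim' missing)");
    }
    return (string) $flat[$claim];
}

// Constructed sample claims; the sub value is a placeholder, not a real Unikname id.
$claims = [
    'iss'        => 'https://connect.unikname.com/oidc/',
    'sub'        => 'EXAMPLE-SUBJECT-ID',
    'attributes' => ['uid' => 'myuid'],   // becomes 'attributes_uid'
    'groups'     => ['users'],
];
$flat = flattenProfile($claims);

try {
    resolveIdentifier($flat, ['id' => '###']);   // placeholder key that matches no claim
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo resolveIdentifier($flat, ['id' => 'sub']), PHP_EOL;   // the mapping from the answer
```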

Thanks!
Indeed, that works!
Now I need to link my account to my Unikname.
I’m gonna dig.
