Add instructions on how to enable PKCE in Nextcloud (#2647)

Martin Wurm 2024-03-12 03:42:04 +01:00 committed by GitHub
parent 285f4362b2
commit a0357ad227
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -378,10 +378,14 @@ OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://idm.example.com/oauth2/openid/<oauth2_
Install the module [from the nextcloud market place](https://apps.nextcloud.com/apps/user_oidc) - it Install the module [from the nextcloud market place](https://apps.nextcloud.com/apps/user_oidc) - it
can also be found in the Apps section of your deployment as "OpenID Connect user backend". can also be found in the Apps section of your deployment as "OpenID Connect user backend".
In Nextcloud's config.php you need to allow connection to remote servers: In Nextcloud's config.php you need to allow connection to remote servers and enable PKCE:
```php ```php
'allow_local_remote_servers' => true, 'allow_local_remote_servers' => true,
'user_oidc' => [
'use_pkce' => true,
],
``` ```
You may optionally choose to add: You may optionally choose to add:
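Review bot: the sentence introducing the snippet ("allow connection to remote servers and enable PKCE") should say why the `user_oidc` block is required rather than optional: Kanidm expects PKCE from the client, and the `warning-insecure-client-disable-pkce` step that this commit removes further down was the workaround for a client that did not send it. Without that context a reader may treat `'use_pkce' => true` as a tuning knob and skip it, which puts them back to needing the insecure workaround. Consider also stating which release of the "OpenID Connect user backend" app introduced the `use_pkce` option, since readers on an older install will not have it.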
@ -397,13 +401,6 @@ If you forget this, you may see the following error in logs:
Host 172.24.11.129 was not connected to because it violates local access rules Host 172.24.11.129 was not connected to because it violates local access rules
``` ```
This module does not support PKCE or ES256. You will need to run:
```bash
kanidm system oauth2 warning-insecure-client-disable-pkce <resource server name>
kanidm system oauth2 warning-enable-legacy-crypto <resource server name>
```
In the settings menu, configure the discovery URL and client ID and secret. In the settings menu, configure the discovery URL and client ID and secret.
You can choose to disable other login methods with: You can choose to disable other login methods with:
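Review bot: the removed paragraph covered two separate Kanidm relaxations, and only one of them is replaced by this change. `warning-insecure-client-disable-pkce` is indeed no longer needed once `'use_pkce' => true` is set, but `warning-enable-legacy-crypto` addressed the module's lack of ES256 support, and nothing in this diff adds ES256. Either keep the ES256 sentence together with `kanidm system oauth2 warning-enable-legacy-crypto <resource server name>`, or state explicitly in the text that the module now supports ES256 so the legacy-crypto step can go; as written, a reader following the updated page has no instruction for the signing algorithm and the old "This module does not support PKCE or ES256" wording should at least become "does not support ES256" if that is still the case.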