Cannot connect Nextcloud with Kopano Konnect
-
Hello all,
I have been trying to get Nextcloud to connect with the Kopano Docker environment without much success. Any help would be much appreciated! I used the post Using Docker to Spin Up a Kopano Environment to set up a full environment, which works perfectly. Since this is mainly a test environment, I created a self-signed cert and configured it to use this one instead of the included Letsencrypt backend, which I will likely use in the near future.
For Nextcloud, I am using the linuxserver/nextcloud container, which has also been configured to use OnlyOffice with Docker, which works fine. In order to ensure proper network communication, I added BOTH Nextcloud and OnlyOffice to the main docker-compose.yml file that is generated via the setup.sh in the first link of this post. Once I run docker-compose up, I get the entire Kopano environment, Nextcloud + OnlyOffice, and they all work as expected separately. Here's what I added to the docker-compose.yml
file (shown via a git diff):kopano-docker$ git diff diff --git a/docker-compose.yml b/docker-compose.yml index 0a644a1..c2c1221 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -90,6 +90,53 @@ services: tmpfs: - /tmp/ + nextcloud: + image: linuxserver/nextcloud + container_name: nextcloud + depends_on: + - kopano_konnect + - kopano_ssl + environment: + - PUID=1000 + - PGID=1000 + - TZ=America/Phoenix + volumes: + - /home/debian/nextcloud-oo/config:/config + - /home/debian/nextcloud-oo/data:/data + networks: + - kopano-net + ports: + - 7443:443 + restart: unless-stopped + # networks: + # - ldap-net + + onlyoffice: + image: onlyoffice/documentserver + container_name: onlyoffice + depends_on: + - kopano_konnect + - kopano_ssl + environment: + - TZ=America/Phoenix + - USE_UNAUTHORIZED_STORAGE=true + - SSL_CERTIFICATE_PATH=/ssl/onlyoffice.crt + - SSL_KEY_PATH=/ssl/onlyoffice.key + - SSL_DHPARAM_PATH=/ssl/dhparam.pem + volumes: + - /home/debian/nextcloud-oo/oo-logs:/var/log/onlyoffice + - /home/debian/nextcloud-oo/oo-data:/var/www/onlyoffice/Data + - /home/debian/nextcloud-oo/oo-lib:/var/lib/onlyoffice + - /home/debian/nextcloud-oo/oo-db:/var/lib/postgresql + - /home/debian/nextcloud-oo/ssl:/ssl + networks: + - kopano-net + ports: + - 780:80 + - 8443:443 + restart: unless-stopped + + kopano_webapp: image: ${docker_repo:-zokradonh}/kopano_webapp:${WEBAPP_VERSION:-latest} read_only: true # in case additional packages need to be installed this option should be set to false
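Review bot: the nextcloud service publishes 7443:443, which puts Nextcloud on a different port than the Konnect issuer on the same host, so the Social Login redirect cannot be trusted implicitly and the client has to be registered in identifier-registration.yaml (or Nextcloud served through kweb on the same host and port); the commented-out ldap-net attachment is unrelated to this. Separately, USE_UNAUTHORIZED_STORAGE=true on the onlyoffice service makes the document server accept the self-signed certificate on the storage side; it fits the stated test setup but should be removed once the Letsencrypt backend is in use.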
I have attempted to connect Nextcloud (21.0.2) with Kopano Konnect using this documentation: Using Kopano Konnect to sign into Nextcloud. I am also using the Social Login app (4.6.5) as directed.
I am able to hit the https://$(hostname)/.well-known/openid-configuration URL, which does in fact show all the endpoints listed in the above documentation. After configuring the Custom OpenID Connect section of the Social Login app in settings, I am able to see the new Kopano Konnect button on the Nextcloud login splash, but when I hit this button I get a redirected page with the following error message:
Error Provider returned an error: access_denied unknown client_id: Kopano
I have re-reviewed my settings many times, but nothing seems to work. When I use the Kopano Konnect button, I am already logged into Kopano mail as user1 in another tab, so it should just automatically log me in to Nextcloud, but instead I get the message above. As you can see above, I am running Kopano and Nextcloud+OO on the same host, via the same docker-compose file with the same domain. Since I am using the same domain (the only difference is that I'm using 7443 for Nextcloud) I don't believe I need to make a custom section within the identifier-registration.yaml file, but I could be wrong. Any suggestions?
Any help would be much appreciated!
-
@nfaction said in Cannot connect Nextcloud with Kopano Konnect:
the only difference is that I’m using 7443 for Nextcloud
This here is the reason you see the "unknown client_id" message. It needs to be the exact same domain (and also the same port) to have the application automatically trusted. For everything else you need to register the app in Konnect before use. I would however just adapt the front facing proxy to make Nextcloud available e.g. from https://yourdomain/nextcloud.
-
@fbartels Do you have any suggestions on the best way to do a proxy as you suggest? I’ve been looking into caddy, but I haven’t seen an obvious way to add a proxy for nextcloud. I found this: https://github.com/zokradonh/kopano-docker/blob/7d225324b80e6c8b71d31e0a63b2440d68e98456/web/kweb.cfg
-
I've been playing with the caddy v1 configurations and was able to get a redirect to work, added the trusted domain in Nextcloud, but I can't get the site URL to rewrite. Unfortunately the v1 documentation is almost impossible to find, so I kinda gave up on that…
I've been attempting to add an exception/addition to the identifier-registration.yaml but am struggling to get that to load properly. Still getting the same error messages.
-
@nfaction said in Cannot connect Nextcloud with Kopano Konnect:
added the trusted domain in nextcloud, but I can’t get the site url to rewrite.
You previously already found the right file. In https://github.com/zokradonh/kopano-docker/blob/7d225324b80e6c8b71d31e0a63b2440d68e98456/web/kweb.cfg#L244-L250 you can see how requests for the /owncloud path get proxied to its dedicated container. I would expect it works the same for Nextcloud. To add your own proxy rules you only need to write them to a file placed in /etc/kweb-extras/; https://github.com/zokradonh/kopano-docker/blob/7d225324b80e6c8b71d31e0a63b2440d68e98456/web/kweb.cfg#L252 will take care of sourcing these instructions.
@nfaction said in Cannot connect Nextcloud with Kopano Konnect:
I've been attempting to add an exception/addition to the identifier-registration.yaml but am struggling to get that to load properly.
If you are starting fresh you can mount a pre-modified identifier registration at startup; when you already have a running setup it's the easiest to modify the file from within e.g. the Konnect container directly. It always helps to raise the logging to debug for the Konnect container, as then it will print registered applications at startup.
-
Alright, I have tried just about everything I can think of and everything suggested without success…
Here’s what I have…
# kopano-docker/web/kweb.cfg
...
    proxy /owncloud/ owncloud:8080 {
        transparent
        keepalive 0
        fail_timeout 10s
        try_duration 30s
    }
    folderish /owncloud

    proxy /nextcloud/ nextcloud:7443 {
        transparent
        keepalive 0
        fail_timeout 10s
        try_duration 30s
    }
    folderish /nextcloud

    import /etc/kweb-extras/*
}
...
^^ This does not work. I get the self-signed cert warning; when I click through it just fails to resolve or just times out.
# konnect/konnectd-identifier-registration.yaml
clients:
  ...
  - id: nextcloud
    name: Nextcloud
    application_type: web
    trusted: true
    insecure: yes
    redirect_uris:
      - https://<nextcloud-dns-domainname>:7443/index.php/apps/sociallogin/custom_oidc/Kopano
  ...
I added the "- id: nextcloud" entry to the clients block after the compose was already up and running, by going to /var/lib/docker/volumes and modifying the file in the mount here:
vim ./kopano_kopanossl/_data/konnectd-identifier-registration.yaml
For some reason it never mounted the file in the github repository. After all this I made some progress. Instead of the invalid client, I now get an error on the redirect URL. Here's what I see now…
Provider returned an error: access_denied invalid redirect_uri: https://<nextcloud-dns-domainname>:7443/apps/sociallogin/custom_oidc/Kopano
To be sure it wasn't blocking on the other side (Nextcloud), I added the other entries to the trusted_domains file:
<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => '<secret>',
  'passwordsalt' => '<secret>',
  'secret' => '<secret>',
  'trusted_domains' =>
  array (
    0 => '<nextcloud-dns-domainname>:7443',
    1 => '<nextcloud-dns-domainname>',
    2 => '<nextcloud-dns-domainname>/nextcloud',
    3 => 'localhost',
  ),
  'dbtype' => 'sqlite3',
  'version' => '21.0.2.1',
  'overwrite.cli.url' => 'https://<nextcloud-dns-domainname>:7443',
  'installed' => true,
);
Also, do you have any suggestions on how to create a new user? I tried to use the kopano-admin command, but I get an error. This is what I tried:
docker exec -it kopano_server bash
root@kopano_server:/kopano/path# kopano-admin -c <username-to-add> -p<user-pass> -e <user-email> -f '<user's name>' -a 1
Unable to create user: action not supported by server (0x80040102)
Check server.log for details. Using the -v option (possibly multiple times) may give more hints.
Any suggestions on all of this would be much appreciated @fbartels !
-
@nfaction said in Cannot connect Nextcloud with Kopano Konnect:
This does not work. I get the self-signed cert warning, when I click through it just fails to resolve or just times out.
Without trying it I would guess the self-signed warning is since you proxy to an https endpoint with a self-signed certificate? If proxying to an ssl endpoint you need to give https in front of the address. There seems also to be a way to disable ssl verification. But since it's all internal it's probably the easiest to disable ssl in the nextcloud container?
https://caddy.community/t/best-way-to-reverse-proxy-to-self-signed-https-server/8742 looks like a relevant question from the Caddy forum.
@nfaction said in Cannot connect Nextcloud with Kopano Konnect:
by going to /var/lib/docker/volumes and modifying the file in the mount
I would rather exec into the container to modify the file from there, e.g. docker-compose exec kopano_konnect sh.
@nfaction said in Cannot connect Nextcloud with Kopano Konnect:
Provider returned an error: access_denied invalid redirect_uri: https://<nextcloud-dns-domainname>:7443/apps/sociallogin/custom_oidc/Kopano
In this way your OpenID application wants to tell you that this is the redirect_uri it expected, but which was not setup as a redirect_uri within the provider (so Konnect in this case). When you add the url like it is to the identifier registration then it will work. If it still does not work, then something else is wrong with your yaml file, but Konnect will tell you what it is when you restart it with logging set to debug.
@nfaction said in Cannot connect Nextcloud with Kopano Konnect:
Also, do you have any suggestions on how to create a new user?
That project is setup to use ldap for user management by default.
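A small model of the two checks fbartels describes above (an added example written for this thread, not Konnect's code): a client whose redirect target shares the issuer's exact origin is trusted implicitly, anything else must be registered, and a registered client's redirect_uri has to match character for character. The hostname and the registration dict are constructed.

```python
"""Model of the "unknown client_id" and "invalid redirect_uri" errors seen
in this thread. The rules follow fbartels' explanation, not Konnect's source:
implicit trust only for the issuer's own origin (scheme, host, port), exact
redirect_uri matching for registered clients."""
from urllib.parse import urlsplit

# Constructed issuer and registration, shaped like the clients block posted above.
ISSUER = "https://cloud.example.test"
REGISTRATION = {
    "clients": [
        {
            "id": "nextcloud",
            "trusted": True,
            "redirect_uris": [
                "https://cloud.example.test:7443/apps/sociallogin/custom_oidc/Kopano",
            ],
        },
    ],
}


def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def authorize(issuer, registration, client_id, redirect_uri):
    """Return "ok" or the access_denied reason a provider would hand back."""
    registered = {c["id"]: c for c in registration["clients"]}
    if client_id not in registered:
        # Unregistered clients are accepted only when the redirect target is
        # the issuer's own origin; a different port (7443 vs 443) breaks this.
        if origin(redirect_uri) == origin(issuer):
            return "ok"
        return f"access_denied unknown client_id: {client_id}"
    # Registered clients get an exact string match: no prefix matching, so
    # ".../index.php/apps/..." and ".../apps/..." are different URIs.
    if redirect_uri not in registered[client_id]["redirect_uris"]:
        return f"access_denied invalid redirect_uri: {redirect_uri}"
    return "ok"


if __name__ == "__main__":
    path = "/apps/sociallogin/custom_oidc/Kopano"
    print(authorize(ISSUER, REGISTRATION, "Kopano", f"{ISSUER}:7443{path}"))
    print(authorize(ISSUER, REGISTRATION, "nextcloud", f"{ISSUER}:7443/index.php{path}"))
    print(authorize(ISSUER, REGISTRATION, "nextcloud", f"{ISSUER}:7443{path}"))
```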
-
@fbartels I was able to fix this, but not with any of the above suggestions. Caddy doesn’t want to work properly. I found the error. The documentation is wrong…
clients:
  - id: nextcloud
    name: Nextcloud
    application_type: web
    trusted: true
    insecure: yes
    redirect_uris:
      - https://<nextcloud-dns-domainname>:7443/apps/sociallogin/custom_oidc/Kopano
After removing the index.php it worked perfectly… Please correct the documentation to reflect that… See https://documentation.kopano.io/kopanocore_administrator_manual/configure_kc_components.html#using-kopano-konnect-to-sign-into-nextcloud under the redirect_uris section…
-
@nfaction said in Cannot connect Nextcloud with Kopano Konnect:
After removing the index.php it worked perfectly
Ah, that is a good point. In essence this depends on the php configuration of the Nextcloud system, but as it's anyway the better practice to not show any files with a php extension to the user, I have adapted the example shown.