Integrate with ownCloud
Support level: Community
What is ownCloud?
ownCloud is a free and open-source software project for content collaboration and sharing and syncing of files.
Preparation
The following placeholders are used in this guide:
- owncloud.company is the FQDN of the ownCloud installation.
- authentik.company is the FQDN of the authentik installation.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
This guide focuses on ownCloud Server deployments using Docker and the official ownCloud OpenID Connect (OIDC) app. If you deployed ownCloud Server using a different mechanism, the configuration file location and service management commands might differ.
authentik configuration
In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.
To support the integration of ownCloud with authentik, you need to create an application/provider pair for each ownCloud client type that should use OIDC: Web UI, Desktop, Android, and iOS.
ownCloud Server stores one OIDC provider URL in its configuration, but the ownCloud desktop and mobile clients use their own predefined client IDs, secrets, and redirect URIs. Use the values from this table when creating the authentik providers.
| ownCloud client | Client ID | Client Secret | Redirect URI |
|---|---|---|---|
| Web UI | Use the value generated by authentik. | Use the value generated by authentik. | Strict Authorization: https://owncloud.company/index.php/apps/openidconnect/redirect |
| Desktop | xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 | UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh | Regex Authorization: http://localhost(:[0-9]+)?(/.*)? and Regex Authorization: http://127.0.0.1(:[0-9]+)?(/.*)? |
| Android | e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD | dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD | Strict Authorization: oc://android.owncloud.com |
| iOS | mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1 | KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx | Strict Authorization: oc://ios.owncloud.com |
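
The two Desktop regex entries from the table, checked against constructed URIs as an added example (not authentik or ownCloud code). It assumes a regex redirect URI has to match the whole URI, and shows what changes when the dots in 127.0.0.1 are escaped; ESCAPED_PATTERNS and the candidate URIs are constructed here.

```python
import re

# Regex redirect URIs for the Desktop client, copied from the table above.
PAGE_PATTERNS = [
    r"http://localhost(:[0-9]+)?(/.*)?",
    r"http://127.0.0.1(:[0-9]+)?(/.*)?",
]
# Added variant (not from the page): literal dots escaped.
ESCAPED_PATTERNS = [
    r"http://localhost(:[0-9]+)?(/.*)?",
    r"http://127\.0\.0\.1(:[0-9]+)?(/.*)?",
]
# Constructed redirect URIs to audit.
CANDIDATES = [
    "http://localhost:53124/",          # loopback listener, random port
    "http://127.0.0.1:53124/callback",  # loopback by address
    "http://127.0.0.1",                 # no port, no path
    "https://localhost:53124/",         # wrong scheme
    "http://localhost.example.test/",   # loopback name used as a prefix only
    "http://127a0b0c1:53124/",          # "." in the pattern matched other characters
]

def accepted(uri, patterns):
    """True when any pattern matches the whole URI (assumed semantics)."""
    return any(re.fullmatch(p, uri) for p in patterns)

def audit(patterns):
    """Map each candidate URI to whether the pattern set accepts it."""
    return {uri: accepted(uri, patterns) for uri in CANDIDATES}

def widened(loose, strict):
    """URIs the loose set accepts that the strict set rejects."""
    return [u for u in CANDIDATES if accepted(u, loose) and not accepted(u, strict)]
```

Both pattern sets accept the loopback URIs the desktop client uses; widened(PAGE_PATTERNS, ESCAPED_PATTERNS) lists what the unescaped dots additionally let through.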
Create applications and providers
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard. Repeat the wizard once for each ownCloud client type that you want to support.
  - Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. For the Web UI application, note the Slug value because it is used as the <application_slug> value in the ownCloud configuration.
  - Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
  - Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
    - Client ID: enter the client ID from the table above.
    - Client Secret: enter the client secret from the table above.
    - Redirect URIs: add the redirect URI values from the table above.
    - Signing Key: select the same signing key for all ownCloud providers.
    - Advanced protocol settings > Scopes: select openid, profile, email, and offline_access.
  - Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
ownCloud configuration
Install the OpenID Connect app
- Log in to ownCloud as an administrator.
- Open the Market by navigating to https://owncloud.company/apps/market/#/, or by clicking the hamburger menu in the top-left corner of any page in ownCloud and selecting Market.
- Search for and enable the OpenID Connect app.
Configure the OpenID Connect app
The OpenID Connect app cannot be configured from the ownCloud UI. Configure it by adding settings to the ownCloud configuration file or by storing the same settings in the ownCloud database with occ. For clustered setups, ownCloud recommends database-backed app configuration.
The Docker Compose deployment from the ownCloud documentation mounts the files volume at /mnt/data inside the ownCloud container. In that deployment, place oidc.config.php in the /mnt/data/config directory. If your deployment stores ownCloud configuration elsewhere, place the file in the same directory as config.php.
You can configure ownCloud to use either the sub or preferred_username claim as the UID field under search-attribute. When using preferred_username, disable the authentik Allow users to change username setting to prevent authentication issues if a username changes.
```php
<?php
$CONFIG = [
    'http.cookie.samesite' => 'None',
    'openid-connect' => [
        'provider-url' => 'https://authentik.company/application/o/<application_slug>/',
        'client-id' => '<Client ID from the authentik Web UI provider>',
        'client-secret' => '<Client Secret from the authentik Web UI provider>',
        'loginButtonName' => 'Log in with authentik',
        'mode' => 'userid',
        'search-attribute' => 'preferred_username',
    ],
];
```
To allow ownCloud to create users automatically when they first sign in with authentik, add the auto-provision block:
```php
<?php
$CONFIG = [
    'http.cookie.samesite' => 'None',
    'openid-connect' => [
        'provider-url' => 'https://authentik.company/application/o/<application_slug>/',
        'client-id' => '<Client ID from the authentik Web UI provider>',
        'client-secret' => '<Client Secret from the authentik Web UI provider>',
        'loginButtonName' => 'Log in with authentik',
        'mode' => 'userid',
        'search-attribute' => 'preferred_username',
        'auto-provision' => [
            'enabled' => true,
            'email-claim' => 'email',
            'display-name-claim' => 'name',
            'update' => [
                'enabled' => true,
            ],
        ],
    ],
];
```
The configuration above creates ownCloud users with the same username as their authentik username. To use the user's email address as the ownCloud username instead, remove the mode and search-attribute settings.
Using email addresses as ownCloud usernames can make mobile clients display usernames in a format such as user@email.com@owncloud.company.
To make ownCloud redirect immediately to authentik from its login page, add autoRedirectOnLoginPage to the openid-connect configuration. Keep this disabled until you have tested OIDC login.
```php
<?php
$CONFIG = [
    'openid-connect' => [
        'autoRedirectOnLoginPage' => true,
    ],
];
```
If autoRedirectOnLoginPage is enabled while OIDC is misconfigured, you can lock yourself out of the normal ownCloud login page. Disable the setting and restart ownCloud to restore the standard login page.
To force existing desktop, Android, and iOS client sessions to authenticate again with OIDC, set token_auth_enforced to true.
```php
<?php
$CONFIG = [
    'token_auth_enforced' => true,
];
```
Configure service discovery
To allow the ownCloud desktop, Android, and iOS clients to use OIDC, configure your reverse proxy to rewrite https://owncloud.company/.well-known/openid-configuration to https://owncloud.company/index.php/apps/openidconnect/config.
Do not configure this as an HTTP redirect. ownCloud clients expect the discovery document to be served directly from /.well-known/openid-configuration.
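
A check for this requirement, as an added example that is not part of the ownCloud or authentik documentation: it requests the discovery path without following redirects and inspects what comes back. The slug owncloud, the expected issuer (which assumes ownCloud relays the authentik discovery document unchanged), and the sample document are assumptions constructed for illustration.

```python
import json
import urllib.error
import urllib.request

DISCOVERY_PATH = "/.well-known/openid-configuration"
# Assumption: ownCloud relays authentik's discovery document, so the issuer
# is the provider-url value with the real slug filled in ("owncloud" here).
EXPECTED_ISSUER = "https://authentik.company/application/o/owncloud/"
# Constructed sample body, trimmed to the fields this check reads.
SAMPLE_OK = json.dumps({
    "issuer": EXPECTED_ISSUER,
    "authorization_endpoint": "https://authentik.company/application/o/authorize/",
    "token_endpoint": "https://authentik.company/application/o/token/",
    "jwks_uri": "https://authentik.company/application/o/owncloud/jwks/",
}).encode()

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as errors instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def check_discovery(status, body, expected_issuer=EXPECTED_ISSUER):
    """Return a list of problems; an empty list means clients can use it."""
    if 300 <= status < 400:
        return [f"HTTP {status}: redirect, but clients need the document served directly"]
    if status != 200:
        return [f"HTTP {status}: discovery document not served"]
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not JSON; the rewrite target is probably wrong"]
    if not isinstance(doc, dict):
        return ["body is JSON but not an object"]
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"unexpected issuer {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    return problems

def fetch_and_check(base_url, expected_issuer=EXPECTED_ISSUER):
    """Fetch the live endpoint without following redirects, then check it."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + DISCOVERY_PATH, timeout=10) as resp:
            return check_discovery(resp.status, resp.read(), expected_issuer)
    except urllib.error.HTTPError as err:
        return check_discovery(err.code, err.read(), expected_issuer)
```

Run fetch_and_check("https://owncloud.company") from a machine that reaches ownCloud through the reverse proxy; an empty list means the rewrite serves the document directly.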
Configuration verification
To confirm that authentik is properly configured with ownCloud, open ownCloud and select the Log in with authentik option. A successful authentication redirects you to authentik and then returns you to ownCloud as a signed-in user.
If you configured service discovery, add a new connection in the ownCloud desktop or mobile app. The client should discover OIDC and send you through the authentik sign-in flow.