
Integrate with ownCloud

Support level: Community

What is ownCloud?

ownCloud is a free and open-source software project for content collaboration and sharing and syncing of files.

-- https://owncloud.com

Preparation

The following placeholders are used in this guide:

  • owncloud.company is the FQDN of the ownCloud installation.
  • authentik.company is the FQDN of the authentik installation.

Info

This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.

This guide focuses on ownCloud Server deployments using Docker and the official ownCloud OpenID Connect (OIDC) app. If you deployed ownCloud Server using a different mechanism, the configuration file location and service management commands might differ.

authentik configuration

Redirect URI changes in authentik 2026.5

In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.

To support the integration of ownCloud with authentik, you need to create an application/provider pair for each ownCloud client type that should use OIDC: Web UI, Desktop, Android, and iOS.

ownCloud Server stores one OIDC provider URL in its configuration, but the ownCloud desktop and mobile clients use their own predefined client IDs, secrets, and redirect URIs. Use the values from this table when creating the authentik providers.

| ownCloud client | Client ID | Client Secret | Redirect URI |
| --- | --- | --- | --- |
| Web UI | Use the value generated by authentik. | Use the value generated by authentik. | Strict Authorization: https://owncloud.company/index.php/apps/openidconnect/redirect |
| Desktop | xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 | UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh | Regex Authorization: http://localhost(:[0-9]+)?(/.*)? and Regex Authorization: http://127.0.0.1(:[0-9]+)?(/.*)? |
| Android | e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD | dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD | Strict Authorization: oc://android.owncloud.com |
| iOS | mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1 | KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx | Strict Authorization: oc://ios.owncloud.com |

Create applications and providers

  1. Log in to authentik as an administrator and open the authentik Admin interface.
  2. Navigate to Applications > Applications and click New Application to open the application wizard. Repeat the wizard once for each ownCloud client type that you want to support.
    • Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings. For the Web UI application, note the Slug value because it is used as the <application_slug> value in the ownCloud configuration.
    • Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
    • Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
      • Client ID: enter the client ID from the table above.
      • Client Secret: enter the client secret from the table above.
      • Redirect URIs: add the redirect URI values from the table above.
      • Signing Key: select the same signing key for all ownCloud providers.
      • Advanced protocol settings > Scopes: select openid, profile, email, and offline_access.
    • Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
  3. Click Submit to save the new application and provider.
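
How the Strict and Regex redirect URI entries from the table above behave, as an added example that is not part of the authentik documentation. It assumes Strict entries are compared for exact equality and Regex entries must match the whole URI (Python `re.fullmatch`); the sample URIs are constructed.

```python
import re

# Redirect URI entries from the table above, as (matching mode, value).
ALLOWED = {
    "web": [("strict", "https://owncloud.company/index.php/apps/openidconnect/redirect")],
    "desktop": [
        ("regex", r"http://localhost(:[0-9]+)?(/.*)?"),
        ("regex", r"http://127.0.0.1(:[0-9]+)?(/.*)?"),
    ],
    "android": [("strict", "oc://android.owncloud.com")],
    "ios": [("strict", "oc://ios.owncloud.com")],
}


def is_allowed(client, redirect_uri):
    """Return True if redirect_uri matches an entry registered for client.

    Assumption: strict means exact string equality, regex means the
    pattern must match the entire URI (re.fullmatch).
    """
    for mode, value in ALLOWED[client]:
        if mode == "strict" and redirect_uri == value:
            return True
        if mode == "regex" and re.fullmatch(value, redirect_uri):
            return True
    return False


# Constructed sample requests: (client, redirect_uri presented by the client).
SAMPLES = [
    ("desktop", "http://localhost:43123/"),        # loopback, arbitrary port
    ("desktop", "http://127.0.0.1:8080/callback"),
    ("desktop", "https://localhost:43123/"),       # scheme differs
    ("desktop", "http://localhost.example.net/"),  # host only starts with "localhost"
    ("desktop", "http://127a0b0c1/"),              # unescaped "." matches any character
    ("web", "https://owncloud.company/index.php/apps/openidconnect/redirect"),
    ("web", "https://owncloud.company/index.php/apps/openidconnect/redirect/"),
    ("android", "oc://android.owncloud.com"),
]


def evaluate(samples=SAMPLES):
    """Return (client, uri, allowed) for every sample."""
    return [(client, uri, is_allowed(client, uri)) for client, uri in samples]


if __name__ == "__main__":
    for client, uri, ok in evaluate():
        print(f"{'ALLOW' if ok else 'DENY':5}  {client:8} {uri}")
```

Under these assumptions the `http://127a0b0c1/` sample is accepted because the dots in `127.0.0.1` are unescaped in the pattern; writing the entry as `http://127\.0\.0\.1(:[0-9]+)?(/.*)?` limits it to the literal loopback address.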

ownCloud configuration

Install the OpenID Connect app

  1. Log in to ownCloud as an administrator.
  2. Open the Market by navigating to https://owncloud.company/apps/market/#/, or by clicking the hamburger menu in the top-left corner of any page in ownCloud and selecting Market.
  3. Search for and enable the OpenID Connect app.

Configure the OpenID Connect app

The OpenID Connect app cannot be configured from the ownCloud UI. Configure it by adding settings to the ownCloud configuration file or by storing the same settings in the ownCloud database with occ. For clustered setups, ownCloud recommends database-backed app configuration.

The Docker Compose deployment from the ownCloud documentation mounts the files volume at /mnt/data inside the ownCloud container. In that deployment, place oidc.config.php in the /mnt/data/config directory. If your deployment stores ownCloud configuration elsewhere, place the file in the same directory as config.php.

Username changes

You can configure ownCloud to use either the sub or preferred_username claim as the UID field under search-attribute. When using preferred_username, disable the authentik Allow users to change username setting to prevent authentication issues if a username changes.

/mnt/data/config/oidc.config.php
<?php
$CONFIG = [
    'http.cookie.samesite' => 'None',
    'openid-connect' => [
        'provider-url' => 'https://authentik.company/application/o/<application_slug>/',
        'client-id' => '<Client ID from the authentik Web UI provider>',
        'client-secret' => '<Client Secret from the authentik Web UI provider>',
        'loginButtonName' => 'Log in with authentik',
        'mode' => 'userid',
        'search-attribute' => 'preferred_username',
    ],
];

To allow ownCloud to create users automatically when they first sign in with authentik, add the auto-provision block:

/mnt/data/config/oidc.config.php
<?php
$CONFIG = [
    'http.cookie.samesite' => 'None',
    'openid-connect' => [
        'provider-url' => 'https://authentik.company/application/o/<application_slug>/',
        'client-id' => '<Client ID from the authentik Web UI provider>',
        'client-secret' => '<Client Secret from the authentik Web UI provider>',
        'loginButtonName' => 'Log in with authentik',
        'mode' => 'userid',
        'search-attribute' => 'preferred_username',
        'auto-provision' => [
            'enabled' => true,
            'email-claim' => 'email',
            'display-name-claim' => 'name',
            'update' => [
                'enabled' => true,
            ],
        ],
    ],
];

The configuration above creates ownCloud users with the same username as their authentik username. To use the user's email address as the ownCloud username instead, remove the mode and search-attribute settings.

Email usernames in clients

Using email addresses as ownCloud usernames can make mobile clients display usernames in a format such as user@email.com@owncloud.company.

To make ownCloud redirect immediately to authentik from its login page, add autoRedirectOnLoginPage to the openid-connect configuration. Keep this disabled until you have tested OIDC login.

/mnt/data/config/oidc.config.php
<?php
$CONFIG = [
    'openid-connect' => [
        'autoRedirectOnLoginPage' => true,
    ],
];

Login redirect lockout

If autoRedirectOnLoginPage is enabled while OIDC is misconfigured, you can lock yourself out of the normal ownCloud login page. Disable the setting and restart ownCloud to restore the standard login page.

To force existing desktop, Android, and iOS client sessions to authenticate again with OIDC, set token_auth_enforced to true.

/mnt/data/config/oidc.config.php
<?php
$CONFIG = [
    'token_auth_enforced' => true,
];

Configure service discovery

To allow the ownCloud desktop, Android, and iOS clients to use OIDC, configure your reverse proxy to rewrite https://owncloud.company/.well-known/openid-configuration to https://owncloud.company/index.php/apps/openidconnect/config.

Do not configure this as an HTTP redirect. ownCloud clients expect the discovery document to be served directly from /.well-known/openid-configuration.
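
One way to check that the proxy serves the discovery document directly rather than redirecting, as an added example that is not part of the authentik or ownCloud documentation. The required-field list follows OpenID Connect Discovery, the function names are hypothetical, and the two sample responses are constructed.

```python
import http.client
import json

# Fields from OpenID Connect Discovery that a client needs to start a login.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint")


def fetch(host, path="/.well-known/openid-configuration"):
    """GET the path over HTTPS; http.client never follows redirects."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    return resp.status, headers, resp.read().decode("utf-8", "replace")


def check_discovery(status, headers, body):
    """Return a list of problems; an empty list means the response passes."""
    if 300 <= status < 400:
        return [f"HTTP {status} redirect to {headers.get('location', '?')}: "
                "proxy must rewrite internally, not redirect"]
    if status != 200:
        return [f"unexpected HTTP status {status}"]
    problems = []
    if "json" not in headers.get("content-type", "").lower():
        problems.append("Content-Type is not JSON")
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["body is not JSON"]
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    return problems


# Constructed sample responses (not captured from a real server).
REDIRECTED = (302, {"location": "https://owncloud.company/index.php/apps/openidconnect/config"}, "")
REWRITTEN = (200, {"content-type": "application/json"}, json.dumps({
    "issuer": "https://authentik.company/application/o/<application_slug>/",
    "authorization_endpoint": "https://authentik.company/application/o/authorize/",
    "token_endpoint": "https://authentik.company/application/o/token/",
}))

if __name__ == "__main__":
    print(check_discovery(*REDIRECTED))  # one problem: redirect instead of rewrite
    print(check_discovery(*REWRITTEN))   # no problems
```

Against a live deployment, pass the result of `fetch("owncloud.company")` to `check_discovery`.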

Configuration verification

To confirm that authentik is properly configured with ownCloud, open ownCloud and select the Log in with authentik option. A successful authentication redirects you to authentik and then returns you to ownCloud as a signed-in user.

If you configured service discovery, add a new connection in the ownCloud desktop or mobile app. The client should discover OIDC and send you through the authentik sign-in flow.
