# Nextcloud integration with Authentik OIDC

Link: [https://integrations.goauthentik.io/chat-communication-collaboration/nextcloud/](https://integrations.goauthentik.io/chat-communication-collaboration/nextcloud/)

On 09/04/2026

### What is Nextcloud

> Nextcloud is a suite of client-server software for creating and using file hosting services. Nextcloud is free and open-source, which means that anyone is allowed to install and operate it on their own private server devices.
> 
> -- [https://nextcloud.com/](https://nextcloud.com/)

  
**WARNING**

If you require [server side encryption](https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_configuration.html), you must use LDAP. OpenID and SAML will cause **irrevocable data loss**. Nextcloud server side encryption requires access to the user's cleartext password, which Nextcloud only has when using LDAP, because then the user enters their password directly into Nextcloud.

**CAUTION**

This setup only works when Nextcloud is running with HTTPS enabled. See [here](https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html?highlight=overwriteprotocol#overwrite-parameters) for how to configure this.

**INFO**

**If there is an issue with the configuration, you can still log in with Nextcloud's built-in authentication by visiting [https://nextcloud.company/login?direct=1](https://nextcloud.company/login?direct=1).**

#### Configuration methods

It is possible to configure Nextcloud to use OIDC, SAML, or LDAP for authentication. The upstream guide has a tab for each method; only the OIDC steps are reproduced on this page.

#### OIDC

##### Preparation

The following placeholders are used in this guide:

- `nextcloud.company` is the FQDN of the Nextcloud installation.
- `authentik.company` is the FQDN of the authentik installation.

##### Info

This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.  
  

Let's start by considering which user attributes need to be available in Nextcloud:

- name
- email
- unique user ID
- storage quota (optional)
- groups (optional)

authentik already provides some default *scopes* with *claims*, such as:

- `email` scope: includes `email` and `email_verified`
- `profile` scope: includes `name`, `given_name`, `preferred_username`, `nickname`, `groups`
- `openid` scope: a default required by the OpenID spec (contains no claims)

#### Create property mapping *(optional)*

If you do not need storage quota, group information, or to manage already existing users in Nextcloud, skip to the [next section](https://integrations.goauthentik.io/chat-communication-collaboration/nextcloud/#create-an-application-and-provider-in-authentik).  
If you want to control user storage and designate Nextcloud administrators, you will need to create a property mapping.

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property mappings** and click **Create**.
    - **Select type**: select **Scope mapping**.
    - **Create Scope Mapping**:
        - **Name**: `Nextcloud Profile`
        - **Scope name**: `nextcloud`
        - **Expression**:

            ```python
            # Extract all groups the user is a member of
            groups = [group.name for group in user.groups.all()]

            # In Nextcloud, administrators must be members of a fixed group called "admin".
            # If a user is an admin in authentik, ensure that "admin" is appended to their group list.
            if user.is_superuser and "admin" not in groups:
                groups.append("admin")

            return {
                "name": request.user.name,
                "groups": groups,
                # Set a quota by using the "nextcloud_quota" property in the user's attributes
                "quota": user.group_attributes().get("nextcloud_quota", None),
                # To connect an existing Nextcloud user, set "nextcloud_user_id" to the Nextcloud username.
                "user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)),
            }
            ```

3. Click **Finish**.

##### Info

To set a quota, define the `nextcloud_quota` attribute for individual users or groups. For example, setting it to `1 GB` will restrict the user to 1 GB of storage. If not set, storage is unlimited.

##### Info

To connect to an existing Nextcloud user, set the `nextcloud_user_id` attribute to match the Nextcloud username (found under the user's `Display name` in Nextcloud).
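To see what the mapping above actually emits before wiring it into a provider, here is an added, stand-alone reproduction of the expression. It is not authentik's code: `StubUser`, `StubGroup` and `StubGroupSet` are constructed stand-ins for the `user` object the authentik expression sandbox provides, and `group_attributes()` is assumed to merge group attributes with the user's own attributes taking precedence. The sample users are constructed too. The block also makes one edge case explicit: Nextcloud admin rights follow the literal group name `admin`, so an authentik group that happens to be called `admin` grants Nextcloud admin to its members whether or not they are superusers.

```python
from dataclasses import dataclass, field
from uuid import UUID, uuid4


class StubGroupSet(list):
    """Constructed stand-in for the Django manager behind `user.groups`."""

    def all(self):
        return self


@dataclass
class StubGroup:
    name: str
    attributes: dict = field(default_factory=dict)


@dataclass
class StubUser:
    """Constructed stand-in for authentik's `user` object inside a property mapping."""

    name: str
    is_superuser: bool = False
    groups: StubGroupSet = field(default_factory=StubGroupSet)
    attributes: dict = field(default_factory=dict)
    uuid: UUID = field(default_factory=uuid4)

    def group_attributes(self) -> dict:
        # Assumption: group attributes are merged first, then the user's own
        # attributes override them (a per-user quota beats a group quota).
        merged = {}
        for group in self.groups.all():
            merged.update(group.attributes)
        merged.update(self.attributes)
        return merged


def nextcloud_claims(user: StubUser) -> dict:
    """The `Nextcloud Profile` expression, verbatim apart from `request.user` -> `user`."""
    # Extract all groups the user is a member of
    groups = [group.name for group in user.groups.all()]

    # In Nextcloud, administrators must be members of a fixed group called "admin".
    # If a user is an admin in authentik, ensure that "admin" is appended to their group list.
    if user.is_superuser and "admin" not in groups:
        groups.append("admin")

    return {
        "name": user.name,
        "groups": groups,
        # Set a quota by using the "nextcloud_quota" property in the user's attributes
        "quota": user.group_attributes().get("nextcloud_quota", None),
        # To connect an existing Nextcloud user, set "nextcloud_user_id" to the Nextcloud username.
        "user_id": user.attributes.get("nextcloud_user_id", str(user.uuid)),
    }


def grants_nextcloud_admin(claims: dict) -> bool:
    """Nextcloud treats membership in the literal group "admin" as administrator."""
    return "admin" in claims["groups"]


# Constructed sample users
SUPERUSER = StubUser(name="Alice Admin", is_superuser=True)
STAFF_GROUP = StubGroup("staff", {"nextcloud_quota": "1 GB"})
EXISTING_USER = StubUser(
    name="Bob",
    groups=StubGroupSet([STAFF_GROUP]),
    attributes={"nextcloud_user_id": "bob", "nextcloud_quota": "5 GB"},
)
# Not a superuser, but a member of an authentik group that happens to be called "admin"
COLLISION_USER = StubUser(name="Carol", groups=StubGroupSet([StubGroup("admin")]))

if __name__ == "__main__":
    for u in (SUPERUSER, EXISTING_USER, COLLISION_USER):
        claims = nextcloud_claims(u)
        print(f"{u.name:12} admin={grants_nextcloud_admin(claims)!s:5} {claims}")
```

Running the block prints the claim set for each sample user. The third line is the one to watch: `Carol` is not an authentik superuser, yet her claims carry `admin`, so reserve the group name `admin` in authentik for people who should administer Nextcloud.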

#### Create an application and provider in authentik

1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
    - **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
    - **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
        - Note the **Client ID**, **Client Secret** and **slug** values because they will be required later.
        - Set a `Strict` redirect URI to `https://nextcloud.company/apps/user_oidc/code`.
        - Select any available signing key.
        - Under **Advanced protocol settings**:
            - *(optional)* If you created the `Nextcloud Profile` scope mapping, add it to **Selected Scopes**.
            - **Subject Mode**: `Based on the User's UUID`
    - **Configure Bindings** *(optional)*: you can create a [binding](https://docs.goauthentik.io/add-secure-apps/bindings-overview/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.

##### Info

Depending on your Nextcloud configuration, the callback Nextcloud sends may be `https://nextcloud.company/index.php/apps/user_oidc/code` rather than `https://nextcloud.company/apps/user_oidc/code`. A `Strict` redirect URI is compared as a whole, so register the form your instance actually uses.


#### Nextcloud configuration

1. In Nextcloud, ensure that the **OpenID Connect user backend** app (`user_oidc`) is installed.
2. Log in to Nextcloud as an administrator and navigate to **Settings** > **OpenID Connect**.
3. Click the **+** button and enter the following settings:
    - **Identifier**: `authentik`
    - **Client ID**: Client ID from authentik
    - **Client secret**: Client secret from authentik
    - **Discovery endpoint**: `https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration`
    - **Scope**: `email profile nextcloud openid` (drop `nextcloud` if you skipped the `Nextcloud Profile` property mapping)
    - Under **Attribute mappings**:
        - **User ID mapping**: `sub` (or `user_id` for existing users)
        - **Display name mapping**: `name`
        - **Email mapping**: `email`
        - **Quota mapping**: `quota` (leave blank if the `Nextcloud Profile` property mapping was skipped)
        - **Groups mapping**: `groups` (leave blank if the `Nextcloud Profile` property mapping was skipped)
          Tip: Enable **Use group provisioning** to allow writing to this field.
    - **Use unique user ID**: If this option is disabled, Nextcloud will use the mapped user ID as the Federated Cloud ID.

##### Info

If authentik and Nextcloud are running on the same host, you will need to add `'allow_local_remote_servers' => true` to your Nextcloud `config.php` file. This setting allows Nextcloud to contact remote servers with local addresses. Note that it is global: it also lets other Nextcloud features that fetch remote URLs reach local and private addresses, so prefer a routable hostname for authentik where you can.

##### Info

To avoid a hashed Federated Cloud ID, deselect **Use unique user ID** and use `user_id` for the User ID mapping.

##### Danger

If you're using the `Nextcloud Profile` property mapping and want administrators to retain their ability to log in, make sure that **Use unique user ID** is disabled. If this setting is enabled, Nextcloud will remove administrator users from the internal admin group and replace it with a hashed group ID named "admin", which does not have real administrative privileges.

#### Enabling OIDC back-channel logout

To automatically log users out of their Nextcloud sessions when they log out of authentik, enable back-channel logout.
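What happens on the wire once this is enabled, as an added illustration that is not code from authentik or the `user_oidc` app: authentik POSTs a signed `logout_token` JWT to the back-channel logout URL, and Nextcloud has to validate that token before ending the local session bound to its `sid` claim. The checks in `validate_logout_token` are the ones OpenID Connect Back-Channel Logout 1.0 (section 2.6) requires of the receiver. Assumptions: the token is signed with HS256 and a constructed shared secret so the example runs with the standard library only (authentik signs with the provider's RS256 signing key, which a real receiver verifies against the `jwks_uri` from the discovery document), the issuer uses an application slug of `nextcloud`, and the session store is a plain dict.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional

BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
ISSUER = "https://authentik.company/application/o/nextcloud/"  # assumption: app slug "nextcloud"
CLIENT_ID = "nextcloud-client-id"                                # constructed
SECRET = b"constructed-shared-secret-for-the-example-only"        # assumption: HS256 stands in for RS256


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- sender side: what the identity provider POSTs as `logout_token` ----
def build_logout_token(sid: str, now: Optional[int] = None, extra: Optional[dict] = None) -> str:
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "iat": now,
        "jti": str(uuid.uuid4()),           # unique per token, lets the receiver reject replays
        "events": {BACKCHANNEL_EVENT: {}},  # marks this JWT as a logout token, not an id_token
        "sid": sid,                         # the session to end; `sub` instead would end all of a user's sessions
    }
    claims.update(extra or {})              # only used below to build deliberately invalid tokens
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


# ---- receiver side: what Nextcloud must verify before acting on the token ----
def validate_logout_token(token: str, seen_jti: set, now: Optional[int] = None, max_skew: int = 300) -> dict:
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("iat"), int) or abs(now - claims["iat"]) > max_skew:
        raise ValueError("iat outside the accepted window")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise ValueError("not a back-channel logout token")
    if "nonce" in claims:
        raise ValueError("nonce is prohibited in logout tokens")
    if not claims.get("sub") and not claims.get("sid"):
        raise ValueError("either sub or sid is required")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims


def rejection_reason(token: str, seen_jti: set, now: Optional[int] = None) -> Optional[str]:
    """Why the receiver would reject the token, or None if it is acceptable."""
    try:
        validate_logout_token(token, seen_jti, now)
    except ValueError as exc:
        return str(exc)
    return None


def handle_backchannel_logout(sessions: dict, token: str, seen_jti: set, now: Optional[int] = None) -> int:
    """Validate the token, then end every local session bound to its `sid`; returns how many ended."""
    claims = validate_logout_token(token, seen_jti, now)
    doomed = [key for key, sess in sessions.items() if sess.get("sid") == claims.get("sid")]
    for key in doomed:
        del sessions[key]
    return len(doomed)


if __name__ == "__main__":
    # Constructed session store: Nextcloud session cookie -> IdP session id (sid) seen in the id_token
    sessions = {"nc-cookie-1": {"user": "bob", "sid": "sid-123"}, "nc-cookie-2": {"user": "carol", "sid": "sid-456"}}
    token = build_logout_token("sid-123")
    print("ended:", handle_backchannel_logout(sessions, token, set()), "remaining:", list(sessions))
```

The receiver-side order matters: the signature is checked before any claim is read, the `alg` is pinned rather than taken from the header, and `jti` values are remembered so a captured logout token cannot be replayed to knock the same user out again later. A logout token that carries `nonce` is rejected because that is how an id_token is distinguished from a logout token.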

1. Log in to Nextcloud as an administrator and navigate to **Settings** > **OpenID Connect**.
2. Under **Registered Providers**, locate the provider with the identifier used earlier.
3. Copy the `back-channel-logout-URL` value for that provider.
    For example: `https://nextcloud.company/apps/user_oidc/backchannel-logout/<identifier>`
4. In authentik, navigate to **Applications** > **Providers** and edit the Nextcloud provider.
5. Under **Protocol Settings**, set the **Logout URI** to the copied back-channel logout URL.
6. Set the **Logout Method** to `Back-channel`.

#### Making OIDC the default login method

Automatically redirect users to authentik when they access Nextcloud by running one of the following commands on your Nextcloud docker host. The container name `nextcloud-aio-nextcloud` is the one used by the Nextcloud AIO image; adjust the name (or drop `docker exec` and run `occ` directly) for other deployments.

Option 1 (redirect straight to the authentik login screen):

```bash
sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set --value=0 user_oidc allow_multiple_user_backends
```

Option 2 (keep the Nextcloud login screen, with authentik offered alongside it):

```bash
sudo docker exec --user www-data -it nextcloud-aio-nextcloud php occ config:app:set --value=1 user_oidc allow_multiple_user_backends
```

With option 1 the built-in login stays reachable through `/login?direct=1`, as noted at the top of this page.

#### Configuration verification

To confirm that authentik is correctly configured with Nextcloud, log out and then log back in by clicking **OpenID Connect**. You'll then be redirected to authentik to log in, and once authentication is successful, you'll reach the Nextcloud dashboard.
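Before clicking through the login, it is worth checking the two values that most often break this integration: the discovery document behind the **Discovery endpoint**, and the exact redirect URI. The following pre-flight script is an added example, not code from authentik or Nextcloud. The discovery document is constructed inline in the shape authentik serves; the application slug `nextcloud` and the assumption that authentik lists the scope names of the mappings attached to the provider under `scopes_supported` are mine. Redirect matching mirrors authentik's `Strict` mode, which is an exact string comparison, so the `index.php` variant mentioned in the provider section fails unless it is the form that was registered.

```python
import json
from urllib.parse import urlsplit

APP_SLUG = "nextcloud"  # assumption: the slug of the authentik application created above
EXPECTED_ISSUER = f"https://authentik.company/application/o/{APP_SLUG}/"
SCOPE_SETTING = "email profile nextcloud openid"  # the Scope field entered in Nextcloud
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

# Constructed discovery document in the shape authentik serves at
# https://authentik.company/application/o/<slug>/.well-known/openid-configuration
_BASE = {
    "issuer": EXPECTED_ISSUER,
    "authorization_endpoint": "https://authentik.company/application/o/authorize/",
    "token_endpoint": "https://authentik.company/application/o/token/",
    "userinfo_endpoint": "https://authentik.company/application/o/userinfo/",
    "jwks_uri": f"https://authentik.company/application/o/{APP_SLUG}/jwks/",
    "scopes_supported": ["openid", "email", "profile", "nextcloud"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
DISCOVERY_OK = json.dumps(_BASE)
# Same document, but served by a provider whose slug does not match the configured endpoint
DISCOVERY_WRONG_SLUG = json.dumps({**_BASE, "issuer": "https://authentik.company/application/o/nextcloud-old/"})
# Same document, but from a provider without the Nextcloud Profile mapping attached
DISCOVERY_NO_MAPPING = json.dumps({**_BASE, "scopes_supported": ["openid", "email", "profile"]})


def check_discovery(doc_json: str, expected_issuer: str, scope_setting: str) -> list:
    """Return the problems found; an empty list means the document fits the settings above."""
    doc = json.loads(doc_json)
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}: check the slug and trailing slash")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    # Assumption: authentik advertises the scope names of the mappings attached to the provider
    for scope in scope_setting.split():
        if scope not in doc.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised: attach its scope mapping or drop it from the Scope field")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises no RS256 signing: select a signing key on the provider")
    return problems


def nextcloud_redirect_uris(base_url: str) -> list:
    """Both callback forms Nextcloud may send, depending on whether index.php is rewritten away."""
    base_url = base_url.rstrip("/")
    return [f"{base_url}/apps/user_oidc/code", f"{base_url}/index.php/apps/user_oidc/code"]


def strict_redirect_allowed(registered: str, sent: str) -> bool:
    """authentik's Strict redirect mode is an exact comparison: no prefix, no regex, no normalization."""
    return registered == sent


if __name__ == "__main__":
    print(check_discovery(DISCOVERY_OK, EXPECTED_ISSUER, SCOPE_SETTING) or "discovery document: OK")
    print(check_discovery(DISCOVERY_NO_MAPPING, EXPECTED_ISSUER, SCOPE_SETTING))
    registered = "https://nextcloud.company/apps/user_oidc/code"
    for uri in nextcloud_redirect_uris("https://nextcloud.company"):
        print(uri, "->", "allowed" if strict_redirect_allowed(registered, uri) else "rejected by Strict match")
```

Against a live deployment, replace `DISCOVERY_OK` with the body fetched from the configured discovery endpoint; an issuer mismatch usually means the slug in the endpoint URL differs from the application's slug, and a missing `nextcloud` scope means the `Nextcloud Profile` mapping was created but never added to the provider's **Selected Scopes**.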

#### Resources

- [Nextcloud docs - User authentication with LDAP](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html)
- [Nextcloud OIDC App - User Documentation](https://github.com/H2CK/oidc/wiki/User-Documentation)