[Feature Request] Support split internal/external OIDC issuer URLs for reverse proxy setups

[herrschmidt]

Problem

OpenCloud currently requires the container to reach itself via the external HTTPS URL to validate the OIDC configuration. This fails when the reverse proxy (Traefik, Nginx, Caddy) runs on a different host, which is a common setup in homelab environments using Tailscale, Wireguard, or similar VPN solutions.

Current Behavior

Setup:

Browser → VPS (Traefik on Port 443)
              ↓ (via Tailscale/VPN: 100.x.x.x)
         Homelab Server (OpenCloud Container on Port 9200)

Configuration:

environment:
  OC_URL: https://cloud.example.com
  OCIS_OIDC_ISSUER: https://cloud.example.com
  PROXY_HTTP_ADDR: "0.0.0.0:9200"
  PROXY_TLS: "false"

Error:

{"level":"error","service":"proxy","error":"Get \"https://cloud.example.com/.well-known/openid-configuration\": dial tcp 127.0.0.1:443: connect: connection refused","handler":"oidc wellknown rewrite","url":"https://cloud.example.com/.well-known/openid-configuration","time":"2025-10-29T19:49:46Z","message":"get information from url failed"}

Root Cause:

• Container tries to reach https://cloud.example.com (external URL)
• Domain resolves on VPS, not on homelab server
• Container cannot reach localhost:443 (only listens on port 9200)
• Traefik on homelab server doesn't know about cloud.example.com (domain is only configured on VPS)

Attempted Workarounds (all failed)

1. extra_hosts with localhost

extra_hosts:
  - "cloud.example.com:127.0.0.1"

Result: Connection refused (no service on port 443)

2. extra_hosts with VPS IP

extra_hosts:
  - "cloud.example.com:100.x.x.x"  # VPS Tailscale IP

Result: Timeout loop (Container → VPS → Container → ...)

3. PROXY_OIDC_REWRITE_WELLKNOWN: "true"

Result: Only helps with client discovery, container still makes internal calls to external URL

4. HTTP OIDC Issuer

OCIS_OIDC_ISSUER: http://localhost:9200

Result: Variable is ignored, container still uses external HTTPS URL

---

Proposed Solutions

Solution 1: Split Issuer URLs (Preferred)

Add support for separate internal/external OIDC issuer URLs:

environment:
  # For external clients (browsers, desktop apps)
  OC_URL: https://cloud.example.com
  OCIS_OIDC_ISSUER: https://cloud.example.com
  
  # NEW: For internal container communication
  OCIS_OIDC_ISSUER_INTERNAL: http://localhost:9200

How it would work:

• Container uses OCIS_OIDC_ISSUER_INTERNAL for self-checks
• Clients receive OCIS_OIDC_ISSUER (external URL) in .well-known/openid-configuration
• OIDC tokens remain valid (same issuer for clients)

Precedent: Keycloak, Authentik, and other OIDC providers already support this pattern:

# Keycloak example
KEYCLOAK_FRONTEND_URL: https://auth.example.com  # For clients
KC_HOSTNAME: localhost:8080                      # For internal calls

Solution 2: Proxy-Aware Mode

Add option to skip external OIDC self-checks when behind reverse proxy:

environment:
  PROXY_TRUSTED_PROXIES: "100.x.x.x,172.20.0.0/16"
  
  # NEW: Skip external OIDC validation
  OCIS_SKIP_OIDC_SELF_CHECK: "true"

How it would work:

• Container trusts reverse proxy configuration
• No external calls to validate OIDC setup
• Relies on X-Forwarded-* headers from trusted proxies

Solution 3: Flexible OIDC Issuer Aliases

Allow container to accept multiple issuer URLs as valid:

environment:
  OCIS_OIDC_ISSUER: https://cloud.example.com
  
  # NEW: Accept these URLs as valid issuers too
  OCIS_OIDC_ISSUER_ALIASES: "http://localhost:9200,http://opencloud:9200"

How it would work:

• Tokens with iss: https://cloud.example.com remain valid
• Container also accepts iss: http://localhost:9200 for internal calls
• No breaking changes for clients

---

Why This Matters

Common Use Cases

1. Homelab with VPS Reverse Proxy

   • VPS has public IP and handles SSL termination
   • Services run on homelab server (no public IP)
   • Connected via Tailscale/Wireguard VPN

2. Multi-Server Deployments

   • Reverse proxy on dedicated edge server
   • Application servers in private network
   • Common in enterprise and cloud environments

3. Docker Swarm/Kubernetes

   • Ingress controller on different nodes
   • Application pods on worker nodes
   • Service mesh routing

Comparison with Other Solutions

Nextcloud: ✅ Works perfectly

'overwrite.cli.url' => 'https://cloud.example.com',  # For clients
'trusted_proxies' => ['172.20.0.0/16'],              # For proxy
# Nextcloud doesn't make external calls to itself!

Seafile: ✅ Works perfectly

SERVICE_URL = https://seafile.example.com  # For clients
FILE_SERVER_ROOT = http://localhost:8082   # For internal calls

OpenCloud: ❌ Currently doesn't work

---

Environment

• OpenCloud Version: opencloudeu/opencloud-rolling:latest
• Deployment: Docker Compose via Dokploy
• Reverse Proxy: Traefik 3.x (on different host)
• Network: Tailscale VPN
• OS: Ubuntu 24.04 LTS

---

Additional Context

Related Discussions

Multiple users have reported this issue, and maintainers acknowledge the problem but no solution exists:

• config.json fehlt #363 - Caddy Reverse Proxy (Maintainer confirmed: "OC_URL must point to public URL. This URL must also resolve from within the OpenCloud container.")
• Looking into OpenCloud and just wondering if anyone's got it working with Tailscale via TSDProxy? #1647 - Tailscale via TSDProxy (Maintainer: "All domains need to be reachable from the outside world and from within the opencloud docker container. As long as that is guaranteed, this should work.")
• opencloud behind NGINX REVERSE PROXY #1610 - Nginx Reverse Proxy (no solution for split-host setup)
• OpenCloud behind Caddy Reverse Proxy: Login not possible #1042 - Similar issue with Caddy (already referenced)
• Getting OpenCloud to work with External SSO/OIDC (Authentik) #835 - OIDC with external SSO (related authentication issues)

Key insight: Maintainers acknowledge that the container must reach the external URL, but no workaround or configuration option exists for split-host setups where the reverse proxy runs on a different server via Tailscale/VPN/WireGuard.

Documentation

• OIDC spec requires issuer URL to be reachable, but doesn't specify it must be the same URL for internal/external access
• Many OIDC providers support split URLs for exactly this reason

[micbar]

@tbsbdr @rhafer FYI

Does that make sense?