Full Docker-Compose setup with Authentik OIDC and Caddy reverse proxy

[jicka]

After (happily!) spending a lot of time tweaking all the environment variables, I think I have gotten to a satisfying state of things and can now start using / testing opencloud. I pulled together knowledge from many different places and wanted to put it all together if anyone else is interested.

Please let me know if this is not relevant / should be posted somewhere else.

Questions and ideas for improvements are welcome !

Setup Overview

• Caddy (within a docker container) is used as reverse proxy
• Authentik (within a docker container) is used for OIDC authentification
• No LDAP is used. OIDC handles everything.
• The original opencloud-compose compose files are untouched. The idea is to be able to pull the repo in the future without having to rebuild everything manually.
• Opencloud and Collabora only at the moment. No anti-virus, no search.

Opencloud

To setup OIDC, I've created a new oidc-authentik.yml file within the idm folder. It expands the original compose file without having to touch it directly:

services:
  opencloud:
    environment:
      IDP_DOMAIN: ${IDP_DOMAIN}
      OC_OIDC_ISSUER: ${OC_OIDC_ISSUER}
      WEB_OIDC_CLIENT_ID: ${WEB_OIDC_CLIENT_ID}
      OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
      WEB_OIDC_SCOPE: "openid profile email groups offline_access" # Offline access prevents logouts as soon as the access token expires.
      OIDC_REDIRECT_URI: https://${OC_DOMAIN:-cloud.opencloud.test}
      
      OC_EXCLUDE_RUN_SERVICES: "idp"

      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
      PROXY_OIDC_SKIP_VERIFICATION: "false"

      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_AUTOPROVISION_CLAIM_USERNAME: "preferred_username"

      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "groups"
      
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
      GRAPH_USERNAME_MATCH: "none"
    volumes:
      - ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml # <-- This adds the proxy file defining group to role mappings

# It is necessary to give the network a name for the caddy compose file to be able to join this network.
networks:
  opencloud-net:
    name: opencloud-net

Within the config/opencloud folder, add the Authentik domain to csp.yaml under connect-src:

directives:
  # [...]
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    - 'https://${IDP_DOMAIN|keycloak.opencloud.test}/'
    - 'https://update.opencloud.eu/'
    - 'https://auth.example.com/' # <-- Add this line
# [...]

Within the config/opencloud folder, add the Authentik group to Opencloud role mapping to proxy.yaml (right at the top):

role_assignment:
  driver: oidc
  oidc_role_mapper:
    role_claim: groups
    role_mapping:
      - role_name: admin 
        claim_value: opencloud-admin # <-- Authentik group name
      - role_name: user
        claim_value: opencloud-user # <-- Authentik group name
      - role_name: guest
        claim_value: opencloud-guest # <-- Authentik group name
additional_policies:
# [...]

Finally, here is the full .env file. Note that at the bottom, the OIDC values are set:

INSECURE=true # We are behind a reverse proxy

# Setup:
# 	- Main docker compose file
# 	- Collabora compose file
# 	- Additional Opencloud compose file exposing ports to the reverse proxy
# 	- Additional Collabora compose file exposing ports to the reverse proxy
# 	- New OIDC-specific compose file
COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml:idm/oidc-authentik.yml

OC_DOCKER_IMAGE=opencloudeu/opencloud-rolling
OC_DOCKER_TAG=latest
OC_DOMAIN=cloud.example.com # <-- Change
DEMO_USERS=false
INITIAL_ADMIN_PASSWORD=XXXXXXXXXXXXXXXXXX # <-- strong password
LOG_LEVEL=warning
LOG_PRETTY=true # <-- helps following the logs when settings things up.
OC_CONFIG_DIR=/SPECIFIC/FOLDER/FOR/config/ # <-- Change
OC_DATA_DIR=/SPECIFIC/FOLDER/FOR/data/ # <-- Change
OC_APPS_DIR=/SPECIFIC/FOLDER/FOR/apps/ # <-- Change
COLLABORA_DOMAIN=collabora.example.com # <-- Change
WOPISERVER_DOMAIN=wopi.example.com # <-- Change
COLLABORA_ADMIN_USER=admin
COLLABORA_ADMIN_PASSWORD=XXXXXXXXXXXXXXXXXX # <-- strong password
COLLABORA_SSL_ENABLE=false
COLLABORA_SSL_VERIFICATION=false

COMPOSE_PATH_SEPARATOR=:

### User Settings ###
# These are not present in the current .env file but I want them to be visible

OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=true
OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true

# OC_PASSWORD_POLICY_DISABLED=
# OC_PASSWORD_POLICY_MIN_CHARACTERS=
# OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS=
# OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS=
# OC_PASSWORD_POLICY_MIN_DIGITS=
# OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS=


### OIDC ###

IDP_DOMAIN=auth.example.com # <-- Change
OC_OIDC_ISSUER=https://auth.example.com/application/o/opencloud/ # <-- Change domain
WEB_OIDC_CLIENT_ID=YYYYYYYYYYYYYYYYYYYYYYYY # <-- Client ID from Authentik provider

OIDC_CLIENT_SECRET=XXXXXXXXXXXXXXXXXXXXXXX # This doesn't do anything as far as I can tell, as Authentik has to be configured as a public client type.

Caddy

The caddy setup is very simple. Here is the relevant portion of the caddyfile:

cloud.example.com {
	reverse_proxy opencloud:9200
}
collabora.example.com {
	reverse_proxy collabora:9980
}
wopi.example.com {
	reverse_proxy collaboration:9300
}

The caddy container needs to be on the same network as the opencloud containers. The following lines are therefore added to the caddy compose.yml. This allows the caddyfile to reference the other containers as hosts.

services:
  caddy:
    # [...]
    networks:
      opencloud-net:
# [...]
opencloud-net:
    name: opencloud-net
    external: true

Authentik

First, create groups that will give access to opencloud, with a specific role:

1. opencloud-admin
2. opencloud-user
3. opencloud-guest

Then create an application with provider. Here are the relevant settings:
slug: opencloud
Provider type: Oauth2 / OpenID
Client type: Public
Redirect URIs / Origins:

• (Strict): https://cloud.example.com/
• (Strict): https://cloud.example.com/oidc-callback.html
• (Strict): https://cloud.example.com/oidc-silent-redirect.html

Scopes:

• email
• offline_access
• openid
• profile

Policy / Group / User Bindings: Add the three groups previously created

Other providers

While not in use, here are the client IDs and redirect URIs / Origins for the other client types:
Android:

• Client ID: OpenCloudAndroid
• (Strict): oc://android.opencloud.eu

iOS:

• Client ID: OpenCloudIOS
• (Strict): oc://ios.opencloud.eu

Desktop:

• Client ID: OpenCloudDesktop
• (Regex): http://127.0.0.1.*
• (Regex): http://localhost.*

EDIT 2025-11-22: Added caddy container to the opencloud-net network for direct intercontainer networking without the host. This is now necessary as the standard external-proxy compose files only bind the port to the container localhost. Removed limitation about apps as they now work (Thank you Ni0ki for the guidance!)

[ni0ki]

Huge thanks! This helped me setting up my instance.
The only modification I've made compared to your setup is the following:
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
as I'm not signing the JWT.

I also emphasize the fact that roles are needed, not only groups. That's what I was stuck on.

[jicka]

Interesting. I did in fact not have to setup any roles and only used groups. Not saying one solution is better than the other.
In the OIDC compose file, I make sure the groups claim get pulled by opencloud:

      WEB_OIDC_SCOPE: "openid profile email groups offline_access" # Offline access prevents logouts as soon as the access token expires.

In proxy.yaml, I use the groups claim to select the user level:

role_assignment:
  driver: oidc
  oidc_role_mapper:
    role_claim: groups # <-- This tells Authentik to look inside the groups claim that is getting pulled from above.
    role_mapping:
      - role_name: admin 
        claim_value: opencloud-admin # <-- Authentik group name
      - role_name: user
        claim_value: opencloud-user # <-- Authentik group name
      - role_name: guest
        claim_value: opencloud-guest # <-- Authentik group name
additional_policies:
# [...]

Finally, in Authentik:
In the application: All three groups (opencloud-admin, opencloud-user, opencloud-guest) are bound to the "OpenCloud Web" application.
In the provider: The following scopes are set. profile is important, as it is the mapping containing the groups claim:

As said above, this only works for me on the web client. If anyone has managed to get the apps working, I'd love to get some help.

I hope it helps :)

[ni0ki]

@jicka Ah, weird, I'm using your config and this did not work. Maybe I've messed up somewhere else.
For the mobile / desktop apps, I was able to get them working by:

1. Not setting any kind of Signing key

2. Setting PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD to "none" (I've read that "jwt" breaks the apps)

3. Using this discussion: https://github.com/orgs/opencloud-eu/discussions/1014
   (Basically, setting three different apps / providers, one per platform).

Only caveat, changing the token verification method seems to create another bug: #1493, even despite having offline_access in WEB_OIDC_SCOPE

[jicka]

Interesting ! Then I must have made a tiny change that I forgot to document.
Thank you so much ! I've disabled signing and now the apps work ! Amazing !
I remember the logout bug. I've spent a few minutes inside opencloud and it hasn't manifested. Here's hoping ! :)

On an unrelated note: I just updated the description above so that it works with the newest compose files from the repo (adding direct intercontainer networking, which I should have done from the start).

[kapuett]

Big thanks to both of you, got it working in the end. I found at least two issues with my config, one was missing proxy volume mount on opencloud service:

  volumes:
      - ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml

and the other was a missing ENVIRONMENT var. I tried a few approaches for how to organize the opencloud deployment (I can see why it is setup the way it is but imo it is somewhat obscure and I prefer to have a deployment all in one file) and on the way I obviously dropped a few lines.

Can also confirm that it works without the roles config described above - sorry @ni0ki that you had to go through the effort of documenting it here!

I am still learning about OIDC - for the groups approach to work it seems that the Authentik user needs to belong to at least one of the groups created in Authentik. In my setup both share the same username.

[ni0ki]

Happy to know you've done it! I've edited my original answer to not mislead other people, and I'll have a look at my config.

[thokich]

Big Thanks of all here. It runs on Authentik 2025.10.2
or in my frankonia language "passt scho"

[Jammrock]

This is brilliant! Thank you all!!!!

For future reference. I was getting stuck at a redirect URL. I ended up adding this to the Authentik provider.

regex: https://cloud.example.com/web-oidc-callback

But I was playing with Confidential vs. Public at the time. I may have been my own worse enemy there, but adding that doesn't break anything so I left it in.

I am also using external Traefik instead of Caddy. Meaning my OpenCloud server is on a different VM than my Traefik server. To get Traefik working I am using:

.env

• Added external-proxy/opencloud-exposed.yml to COMPOSE_FILE. The listener needs to be on the ANY (0.0.0.0) address for Traefik to access the server.
• INSECURE=true since Traefik is on a different server. Though I may need to play with this more.

Added a opencloud.yaml file to a Traefik rules dir.

http:
    routers:
        opencloud-router:
          rule: "Host(`cloud.example.com`)" # <--- change this URL
          tls:
            certResolver: letsencrypt # <--- change this certResolver
          entryPoints:
            - websecure
          priority: 10
          service: opencloud-lb
        collabora-router:
          rule: "Host(`collabora.example.com`)" # <--- change this URL
          tls:
            certResolver: letsencrypt # <--- change this certResolver
          entryPoints:
            - websecure
          priority: 10
          service: collabora-lb
        wopiserver-router:
          rule: "Host(`wopiserver.example.com`)" # <--- change this URL
          tls:
            certResolver: letsencrypt # <--- change this certResolver
          entryPoints:
            - websecure
          priority: 10
          service: wopiserver-lb

    services:
        opencloud-lb:
          loadBalancer:
            servers:
              - url: http://<OC LAN IP>:9200 # <--- change this IP/URL
        collabora-lb:
          loadBalancer:
            servers:
              - url: http://<OC LAN IP>:9980 # <--- change this IP/URL
        wopiserver-lb:
          loadBalancer:
            servers:
              - url: http://<OC LAN IP>:9300 # <--- change this IP/URL

You can use the IP address of the OpenCloud server or an internally resolvable FQDN.

In traefik.yaml, I have the a file watcher set on the main traefik dir, which also catches stuff in the rules.

providers:
  docker:
    exposedByDefault: false
    endpoint: 'unix:///var/run/docker.sock'
    watch: true
  file:
    directory: /etc/traefik/
    watch: true

With a volume linking rules to a location Traefik will watch.

- /var/docker/traefik/data/rules/:/etc/traefik/rules/