Improve OpenCloud ↔ Authelia integration for small self-hosted deployments
Is your feature request related to a problem? Please describe.
Authelia is a very good fit for small self-hosted deployments because it provides OIDC and MFA while remaining lightweight.
However, the current OpenCloud ↔ Authelia integration still has several practical limitations.
Logout synchronization
Logging out from OpenCloud does not properly terminate the Authelia session.
As a result, users may believe they are fully logged out while their IdP session remains active.
User management fragmentation
Authelia does not provide a WebUI for day-to-day user administration.
For small deployments, user administration becomes fragmented between OpenCloud and the external IdP.
OpenCloud already provides user and group management capabilities, while Authelia focuses on authentication and MFA.
This creates administrative duplication and increases the risk of inconsistencies.
Groups / roles synchronization
Group and role synchronization should be reliable and predictable.
This is especially important for OpenCloud roles and Spaces access control.
In my tests, group/role mapping through OIDC claims did not behave reliably over time and could become desynchronized between OpenCloud and the IdP.
The issue seems to be around OpenCloud depending on OIDC claims such as groups for role assignment, while not having a clear and consistent synchronization model when group membership changes in the IdP.
Client consistency
The role/group mapping should behave consistently across Web, Desktop, Android and iOS clients.
There are already reports where some clients do not request or receive the expected groups claim, causing role mapping failures such as missing roles in user claims.
This makes OIDC-based role assignment fragile for real deployments.
Describe the solution you'd like
A more complete and reliable integration path between OpenCloud and lightweight OIDC providers such as Authelia.
Ideally:
- logout is synchronized correctly between OpenCloud and the IdP;
- user administration remains simple and does not require maintaining users in multiple places;
- OpenCloud and Authelia remain consistent regarding users, groups and roles;
- group and role mappings remain reliable over time;
- permissions and Spaces access behave predictably;
- Web, Desktop and mobile clients behave the same way.
Describe alternatives you've considered
Keycloak provides a more complete IAM solution, but it is significantly heavier for small deployments.
One of OpenCloud's strengths is its lightweight architecture, and Authelia appears to be a natural fit for small self-hosted installations that require OIDC and MFA without introducing a full IAM platform.
Additional context
This request is based on real-world testing of an OpenCloud + Authelia deployment.
The goal is not to replace external identity providers, but to make OpenCloud's integration with lightweight OIDC providers more reliable and easier to operate for small deployments.