Improve OpenCloud ↔ Authelia integration for small self-hosted deployments #2997

Description

@davipro34

Is your feature request related to a problem? Please describe.

Authelia is a very good fit for small self-hosted deployments because it provides OIDC and MFA while remaining lightweight.

However, the current OpenCloud ↔ Authelia integration still has several practical limitations.

Logout synchronization

Logging out from OpenCloud does not properly terminate the Authelia session.

As a result, users may believe they are fully logged out while their IdP session remains active.

User management fragmentation

Authelia does not provide a WebUI for day-to-day user administration.

For small deployments, user administration becomes fragmented between OpenCloud and the external IdP.

OpenCloud already provides user and group management capabilities, while Authelia focuses on authentication and MFA.

This creates administrative duplication and increases the risk of inconsistencies.

Groups / roles synchronization

Group and role synchronization should be reliable and predictable.

This is especially important for OpenCloud roles and Spaces access control.

In my tests, group/role mapping through OIDC claims did not behave reliably over time and could become desynchronized between OpenCloud and the IdP.

The issue seems to be around OpenCloud depending on OIDC claims such as groups for role assignment, while not having a clear and consistent synchronization model when group membership changes in the IdP.

Client consistency

The role/group mapping should behave consistently across Web, Desktop, Android and iOS clients.

There are already reports where some clients do not request or receive the expected groups claim, causing role mapping failures such as missing roles in user claims.

This makes OIDC-based role assignment fragile for real deployments.

Describe the solution you'd like

A more complete and reliable integration path between OpenCloud and lightweight OIDC providers such as Authelia.

Ideally:

  • logout is synchronized correctly between OpenCloud and the IdP;
  • user administration remains simple and does not require maintaining users in multiple places;
  • OpenCloud and Authelia remain consistent regarding users, groups and roles;
  • group and role mappings remain reliable over time;
  • permissions and Spaces access behave predictably;
  • Web, Desktop and mobile clients behave the same way.

Describe alternatives you've considered

Keycloak provides a more complete IAM solution, but it is significantly heavier for small deployments.

One of OpenCloud's strengths is its lightweight architecture, and Authelia appears to be a natural fit for small self-hosted installations that require OIDC and MFA without introducing a full IAM platform.

Additional context

This request is based on real-world testing of an OpenCloud + Authelia deployment.

The goal is not to replace external identity providers, but to make OpenCloud's integration with lightweight OIDC providers more reliable and easier to operate for small deployments.
