
User Documentation

H2CK edited this page May 12, 2023 · 7 revisions

Nextcloud OIDC App - User Documentation

This is an OIDC Provider App for Nextcloud. It allows you to use your Nextcloud login at other services that support OpenID Connect.

Provided features:

  • Support for the OpenID Connect Code Flow (response_type = code) and Implicit Flow (response_type = id_token, since version 0.4.0). The Implicit Flow must be activated per client.
  • Configuration of accepted clients for which JWT tokens are issued. Public and confidential client types are supported.
  • Creation of JWT tokens with claims based on the requested scope. (Currently supported scopes: openid, profile, email, roles and groups)
  • Supported signing algorithms: RS256 (default) and HS256
  • Group memberships are passed as roles in the JWT token.
  • Clients can be assigned to dedicated user groups. Only users in the configured group are allowed to retrieve an access token and fetch the JWT.
  • Discovery endpoint provided
  • Logout endpoint

Endpoints

The following endpoints are available below index.php/apps/oidc/:

  • Discovery: GET openid-configuration
  • Authorization: GET authorize
  • Token: POST token
  • UserInfo: GET userinfo, POST userinfo (since 0.5.0) - authenticated with a previously retrieved access token
  • JWKS: GET jwks
  • Logout: GET logout

CORS is enabled for all origins on all of the above endpoints. Please ensure that a reverse proxy in front of your Nextcloud installation does not block the CORS pre-flight (OPTIONS) requests.

The discovery endpoint should be made available at the URL <Issuer>/.well-known/openid-configuration. You may have to configure your web server to redirect this URL to the discovery endpoint at <Issuer>/index.php/apps/oidc/openid-configuration.

Scopes

Scope Description
openid Default scope. Added automatically if missing.
profile Adds the claims name and updated_at to the ID Token.
email Adds the user's email address in the claim email. Furthermore, the claim email_verified is added.
roles Adds the user's groups in the claim roles.
groups Adds the user's groups in the claim groups.
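A relying party has to validate the ID token it receives before trusting the claims listed above. The following is an added example, not code from the Nextcloud OIDC app or its documentation: a stdlib-only Python validator for a token signed with the app's HS256 option (where the client secret is the HMAC key), which pins the algorithm, checks signature, iss, aud and exp, and then reads the roles/groups claims. The issuer URL, client ID, client secret and the claim set are constructed for the example; the mint_hs256_id_token helper only stands in for the provider so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; in practice these come from the app's client settings.
ISSUER = "https://my.nextcloud-instance.com"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret-not-real"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256_id_token(claims: dict, secret: str) -> str:
    """Constructed stand-in for the provider: signs a claim set with HS256 so the
    example runs offline. Real tokens are issued by the app's token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256_id_token(token: str, secret: str, issuer: str, client_id: str, now=None) -> dict:
    """Verify an HS256-signed ID token and return its claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_seg, p_seg, s_seg = parts
    header = json.loads(_b64url_decode(h_seg))
    # Pin the algorithm the client was configured for. Never let the token choose:
    # this rejects alg "none" and RS256/HS256 confusion attempts.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_seg)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_seg))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued for this client")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def groups_from_claims(claims: dict) -> list:
    """Group memberships arrive in 'roles' (scope roles) or 'groups' (scope groups)."""
    return list(claims.get("roles") or claims.get("groups") or [])


def demo(now: int = 1_700_000_000) -> dict:
    # Constructed claim set resembling one issued for scope "openid profile email roles groups".
    claims = {
        "iss": ISSUER,
        "aud": CLIENT_ID,
        "sub": "alice",
        "preferred_username": "alice",
        "name": "Alice Example",
        "updated_at": now - 86400,
        "email": "alice@example.com",
        "email_verified": True,
        "roles": ["admin", "staff"],
        "groups": ["admin", "staff"],
        "iat": now,
        "exp": now + 300,
    }
    token = mint_hs256_id_token(claims, CLIENT_SECRET)
    return verify_hs256_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, now=now)


if __name__ == "__main__":
    verified = demo()
    print(verified["preferred_username"], groups_from_claims(verified))
```

For the default RS256 setting the same checks apply, but the signature is verified against the key published at the jwks endpoint (matched by kid) with a JOSE library, and the algorithm must still be pinned to RS256 rather than read from the token header.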

Limitations

Currently it is not yet possible to use an issued Access Token or ID Token to access resources at the Nextcloud instance itself. (Future implementation planned)

Client authentication at the token endpoint currently only supports sending the client credentials in the request body (client_secret_post). HTTP Basic authentication (client_secret_basic) is currently not supported.

Usage Example

Apache Module mod_auth_openidc

The following is an example configuration showing how to use this app with the Apache module mod_auth_openidc:

OIDCProviderMetadataURL https://my.nextcloud-instance.com/.well-known/openid-configuration
OIDCRedirectURI https://my.other-service.com:443/oidc/callback

OIDCClientID <client_id from settings>
OIDCClientSecret <client_secret from settings>
OIDCProviderTokenEndpointAuth client_secret_post

OIDCRemoteUserClaim preferred_username
OIDCScope "openid profile email roles"