User Documentation
This is an OIDC Provider app for Nextcloud. It allows you to use your Nextcloud login at other services that support OpenID Connect.
Provided features:
- Support for the OpenID Connect Code (response_type = code) and Implicit (response_type = id_token) flows (since version 0.4.0). The Implicit flow must be activated per client.
- Configuration of the accepted clients for which JWT tokens are issued. Public and confidential client types are supported.
- Creation of JWT tokens with claims based on the requested scope (currently supported scopes: openid, profile, email, roles and groups).
- Supported signing algorithms RS256 (default) and HS256
- Group memberships are passed as roles in JWT token.
- Clients can be assigned to dedicated user groups. Only users in the configured group are allowed to retrieve an access token to fetch the JWT.
- Discovery endpoint provided
- Logout endpoint
The following endpoints are available below index.php/apps/oidc/:
- Discovery: `GET openid-configuration`
- Authorization: `GET authorize`
- Token: `POST token`
- UserInfo: `GET userinfo`, `POST userinfo` (since 0.5.0; authentication with a previously retrieved access token)
- JWKS: `GET jwks`
- Logout: `GET logout`
CORS is enabled for all domains on all of the above endpoints. Please ensure that a reverse proxy in front of your Nextcloud installation does not block the CORS pre-flight requests.
The discovery endpoint should be made available at the URL `<Issuer>/.well-known/openid-configuration`. You may have to configure your web server to redirect this URL to the discovery endpoint at `<Issuer>/index.php/apps/oidc/openid-configuration`.
Scope | Description |
---|---|
openid | Default scope. Will be added if missing. |
profile | Adds the claims `name` and `updated_at` to the ID Token. |
email | Adds the email address of the user to the claim `email`. Furthermore the claim `email_verified` is added. |
roles | Adds the groups of the user in the claim `roles`. |
groups | Adds the groups of the user in the claim `groups`. |
Currently it is not yet possible to use an issued Access Token or ID Token to access resources at the Nextcloud instance itself (a future implementation is planned).
Client authentication when fetching a token currently only supports sending the client credentials in the request body. HTTP Basic Auth is not supported yet.
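As an added example (not part of this app's code), here is how a relying party can validate an HS256-signed ID token from this provider using only the Python standard library; the issuer, client id and client secret are constructed sample values. It pins the expected algorithm instead of trusting the token header, verifies the MAC in constant time, and checks `iss`, `aud` and `exp` before reading the `roles` and `groups` claims.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values (assumptions, not taken from the page)
ISSUER = "https://my.nextcloud-instance.com"
CLIENT_ID = "example-client"
CLIENT_SECRET = b"example-secret"  # HS256 key shared between provider and client

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT. Only used here to construct sample input."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token, secret, issuer, client_id, now=None) -> dict:
    """Relying-party checks: pin the algorithm, verify the MAC in constant time,
    then check iss, aud and exp. Returns the claims or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the expected algorithm instead of trusting the header (rejects "none", RS256, ...)
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "preferred_username": "alice",
              "email": "alice@example.org", "email_verified": True,
              "roles": ["admin"], "groups": ["admin"], "exp": int(time.time()) + 300}
    print(verify_id_token(make_hs256_token(claims, CLIENT_SECRET), CLIENT_SECRET, ISSUER, CLIENT_ID)["roles"])
```

For RS256 tokens (the app's default) the same checks apply, with the signature verified against the key published at the `jwks` endpoint instead of a shared secret.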
The following is an example configuration showing how to use this app with the Apache module mod_auth_openidc:

```apache
OIDCProviderMetadataURL https://my.nextcloud-instance.com/.well-known/openid-configuration
OIDCRedirectURI https://my.other-service.com:443/oidc/callback
OIDCClientID <client_id from settings>
OIDCClientSecret <client_secret from settings>
OIDCProviderTokenEndpointAuth client_secret_post
OIDCRemoteUserClaim preferred_username
OIDCScope "openid profile email roles"
```