Nextcloud as an OIDC provider (core) #8846
Comments
I have implemented basic OpenID Connect support in #12567. Still only administrators can add OIDC Clients, but I think it's a step forward.
That would be really great. Thanks @tisoft for the PR. I'm currently stumbling over the user info endpoint when using a generic OAuth2 approach, because nextcloud currently only offers the workaround via
In the PR I support only the "Mandatory to Implement Features for All OpenID Providers". That does not include the UserInfo Endpoint. The Email and Name attributes are included in the IDToken, though. So if you only need those, you should be able to get them without accessing the I plan on adding support for more OpenID Connect features including the UserInfo endpoint after the basic stuff is accepted. Out of curiosity, which attributes do you need that you currently get from the custom endpoint?
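The ID-token-only path described above, as an added example (not code from the PR or from Nextcloud): a relying party validates the ID token and reads the standard `name` and `email` claims, deciding whether a UserInfo call would still be needed. The issuer URL, client id and secret are constructed placeholders; HS256 with the client secret is used so the block runs offline, whereas a real provider would typically sign with RS256.

```python
import base64, hashlib, hmac, json, time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(claims: dict, client_secret: str) -> str:
    """Constructed issuer-side helper so the example runs offline (HS256 with the client secret)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token: str, client_secret: str, issuer: str, client_id: str, now=None) -> dict:
    """Relying-party side: check alg, signature, iss, aud and exp before trusting any claim."""
    now = int(time.time()) if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject 'none' or any alg we did not agree on
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    return claims


def profile_from_id_token(claims: dict) -> dict:
    """Standard OIDC claims a client usually needs; None marks what is missing from the token."""
    return {"sub": claims.get("sub"), "name": claims.get("name"), "email": claims.get("email")}


def needs_userinfo(profile: dict) -> bool:
    """True when the ID token alone does not carry name and email, i.e. UserInfo would be required."""
    return any(profile[k] is None for k in ("name", "email"))
```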
Yeah, but the JSON does not follow the OpenID userinfo endpoint spec. So the software needs to support attribute mapping, e.g. JSON attributes seem to be in the OpenID Spec. Most software I've come across does not support this mapping, but requires a userinfo endpoint (makes sense, you would not want to prompt the user for ID and name).
That is the problem, I cannot use the custom endpoint at all because the software does not support mapping (in this case Concourse CI). I think the basic stuff (ID, name, email) is sufficient for 99% of the software that supports OAuth2/OIDC.
You have the same problem, and when not finding a solution, make a change in the oauth application and make a pull request with this functionality. I understand that it is not mandatory, but many oauth clients need it.
cc @nextcloud/server-triage is this feature feasible?
Doable I'd say, but that should be an external app. We will not develop this as the requests are too low.
Based on the answer I am closing this to keep the issue tracker clean.
@szaimen You might want to look into the work this guy is doing.
This is more an evolution request concerning the current OAuth 2.0 implementation and, on top of that, implementing the core of OpenID Connect.
Today, OAuth 2.0 is reserved to administrators; it should be changed to allow anyone to "validate" external use of an application, and this application would be an RP (OpenID Connect relying party, i.e. a client). The application will then try to authenticate with Nextcloud using the user who owns the token and then be able to do operations with Nextcloud according to the user's rights?
Of course, for web applications, the CORS issue needs to be raised and solved...
What do you think?
As nextcloud can be seen as a core building block, I believe it makes sense!