
Nextcloud OIDC Provider App - 2.0.0


@H2CK H2CK released this 29 Jun 06:48

Nextcloud OpenID Connect Provider App - 2.0.0

This is an OIDC provider app for Nextcloud. It lets you use your Nextcloud login at other services that support OpenID Connect.

Attention - Potential Breaking Change

Version 2.0.0 tightens several behaviours to better match the OpenID Connect conformance suite. OIDC-compliant clients should continue to work, but clients that depend on legacy 1.x behaviour should be reviewed before upgrading. For further details consult the documentation.

Provided features

  • Support for OpenID Connect Code (response_type = code) and Implicit (response_type = id_token) Flow - Implicit Flow must be activated per client
  • Support for PKCE
  • Public and confidential types of clients are supported
  • Creation of ID Token with claims based on requested scope (Currently supported scopes: openid, profile, email, roles, groups, and offline_access)
  • Supported signing algorithms RS256 (default) and HS256
  • Group memberships are passed as roles in ID token
  • Clients can be assigned to dedicated user groups - Only users in the configured group are allowed to retrieve an access token to fetch the ID token
  • Support for RFC9068 JWT Access Tokens (must be activated per client)
  • Discovery & WebFinger endpoint provided
  • Logout endpoint
  • Dynamic Client Registration
  • Client Configuration Management (RFC 7592)
  • Token Introspection (RFC 7662)
  • Support for resource url (RFC 9728) at introspection
  • User Consent Management
  • Support for custom claims
  • Administration of clients via CLI
  • Generation and validation of access tokens using events
  • User specific settings to define which data is passed to clients in ID token and via userinfo endpoint

Changes

Added

  • Added OpenID Connect conformance workflow, badge, report generation, and certification test plans for basic, config, hybrid, and implicit profiles (#656, #660)
  • Added support for the OpenID Connect claims request parameter for ID token and userinfo claim selection
  • Added legacy admin setting to always include scope-based claims in authorization code flow ID tokens without an explicit claims.id_token request
  • Added custom claims to JWT access tokens
  • Added custom claim functions for user language, locale, first day of week, and timezone preferences (#664)
  • Added authorization code persistence to reject code reuse during token exchange
  • Added additional unit and integration coverage for code, implicit, PKCE, listener, controller, CLI, and background job flows
  • Added AI agent development and release guidance

Changed

  • Changed authorization code flow ID tokens to include profile, email, and custom claims only when explicitly requested through claims.id_token
  • Improved OIDC conformance handling for prompt, max_age, request objects, nonce, hybrid, implicit, refresh token, scope/profile, userinfo, and code reuse scenarios (#656, #660)
  • Fixed token introspection expiry calculation for refreshed tokens (#663)
  • Fixed claim handling in code flow (#658)
  • Replaced deprecated user value access
  • Updated dependencies (#655, #657, #658, #659, #661, #662)
  • Updated translations
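The claims request parameter added in this release, together with the changed code-flow behaviour (profile/email claims in the ID token only when requested via claims.id_token) and the PKCE support listed above, is easiest to reason about from the relying-party side. The following is an added example, not code from the oidc app or its release notes: it builds a code-flow authorization request with an S256 PKCE challenge and an explicit claims parameter, then checks the ID token that comes back for the claims that were asked for. The authorization endpoint URL, client_id, redirect_uri and the sample token are placeholders constructed for the example; signature verification against the provider's JWKS is deliberately left out and must be done before any claim is trusted.

```python
"""Relying-party helpers for an OIDC code-flow request with PKCE and a claims
request parameter, plus a check of the returned ID token (added example)."""
import base64
import hashlib
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used by PKCE (RFC 7636) and JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce(verifier: Optional[str] = None):
    """Return (code_verifier, S256 code_challenge); generate a verifier if none given."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636 limits
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_auth_request(authorization_endpoint, client_id, redirect_uri, id_token_claims,
                       scopes=("openid", "email", "profile"),
                       verifier=None, state=None, nonce=None):
    """Return the authorization URL and the per-request values the RP must remember.

    claims.id_token names the claims wanted in the ID token itself (null means
    'include if available'). A provider that only adds profile/email claims to a
    code-flow ID token on explicit request needs this; scope alone is not enough.
    """
    state = state or b64url(secrets.token_bytes(16))
    nonce = nonce or b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce(verifier)
    claims = {"id_token": {name: None for name in id_token_claims}}
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return {"url": authorization_endpoint + "?" + urlencode(params),
            "code_verifier": verifier, "state": state, "nonce": nonce}


def auth_request_params(url: str) -> dict:
    """Parse a built authorization URL back into single-valued query parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS. The signature is NOT verified here;
    verify it (RS256 via the provider's JWKS) before trusting any claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def make_demo_id_token(payload: dict) -> str:
    """Constructed sample token for offline use: real header/payload, dummy signature."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.{b64url(b'not-a-real-signature')}"


def check_id_token(payload, issuer, client_id, nonce, requested_claims, now=None):
    """Return a list of problems; an empty list means the token fits this request."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not include client_id")
    if payload.get("nonce") != nonce:
        problems.append("nonce mismatch (replay or wrong session)")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        problems.append("exp missing or in the past")
    # Claims asked for via claims.id_token but absent: either the client needs to
    # send the claims parameter, or the provider's legacy setting must be enabled.
    missing = [c for c in requested_claims if c not in payload]
    if missing:
        problems.append("missing requested claims: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    req = build_auth_request("https://cloud.example.test/index.php/apps/oidc/authorize",
                             "my-client", "https://rp.example.test/cb", ["email", "name"])
    print(req["url"])
    # Constructed response: email present, name missing although it was requested.
    tok = make_demo_id_token({"iss": "https://cloud.example.test", "aud": "my-client",
                              "nonce": req["nonce"], "exp": int(time.time()) + 300,
                              "sub": "alice", "email": "alice@example.test"})
    print(check_id_token(jwt_payload(tok), "https://cloud.example.test", "my-client",
                         req["nonce"], ["email", "name"]))
```

Run it once against a client that worked on 1.x: if the check reports missing requested claims even though the claims parameter is sent, compare the app's claim configuration; if the client cannot send a claims parameter at all, the legacy admin setting described above is the fallback. The PKCE verifier returned in the dict is what goes into the token request as code_verifier.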

Full documentation can be found at:

User Documentation
Developer Documentation

What's Changed

  • Build(deps-dev): Bump shell-quote from 1.8.3 to 1.8.4 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #655
  • Added OIDC conformance test by @H2CK in #656
  • Build(deps): Bump firebase/php-jwt from 7.0.5 to 7.1.0 by @dependabot[bot] in #657
  • Build(deps): Bump dompurify from 3.4.0 to 3.4.10 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #658
  • Build(deps): Bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #659
  • Build(deps-dev): Bump webpack-dev-server from 5.2.4 to 5.2.5 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #661
  • Extend OIDC conformance test and conformance coverage by @H2CK in #660
  • Build(deps): Bump dompurify from 3.4.10 to 3.4.11 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #662
  • fix(introspection): compute token expiry from refreshed, not created by @cbcoutinho in #663
  • New custom claims for user preferences by @SafetyIng in #664


Full Changelog: 1.17.0...2.0.0