Skip to content

Nextcloud OIDC Provider App - 2.0.1

Latest
Latest

Choose a tag to compare

View all tags
@H2CK H2CK released this 29 Jun 11:07
2.0.1
de451a2

Nextcloud OpenID Connect Provider App - 2.0.1

This is the an OIDC App for Nextcloud. This application allows to use your Nextcloud Login at other services supporting OpenID Connect.

Attention - Potential Breaking Change

Version 2.x tightens several behaviours to better match the OpenID Connect conformance suite. OIDC-compliant clients should continue to work, but clients that depend on legacy 1.x behaviour should be reviewed before upgrading. For further details consult the documentation.

Provided features

  • Support for OpenID Connect Code (response_type = code) and Implicit (response_type = id_token) Flow - Implicite Flow must be activated per client
  • Support for PKCE
  • Public and confidential types of clients are supported
  • Creation of ID Token with claims based on requested scope (Currently supported scopes: openid, profile, email, roles, groups, and offline_access)
  • Supported signing algorithms RS256 (default) and HS256
  • Group memberships are passed as roles in ID token
  • Clients can be assigned to dedicated user groups - Only users in the configured group are allowed to retrieve an access token to fetch the ID token
  • Support for RFC9068 JWT Access Tokens (must be activated per client)
  • Discovery & WebFinger endpoint provided
  • Logout endpoint
  • Dynamic Client Registration
  • Client Configuration Management (RFC 7592)
  • Token Introspection (RFC 7662)
  • Support for resource url (RFC 9728) at introspection
  • User Consent Management
  • Support for custom claims
  • Administration of clients via CLI
  • Generation and validation of access tokens using events
  • User specific settings to define which data is passed to clients in ID token and via userinfo endpoint

Changes in 2.0.1

Changed

  • Fixed db table name issue with NC32 (#666)

Changes in 2.0.0

Added

  • Added OpenID Connect conformance workflow, badge, report generation, and certification test plans for basic, config, hybrid, and implicit profiles (#656, #660)
  • Added support for the OpenID Connect claims request parameter for ID token and userinfo claim selection
  • Added legacy admin setting to always include scope-based claims in authorization code flow ID tokens without an explicit claims.id_token request
  • Added custom claims to JWT access tokens
  • Added custom claim functions for user language, locale, first day of week, and timezone preferences (#664)
  • Added authorization code persistence to reject code reuse during token exchange
  • Added additional unit and integration coverage for code, implicit, PKCE, listener, controller, CLI, and background job flows
  • Added AI agent development and release guidance

Changed

  • Changed authorization code flow ID tokens to include profile, email, and custom claims only when explicitly requested through claims.id_token
  • Improved OIDC conformance handling for prompt, max_age, request objects, nonce, hybrid, implicit, refresh token, scope/profile, userinfo, and code reuse scenarios (#656, #660)
  • Fixed token introspection expiry calculation for refreshed tokens (#663)
  • Fixed claim handling in code flow (#658)
  • Replaced deprecated user value access
  • Updated dependencies (#655, #657, #658, #659, #661, #662)
  • Updated translations

Full documentation can be found at:

User Documentation
Developer Documentation

What's Changed

  • Build(deps-dev): Bump shell-quote from 1.8.3 to 1.8.4 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #655
  • Added OIDC conformance test by @H2CK in #656
  • Build(deps): Bump firebase/php-jwt from 7.0.5 to 7.1.0 by @dependabot[bot] in #657
  • Build(deps): Bump dompurify from 3.4.0 to 3.4.10 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #658
  • Build(deps): Bump the npm_and_yarn group across 1 directory with 2 updates by @dependabot[bot] in #659
  • Build(deps-dev): Bump webpack-dev-server from 5.2.4 to 5.2.5 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #661
  • Extend OIDC conformance test and conformance coverage by @H2CK in #660
  • Build(deps): Bump dompurify from 3.4.10 to 3.4.11 in the npm_and_yarn group across 1 directory by @dependabot[bot] in #662
  • fix(introspection): compute token expiry from refreshed, not created by @cbcoutinho in #663
  • New custom claims for user preferences by @SafetyIng in #664
  • fix: too long primary index name by @saw-jan in #666

New Contributors

Full Changelog: 1.17.0...2.0.0
Full Changelog: 2.0.0...2.0.1

Contributors

H2CK, cbcoutinho, and 3 other contributors
Assets 4
Loading