Skip to content

Nextcloud OIDC Provider App - 2.0.2

Latest
Latest

Choose a tag to compare

View all tags
@H2CK H2CK released this 30 Jun 09:14
2.0.2
5445745

Nextcloud OpenID Connect Provider App - 2.0.2

This is the an OIDC App for Nextcloud. This application allows to use your Nextcloud Login at other services supporting OpenID Connect.

Attention - Potential Breaking Change

Version 2.x tightens several behaviours to better match the OpenID Connect conformance suite. OIDC-compliant clients should continue to work, but clients that depend on legacy 1.x behaviour should be reviewed before upgrading. For further details consult the documentation.

Provided features

  • Support for OpenID Connect Code (response_type = code) and Implicit (response_type = id_token) Flow - Implicite Flow must be activated per client
  • Support for PKCE
  • Public and confidential types of clients are supported
  • Creation of ID Token with claims based on requested scope (Currently supported scopes: openid, profile, email, roles, groups, and offline_access)
  • Supported signing algorithms RS256 (default) and HS256
  • Group memberships are passed as roles in ID token
  • Clients can be assigned to dedicated user groups - Only users in the configured group are allowed to retrieve an access token to fetch the ID token
  • Support for RFC9068 JWT Access Tokens (must be activated per client)
  • Discovery & WebFinger endpoint provided
  • Logout endpoint
  • Dynamic Client Registration
  • Client Configuration Management (RFC 7592)
  • Token Introspection (RFC 7662)
  • Support for resource url (RFC 9728) at introspection
  • User Consent Management
  • Support for custom claims
  • Administration of clients via CLI
  • Generation and validation of access tokens using events
  • User specific settings to define which data is passed to clients in ID token and via userinfo endpoint

Changes in 2.0.2

Added

  • Added support for response_mode=from_post (#668)

Changes in 2.0.1

Changed

  • Fixed db table name issue with NC32 (#666)

Changes in 2.0.0

Added

  • Added OpenID Connect conformance workflow, badge, report generation, and certification test plans for basic, config, hybrid, and implicit profiles (#656, #660)
  • Added support for the OpenID Connect claims request parameter for ID token and userinfo claim selection
  • Added legacy admin setting to always include scope-based claims in authorization code flow ID tokens without an explicit claims.id_token request
  • Added custom claims to JWT access tokens
  • Added custom claim functions for user language, locale, first day of week, and timezone preferences (#664)
  • Added authorization code persistence to reject code reuse during token exchange
  • Added additional unit and integration coverage for code, implicit, PKCE, listener, controller, CLI, and background job flows
  • Added AI agent development and release guidance

Changed

  • Changed authorization code flow ID tokens to include profile, email, and custom claims only when explicitly requested through claims.id_token
  • Improved OIDC conformance handling for prompt, max_age, request objects, nonce, hybrid, implicit, refresh token, scope/profile, userinfo, and code reuse scenarios (#656, #660)
  • Fixed token introspection expiry calculation for refreshed tokens (#663)
  • Fixed claim handling in code flow (#658)
  • Replaced deprecated user value access
  • Updated dependencies (#655, #657, #658, #659, #661, #662)
  • Updated translations

Full documentation can be found at:

User Documentation
Developer Documentation

What's Changed

  • Added form_post response support by @H2CK in #668

Full Changelog: 2.0.1...2.0.2

Contributors

H2CK
Assets 4
Loading