Nextcloud as an OIDC provider (core) #8846

Closed
gbrault opened this issue Mar 16, 2018 · 11 comments

Comments

@gbrault

gbrault commented Mar 16, 2018

This is more of an evolution request concerning the current OAuth 2.0 implementation and, on top of that, implementing the core of OpenID Connect.

Today, OAuth 2.0 is reserved to administrators; it should be changed to allow anyone to "validate" external use of an application, and this application would be an RP (OpenID Connect relying party, i.e. a client). The application will then try to authenticate with Nextcloud using the user who owns the token and then be able to do operations with Nextcloud according to the user's rights?

Of course, for web applications, the CORS issue needs to be raised and solved...

What do you think?

As Nextcloud can be seen as a core building block, I believe it makes sense!

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@tisoft

tisoft commented Nov 21, 2018

I have implemented basic OpenID Connect support in #12567. Still only administrators can add OIDC Clients, but I think it's a step forward.

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Nov 21, 2018
@acidicX

acidicX commented Jan 2, 2019

That would be really great. Thanks @tisoft for the PR. I'm currently stumbling over the user info endpoint when using a generic OAuth2 approach, because Nextcloud currently only offers the workaround via /ocs/v2.php/cloud/user?format=json, which requires mapping the fields manually (and not every software supports this). Will your PR also provide the endpoint (no need for this OCS workaround anymore)?

@tisoft

tisoft commented Jan 3, 2019

In the PR I support only the "Mandatory to Implement Features for All OpenID Providers". That does not include the UserInfo Endpoint.

The Email and Name attributes are included in the IDToken, though. So if you only need those, you should be able to get them without accessing the /ocs/v2.php/cloud/user?format=json endpoint.

I plan on adding support for more OpenID Connect features including the UserInfo endpoint after the basic stuff is accepted.

Out of curiosity, which attributes do you need that you currently get from the custom endpoint?

@acidicX

acidicX commented Jan 3, 2019

> The Email and Name attributes are included in the IDToken, though.

Yeah, but the JSON does not follow the OpenID userinfo endpoint spec. So the software needs to support attribute mapping, e.g.
ocs.data.id => username

JSON attributes seem to be in the OpenID spec. Most software I've come across does not support this mapping, but requires a userinfo endpoint (makes sense, you would not want to prompt the user for ID and name).

> Out of curiosity, which attributes do you need, that you currently get from the custom endpoint?

That is the problem: I cannot use the custom endpoint at all because the software does not support mapping (in this case Concourse CI). I think the basic stuff (ID, name, email) is sufficient for 99% of the software that supports OAuth2/OIDC.
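As an added illustration of the mapping discussed above (not code from Nextcloud or from anyone in this thread): a small adapter that turns the OCS /cloud/user reply into OIDC UserInfo standard claims, plus the check an RP must do anyway, that the UserInfo `sub` matches the ID Token `sub` (OIDC Core 5.3.2). The field names `displayname` and `email` under `ocs.data` are assumed from the OCS user endpoint; the sample reply is constructed.

```python
import json

# Constructed sample of what /ocs/v2.php/cloud/user?format=json returns.
# Only ocs.data.id is quoted in the thread; displayname/email are assumed names.
OCS_SAMPLE = json.dumps({
    "ocs": {
        "meta": {"status": "ok", "statuscode": 200, "message": "OK"},
        "data": {
            "id": "alice",
            "displayname": "Alice Example",
            "email": "alice@example.org",
        },
    }
})


def ocs_to_userinfo(raw: str) -> dict:
    """Map an OCS user reply onto OIDC UserInfo standard claims.

    Fails closed: a non-ok OCS status or a missing user id yields no claims
    rather than a half-filled identity that an RP might still accept.
    """
    doc = json.loads(raw)
    meta = doc.get("ocs", {}).get("meta", {})
    if meta.get("status") != "ok":
        raise ValueError(f"OCS call failed: {meta.get('message')!r}")
    data = doc["ocs"]["data"]
    uid = data.get("id")
    if not uid:
        raise ValueError("OCS reply lacks ocs.data.id; cannot derive 'sub'")
    # 'sub' must be a stable, unique identifier; the Nextcloud user id is one.
    claims = {"sub": uid, "preferred_username": uid}
    if data.get("displayname"):
        claims["name"] = data["displayname"]
    if data.get("email"):
        claims["email"] = data["email"]
    return claims


def userinfo_matches_id_token(userinfo: dict, id_token_claims: dict) -> bool:
    """OIDC Core 5.3.2: the RP must reject UserInfo whose 'sub' differs
    from the 'sub' in the ID Token it already validated."""
    sub = userinfo.get("sub")
    return sub is not None and sub == id_token_claims.get("sub")
```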

@jlallana

I had the same problem and, not finding a solution, made a change in the oauth application and made a pull request with this functionality.

I understand that it is not mandatory, but many OAuth clients need it.

#19934

@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Aug 20, 2020
@szaimen
Contributor

szaimen commented Jun 8, 2021

cc @nextcloud/server-triage is this feature feasible?

@skjnldsv
Member

skjnldsv commented Jun 8, 2021

Doable I'd say, but that should be an external app. We will not develop this as the requests are too low.

@szaimen
Contributor

szaimen commented Jun 8, 2021

Based on the answer I am closing this to keep the issue tracker clean.
Feel free to open a thread on https://help.nextcloud.com to look for volunteers that are willing to implement this.

@szaimen szaimen closed this as completed Jun 8, 2021
@skjnldsv
Member

skjnldsv commented Jun 8, 2021

@skjnldsv skjnldsv added invalid and removed needs info 0. Needs triage Pending check for reproducibility or if it fits our roadmap labels Jun 8, 2021
@Ornias1993

@szaimen You might want to look into the work this guy is doing.
You guys at Nextcloud might want to implement this as official, as it suits your business customers quite well and makes Nextcloud more like "the central place to be":

https://github.com/H2CK/oidc/commits/master
