Nextcloud as an OIDC provider (core)

[gbrault]

This is more an evolution request concerning the OAuth 2.0 current implementation and on top of that implementing the core of OpenID connect.

Today, the OAuth2.0 is reserved to administrator, it should be changed to allow anyone "validate" external use of an application and this application would be an RP (OpenID connect relying party i.e.: a client). The application will then try to authenticate with NextCloud using the user who owns the token and then be able to do operation with Nextcloud according to the user rights?

Of course, for web application, the CORS issue need to be raised and solved...

What do you think?

As nextcloud can be seen as a core building block, I believe it makes sense!

[tisoft]

I have implemented basic OpenID Connect support in #12567. Still only administrators can add OIDC Clients, but I think it's a step forward.

[acidicX]

That would be really great. Thanks @tisoft for the PR. I'm currently stumbling over the user info endpoint when using a generic OAuth2 approach, because nextcloud currently only offers the workaround via /ocs/v2.php/cloud/user?format=json, which requires mapping the fields manually (and not every software supports this). Will your PR also provide the endpoint (no need for this ocs workaround anymore)?

[tisoft]

In the PR I support only the "Mandatory to Implement Features for All OpenID Providers". That does not include the UserInfo Endpoint.

The Email and Name attributes are included in the IDToken, though. So if you only need those, you should be able to get them without accessing the /ocs/v2.php/cloud/user?format=json endpoint.

I plan on adding support for more OpenID Connect features including the UserInfo endpoint after the basic stuff is accepted.

Out of curiosity, which attributes do you need, that you currently get from the custom endpoint?

[acidicX]

The Email and Name attributes are included in the IDToken, though.

Yeah, but the JSON does not follow the OpenID userinfo endpoint spec. So the software needs to support attribute mapping, e.g.
ocs.data.id => username

JSON attributes seem to be in the OpenID Spec. Most software I've come across does not support this mapping, but requires a unserinfo endpoint (makes sense, you would not want to prompt the user for ID and name).

Out of curiosity, which attributes do you need, that you currently get from the custom endpoint?

That is the problem, I cannot use the custom endpoint at all because the software does not support mapping (in this case Concourse CI). I think the basic stuff (ID, name, email) is sufficient for 99% of the software that supports OAuth2/OIDC.

[jlallana]

Your the same problem and when not finding a solution make a change in the oauth application and make a pull request with this functionality.

I understand that it is not mandatory but many oauth clients need it.

#19934

[szaimen]

cc @nextcloud/server-triage is this feature feasible?

[skjnldsv]

Doaable I'd say, but that should be an external app. We will not develop this as the requests are too low.

[szaimen]

Based on the answer I am closing this to keep the issue tracker clean.
Feel free to open a thread on https://help.nextcloud.com to look for volunteers that are willing to implement this.

[skjnldsv]

https://help.nextcloud.com/c/apps/app-ideas/21

[Ornias1993]

@szaimen You might want to look into the work this guy is doing.
You guys at Nextcloud might want to implement this as official, as it suits your bussiness customers quite well and makes Nextcloud more like "the central place to be":

https://github.com/H2CK/oidc/commits/master