-
-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use OIDC as an authentication between APP and Nextcloud #54
Comments
Hi @bitvilag, No, so far we haven't tried that. In our original use-case, the our APP users aren't the ones authenticating against Nextcloud, but only the app is. Correct me if I'm wrong, but I think the authentication flow using an OID Identity Provider or back-end such as KeyCloak would be such as this:
I'm not sure how advanced OIDC integration is in that OIDC Login app. I suppose it can pull roles from either the user back-end (e.g. I'm also a bit uncertain about the steps 3 and 4. So if you could confirm or correct my assumptions, that'd be appreciated. I could e.g. imagine that rather than storing the application password inside the APP, it could also be stored in As I mentioned above, I see how this could make sense, but I'm not sure how quickly we could get to implementing this, given that it technically all works out. I would also see us implementing this in two steps, first without any OIDC support, then adding that on top. The process of authenticating with Nextcloud as a user, generating an application password and then using that doesn't differ, but storage and the initial authentication against both Nextcloud and the APP may introduce further complexity. For completeness' sake, we should also acknowledge, that |
Hi @kwisatz, In my use-case, I was wondering how could my app remain stateless without any persistent storage. Generally I am designing and implementing my app that I have front-end and back-end both attached to keycloak running as multiple instances. Technically I can assign now roles to the user which I can be enforced on both front-end and back-end. Now comes in the question, how should I handle the files that needs to be uploaded, but only visible to the uploaded user (or maybe a group of users)? How should I make the user possible to interact and only interact with their own files. User and password is not even asked as I use google/fb/etc integration though it does support local users. My thought was to impersonate the user and connect to nextcloud using the impersonation as it would reach the users account only. This means technically the user could also login to the nextcloud directly, though I don't see at the moment a too big issue as I would limit the storage anyhow. Maybe this is wrong, not sure. Whats even more wild is allow the user (through api calls) to attach their own google drive to nextcloud and use my app together with their own google drive though not sure on the effort side. This would be probably something I would not implement in the near future. Generally I would like to able the user to upload files, but not to the container the app is running in, but rather to nextcloud directly. I then forsee something like:
I am not that experienced with this model, so I might not be on right track and might have not reached you with the correct assumptions. |
I moved away from this solution therefore it is not needed for now. |
This is still not a bad idea, re-opening this issue. |
I currently use keycloak as user backend using the OIDC protocol and I am moving the nextcloud instance to this as well. I was wondering if you ever tried to interact with nextcloud using tokens creating a personal account/space for the user?
The text was updated successfully, but these errors were encountered: