#11854 FAMNA Nextcloud OIDC for FAS
Closed: Fixed with Explanation 20 days ago by kevin. Opened 2 months ago by vwbusguy.

Followup to #11844

To help us register your application in our OIDC service, we need some
information from you:

Note: all the default values provided here are based on the default choice/
implementation of flask-oidc. If you do not use this library you may have to
refer to the documentation of your library.

Some generic information first:
- What is the application main URL?

- Who will be the main contact for the application, or will this be core

Scott Williams (vwbusguy).
Alternatively, Brian Monroe (paradoxguitarist).
- What privacy policy will be applicable to the application, or will this be
the standard Fedora privacy policy?
Standard Fedora policy

Some more OIDC specific information then:
- Which redirect URI(s) will the application use?
- flask-oidc defaults to: <APPLICATION_URL>/oidc_callback
but it's configurable (so double-check)

  • Does the application need the user names, or will an application-specific
    pseudonym suffice?
  • ie: using flask-oidc, do you ever rely on OIDC.user_getfield('sub') to
    get the user's username. If not, this question likely does not matter for
    your application
    There is a value mapping config:
// Use ID Token instead of UserInfo
    'oidc_login_use_id_token' => false,

    // Attribute map for OIDC response. Available keys are:
    //   * id:           Unique identifier for username
    //   * name:         Full name
    //                      If set to null, existing display name won't be overwritten
    //   * mail:         Email address
    //                      If set to null, existing email address won't be overwritten
    //   * quota:        Nextcloud storage quota
    //   * home:         Home directory location. A symlink or external storage to this location is used
    //   * ldap_uid:     LDAP uid to search for when running in proxy mode
    //   * groups:       Array or space separated string of Nextcloud groups for the user.
    //                   Note that the name here corresponds to the GID of the group and not the display name
    //                   In the admin panel, the GID may be obtained from the URL when editing a group
    //   * login_filter: Array or space separated string. If 'oidc_login_filter_allowed_values' is
    //                      set, it is checked against these values.
    //   * photoURL:     The URL of the user avatar. The nextcloud server will download the picture
    //                      at user login. This may lead to security issues. Use with care.
    //                      This will only be effective if oidc_login_update_avatar is enabled.
    //   * is_admin:     If this value is truthy, the user is added to the admin group (optional)
  • Which authorization flow does the application use?
  • flask-oidc: authorization_code
  • Which token authentication method does the application use?
  • flask-oidc: client_secret_post
  • Which response type does the application rely on?
  • flask-oidc: Code
    These appear to be the defaults for this OIDC app as well, though there are other optional methods. I'm fine with using these.

If Fedora uses KeyCloak for OIDC, this app has instructions for setting it up on the Provider side: https://github.com/pulsejet/nextcloud-oidc-login?tab=readme-ov-file#usage-with-keycloak

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: low-trouble, medium-gain, ops

2 months ago

We use ipsilon currently. ;)

What client-name should we use here? 'nextcloud' is a bit generic... famna-nextcloud?

famna-nextcloud makes sense to me.

Sorry for the delay here. ;(

I'm hoping @abompard or @zlopez or I can do this wed after we are out of final freeze.

ok, sorry again for the delay.

This should now be in place. Please let us know if it isn't working...

Metadata Update from @kevin:
- Issue close_status updated to: Fixed with Explanation
- Issue status updated to: Closed (was: Open)

20 days ago

Metadata Update from @kevin:
- Issue assigned to kevin

20 days ago

Login to comment on this ticket.

Boards 1
ops Status: Backlog