Updated by Wieland Lindenthal over 1 year ago
**As** an administrator setting up the OpenProject side of the OpenProject-Nextcloud integration
**I want to** have a second option to use OIDC-based access tokens instead of OAuth2 access tokens when I also use an IdP like Keycloak for single sign-on (SSO)
**so that** not each user needs to go through the OAuth grant flow
**Acceptance criteria**
* In the file storages settings for Nextcloud, there is a new step 2 in which the admin is asked what type of integration she wants to set up:
  * OAuth2 (default)
  * OIDC (advanced)
* If the admin chooses "OAuth2", then the current step 3 will be "OpenProject OAuth" and step 4 will be "Nextcloud OAuth", as we currently have them.
* If the admin chooses "OIDC", then it will show an information text with a link for further documentation.
  * It shows a warning if there is no OIDC configured (on OpenProject's side).
  * It states that the setup has only been successfully tested with Keycloak and not with other OIDC providers.
    * \[open\] Is this really needed? Shouldn't we test it with at least a few more to make sure it works? Or else not release the feature.
    * Background: Keycloak supports the OAuth2 Token Exchange protocol when a certain feature flag is activated. Other OIDC providers AFAIK do not (yet).
    * Entra ID does not support it. Entra would need to hand out access tokens with audiences for both systems at once (less secure). This we could of course support (but explicitly not advise) and test. We could also advise using a Keycloak in between Entra ID and OP/NC.
  * It tells the admin to follow the setup instructions in the docs on how to configure OIDC in OpenProject and how to configure the OIDC provider, and offers a link to the correct OpenProject docs.
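To make the token-exchange point above concrete, here is an added illustration (not OpenProject's or Nextcloud's code, and not part of this work package): the shape of an RFC 8693 token-exchange request that OpenProject would send to the IdP to obtain a Nextcloud-scoped access token for the logged-in user, plus an audience check that accepts a token minted for exactly one resource server and rejects the multi-audience token described for Entra ID. It assumes Keycloak as the IdP with its token-exchange feature enabled (in recent releases via `--features=token-exchange`), client ids `openproject` and `nextcloud`, and it only inspects claims: the JWT signature must be verified against the IdP's JWKS before any claim is trusted. The test tokens are constructed and unsigned.

```python
"""Token exchange request and audience check for the OIDC integration variant.

Added example, not project code. Assumptions (not from the work package):
  - Keycloak is the IdP and RFC 8693 token exchange is enabled.
  - Nextcloud's client id at the IdP is "nextcloud", OpenProject's is "openproject".
  - Only claim inspection is shown; signature verification (JWKS) is required
    before trusting any claim and is out of scope here.
"""
import base64
import json
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_token_exchange_request(subject_token, target_audience, client_id, client_secret):
    """Return the form-encoded body for an RFC 8693 token exchange.

    OpenProject presents the access token it holds for the SSO user
    (subject_token) and asks the IdP for a new token whose audience is the
    Nextcloud client, so the user never has to run a separate OAuth grant.
    POST it to Keycloak's token endpoint
    (/realms/<realm>/protocol/openid-connect/token).
    """
    form = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": target_audience,
    }
    return urlencode(form)


def _b64url_decode(segment):
    # Compact JWS segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(jwt):
    """Decode the payload of a compact JWS. Does NOT verify the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def audience_is_exactly(claims, expected):
    """True only if 'aud' names exactly the expected resource server.

    A token whose aud lists both systems (the Entra ID workaround) is
    rejected here: such a bearer token can be replayed from one system
    against the other, which is why the ticket calls it less secure.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return aud == [expected]


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned (alg=none) token for offline demos only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample tokens: one exchanged for Nextcloud only, one
    # minted with both audiences at once.
    exchanged = make_unsigned_jwt({"iss": "https://idp.example/realms/demo",
                                   "sub": "user-1", "aud": "nextcloud"})
    multi = make_unsigned_jwt({"iss": "https://idp.example/realms/demo",
                               "sub": "user-1", "aud": ["openproject", "nextcloud"]})
    print("exchanged token accepted:", audience_is_exactly(decode_claims(exchanged), "nextcloud"))
    print("multi-audience token accepted:", audience_is_exactly(decode_claims(multi), "nextcloud"))
    print(build_token_exchange_request("<op-access-token>", "nextcloud", "openproject", "<secret>"))
```

The `audience` value is the target client's id at the IdP; Keycloak additionally requires that the requesting client is permitted to exchange tokens for that audience, which is configured on the IdP side and is the part the docs link referenced above would have to cover.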