Updated by Parimal Satyal over 1 year ago
**As** an administrator setting up the OpenProject side of the OpenProject-Nextcloud integration
**I want to** have a second option to use OIDC-based access tokens instead of OAuth2 access tokens when I also use an IdP like Keycloak for single sign-on (SSO)
**so that** not every user needs to go through the OAuth grant flow.
**Acceptance criteria**
* In the file storages settings for Nextcloud, there is a new step 2 in which the admin is asked what type of integration she wants to set up:
  * OAuth2 (default)
  * OIDC (advanced)
* If the admin chooses "OAuth2", then step 3 will be "OAuth applications" with the sub-steps "OpenProject OAuth" and "Nextcloud OAuth" as we currently have them.
* If the admin chooses "OIDC", then it will show information text with a link for further documentation.
* It shows a warning if there is no OIDC configured (on OpenProject's side).
* It tells the admin that the setup was only successfully tested with Keycloak and not with other OIDC providers.
  * Background: Keycloak supports the OAuth2 Token Exchange protocol when a certain feature flag is activated. Other OIDC providers AFAIK do not (yet).
  * Entra ID does not support it. Entra would need to hand out less secure access tokens with audiences for both systems at once. We could of course support (but explicitly not advise) and test this. We could also advise using a Keycloak in between Entra ID and OP/NC.
* It tells the admin to follow the setup instructions in the docs on how to configure OIDC in OpenProject and how to configure the OIDC provider, and offers a link to the correct OpenProject docs.
* The admin is required to select an OIDC provider. The admin can choose from the configured OIDC providers of type "Keycloak" in OpenProject (dropdown).
* The admin needs to enter the OIDC client ID of Nextcloud (text input).
* The save button should be labeled "save" (to be confirmed).
* The admin needs to be able to switch between OAuth2 and OIDC on existing file storages, to provide a migration path.
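The background notes above contrast two ways of getting a Nextcloud-usable token: a Keycloak-style token exchange that mints a token scoped to the Nextcloud audience, versus an IdP handing out one token whose audience lists both systems. The following added example (not code from this work package, OpenProject or Nextcloud) shows the RFC 8693 token-exchange request body such an exchange uses and the audience check a resource server runs on already signature-verified claims; the strict check rejects a token that is also valid for another system, which is what makes the shared-audience variant weaker. Client IDs, secrets and token strings are constructed placeholders.

```python
"""Added example: RFC 8693 token-exchange request and an audience check.
Not part of the OpenProject/Nextcloud code base; all identifiers below are
constructed placeholders."""
from urllib.parse import urlencode

# Constants defined by RFC 8693 (OAuth 2.0 Token Exchange).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_token_exchange_request(subject_token, client_id, client_secret, audience):
    """Form-encoded body for the IdP token endpoint (RFC 8693 section 2.1).

    The calling system (here: OpenProject) presents its own access token as
    the subject_token and asks for a new token whose audience is the other
    system's client (here: Nextcloud). The IdP decides whether this client
    may exchange for that audience, so each token stays single-purpose.
    """
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
    }
    return urlencode(params)


def check_audience(claims, expected_audience, allow_shared=False):
    """Resource-server audience policy on claims whose signature has already
    been verified by the JWT library in use (this function does no crypto).

    'aud' may be a string or a list of strings (RFC 7519 section 4.1.3).
    With allow_shared=False a token that also names other audiences is
    rejected: a token accepted by two systems at once means a token leaked
    from either one is usable against the other.
    """
    aud = claims.get("aud")
    if aud is None:
        return (False, "token has no aud claim")
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if expected_audience not in audiences:
        return (False, "token not issued for this resource")
    others = [a for a in audiences if a != expected_audience]
    if others and not allow_shared:
        return (False, "token also valid for %s; shared-audience token rejected"
                % ", ".join(others))
    return (True, "ok")


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    body = build_token_exchange_request(
        subject_token="<openproject-access-token>",
        client_id="openproject",
        client_secret="<openproject-client-secret>",
        audience="nextcloud",
    )
    print("token exchange body:", body)

    # Token minted by the exchange: single audience, accepted strictly.
    print(check_audience({"aud": "nextcloud"}, "nextcloud"))
    # Shared-audience token as described for Entra ID: rejected unless the
    # deployment explicitly opts into the weaker policy.
    shared = {"aud": ["openproject", "nextcloud"]}
    print(check_audience(shared, "nextcloud"))
    print(check_audience(shared, "nextcloud", allow_shared=True))
```

The `allow_shared` switch is the only difference between the two setups on the receiving side; the exchange-based setup never needs it because the IdP already scoped the token to one audience.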
**Figma**
Figma wireframes