Updated by Jan Sandbrink over 1 year ago
**As** a user
**I want to** use SSO once and have the Nextcloud (NC) integration working right away
**so that** I do not have to take the extra step of completing OAuth2 grant flows again and again.
**Acceptance criteria**
* User's OIDC access and refresh tokens are saved to the database, along with the audience where they can be used.
* When a storage is configured for authentication through the central OIDC provider (IDP):
* Nextcloud queries and commands that act on the user's behalf are able to use the OIDC access token instead of the OAuth2 bearer token; the token used must have NC as its audience.
* OIDC tokens issued by the IDP are saved to the database.
* Expired access\_tokens are refreshed automatically.
* Expiry of the refresh\_token is handled automatically in the background where possible; otherwise the user has to log in again.
* When no stored access token has the required audience, a token exchange at the IDP is attempted automatically.
* When a storage is configured for two-way OAuth 2, the authentication behaviour remains the same as before.
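The acceptance criteria above describe one decision procedure: use the stored token whose audience matches, refresh it when it has expired, fall back to an RFC 8693 token exchange when no token carries the required audience, and send the user back to login when the refresh token is gone too. The following is an added example of that procedure, not code from this work package or from the project; `TokenStore`, `FakeIdp`, `ReloginRequired` and the audience strings are assumptions, and `FakeIdp` is a constructed in-memory stand-in for the IDP token endpoint.

```python
"""Added example (not the page's or the project's code): token selection for
Nextcloud calls behind a central OIDC provider. TokenStore, FakeIdp,
ReloginRequired and the audience strings are assumptions; FakeIdp is a
constructed in-memory stand-in for the IDP token endpoint."""
import base64
import json
from dataclasses import dataclass, field

NC_AUDIENCE = "nextcloud"  # assumed: client_id of the Nextcloud app at the IDP
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


class ReloginRequired(Exception):
    """Neither refresh nor exchange can produce a token: the user must log in again."""


@dataclass
class OidcToken:
    access_token: str
    refresh_token: str
    audience: str      # stored beside the token, as the acceptance criteria require
    expires_at: float  # unix seconds


@dataclass
class TokenStore:
    """Stand-in for the DB table: one row per (user, audience)."""
    rows: dict = field(default_factory=dict)

    def put(self, user, tok):
        self.rows[(user, tok.audience)] = tok

    def get(self, user, audience):
        return self.rows.get((user, audience))

    def any_valid(self, user, now):
        """Any unexpired token of the user, usable as subject_token for an exchange."""
        return next((t for (u, _), t in self.rows.items() if u == user and now < t.expires_at), None)


def jwt_claims(token):
    """Decode a JWT payload without verifying it: enough for the client to pick a token
    by 'aud'. Nextcloud, as the resource server, must still verify the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def build_token_exchange_request(subject_token, audience):
    """Form parameters of an RFC 8693 token exchange request to the IDP token endpoint."""
    return {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token": subject_token,
            "subject_token_type": ACCESS_TOKEN_TYPE, "audience": audience}


def resolve_access_token(store, user, audience, idp, now):
    """Token for `audience`: cached if valid, else refreshed, else exchanged, else relogin."""
    tok = store.get(user, audience)
    if tok is not None and now < tok.expires_at:
        return tok.access_token
    if tok is not None:
        refreshed = idp.refresh(tok.refresh_token, now)  # None once the refresh_token expired
        if refreshed is not None:
            store.put(user, refreshed)
            return refreshed.access_token
    subject = store.any_valid(user, now)
    if subject is not None:
        exchanged = idp.token_exchange(build_token_exchange_request(subject.access_token, audience), now)
        # never trust the IDP blindly: the returned token must really carry the audience we asked for
        if exchanged is not None and jwt_claims(exchanged.access_token).get("aud") == audience:
            store.put(user, exchanged)
            return exchanged.access_token
    raise ReloginRequired(f"no usable OIDC token for {user!r} with audience {audience!r}")


def make_jwt(claims):
    """Constructed, unsigned JWT-shaped token (header.payload.signature), demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


class FakeIdp:
    """Constructed in-memory IDP: issues, refreshes (with rotation) and exchanges tokens."""
    def __init__(self, access_ttl=300, refresh_ttl=3600):
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self.refresh_tokens = {}  # refresh_token -> (sub, aud, expires_at)
        self.exchanges = []       # exchange requests received, kept for inspection
        self.serial = 0

    def issue(self, sub, aud, now):
        self.serial += 1
        rt = f"rt-{self.serial}"
        self.refresh_tokens[rt] = (sub, aud, now + self.refresh_ttl)
        access = make_jwt({"sub": sub, "aud": aud, "exp": now + self.access_ttl})
        return OidcToken(access, rt, aud, now + self.access_ttl)

    def refresh(self, rt, now):
        entry = self.refresh_tokens.pop(rt, None)  # rotation: the old refresh_token is spent
        if entry is None or now >= entry[2]:
            return None
        return self.issue(entry[0], entry[1], now)

    def token_exchange(self, params, now):
        self.exchanges.append(params)
        if params.get("grant_type") != TOKEN_EXCHANGE_GRANT or params.get("subject_token_type") != ACCESS_TOKEN_TYPE:
            return None
        subject = jwt_claims(params["subject_token"])
        if subject["exp"] <= now:
            return None  # an expired subject_token must not be exchanged
        return self.issue(subject["sub"], params["audience"], now)
```

The order of the checks matters: refresh is tried before exchange because it keeps the token bound to the audience the user already consented to, and the exchange path only uses an unexpired subject token, so an attacker who obtains a stale row from the database cannot turn it into a fresh Nextcloud token. A real IDP also rotates refresh tokens, which is why `FakeIdp.refresh` discards the old one and the store always overwrites the row.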