Updated by Jan Sandbrink over 1 year ago
**As** an administrator
**I want to** have a feature to check tokens handed out by the OpenID Connect provider for usability in my Storage provider
**so that** I understand whether the interaction between OpenProject and the IDP yields tokens usable for accessing Nextcloud
**Acceptance criteria**
* Feature is available when user chooses to authenticate through OIDC and has already entered the Nextcloud Client ID
* Feature performs checks with token of the currently logged in user (usually the admin)
* If the token is deemed usable for use in Nextcloud:
  * Show success
* If the token is not deemed usable for use in Nextcloud:
  * ... and if IDP offers no token exchange:
    * show error
  * ... and if IDP offers token exchange capability: Try to exchange token
    * if exchange succeeds: show success
    * if exchange fails: show error
* Also indicate correct configuration of OIDC provider: Show warning if provider is not set up to request the offline\_access scope (which is supposed to result in long-lived refresh tokens that do not expire).
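
The decision flow from the acceptance criteria, as an added Ruby sketch (not OpenProject's implementation). Assumptions: "usable" means the Nextcloud Client ID appears in the token's `aud` claim and the token has not expired, token exchange capability is read from `grant_types_supported` in the IDP's discovery metadata, and `exchanger` is a hypothetical callable standing in for the actual exchange request.

```ruby
require "json"

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange" # RFC 8693

# Reads JWT claims without verifying the signature: a diagnostic on a token
# already received from the IDP, never an authorization decision.
def jwt_claims(token)
  segments = token.to_s.split(".")
  return nil unless segments.size == 3
  payload = segments[1].tr("-_", "+/")
  JSON.parse((payload + "=" * (-payload.length % 4)).unpack1("m0"))
rescue ArgumentError, JSON::ParserError
  nil
end

# Assumption: "usable" = storage client ID listed in `aud` and token not expired.
def usable_for?(token, client_id, now: Time.now.to_i)
  claims = jwt_claims(token)
  return false unless claims.is_a?(Hash)
  Array(claims["aud"]).include?(client_id) && claims["exp"].to_i > now
end

# exchanger: hypothetical callable standing in for the RFC 8693 request to the IDP.
def check_token(token:, client_id:, idp_metadata:, requested_scopes:, exchanger: nil)
  warnings = []
  warnings << "offline_access scope is not requested" unless requested_scopes.include?("offline_access")
  status =
    if usable_for?(token, client_id)
      :success
    elsif !Array(idp_metadata["grant_types_supported"]).include?(TOKEN_EXCHANGE_GRANT)
      :error # no token exchange offered
    else
      # Assumption: the exchange succeeded only if the new token passes the same check.
      usable_for?(exchanger&.call(token, client_id), client_id) ? :success : :error
    end
  { status: status, warnings: warnings }
end

# Constructed sample token (placeholder signature) for trying the check offline.
def sample_token(aud, exp: Time.now.to_i + 300)
  enc = ->(h) { [JSON.generate(h)].pack("m0").tr("+/", "-_").delete("=") }
  [enc.call({ "alg" => "none" }), enc.call({ "aud" => aud, "exp" => exp }), "sig"].join(".")
end
```

The missing `offline_access` scope is reported as a warning independently of the success or error status, matching the last criterion.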