**As** an administrator
**I want to** Begin of the insertionreceive feedback on configuration errors during setupEnd of the insertion Begin of the deletion have a feature to check tokens handed out by the OpenID Connect provider for usability in my Storage providerEnd of the deletion
**so that** I understand, whether the interaction between Begin of the insertionOpenProject,End of the insertion Begin of the deletion OpenProject andEnd of the deletion the IDP Begin of the insertionandEnd of the insertion Begin of the deletion yields tokens usable for accessingEnd of the deletion Nextcloud Begin of the insertionwill work.End of the insertion

**Acceptance criteria**

* Begin of the insertionIf no OIDC providerEnd of the insertion Begin of the deletion FeatureEnd of the deletion is Begin of the insertionconfigured on OpenProject's side, it shows a warning

* Including a linkEnd of the insertion Begin of the deletion available when user choosesEnd of the deletion to Begin of the insertiondocs for setting up anEnd of the insertion Begin of the deletion authenticate throughEnd of the deletion OIDC Begin of the insertionprovider

* Including a link to docs for specific requirements for an OIDC provider used in this scenario

* If an OIDC provider is configured, show warning if provider is not set-up to requestEnd of the insertion Begin of the deletion and has already enteredEnd of the deletion the Begin of the insertionoffline\_access scope

End of the insertion Begin of the deletion Nextcloud Client ID

End of the deletion * Begin of the insertionIncluding a link to docs for specific requirements for an OIDC provider used in this scenario

* Once a Nextcloud client ID has been entered, check suitabilityEnd of the insertion Begin of the deletion Feature performs checks with tokenEnd of the deletion of Begin of the insertionaccess token forEnd of the insertion Begin of the deletion theEnd of the deletion currently logged in user (usually the admin) Begin of the insertion

End of the insertion Begin of the deletion

End of the deletion * If the token is deemed usable for use in Nextcloud: Begin of the insertion

End of the insertion Begin of the deletion

End of the deletion * Show success Begin of the insertion(roughly: "IDP token is usable to access storage")

End of the insertion Begin of the deletion

End of the deletion * If the token is not deemed usable for use in Nextcloud Begin of the insertion

End of the insertion Begin of the deletion

End of the deletion * ... and if IDP offers no token exchange: Begin of the insertion

End of the insertion Begin of the deletion

End of the deletion * show error Begin of the insertion(roughly: "IDP token does not seem suitable to access storage")

End of the insertion Begin of the deletion

End of the deletion * ... and if IDP offers token exchange capability: Try to exchange token Begin of the insertion

End of the insertion Begin of the deletion

End of the deletion * if exchange succeeds: show success Begin of the insertion(roughly: "IDP token could be exchanged for token to access storage")

End of the insertion Begin of the deletion

End of the deletion * if exchange fails: show error Begin of the insertion(roughly: "Attempted token exchange failed")End of the insertion Begin of the deletion

* Also indicate correct configuration of OIDC provider: Show warning if provider is not set-up to request the offline\_access scope (which is supposed to result in long-lived refresh tokens that do not expire).End of the deletion