Updated by Jan Sandbrink over 1 year ago
**As** a user
**I want to** use SSO once and have the Nextcloud (NC) integration working right away
**so that** I do not need to take the extra steps of completing OAuth2 grant flows again and again.
**Acceptance criteria**
* The user's OIDC access and refresh tokens are saved to the database, along with the audience for which they can be used.
* When storage is configured for authentication through the central OIDC provider (IDP):
  * Nextcloud queries and commands that act on the user's behalf use access tokens issued by the IDP to authenticate requests (the token used must have NC as its audience).
  * Expired access tokens are refreshed.
  * When no stored access token has the required audience, a token exchange at the IDP is attempted.
* As a client we must behave in compliance with the open standards we follow:
  * Specifically, [OAuth 2.0](https://www.rfc-editor.org/rfc/rfc6749.html), [OAuth 2.0 Token Exchange](https://www.rfc-editor.org/rfc/rfc8693) and [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0.html)
  * e.g. we should accept that an access token might be opaque and should only optionally assume it to be a JWT
* When storage is configured for two-way OAuth 2, the authentication behaviour remains the same as before.
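The token-selection logic the acceptance criteria describe (pick the stored token for the required audience, refresh it if expired, otherwise request an RFC 8693 token exchange), as an added illustration rather than OpenProject's own code. The `StoredToken` record, the `"openproject"` self-audience and the `refresh`/`exchange` callables standing in for the IDP HTTP client are assumptions; access tokens are treated as opaque, with expiry taken from the IDP's `expires_in` rather than from decoding a JWT.

```ruby
require "time"

# Constructed self-audience: the audience of the token obtained at SSO login.
SELF_AUDIENCE = "openproject"

# One persisted token row. The audience is stored with the tokens so a token is
# only ever sent to the resource it was issued for.
StoredToken = Struct.new(:audience, :access_token, :refresh_token, :expires_at,
                         keyword_init: true) do
  # Opaque token: expiry is tracked from expires_in, never parsed from the token.
  def expired?(now = Time.now)
    now >= expires_at
  end
end

# Form parameters for an RFC 8693 token-exchange request at the IDP.
def exchange_request_params(subject_token, audience)
  {
    grant_type:         "urn:ietf:params:oauth:grant-type:token-exchange",
    subject_token:      subject_token,
    subject_token_type: "urn:ietf:params:oauth:token-type:access_token",
    audience:           audience
  }
end

# Returns an access token valid for +audience+, or nil if none can be obtained.
# +refresh+ and +exchange+ are hypothetical callables that perform the IDP
# round trip and return the parsed token response hash.
def access_token_for(tokens, audience:, refresh:, exchange:, now: Time.now)
  token = tokens.find { |t| t.audience == audience }
  if token.nil?
    # No token for this audience yet: exchange our own, still-valid token for one.
    own = tokens.find { |t| t.audience == SELF_AUDIENCE && !t.expired?(now) }
    return nil if own.nil?
    resp  = exchange.call(exchange_request_params(own.access_token, audience))
    token = StoredToken.new(audience: audience,
                            access_token: resp["access_token"],
                            refresh_token: resp["refresh_token"],
                            expires_at: now + resp["expires_in"])
    tokens << token
  elsif token.expired?(now)
    # Refresh in place; the IDP may or may not rotate the refresh token.
    resp = refresh.call(token.refresh_token)
    token.access_token  = resp["access_token"]
    token.refresh_token = resp.fetch("refresh_token", token.refresh_token)
    token.expires_at    = now + resp["expires_in"]
  end
  token.access_token
end
```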