Updated by Sajan Gurung over 1 year ago
**As** an administrator setting up the Nextcloud side of the OpenProject-Nextcloud integration
**I want to** have a second option to use OIDC-based access tokens instead of OAuth2 access tokens when I also use an IdP like Keycloak for single sign-on (SSO)
**so that** not every user needs to go through the OAuth grant flow
**Acceptance criteria**
* Step 1
    * stays the same
* Step 2
    * In the app's settings, there is a new step 2 ("Authentication method") in which the admin is asked what type of integration she wants to set up
        * "OAuth2 two-way authorization code flow"
            * default value
        * "OpenID identity provider"
            * When the User OIDC app is not installed
                * This option is deactivated
                * An info with the link to the User OIDC app is shown underneath
    * The admin saves the selection with a "Save" button
* Step 3 and onwards
    * If the admin chooses "OAuth2"
        * then the next steps will be the current Steps 2 and onwards.
    * If the admin chooses "OIDC"
        * then it will show "Authentication settings"
            * information text with a link for further documentation.
            * It shows a warning if the app "user\_oidc" is not installed.
            * It states that the setup has only been tested successfully with Keycloak and not with other OIDC providers.
            * It instructs the admin to follow the setup instructions in the docs on how to configure "user\_oidc" and the OIDC provider, and offers a link to the correct OpenProject docs.
            * The admin is required to select an OIDC provider. The admin can choose from the OIDC providers configured in Nextcloud (dropdown).
            * The admin needs to enter the OIDC client ID of OpenProject (text input)
* The admin needs to be able to switch between OAuth2 and OIDC on existing configurations, to provide a migration path.
**Figma**
workPackageValue:"Figma wireframes"
### Steps for Testing:
1. Clone the latest [integration app](https://github.com/nextcloud/integration_openproject)
2. Start NC, OP and Keycloak using [this doc](https://github.com/nextcloud/integration_openproject/blob/master/docs/setup_nc_op__full.md)
3. (Optional) In Keycloak, add a new realm and two OIDC clients for NC and OP, and enable token exchange between the two clients.
    **NOTE:** These are done automatically when the Keycloak service starts ([check the available values](https://github.com/nextcloud/integration_openproject/blob/master/docs/setup_nc_op__full.md#keycloak-realm-configuration)). If you want to do it manually, see [this doc](https://schiessle.eu/en/articles/2023/07/04/nextcloud-and-openid-connect/).
4. In NC, download and enable the [user\_oidc](https://github.com/nextcloud/user_oidc) app
5. (In NC) From the OpenID admin settings, add the OIDC provider. See [https://schiessle.eu/en/articles/2023/07/04/nextcloud-and-openid-connect/](https://schiessle.eu/en/articles/2023/07/04/nextcloud-and-openid-connect/)
6. (In NC) From the OpenProject admin settings, set up the connection via the OIDC method
    1. Add the OpenProject URL (for URLs, see [https://github.com/nextcloud/integration\_openproject/blob/master/docs/setup\_nc\_op\_\_full.md#run-the-setup](https://github.com/nextcloud/integration_openproject/blob/master/docs/setup_nc_op__full.md#run-the-setup))
    2. Select the OIDC method
    3. Select the OIDC provider (Keycloak)
    4. Add the client ID set for OpenProject (client ID from Keycloak)
    5. Finish setup with/without groupfolders