Authorization and authentication flow

Nextcloud can act as an auth provider through several mechanisms:

  • OAuth2
  • OpenID connect
  • SAML
  • LDAP
  • App passwords

For our current purpose we should focus on OAuth2/OIDC, since we want the OpenProject backend to act as a client of the Nextcloud server. Besides requests tunneled from the browser through the OpenProject frontend, we also want to make server-to-server requests, e.g. to fetch metadata for our file references.

OAuth2

These are the facts about the Nextcloud server as an OAuth2 provider:

  • in the Nextcloud admin settings, an OAuth2 client app is registered by defining an app name and a redirect URL
  • a client id and a client secret are generated for it
    • WARNING: the client secret is NOT hashed in the database and can be retrieved at any time by users with admin privileges
    • possible security implication: an attacker who obtains a leaked client secret can build a client app that impersonates OpenProject and, with an intercepted authorization code, exchange it for the user's Nextcloud access token; the registered redirect URL is then the only thing limiting where codes are delivered, which is why PKCE matters here
  • only the authorization code grant is supported, currently without PKCE
    • JV: he will bring this topic into the Nextcloud internal round; maybe we can enable the PKCE extension in Nextcloud soon

OpenProject backend

  • the backend will serve as the client for the OAuth2 connection to the Nextcloud server
  • access and refresh tokens must not leave the backend's scope
    • tokens are always bound to an OpenProject user's scope
    • tokens should be stored encrypted in a table
      • TBD: which key is used for encryption?
  • the oauth2 gem can be used to create and configure OAuth2 clients in Ruby

OpenProject frontend

  • will only authenticate against the OpenProject backend
  • will communicate with the tunneling API to fetch any data from Nextcloud
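The flow sketched in the three sections above (browser redirected to Nextcloud, backend exchanging the code, tokens encrypted per OpenProject user), as an added example that is not OpenProject's or Nextcloud's own code. It uses only the Ruby standard library instead of the oauth2 gem so it runs stand-alone; the module name, the instance URLs, the Nextcloud endpoint paths, the key handling and the injectable `http_post` are assumptions for illustration and must be checked against the real instance and OpenProject's configuration. The PKCE helper shows what would be sent once Nextcloud supports the extension; it is not used against a server that lacks it.

```ruby
require "securerandom"
require "digest"
require "base64"
require "json"
require "uri"
require "net/http"
require "openssl"

# Added example (not OpenProject or Nextcloud code). URLs, paths and names are assumptions.
module NextcloudOAuth
  NEXTCLOUD_BASE = "https://nextcloud.example.org"        # assumed Nextcloud instance
  AUTHORIZE_PATH = "/index.php/apps/oauth2/authorize"      # Nextcloud oauth2 app (assumed path)
  TOKEN_PATH     = "/index.php/apps/oauth2/api/v1/token"   # Nextcloud oauth2 app (assumed path)

  # Random state per login attempt; kept in the OpenProject session, never in the URL alone.
  def self.new_state
    SecureRandom.urlsafe_base64(32)
  end

  # PKCE (RFC 7636) verifier/challenge. Nextcloud does not support PKCE yet, so this
  # is only sent once the server side offers it; S256 = base64url(sha256(verifier)).
  def self.pkce_pair
    verifier  = SecureRandom.urlsafe_base64(48)   # 64 chars, inside the 43..128 limit
    challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
    [verifier, challenge]
  end

  # Step 1: the backend builds the URL the browser is redirected to.
  def self.authorize_url(client_id:, redirect_uri:, state:, code_challenge: nil)
    params = { "response_type" => "code", "client_id" => client_id,
               "redirect_uri" => redirect_uri, "state" => state }
    params.merge!("code_challenge" => code_challenge, "code_challenge_method" => "S256") if code_challenge
    "#{NEXTCLOUD_BASE}#{AUTHORIZE_PATH}?#{URI.encode_www_form(params)}"
  end

  # Step 2: on the callback, reject the code unless the state matches the session's
  # (login CSRF protection); the compare is constant-time.
  def self.verify_callback!(expected_state, params)
    raise "state mismatch, possible login CSRF" unless params["state"] && secure_compare(expected_state, params["state"])
    params.fetch("code")
  end

  # Step 3: the backend (never the browser) exchanges the code for tokens.
  # `http_post` is injectable so the exchange can be exercised offline.
  def self.exchange_code(client_id:, client_secret:, redirect_uri:, code:, code_verifier: nil, http_post: method(:post_form))
    form = { "grant_type" => "authorization_code", "code" => code, "redirect_uri" => redirect_uri,
             "client_id" => client_id, "client_secret" => client_secret }
    form["code_verifier"] = code_verifier if code_verifier
    token_request(form, http_post)
  end

  # Same endpoint, refresh_token grant; also backend-only.
  def self.refresh(client_id:, client_secret:, refresh_token:, http_post: method(:post_form))
    token_request({ "grant_type" => "refresh_token", "refresh_token" => refresh_token,
                    "client_id" => client_id, "client_secret" => client_secret }, http_post)
  end

  def self.token_request(form, http_post)
    status, body = http_post.call(URI("#{NEXTCLOUD_BASE}#{TOKEN_PATH}"), form)
    raise "token endpoint returned HTTP #{status}" unless status == 200
    json = JSON.parse(body)
    { "access_token"  => json.fetch("access_token"),
      "refresh_token" => json["refresh_token"],
      "expires_at"    => Time.now.to_i + json.fetch("expires_in").to_i }
  end

  def self.post_form(uri, form)
    res = Net::HTTP.post_form(uri, form)
    [res.code.to_i, res.body]
  end

  # Step 4: tokens at rest. AES-256-GCM under a backend-only key (which key OpenProject
  # derives it from is still TBD); the OpenProject user id is bound in as authenticated
  # data, so a ciphertext copied to another user's row fails to decrypt.
  def self.encrypt_tokens(key, user_id, tokens)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv                        # 12 bytes, fresh for every record
    cipher.auth_data = "openproject-user:#{user_id}"
    ciphertext = cipher.update(JSON.generate(tokens)) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
  end

  def self.decrypt_tokens(key, user_id, blob)
    raw = Base64.strict_decode64(blob)
    iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..-1]
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = "openproject-user:#{user_id}"
    JSON.parse(cipher.update(ciphertext) + cipher.final)   # CipherError if tag or AAD mismatch
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The client secret only ever appears in `token_request`, i.e. in a backend-to-Nextcloud call; the frontend sees the authorize URL and the callback, nothing else. Binding the user id into the GCM authenticated data is what keeps the stored tokens tied to one OpenProject user's scope even if someone can read or rewrite the table.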