Nextcloud supports several techniques as an auth provider:

• OAuth2
• OpenID connect
• SAML
• LDAP
• App passwords

For our current purpose we should focus on OAuth2/OIDC, as we want our OpenProject backend to work as a client to the nextcloud server. Besides tunneled requests from the browser with the OP frontend, we also want to make server to server request to e.g. fetch meta data of our file references.

OAuth2

Those are the facts about the nextcloud server as an OAuth2 provider:

• nextcloud users can create OAuth2 provider apps by defining an app name and a redirect URL
• client id and client secret are created
  • WARNING: the client secret is NOT hashed in the database and can get retrieved at any time by the users with admin privileges
  • possible security implication: there is an attack vector, when an attacker gets a leaked client secret and can write a impersonating client app to steal user credentials
• only supports authorization code grant, currently without PKCE
  • JV: he will bring this topic into nextcloud internal round, maybe we can enable PKCE extension in nextcloud soon

OpenProject backend

• the backend will serve as a client for the OAuth2 connection to the nextcloud server
• access and refresh tokens must not leave backend scope
  • tokens are always linked to an OpenProject user's scope
  • tokens should be stored encrypted in a table
    • TBD: which key is used for encryption?
• gem oauth2 can be used to create and configure OAuth2 clients in ruby

OpenProject frontend

• will only authenticate against OpenProject backend
• will communicate with tunneling API to fetch any data from nextcloud