
Access resource at the Nextcloud instance

Open markus2330 opened this issue 3 years ago • 5 comments

I would like to implement a web app https://github.com/ElektraInitiative/PermaPlant/ where:

  1. login works with the accounts from a Nextcloud instance
  2. it can access notifications, files, chats etc. from the very same Nextcloud instance

Searching for a Nextcloud app that can fulfill these requirements, I came across this app.

The main README says:

Currently it is not yet possible to use an issued JWT Token to access resources at the Nextcloud instance itself. (Future implementation planned)

Which sounds like support of "2." is also planned? Is there any timeline?

Are there alternatives to achieve 1+2? I was also thinking of implementing https://github.com/ElektraInitiative/PermaPlant/ directly as a Nextcloud app, but I could not find any way to run the app in full screen, i.e. without losing any screen space; there is the old thread https://help.nextcloud.com/t/full-screen-mode/3619 without any answer.

markus2330 avatar Dec 29 '22 10:12 markus2330

Currently there is no fixed timeline for this feature. I will investigate possible solution options in the next days.

H2CK avatar Jan 01 '23 14:01 H2CK

Short intermediate feedback: Since Nextcloud's authentication mechanism is defined very strictly in the core module, it is not sufficient to just receive the JWT, perform validations on the JWT (signature, iss, exp, ...) and in the positive case "declare" the user as authenticated. This last step, "authentication of the user", currently additionally requires either the user password or a token (not the JWT from the oidc app, but a Nextcloud access token). I am still trying to find a proper solution for this final step.

H2CK avatar Jan 13 '23 19:01 H2CK
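The JWT checks the comment above lists (signature, iss, exp) are illustrated here as an added Python example; it is not code from the issue thread, from the oidc app or from Nextcloud. The HS256 key, the issuer URL and the client_id are constructed values, and the example only covers the relying-party side of validation, i.e. the part that the comment says is not by itself enough to create a Nextcloud user session. Algorithm pinning and `aud`/`nbf` checks are included because a verifier that skips them accepts tokens it should not.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values (assumptions, not the oidc app's real configuration).
SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISS = "https://cloud.example.test/apps/oidc"  # assumed issuer URL
EXPECTED_AUD = "permaplant"                           # assumed client_id of the relying party


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Build a compact HS256 JWT (only used to produce sample tokens here)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes = SECRET,
                 now: Optional[int] = None) -> Tuple[bool, str, Optional[dict]]:
    """Return (ok, reason, claims). Order: structure, alg, signature, iss, aud, exp, nbf, sub."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable", None
    # Pin the algorithm on the verifier side; the token must not choose it.
    if header.get("alg") != "HS256":
        return False, "bad_alg", None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature", None
    if claims.get("iss") != EXPECTED_ISS:
        return False, "bad_iss", None
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in auds:
        return False, "bad_aud", None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired", None
    if isinstance(claims.get("nbf"), int) and now < claims["nbf"]:
        return False, "not_yet_valid", None
    if not claims.get("sub"):
        return False, "no_sub", None
    return True, "ok", claims


def demo() -> dict:
    """Run the verifier over constructed tokens with a fixed clock; returns the reason per case."""
    now = 1_700_000_000
    good = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "alice", "iat": now, "exp": now + 300}
    results = {
        "valid": verify_hs256(mint_hs256(good), now=now)[1],
        "expired": verify_hs256(mint_hs256({**good, "exp": now - 1}), now=now)[1],
        "wrong_issuer": verify_hs256(mint_hs256({**good, "iss": "https://other.example.test"}), now=now)[1],
        "wrong_audience": verify_hs256(mint_hs256({**good, "aud": "some-other-client"}), now=now)[1],
        "wrong_key": verify_hs256(mint_hs256(good, secret=b"a-different-key"), now=now)[1],
    }
    # A token whose header claims "alg": "none" and carries no signature must be rejected.
    unsigned = _b64url_encode(b'{"alg":"none"}') + "." + mint_hs256(good).split(".")[1] + "."
    results["alg_none"] = verify_hs256(unsigned, now=now)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:15s} -> {reason}")
```

Even when every case above passes, the result is only "this token is genuine and meant for us"; as the comment explains, turning that into a Nextcloud session is a separate step that core currently ties to a password or a Nextcloud-issued token.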

Thank you for your investigations! Looking forward to a solution.

For the use case that the external web app itself gets username+password, the password for the authentication should be available, shouldn't it?

markus2330 avatar Jan 14 '23 11:01 markus2330

Are there any updates on this issue? Is there a timeline for "use the provided Access Tokens or ID Tokens to access resources from the Nextcloud instance"?

absurd-turtle avatar Apr 07 '23 10:04 absurd-turtle

Sorry for the late reply. Currently there is no timeline, since there is no simple solution. And currently there is no implementation planned.

Current status is: Nextcloud's authentication mechanisms rely on a username/password or a token issued by the Nextcloud server itself (not the oidc app). It is currently not possible to extend this mechanism by any app. So the Nextcloud core framework tries to authenticate any request which contains a BasicAuth or an Authorization Bearer token. So if you would pass the issued JWT (from the oidc app) to your Nextcloud instance in the Authorization Bearer header, it will be declined before reaching the oidc app at all.

Possible solution: Nextcloud server itself is extended to accept JWTs issued by the oidc app. Maybe you could place a feature request at Nextcloud itself.

Alternative solutions: Those solutions will be extremely proprietary, since the JWT has to be passed in a very unusual way (not in the Authorization header). And even in this case the oidc app must ask the user for the password at first access, which is required to create a user session successfully. For further access requests, either the password must be stored within the app, or an access token must be generated which is then also stored within the app.

If you have further ideas to overcome the Nextcloud core framework limitation you are welcome to share them with me. But currently the only solution that makes sense would be to extend Nextcloud server to allow access to resources based on JWTs issued by the oidc app.

H2CK avatar Apr 07 '23 19:04 H2CK