OIDC dynamic client registration
I suggest implementing the OIDC dynamic client registration protocol.
I understand that it seems in contradiction with the single-OIDC-provider policy, but I have a concrete use case for this feature:
I have a script that automatically deploys a nextcloud instance (with nextcloud-oidc-login) and canaille OIDC provider instance. I would love nextcloud-oidc-login to be able to automatically connect to my OIDC provider.
Allowing nextcloud-oidc-login to automatically register with the provider would allow me to simply give an initial access token to both the provider and nextcloud-oidc-login, and let them plug together.
What do you think?
I have no issues with this, though I don't understand why you're deploying a new instance of the OIDC provider every time with Nextcloud.
AFAIK there is some way to update config.php at runtime, that would be worth looking into. The client_id and secret should be updated only if dynamic registration is enabled AND client_id is blank (or not present) in the configuration.
Feel free to make a PR.
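To make the proposal above concrete, here is an added example (not code from nextcloud-oidc-login or canaille, and not posted by anyone in this thread) of the RFC 7591 exchange the first post describes, together with the "register only if dynamic registration is enabled AND client_id is blank" rule from the reply. The provider side is an in-process stand-in for a registration endpoint so it runs offline; the config keys `oidc_login_dynamic_registration` and `oidc_login_redirect_uri`, the initial access token and the redirect URI are assumptions chosen for the example.

```python
import json
import secrets
import time

# Constructed for this example: the initial access token that the deployment
# script hands to both the provider and the client out of band.
INITIAL_ACCESS_TOKEN = "constructed-initial-access-token"


class RegistrationError(Exception):
    pass


# ---------------- provider side (stand-in for a registration endpoint) -------
_registered_clients = {}


def provider_register(headers, body):
    """Minimal RFC 7591 registration endpoint. Returns (http_status, json_dict)."""
    auth = headers.get("Authorization", "")
    # The initial access token is a bearer credential: compare in constant time.
    if not auth.startswith("Bearer ") or not secrets.compare_digest(
        auth[len("Bearer "):], INITIAL_ACCESS_TOKEN
    ):
        return 401, {"error": "invalid_token"}
    try:
        meta = json.loads(body)
    except ValueError:
        return 400, {"error": "invalid_client_metadata"}
    uris = meta.get("redirect_uris")
    # Simplified policy for the example: require at least one https redirect URI.
    if not isinstance(uris, list) or not uris or not all(
        isinstance(u, str) and u.startswith("https://") for u in uris
    ):
        return 400, {"error": "invalid_redirect_uri"}
    record = {
        "client_id": secrets.token_urlsafe(16),
        "client_secret": secrets.token_urlsafe(32),
        "client_id_issued_at": int(time.time()),
        "client_secret_expires_at": 0,  # 0 = does not expire (RFC 7591 semantics)
        "redirect_uris": uris,
        "token_endpoint_auth_method": meta.get("token_endpoint_auth_method", "client_secret_basic"),
        "grant_types": meta.get("grant_types", ["authorization_code"]),
        "response_types": meta.get("response_types", ["code"]),
    }
    _registered_clients[record["client_id"]] = record
    return 201, record


# ---------------- client side (what the Nextcloud app would do) -------------
def build_registration_request(initial_access_token, redirect_uris, client_name):
    """Headers and JSON body for a POST to the provider's registration_endpoint."""
    headers = {
        "Authorization": "Bearer " + initial_access_token,
        "Content-Type": "application/json",
    }
    body = json.dumps({
        "client_name": client_name,
        "redirect_uris": redirect_uris,
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
    })
    return headers, body


def ensure_client_registered(config, send, initial_access_token):
    """Register only when dynamic registration is enabled AND no client_id is set.

    `config` is a dict standing in for config.php values; `send(headers, body)`
    performs the HTTP POST and returns (status, json_dict). Returns
    (new_config, registered_now). Existing credentials are never overwritten.
    """
    if not config.get("oidc_login_dynamic_registration"):  # assumed option name
        return config, False
    if config.get("oidc_login_client_id"):  # already configured: leave untouched
        return config, False
    headers, body = build_registration_request(
        initial_access_token, [config["oidc_login_redirect_uri"]], "Nextcloud"
    )
    status, resp = send(headers, body)
    if status != 201 or "client_id" not in resp:
        raise RegistrationError("registration failed: %s %s" % (status, resp.get("error")))
    new_config = dict(config)
    new_config["oidc_login_client_id"] = resp["client_id"]
    new_config["oidc_login_client_secret"] = resp.get("client_secret", "")
    return new_config, True


if __name__ == "__main__":
    cfg = {
        "oidc_login_dynamic_registration": True,
        "oidc_login_client_id": "",
        "oidc_login_redirect_uri": "https://cloud.example.org/apps/oidc_login/oidc",
    }
    cfg, done = ensure_client_registered(cfg, provider_register, INITIAL_ACCESS_TOKEN)
    print("registered:", done, "client_id:", cfg["oidc_login_client_id"])
```

The `send` callable is passed in so the provider can be the in-process function here and a real HTTP client in a deployment; the only state the client persists is the returned `client_id` and `client_secret`, and a second call with those present is a no-op, which is the condition the reply asks for.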
This is because those are different user bases, hosted at different places.
Regardless, why does that require you to deploy a new OIDC instance? Isn't this a one-time config?
Because the people for whom I deploy nextcloud and the OIDC provider want to host their data on their own infrastructures. There is no way for me to mutualize.
It seems to be supported by OpenID-Connect-PHP