Nextcloud Oauth

So I am trying to get generic OAuth2 logins to work with Nextcloud. The documentation isn’t the best and it doesn’t follow the standard very well, but at least I made some progress. If anyone has some further ideas, please share.

So first I created an OAuth2 client in the Admin settings of Nextcloud. The WriteFreely redirection URL doesn’t seem to be documented anywhere, but it works with:

https://*yourwritefreely*/oauth/callback/generic

Then I copied the client identifier and key over into my WriteFreely config file and, via trial and error and some googling, already found some additional configuration settings:

[oauth.generic]
client_id          = *client identifier*
client_secret      = *secret*
host               = https://yournextclouddomain
display_name       = Nextcloud
callback_proxy     =
callback_proxy_api =
token_endpoint     = /index.php/apps/oauth2/api/v1/token
inspect_endpoint   = /ocs/v2.php/cloud/user?format=json
auth_endpoint      = /index.php/apps/oauth2/authorize
scope              =
allow_disconnect   = false
map_user_id        = user-id
map_username       = 
map_display_name   = 
map_email          = 

This already gets me quite far in the auth flow, but upon redirection to WriteFreely I get the following JSON error:
"Post \"https://mynextcloud/index.php/apps/oauth2/api/v1/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)" Edit: I ran into Nextcloud’s built-in brute-force protection due to too much testing.

So now I am stuck :-/

Might be an issue with Nextcloud, but their Oauth2 server seems to work in general.

So the above error was only because of the brute-force protection of Nextcloud :frowning:
The actual error remains that somehow I can’t get it to understand the JSON response of Nextcloud:
"no UserID (user-id) value returned"
But with an empty setting or user_id it is the same.

I think the JSON response of Nextcloud in general is somehow broken.

Based on that last error message, it sounds like Nextcloud isn’t returning a user-id property on the token inspection endpoint (inspect_endpoint config value).

I’m not familiar with Nextcloud, so I’m just spitballing here. But is it supposed to return a user-id of some kind here? Is that the right field name? Maybe there’s another field you should be configuring for map_user_id to uniquely identify a user?
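As an added illustration of the suggestion above (example code written for this page, not code from WriteFreely or Nextcloud, and not part of the thread): the `/ocs/v2.php/cloud/user?format=json` endpoint does not return a flat object, it wraps the user record in an OCS envelope (`ocs.meta` / `ocs.data`). The sample responses below are constructed, and the envelope shape and the `id`, `display-name` and `email` field names are assumptions based on the OCS user endpoint, not facts taken from the thread. `lookupFlat`, `lookupPath`, `ocsStatusOK` and `resolveUserID` are hypothetical helpers that model a userinfo consumer; whether WriteFreely itself can read a nested path from `map_user_id` is not stated anywhere on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample (assumed shape): the OCS envelope that
// /ocs/v2.php/cloud/user?format=json wraps the user record in.
const ocsUserResponse = `{
  "ocs": {
    "meta": {"status": "ok", "statuscode": 200, "message": "OK"},
    "data": {
      "id": "alice",
      "display-name": "Alice Example",
      "email": "alice@example.org"
    }
  }
}`

// Constructed sample of an OCS failure envelope: valid JSON, no user data.
const ocsErrorResponse = `{
  "ocs": {
    "meta": {"status": "failure", "statuscode": 997, "message": "Current user is not logged in"},
    "data": []
  }
}`

// lookupFlat reads key from the top-level JSON object only, which is what a
// client does when map_user_id names a flat field. On the OCS envelope the only
// top-level key is "ocs", so "user-id" (or "id") is never found.
func lookupFlat(body []byte, key string) (string, bool) {
	var top map[string]interface{}
	if err := json.Unmarshal(body, &top); err != nil {
		return "", false
	}
	s, ok := top[key].(string)
	return s, ok && s != ""
}

// lookupPath walks a dotted path such as "ocs.data.id" through nested objects
// and returns the string it finds. Empty strings are rejected on purpose: an
// empty identifier would map every login onto the same local account.
func lookupPath(body []byte, path string) (string, bool) {
	var cur interface{}
	if err := json.Unmarshal(body, &cur); err != nil {
		return "", false
	}
	for _, seg := range strings.Split(path, ".") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return "", false
		}
		if cur, ok = obj[seg]; !ok {
			return "", false
		}
	}
	s, ok := cur.(string)
	return s, ok && s != ""
}

// ocsStatusOK checks ocs.meta.statuscode before any field of ocs.data is
// trusted; an error envelope parses as valid JSON but carries no user.
func ocsStatusOK(body []byte) bool {
	var env struct {
		OCS struct {
			Meta struct {
				StatusCode int `json:"statuscode"`
			} `json:"meta"`
		} `json:"ocs"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return false
	}
	return env.OCS.Meta.StatusCode == 200
}

// resolveUserID combines both checks the way a userinfo consumer should:
// status first, then the identifier at the configured path.
func resolveUserID(body []byte, path string) (string, error) {
	if !ocsStatusOK(body) {
		return "", fmt.Errorf("OCS status is not 200; not trusting ocs.data")
	}
	id, ok := lookupPath(body, path)
	if !ok {
		return "", fmt.Errorf("no UserID (%s) value returned", path)
	}
	return id, nil
}

func main() {
	body := []byte(ocsUserResponse)
	if _, ok := lookupFlat(body, "user-id"); !ok {
		fmt.Println(`flat lookup of "user-id": no UserID value returned`)
	}
	if id, err := resolveUserID(body, "ocs.data.id"); err == nil {
		fmt.Println("path lookup of ocs.data.id:", id)
	}
	if _, err := resolveUserID([]byte(ocsErrorResponse), "ocs.data.id"); err != nil {
		fmt.Println("error envelope rejected:", err)
	}
}
```

Running it with `go run` shows the flat lookup failing on the same envelope that the path lookup resolves, which is the shape of the "no UserID" error in the thread. Two caveats worth keeping whichever client ends up consuming this endpoint: check the OCS status before reading anything from `ocs.data`, and refuse an empty identifier rather than logging the user in under it.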

Yes, that is also my interpretation. I think their JSON API user backend is not really meant for OIDC-like user authentication and there might be some hiccup with the OAuth2 auth flow regarding it.

Sadly their forum was also not helpful so far: Help with Oauth2 server userinfo json endpoint - Support - Nextcloud community

I currently don’t have time to look into this further, but for reference, this might give the needed hints to make this work: GitHub - bahuma/oauth2-nextcloud: This package provides Nextcloud OAuth 2.0 support for the PHP League's OAuth 2.0 Client