User authentication with OpenID Connect

Nextcloud users can authenticate via an external identity provider. Nextcloud can also be an identity provider itself.

Authentication in Nextcloud

The OpenID Connect user backend app makes it possible for users to authenticate using external Oidc identity providers.

This app can optionally be in charge of user provisioning (by creating users when they first connect) or rely on other user backends and only take care of authentication.

More details in the project’s README

Using Nextcloud as an identity provider

The OIDC Identity Provider community app can be installed to make Nextcloud an identity provider for other services.

This app will allow any Nextcloud user (managed by any user backend) to authenticate during an Oidc login flow. This is useful if you want your Nextcloud instance to be the authority regarding authentication and user profile data among multiple services.

Bearer token validation

Nextcloud can accept Oidc ID tokens and access tokens as valid bearer token for API requests. If using an external identity provider, only the user_oidc app is necessary.

If Nextcloud is the identity provider, you will naturally need the oidc app to make Nextcloud an Oidc provider, and also the user_oidc app because it will take care of validating API requests authentication. In user_oidc, the oidc_provider_bearer_validation config flag needs to be set to true so user_oidc knows it needs to ask the oidc app to validate the received bearer tokens.

More details on bearer token validation