User authentication with OpenID Connect
Nextcloud users can authenticate via an external identity provider. Nextcloud can also be an identity provider itself.
Authentication in Nextcloud
The OpenID Connect user backend app makes it possible for users to authenticate using external Oidc identity providers.
This app can optionally be in charge of user provisioning (by creating users when they first connect) or rely on other user backends and only take care of authentication.
Using Nextcloud as an identity provider
The OIDC Identity Provider community app can be installed to make Nextcloud an identity provider for other services.
This app will allow any Nextcloud user (managed by any user backend) to authenticate during an Oidc login flow. This is useful if you want your Nextcloud instance to be the authority regarding authentication and user profile data among multiple services.
Bearer token validation
Nextcloud can accept Oidc ID tokens and access tokens as valid bearer token for API requests.
If using an external identity provider, only the user_oidc
app is necessary.
If Nextcloud is the identity provider, you will naturally need the oidc
app to make Nextcloud an Oidc provider,
and also the user_oidc
app because it will take care of validating API requests authentication.
In user_oidc, the oidc_provider_bearer_validation
config flag needs to be set to true so user_oidc
knows
it needs to ask the oidc
app to validate the received bearer tokens.