OpenID Connect (OIDC)
There are several ways for apps to interact with the user_oidc and oidc apps: apps can obtain tokens from them and can ask them to validate tokens.
All of the events described here are defined by the user_oidc app, even for use cases that do not involve its main feature, authenticating users against an external identity provider. Every token obtained through these events is a bearer credential: keep it out of logs and pass it only to the service it is meant for.
Getting the login token
When user_oidc authenticates users against an external identity provider, the login token can be stored so that apps can later fetch it via an event. This requires the store_login_token config flag of user_oidc to be enabled; without it, no token is stored and the event yields nothing.
user_oidc refreshes the stored login token automatically when needed during the user session, so apps should request it from the event each time they need it rather than caching their own copy, which may expire.
Apps obtain the login token by emitting the OCA\UserOIDC\Event\ExternalTokenRequestedEvent event and reading the token from the event after it has been dispatched.
Token exchange
If the external identity provider supports token exchange, apps can ask user_oidc to perform one and to deliver the exchanged token by emitting the OCA\UserOIDC\Event\ExchangedTokenRequestedEvent event. Apps must handle the case where the event returns no token, for example when the provider rejects the exchange.
Generating a token if Nextcloud is the provider
If the oidc app is used to make Nextcloud an identity provider, some Nextcloud apps may need to ask Nextcloud to generate a token that they then use to authenticate against an external service.
This requires both the oidc and user_oidc apps to be installed, even if user_oidc is not used as a user backend, because the event lives in user_oidc.
The token is generated by emitting the OCA\UserOIDC\Event\InternalTokenRequestedEvent event.
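The following service shows all three requests (login token, exchanged token, Nextcloud-issued token) from an app's point of view. It is an added example written for this page, not code from the Nextcloud documentation or from the user_oidc or oidc apps. The event class names and the use of OCP\EventDispatcher\IEventDispatcher::dispatchTyped() are from the page and Nextcloud core; the following are assumptions about user_oidc's API and must be checked against the installed version: the events expose the result via getToken(), the exchange and internal-token events take the target audience as a constructor argument, and the returned token object exposes getAccessToken(). The class name OidcTokenService and the namespace OCA\MyApp are hypothetical.

```php
<?php

declare(strict_types=1);

namespace OCA\MyApp\Service;

use OCA\UserOIDC\Event\ExchangedTokenRequestedEvent;
use OCA\UserOIDC\Event\ExternalTokenRequestedEvent;
use OCA\UserOIDC\Event\InternalTokenRequestedEvent;
use OCP\EventDispatcher\IEventDispatcher;
use Psr\Log\LoggerInterface;

/**
 * Hypothetical helper that asks user_oidc for tokens by dispatching its events.
 * Added example; not part of the Nextcloud docs or of user_oidc/oidc.
 */
class OidcTokenService {
	public function __construct(
		private IEventDispatcher $dispatcher,
		private LoggerInterface $logger,
	) {
	}

	/**
	 * Access token of the current user's external login session, or null when
	 * user_oidc is not available, store_login_token is off, or the user did not
	 * log in through user_oidc.
	 */
	public function getLoginAccessToken(): ?string {
		// The event classes only exist when user_oidc is installed and enabled.
		if (!class_exists(ExternalTokenRequestedEvent::class)) {
			return null;
		}
		$event = new ExternalTokenRequestedEvent();
		$this->dispatcher->dispatchTyped($event);
		// getToken() is an assumed accessor on the event (see lead-in).
		return $this->accessTokenOf($event->getToken(), 'login');
	}

	/**
	 * Token exchanged by the external provider for the given audience (the
	 * service the app wants to call). Requires provider support for token exchange.
	 */
	public function getExchangedAccessToken(string $targetAudience): ?string {
		if (!class_exists(ExchangedTokenRequestedEvent::class)) {
			return null;
		}
		// Constructor argument is an assumption; check the installed user_oidc.
		$event = new ExchangedTokenRequestedEvent($targetAudience);
		$this->dispatcher->dispatchTyped($event);
		return $this->accessTokenOf($event->getToken(), 'exchanged');
	}

	/**
	 * Token issued by Nextcloud itself (oidc app as provider) for the given
	 * audience. Needs both oidc and user_oidc installed.
	 */
	public function getInternalAccessToken(string $targetAudience): ?string {
		if (!class_exists(InternalTokenRequestedEvent::class)) {
			return null;
		}
		// Constructor argument is an assumption; check the installed user_oidc.
		$event = new InternalTokenRequestedEvent($targetAudience);
		$this->dispatcher->dispatchTyped($event);
		return $this->accessTokenOf($event->getToken(), 'internal');
	}

	/**
	 * Listeners may leave the event without a token (flag disabled, provider
	 * refused, wrong backend). Handle that explicitly and never log the token.
	 */
	private function accessTokenOf(?object $token, string $kind): ?string {
		if ($token === null) {
			$this->logger->debug('user_oidc returned no ' . $kind . ' token');
			return null;
		}
		// getAccessToken() is an assumed accessor on the token object.
		$accessToken = $token->getAccessToken();
		return is_string($accessToken) && $accessToken !== '' ? $accessToken : null;
	}
}
```

Call the method right before each outbound request instead of storing the result: user_oidc refreshes the login token itself, and a copy held by the app would not be refreshed. The class_exists() guards let the app degrade gracefully on instances where user_oidc is absent rather than failing with an autoload error.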