OpenID Connect (Oidc)

There are multiple ways for apps to interact with the user_oidc and oidc apps. It is possible to get tokens from those apps and to ask them to validate tokens. All available events live in the user_oidc app, even if some use cases don't involve the main feature of this app.

user_oidc events doc

Getting the login token

When using user_oidc, which uses an external identity provider, the login token can be stored so apps can later get it via an event.

The store_login_token config flag must be enabled. The login token is automatically refreshed by user_oidc when needed during the user session. Apps can obtain the login token by emitting the OCA\UserOIDC\Event\ExternalTokenRequestedEvent event.

Token exchange

If the external identity provider supports token exchange, apps can ask user_oidc to perform one and deliver the exchanged token by emitting the OCA\UserOIDC\Event\ExchangedTokenRequestedEvent event.

Generating a token if Nextcloud is the provider

If the oidc app is used to make Nextcloud an identity provider, some Nextcloud apps might need to ask Nextcloud to generate a token that they will use to authenticate against an external service. This requires both the oidc and user_oidc apps to be installed (even if user_oidc is not used as a user backend). The token can be generated by emitting the OCA\UserOIDC\Event\InternalTokenRequestedEvent event.
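The following is an added example, not code from the user_oidc project or this page, showing how an app would request the stored login token and an exchanged token (the two cases described above) through Nextcloud's OCP\EventDispatcher\IEventDispatcher. The event class names come from the page; the getToken() accessor, the constructor argument of ExchangedTokenRequestedEvent and the getAccessToken() method on the returned token object are assumptions about user_oidc's API and must be checked against the app's source.

```php
<?php
// Added example, not code from the user_oidc project or this page.
// Assumptions to verify against user_oidc's source: the events expose getToken(),
// ExchangedTokenRequestedEvent takes the target audience as its constructor
// argument, and the returned token object exposes getAccessToken().
namespace OCA\MyApp\Service;

use OCA\UserOIDC\Event\ExchangedTokenRequestedEvent;
use OCA\UserOIDC\Event\ExternalTokenRequestedEvent;
use OCP\EventDispatcher\IEventDispatcher;

class OidcTokenService {
    public function __construct(private IEventDispatcher $dispatcher) {
    }

    /**
     * Ask user_oidc for the login token stored for the current session.
     * Returns null when user_oidc is not installed, store_login_token is
     * disabled, or the session was not established through user_oidc.
     * Only the event is dispatched here; user_oidc handles refreshing.
     */
    public function getLoginAccessToken(): ?string {
        if (!class_exists(ExternalTokenRequestedEvent::class)) {
            return null; // user_oidc absent: nothing would answer the event
        }
        $event = new ExternalTokenRequestedEvent();
        $this->dispatcher->dispatchTyped($event);
        $token = $event->getToken();
        // Treat "no token" as a normal outcome; do not log token values.
        return $token === null ? null : $token->getAccessToken();
    }

    /**
     * Ask user_oidc to exchange the login token for one meant for
     * $targetAudience, so the external service receives a token scoped
     * to it rather than the broader login token.
     */
    public function getExchangedAccessToken(string $targetAudience): ?string {
        if (!class_exists(ExchangedTokenRequestedEvent::class)) {
            return null;
        }
        $event = new ExchangedTokenRequestedEvent($targetAudience);
        $this->dispatcher->dispatchTyped($event);
        $token = $event->getToken();
        return $token === null ? null : $token->getAccessToken();
    }
}
```

Callers should treat a null result as "no token available" and fall back gracefully rather than failing the whole request, since the flag or the identity provider's exchange support may be absent on a given instance.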