Calling REST APIs exposed by Nextcloud Apps After Integration With an IDP through SAML

First of all thanks for the wonderful job done in user_saml app.
After we integrated Nextcloud with an IDP through SAML 2, we wondered how this is going to affect the REST API calls exposed by our Nextcloud apps (used by other subsystems for integration with Nextcloud).

Prior to this integration, all endpoints used Basic auth to call APIs; their respective Controller methods were protected with these annotations:


Now, after the integration with an IDP through SAML 2.0, I wanted to know how these API calls should be made and what has changed in this context.


With user_saml there is a capability provided (not documented, as usual!) where passwords can be assigned to user accounts, which in return can be used in calling REST APIs that use HTTP Basic Auth for authentication (basically APIs you would expose by the Nextcloud app framework; in my opinion this is not a good approach, as we need more of a token-based authorization mechanism for calling REST APIs, not the simple sad HTTP Basic Auth).

The flow is simple: all you need is to insert a record into the user_saml_auth_token table (git:db xml file for the corresponding user, and the password / token for the user must be hashed by the password_hash() PHP function.

If interested, the UserBackend class that user_saml registers evaluates passwords here.

Also, as documented, the mobile authorization against an SSO follows (almost) the same principle.
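As an added illustration of the flow described in this answer (this is example code written for this page, not code from the user_saml app or from the poster), the script below provisions a per-integration Basic-auth secret for a SAML user and then checks it the same way the post says the backend does: look up the stored hashes for the uid and accept if `password_verify()` matches one. Everything beyond the table name and `password_hash()` is an assumption: the `oc_` table prefix, the column names `uid`, `name` and `token`, the user id `alice`, the label `billing-subsystem`, and the endpoint URL in the closing comment are all placeholders; verify the real column names against the app's own database definition before using this against a live instance.

```php
<?php
// Added example for the flow in the post above; not part of user_saml.
// ASSUMPTIONS (not on the page): default "oc_" table prefix and the columns
// uid / name / token. Check the app's db definition before relying on them.

declare(strict_types=1);

/**
 * Generate a random secret for the calling subsystem. Only its hash is stored;
 * the plaintext is handed to the integrating system once and never logged,
 * so the user's real SAML credentials are never shared with other systems.
 */
function generateSecret(): string
{
    // 32 random bytes, base64url-encoded: 43 characters, ~256 bits of entropy.
    return rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
}

/**
 * Store the hashed secret for $uid. password_hash() with PASSWORD_DEFAULT
 * yields a bcrypt hash, which password_verify() accepts without extra config.
 */
function storeSecret(PDO $db, string $uid, string $label, string $secret): void
{
    $hash = password_hash($secret, PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        'INSERT INTO oc_user_saml_auth_token (uid, name, token) VALUES (:uid, :name, :token)'
    );
    $stmt->execute([':uid' => $uid, ':name' => $label, ':token' => $hash]);
}

/**
 * Mirror of the check the post attributes to the backend: fetch every stored
 * hash for the uid and accept the request if one of them verifies. A user may
 * hold several secrets (one per integrating subsystem) that can be revoked
 * individually by deleting the matching row.
 */
function checkSecret(PDO $db, string $uid, string $secret): bool
{
    $stmt = $db->prepare('SELECT token FROM oc_user_saml_auth_token WHERE uid = :uid');
    $stmt->execute([':uid' => $uid]);
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $hash) {
        if (password_verify($secret, $hash)) {
            return true;
        }
    }
    return false;
}

// --- demo against a constructed in-memory SQLite copy of the table ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE oc_user_saml_auth_token (
    id    INTEGER PRIMARY KEY AUTOINCREMENT,
    uid   TEXT NOT NULL,
    name  TEXT NOT NULL,
    token TEXT NOT NULL)');

$uid    = 'alice';                 // placeholder: the SAML user id as Nextcloud sees it
$secret = generateSecret();
storeSecret($db, $uid, 'billing-subsystem', $secret);

if (!checkSecret($db, $uid, $secret)) {
    throw new RuntimeException('stored secret did not verify');
}
if (checkSecret($db, $uid, 'not-the-secret')) {
    throw new RuntimeException('wrong secret was accepted');
}
echo "secret provisioned for {$uid}; hand this value to the integrating system once: {$secret}\n";

// The integrating subsystem then calls the app's endpoint over HTTPS with
// Basic auth, sending the plaintext secret (URL is a placeholder):
//   curl -u "alice:$SECRET" https://cloud.example.org/apps/myapp/api/v1/items
```

Keep the secret's lifecycle under your control: issue one per integrating system, store only the hash, and revoke by deleting the row. Because the server still verifies with `password_verify()`, a random high-entropy secret like the one generated here costs nothing extra on the Nextcloud side and avoids ever putting a human user's IdP password into another system's configuration.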


Can you please provide me more details on how you implemented this? I have configured Keycloak with the Nextcloud server using the user_saml app and am trying to authenticate and call the WebDAV API to upload the file to Nextcloud. But I am not able to get it, as the token is generated from the endpoint of the Keycloak server and this is not being validated by the Nextcloud server.
Please provide your inputs.