How to request a "well-known" OAuth Client ID and Secret for elementary OS?

I started to develop a Nextcloud integration for elementary OS. The goal is to add Nextcloud as an “Online Account” provider to the system settings to enable an elementary OS-integrated Contact, Task and Calendar and maybe even File Sync. In order to do so, I’d love to use the OAuth authentication flow, as it is also implemented in the Nextcloud Desktop Client.

As it seems the Nextcloud Desktop Client uses a static OAuth Client ID and Secret to be able to connect to every Nextcloud instance, is there a way to request such a “well-known” OAuth Client ID and Secret for elementary OS? Or should I simply use the Nextcloud Desktop Client’s ID and Secret?

cc @rullzer @nickvergessen

So, this code is a leftover from ownCloud.
Nextcloud itself does not use that.

So for this to work you’d need to add a new entry. Go to your admin security settings and just create a new OAuth client. Then you can obtain the required info. Now of course this is not as seamless as you’d want it.

Ideally (which is still on my list) we’d have PKCE support. Because then we would not have to expose the secret to the public.
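Added example, not code from the thread or from the Nextcloud project: the authorization code exchange a desktop client would run against a client created in the admin security settings as described above. The endpoint paths are those of Nextcloud's bundled oauth2 app as documented in the Nextcloud developer manual; the server name, client ID, secret, callback and the token reply are constructed. The `state` check binds the browser callback to the attempt, and the comment on `build_token_request` is the point made in the reply: a secret compiled into a package that users can download is not secret.

```python
import hmac
import json
import secrets
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint paths of the oauth2 app bundled with Nextcloud (developer manual,
# client APIs -> OAuth2). Everything else in this file is constructed.
AUTHORIZE_PATH = "/index.php/apps/oauth2/authorize"
TOKEN_PATH = "/index.php/apps/oauth2/api/v1/token"


def new_state() -> str:
    """Unguessable per-attempt value; binds the callback to this attempt (CSRF defence)."""
    return secrets.token_urlsafe(32)


def build_authorize_url(server: str, client_id: str, redirect_uri: str, state: str) -> str:
    """URL the client opens in the user's browser to start the authorization code grant."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{server.rstrip('/')}{AUTHORIZE_PATH}?{query}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the client.

    Rejects the callback if its state differs from the one we generated
    (constant-time compare) or if the server reported an error instead of a code.
    """
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(server: str, client_id: str, client_secret: str,
                        code: str, redirect_uri: str) -> Tuple[str, dict]:
    """Form body for redeeming the code at the token endpoint.

    In a desktop client the client_secret ships inside the package, so it only
    identifies the software; anyone who has the package has the secret. That
    is the exposure PKCE is meant to remove.
    """
    url = f"{server.rstrip('/')}{TOKEN_PATH}"
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return url, body


def parse_token_response(body_text: str) -> dict:
    """Pick out the fields a client stores from the token endpoint's JSON reply."""
    data = json.loads(body_text)
    for key in ("access_token", "refresh_token", "user_id"):
        if key not in data:
            raise ValueError(f"token response is missing {key}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {
        "access_token": data["access_token"],
        "refresh_token": data["refresh_token"],
        "user_id": data["user_id"],
        "expires_in": int(data.get("expires_in", 0)),
    }


if __name__ == "__main__":
    SERVER = "https://cloud.example.org"           # constructed
    REDIRECT = "http://127.0.0.1:8734/callback"     # loopback listener in the client (constructed)
    state = new_state()
    print(build_authorize_url(SERVER, "elementary-os-client", REDIRECT, state))
    # Constructed callback, as the browser would hand it back to the loopback listener.
    code = parse_callback(f"{REDIRECT}?state={state}&code=constructed-code", state)
    url, body = build_token_request(SERVER, "elementary-os-client", "constructed-secret", code, REDIRECT)
    print(url, body)
    # Constructed token reply in the shape the oauth2 app returns.
    print(parse_token_response('{"access_token":"AT","token_type":"Bearer",'
                               '"expires_in":3600,"refresh_token":"RT","user_id":"alice"}'))
```

The access token goes into an `Authorization: Bearer` header on WebDAV/CalDAV/CardDAV requests; the refresh token is redeemed at the same token endpoint with `grant_type=refresh_token`, which again requires the client secret.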

Thanks for the clarification! How does the Nextcloud Desktop client do the authorization then? Because there I don’t have to create an OAuth client upfront. Is it preconfigured in every Nextcloud server instance?

I understand that preconfiguring every possible OAuth client out there isn’t a viable option, but until PKCE support is in place, we might just go with whatever the Desktop client does to enable a seamless experience for the end user?

Hello @rullzer,

Sorry if you already answered that, but it’s not obvious to me in this thread: do you have RFC 7591 - Dynamic Client Registration and RFC 8414 - Authorization Server Metadata in mind?

The former RFC allows a client to ask the server for a client_id and client_secret so the end-user doesn’t need to manually create one, and the latter makes it easy for the client apps to know which endpoint to poll. This, combined with the Authorization Code + PKCE flow you mentioned and which is the state of the art, would allow the best user experience and respect the IETF’s security best practices.

Thanks!

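Added example, not code from the thread or from Nextcloud: the two pieces the post above asks for, from the client side. `discover_endpoints` reads an RFC 8414 metadata document (the kind served at `/.well-known/oauth-authorization-server`) and refuses it unless the issuer matches the server that was queried and `S256` is advertised; the PKCE functions implement RFC 7636 and `verify_pkce` shows the check an authorization server such as Nextcloud would add at its token endpoint. With PKCE the token request carries the `code_verifier` instead of a client secret, so nothing secret has to be compiled into the package. The metadata document and client details are constructed; as the thread says, Nextcloud did not offer PKCE or metadata discovery at the time, so this is what a conforming server would look like, not Nextcloud's behaviour.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 specifies for both verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum length."""
    return _b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server-side check at the token endpoint against what was stored with the code.

    Only S256 is accepted here: with 'plain' the challenge equals the verifier, so
    anyone who saw the authorization request could redeem an intercepted code.
    """
    if stored_method != "S256":
        return False
    try:
        recomputed = code_challenge(presented_verifier)
    except ValueError:
        return False
    return hmac.compare_digest(recomputed.encode(), stored_challenge.encode())


def discover_endpoints(metadata_json: str, expected_issuer: str) -> dict:
    """Parse an RFC 8414 metadata document fetched from the server we intend to use.

    Rejects metadata whose issuer is not the server we asked (mix-up defence) and
    servers that do not advertise S256; the registration_endpoint is the RFC 7591
    hook the post mentions, present only if the server offers it.
    """
    meta = json.loads(metadata_json)
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer in metadata does not match the server we queried")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("server does not advertise S256 PKCE")
    return {
        "authorization_endpoint": meta["authorization_endpoint"],
        "token_endpoint": meta["token_endpoint"],
        "registration_endpoint": meta.get("registration_endpoint"),
    }


def build_pkce_authorize_url(authorization_endpoint: str, client_id: str,
                             redirect_uri: str, state: str, challenge: str) -> str:
    """Authorization request carrying the challenge; the verifier stays on the client."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{authorization_endpoint}?{query}"


def build_pkce_token_body(code: str, verifier: str, client_id: str, redirect_uri: str) -> dict:
    """Token request for a public client: code_verifier replaces client_secret."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


# Constructed RFC 8414 document for a hypothetical server (not something Nextcloud serves).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://cloud.example.org",
    "authorization_endpoint": "https://cloud.example.org/authorize",
    "token_endpoint": "https://cloud.example.org/token",
    "registration_endpoint": "https://cloud.example.org/register",
    "code_challenge_methods_supported": ["S256"],
})

if __name__ == "__main__":
    endpoints = discover_endpoints(SAMPLE_METADATA, "https://cloud.example.org")
    verifier = make_code_verifier()
    challenge = code_challenge(verifier)
    print(build_pkce_authorize_url(endpoints["authorization_endpoint"], "elementary-os-client",
                                   "http://127.0.0.1:8734/callback", secrets.token_urlsafe(16), challenge))
    # What the server does once the code comes back with the verifier.
    print(verify_pkce(challenge, "S256", verifier))
```

The server stores the challenge and method next to the issued code and runs `verify_pkce` when the code is redeemed; the `registration_endpoint`, when present, is where an RFC 7591 client would POST its metadata to obtain a `client_id` without the user creating one by hand.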

See: https://docs.nextcloud.com/server/18/developer_manual/client_apis/LoginFlow/index.html#login-flow-v2
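Added example, not code from the thread or from the Nextcloud project: a client-side walk through Login Flow v2 from the linked documentation, which is how a client obtains an app password without any OAuth client registration. The exchange follows the docs: a POST to `/index.php/login/v2` returns a browser URL plus a poll endpoint and token; the client opens the URL and POSTs the token to the endpoint until the 404 turns into a 200 carrying `server`, `loginName` and `appPassword`. The HTTP transport is injected so the example runs offline against a constructed stand-in for the server; the server name, tokens and app password are constructed.

```python
import json
from typing import Callable, Optional, Tuple
from urllib.parse import urlparse

# post(url, form_fields_or_None) -> (http_status, body_text). Injected so the
# example runs offline; a real client would wrap urllib.request or libsoup here.
Transport = Callable[[str, Optional[dict]], Tuple[int, str]]


def start_login_flow(server: str, post: Transport) -> dict:
    """POST /index.php/login/v2: returns the URL for the browser and the poll endpoint and token."""
    status, body = post(f"{server.rstrip('/')}/index.php/login/v2", None)
    if status != 200:
        raise RuntimeError(f"login flow init failed with HTTP {status}")
    data = json.loads(body)
    login_url = data["login"]
    endpoint = data["poll"]["endpoint"]
    token = data["poll"]["token"]
    # Client-side policy (an assumption of this example, not a rule from the docs):
    # never open or poll a non-TLS URL, whatever the server hands back.
    for url in (login_url, endpoint):
        if urlparse(url).scheme != "https":
            raise RuntimeError(f"refusing non-https URL from server: {url}")
    return {"login_url": login_url, "poll_endpoint": endpoint, "poll_token": token}


def poll_once(poll_endpoint: str, poll_token: str, post: Transport) -> Optional[dict]:
    """404 means the user has not finished in the browser yet; 200 carries the credentials."""
    status, body = post(poll_endpoint, {"token": poll_token})
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"poll failed with HTTP {status}")
    data = json.loads(body)
    return {
        "server": data["server"],
        "login_name": data["loginName"],
        "app_password": data["appPassword"],
    }


def run_login_flow(server: str, post: Transport, open_browser: Callable[[str], None],
                   max_polls: int = 10) -> dict:
    """Complete flow: start, hand the login URL to the browser, poll until credentials arrive."""
    flow = start_login_flow(server, post)
    open_browser(flow["login_url"])
    for _ in range(max_polls):
        result = poll_once(flow["poll_endpoint"], flow["poll_token"], post)
        if result is not None:
            return result
    raise TimeoutError("user did not complete the login in the browser")


def make_fake_transport(server: str, polls_before_success: int = 1) -> Transport:
    """Constructed stand-in for a Nextcloud server: init reply, then 404s, then the credentials."""
    state = {"polls": 0}

    def post(url: str, data: Optional[dict]) -> Tuple[int, str]:
        if url == f"{server}/index.php/login/v2" and data is None:
            return 200, json.dumps({
                "poll": {"token": "constructed-poll-token", "endpoint": f"{server}/login/v2/poll"},
                "login": f"{server}/login/v2/flow/constructed-flow-token",
            })
        if url == f"{server}/login/v2/poll" and data == {"token": "constructed-poll-token"}:
            state["polls"] += 1
            if state["polls"] <= polls_before_success:
                return 404, ""
            return 200, json.dumps({
                "server": server, "loginName": "alice", "appPassword": "constructed-app-password",
            })
        return 400, ""

    return post


if __name__ == "__main__":
    SERVER = "https://cloud.example.org"  # constructed
    creds = run_login_flow(SERVER, make_fake_transport(SERVER), lambda url: print("open:", url))
    print(creds)
```

A real client sleeps between polls and gives up after the token's validity window (the linked docs state the poll token is valid for 20 minutes). The `appPassword` is then used with HTTP Basic auth against the `server` value from the reply, which is why a client should use that value rather than what the user typed.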

Hi @tmartin,

No, we currently do not. It is still on my list but to be honest not very high.
I started with PKCE at some point. But before I start messing with any of the code I’d want to make sure we have full integration tests for OAuth. So that we don’t break existing things.

Any help in this regard is welcome.


Thanks for the fast answer, I didn’t expect it this quick :)

I’m not a seasoned PHP developer but I’m quite used to OAuth2 and identity/authentication/authorization. I’d be more than happy to help. If one of your developers or QA engineers wants help with that, I can help.

Also feel free to reach me if you want some help with the current best practices and the most interesting RFC to implement for your Authorization Server!

Hey @rullzer, which help exactly do you need to integrate OAuth and testing? Can you show me an open GitHub branch, or a working OAuth example with the current client (method)? I didn’t get it to run. Do you have some architecture documentation, or some plans for where to go in the future and how to structure everything?

Hi,

What I mean with this is mostly integration tests regarding OAuth on our side. So that we know it works. And if we start messing with adding PKCE we don’t break the old methods.
So it is more about writing automated tests with regard to OAuth.