Instanceid: a suitable client_id value for OpenID-connect?

rjakse · January 27, 2023, 10:27am

Hello!

I’m developping an application that does authenticated requests to a service using openID-connect. Tokens are retrieved using openID-connect’s code flow, which require a client_id, which is a globally unique identifier for the client (a nextcloud instance in my case).

The instanceid system config value seems to be a unique identifier for each nextcloud instance. Is it suitable as a client id? i.e. is it fine to make it “somewhat” public?

Or is it suitable if I hash it?

Or do you have suggestions to what I could use as a client_id? The domain name + path to the nextcloud instance (which could move, so maybe not totally suitable?)

nickvergessen · January 27, 2023, 10:46am

It’s not garanteed to be unique in the Nextcloud universe. E.g. in most test setups bigger instances run, they use the same config file and therefor the same instance id.
Also it has a low entropy.

I would follow the oauth sample and generate a longer random string:

github.com

nextcloud/server/blob/c6ae53096c36e6a475467eaeb6df00ac8d38e4b2/apps/oauth2/lib/Controller/SettingsController.php#L78-L79


      
          		$client->setSecret($this->secureRandom->generate(64, self::validChars));
          		$client->setClientIdentifier($this->secureRandom->generate(64, self::validChars));

rjakse · January 27, 2023, 11:05am

Perfect, thank you very much!