Instanceid: a suitable client_id value for OpenID-connect?


I’m developping an application that does authenticated requests to a service using openID-connect. Tokens are retrieved using openID-connect’s code flow, which require a client_id, which is a globally unique identifier for the client (a nextcloud instance in my case).

The instanceid system config value seems to be a unique identifier for each nextcloud instance. Is it suitable as a client id? i.e. is it fine to make it “somewhat” public?

Or is it suitable if I hash it?

Or do you have suggestions to what I could use as a client_id? The domain name + path to the nextcloud instance (which could move, so maybe not totally suitable?)

It’s not garanteed to be unique in the Nextcloud universe. E.g. in most test setups bigger instances run, they use the same config file and therefor the same instance id.
Also it has a low entropy.

I would follow the oauth sample and generate a longer random string:

1 Like

Perfect, thank you very much!