User Authentication and Group Assignment with External REST API

Hi All

We are a rather large student association with about 3300 members. We recently developed a new member management REST API which contains all member information, such as what subdivision they belong to, and allows authenticating users. We now want to set up a file storage cloud for all of our members.
For this, we want to code a nextcloud app, which does the following:
on each user login:

  1. authenticate user against our REST API service
  2. read the user's subdivisions from the REST API and:
    2.1 create new nextcloud groups for every new subdivision and create a shared folder for this group
    2.2 assign nextcloud groups to the logged-in user

I.e. what we want to achieve is that user authentication and group association data is read from an external interface. (+ some other helper tasks)

To implement this, we already implemented an authentication proof of concept which allows authenticating users against our API. We now have the following questions:

  • Is it a good idea to do all group tasks (create group, create share, assign group) at user login time? What would be a better approach? At every user login, this process should be repeated as a user might have left a subdivision in the meantime and access to the respective shares should be revoked.
  • Which modules do we need to use to: create a new nextcloud group? create a share for this group? assign a possibly new user to a group?
  • Does anybody know an existing app/addon which does user authentication / group assignment / share creation on which we could base our implementation?

Thanks all for your help!

Hi,

Have you read up on the User Provisioning API?

Thanks for your reply!

Yes, we have. It would be an idea to just code an extra service which periodically does the updates via said API. But then, we asked ourselves these questions:

  1. To keep the user accounts within Nextcloud as up-to-date as possible with our own user database, we would need to access the User Provisioning API very often. What happens if a user is logged in when his groups get updated? Can we revoke rights to a group share while he is browsing it?
  2. When creating a new group with a new group share, we also need to access nextcloud via WebDAV to actually create the share. If this is true, this again introduces a new level of complexity we would like to avoid.

For these reasons, we thought it's easier to work within nextcloud by writing an App for it. But if creating group / creating share is not possible within PHP, we actually have to go the way of using said User Provisioning API.
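The login-time flow from the first post (authenticate, mirror subdivisions into groups, create a group share, and revoke groups the member API no longer lists), and the question just above of whether groups and shares can be created from PHP at all, as one added example. This is not code from the thread or from Nextcloud itself; it uses the public `OCP` interfaces and assumes a `sync-service` account that owns the shared folders, a `subdiv-` prefix so that only groups the app manages are ever revoked, and a member API endpoint `GET .../users/{uid}/subdivisions` that returns a JSON list of subdivision names.

```php
<?php
namespace OCA\MemberSync\Listener;
use OCP\Constants;
use OCP\EventDispatcher\{Event, IEventListener};
use OCP\Files\IRootFolder;
use OCP\Http\Client\IClientService;
use OCP\IGroupManager;
use OCP\Share\IManager as ShareManager;
use OCP\Share\IShare;
use OCP\User\Events\UserLoggedInEvent;

class SyncGroupsListener implements IEventListener {
    private const PREFIX = 'subdiv-';     // only groups with this prefix are managed (and revoked)
    private const OWNER = 'sync-service'; // assumed service account that owns the shared folders
    private const API = 'https://members.example.org/api/users/'; // assumed member REST API base

    public function __construct(private IGroupManager $gm, private ShareManager $sm,
                                private IRootFolder $root, private IClientService $http) {}

    public function handle(Event $event): void {
        if (!($event instanceof UserLoggedInEvent)) { return; }
        $user = $event->getUser();
        $desired = array_map(fn(string $s) => self::PREFIX . $s, $this->fetchSubdivisions($user->getUID()));
        foreach ($desired as $gid) {
            $group = $this->gm->get($gid) ?? $this->gm->createGroup($gid);
            if ($group === null) { continue; }      // group backend refused to create it
            if (!$group->inGroup($user)) { $group->addUser($user); }
            $this->ensureGroupShare($gid);
        }
        // Revocation: drop the user from managed groups the member API no longer lists.
        foreach ($this->gm->getUserGroups($user) as $group) {
            if (str_starts_with($group->getGID(), self::PREFIX) && !in_array($group->getGID(), $desired, true)) {
                $group->removeUser($user);
            }
        }
    }

    /** Assumed API shape: GET .../users/{uid}/subdivisions returns a JSON list such as ["it","finance"]. */
    private function fetchSubdivisions(string $uid): array {
        $resp = $this->http->newClient()->get(self::API . rawurlencode($uid) . '/subdivisions');
        return json_decode((string)$resp->getBody(), true, 512, JSON_THROW_ON_ERROR);
    }

    /** Create the group's folder under the service account and share it with the group exactly once. */
    private function ensureGroupShare(string $gid): void {
        $home = $this->root->getUserFolder(self::OWNER);
        $node = $home->nodeExists($gid) ? $home->get($gid) : $home->newFolder($gid);
        foreach ($this->sm->getSharesBy(self::OWNER, IShare::TYPE_GROUP, $node) as $existing) {
            if ($existing->getSharedWith() === $gid) { return; }
        }
        $share = $this->sm->newShare()->setNode($node)->setShareType(IShare::TYPE_GROUP)
            ->setSharedWith($gid)->setSharedBy(self::OWNER)->setPermissions(Constants::PERMISSION_ALL);
        $this->sm->createShare($share);
    }
}
```

The listener is wired up in the app's `Application::register()` with `$context->registerEventListener(UserLoggedInEvent::class, SyncGroupsListener::class);`; removing a user from a group takes effect on the next request, so a share that was open in the browser is no longer accessible once the group membership is gone.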

Hello @cruel0r,

did you implement one of the discussed solutions yet? What are your experiences? Would you mind sharing your code? I am thinking of a similar solution, although it's only something like 15 users of a boy and girl scouts troop :smile:.

Thank you for any information in advance!