Refresh tokens and OIDC managed session
First of all, thank you for your work on this app. Happy to see an application for OIDC support in the Nextcloud organisation!
Are there any plans to support OIDC refresh tokens (offline_access claim) so that the OP can manage session duration as well as session invalidation?
Also, what integration strategies could be used so that user_oidc provides the id-token to the mail application for use with XOAUTH2 or OAUTHBEARER authentication (https://github.com/nextcloud/mail/issues/3146)?
It looks like this pull-request has implemented the feature (thanks @julien-nc 😀).
To delegate authentication session management to the IdP, it is necessary to set 'token_exchange' => true in the user_oidc config, which may be confusing because, even though it is necessary for the token exchange process, it doesn't have a direct link.
Perhaps it should be enabled by default as soon as the offline_access scope is requested.
Or maybe just by default, because why shouldn't the session expire when the token is expired?