mirror/opencloud
1
0
Fork 0
mirror of https://github.com/opencloud-eu/opencloud.git synced 2026-04-09 18:08:02 -04:00
Code Issues Packages Projects Releases Wiki Activity

adr(webfinger): Document OIDC client parameter discovery

Browse Source
This commit is contained in:
Ralf Haferkamp
2026-02-02 17:45:25 +01:00
committed by Ralf Haferkamp
parent edb917b74a
commit 2bf4f2e12e
1 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
docs/adr/0003-oidc-client-config-discovery.md Normal file
View File

@@ -0,0 +1,67 @@
---
title: "Discover OIDC Client configuration via WebFinger"
---
* Status: pending
* Deciders: [@TheOneRing @kulmann @rhafer @dragotin]
* Date: 2026-02-02
Reference: https://github.com/opencloud-eu/opencloud/pull/2072, https://github.com/opencloud-eu/desktop/issues/217
## Context and Problem Statement
Up to now our client applications used hard-coded OIDC client configurations.
So it is not possible to change the client id that a client should use or the
list of scopes that a client needs to request. This makes it hard to integrate
OpenCloud with various existing identity providers. For example:
- Authentik basically creates a different issuer URL for each client. As OpenCloud
can only work with a single issuer URL, all OpenCloud clients need to use the
same client id to work with Authetnik.
- Some IDPs (kanidm) are not able to work with user-supplied client ids. They generate
client ids automatically and do not allow to specify them manually.
- To make features like automatic role assignment work, clients need to request
specific scopes, depending on which exact IDP is used.
## Decision Drivers
* Support broader set of IDPs
* Do required the user got configure anything additional on the client side
## Decision
Enhance the WebFinger service in OpenCloud to provide platform-specific OIDC
discovery, enabling clients to query for the correct OIDC `client_id` and
`scopes` based on their application type (e.g., web, desktop, android, ios).
This is achieved by allowing and additional `platform` query parameter to be used
when querying the WebFinger endpoint. The response will include the appropriate
`client_id` and `scopes` in the `properties` section of the response.
This is implemented in a backward-compatible way, so existing clients that do not
specify the `platform` parameter will continue to receive just the issuer information.
## Example
### Client Request
```
GET /.well-known/webfinger?resource=https://cloud.opencloud.test&rel=http://openid.net/specs/connect/1.0/issuer&platform=desktop
```
### Example Response
```json
{
"subject": "https://cloud.opencloud.test",
"links": [{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://idp.example.com"
}],
"properties": {
"http://opencloud.eu/ns/oidc/client_id": "desktop-client-id",
"http://opencloud.eu/ns/oidc/scopes": ["openid", "profile", "email", "offline_access"]
}
}
```