Implement token exchange from OCM#57234
Conversation
enriquepablo
requested review from
come-nc,
icewind1991,
nfebe and
provokateurin
and removed request for
a team
|
Hello there, We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process. Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6 Thank you for contributing to Nextcloud and we hope to hear from you soon! (If you believe you should not receive this message, you can add yourself to the blocklist.) |
enriquepablo
force-pushed
the
master
branch
2 times, most recently
from
869318e to
fa85a7c
Compare
|
Disclaimer: Some of the code in this PR (mainly regarding the tests) was generated by Claude Opus 4.5. I have provided it with very specific prompts, and thoroughly reviewed the output. |
enriquepablo
force-pushed
the
master
branch
2 times, most recently
from
af0f4f2 to
736b3ff
Compare
mickenordin
force-pushed
the
master
branch
2 times, most recently
from
6e14936 to
84713bc
Compare
|
I have grouped all changes into |
screencast-2026-06-07T11.18.mp4Here is a screen cast of a webapp share, using the token exchange and new http signatures |
screencast-2026-06-07T11.33.mp4Here is a screen cast of the same server sharing to a vanilla nextcloud server, and you can see that the fallback to basic auth works without any token exchange, so backwards compatibility is maintained |
Co-authored-by: Micke Nordin <kano@sunet.se> Signed-off-by: Micke Nordin <kano@sunet.se> Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
Signed-off-by: Micke Nordin <kano@sunet.se> Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
…ccess tokens Co-authored-by: Micke Nordin <kano@sunet.se> Signed-off-by: Micke Nordin <kano@sunet.se> Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
… validation Accept both the legacy options.sharedSecret envelope and the new protocol[name].sharedSecret form. Preserve the original cloud ID so the factory can discover capabilities, then reset shareWith to the local username for user lookup. Delegate per-protocol validation to providers via the new IValidationAwareCloudFederationProvider interface, with split exception handling: BadRequestException -> 400, ProviderCouldNotAddShareException -> the exception's own HTTP status (501 fallback). In the notification handler, fall back to looking up the refresh token via OcmTokenMapMapper when the access token cannot identify the federation. Co-authored-by: Micke Nordin <kano@sunet.se> Signed-off-by: Micke Nordin <kano@sunet.se> Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
Co-authored-by: Micke Nordin <kano@sunet.se> Signed-off-by: Micke Nordin <kano@sunet.se> Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
…ange Co-authored-by: Micke Nordin <kano@sunet.se> Signed-off-by: Micke Nordin <kano@sunet.se> Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
… shares Co-authored-by: Micke Nordin <kano@sunet.se> Signed-off-by: Micke Nordin <kano@sunet.se> Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
Co-authored-by: Micke Nordin <kano@sunet.se> Signed-off-by: Micke Nordin <kano@sunet.se> Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
Shares using the OCM multi-protocol envelope (name multi, with the secret carried in a sibling protocol entry such as webdav) were rejected with Missing sharedSecret in protocol. Scan every protocol entry for the shared secret during validation, resolve the secret from the matching entry, and let the files provider serve the webdav entry of a multi envelope. Covers the file and folder resource types. Signed-off-by: Micke Nordin <kano@sunet.se>
|
@provokateurin @susnux do you think we can get this reviewed and merged now that NC34 is out? It takes a significant amount of work to keep the pr fresh... |
| * | ||
| * @since 32.0.0 |
There was a problem hiding this comment.
| * | |
| * @since 32.0.0 |
Only needed for ocp apis
|
Thanks for your first pull request and welcome to the community! Feel free to keep them coming! If you are looking for issues to tackle then have a look at this selection: https://github.com/nextcloud/server/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22 |
|
This PR is missing a version bump and therefore breaks all daily/master based instances |
| $db = Server::get(IDBConnection::class); | ||
| $tokenProvider = Server::get(PublicKeyTokenProvider::class); | ||
| $userManager = Server::get(IUserManager::class); |
| * Shares created by this fork (32-char tokens) that are somehow missing from | ||
| * oc_authtoken are silently repaired. | ||
| */ | ||
| class Version1012Date20260306120000 extends SimpleMigrationStep { |
There was a problem hiding this comment.
Should bump the version of the app since a migration was added
There was a problem hiding this comment.
I can see you already addressed this in #61428 . Thanks!
| } | ||
|
|
||
| if (!$table->hasColumn('access_token_expires')) { | ||
| $table->addColumn('access_token_expires', Types::INTEGER, [ |
There was a problem hiding this comment.
If this is supposed to be a timestamp, the column type is wrong at least on 32bits
Should have lenght 11 or more, or BIGINT or type datetime instead
|
@nickvergessen I will fix these issues and open a new PR and link it here |
Check what was already fixed here first: #61428 (review) @enriquepablo |
9 participants
See #57152 #57166
Summary
This PR implements the token exchange flow from OCM, allowing Nextcloud to use bearer auth with short lived tokens. This opens up interoperability with OpenCloud/ownCloud OCIS and the possibility to implement webapp shares in the future, which requires this.
Discussion
This is a preliminary PR for discussion. If this goes through there are some things missing with which we'll be grateful to get some guidance:
There is also the question that for access tokens, we are keeping a reference to the corresponding refresh token in the uid field of the access token db record.