diff --git a/app-hooks/post-installation/00-setup-trusted-domains.sh b/app-hooks/post-installation/00-setup-trusted-domains.sh
index be04409..7a219ea 100755
--- a/app-hooks/post-installation/00-setup-trusted-domains.sh
+++ b/app-hooks/post-installation/00-setup-trusted-domains.sh
@@ -3,3 +3,9 @@ set -euox pipefail
 php /var/www/html/occ config:system:set trusted_domains 2 --value=host.docker.internal
+
+# Set overwrite settings for URL generation (needed for OIDC discovery to return correct URLs)
+# These ensure that URLs generated by Nextcloud include the correct host:port
+php /var/www/html/occ config:system:set overwritehost --value="localhost:8080"
+php /var/www/html/occ config:system:set overwriteprotocol --value="http"
+php /var/www/html/occ config:system:set overwrite.cli.url --value="http://localhost:8080"
diff --git a/app-hooks/post-installation/20-install-astroglobe-app.sh b/app-hooks/post-installation/20-install-astroglobe-app.sh
index 65077b8..83faf46 100755
--- a/app-hooks/post-installation/20-install-astroglobe-app.sh
+++ b/app-hooks/post-installation/20-install-astroglobe-app.sh
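Review bot: The three overwrite values in 00-setup-trusted-domains.sh hard-code `localhost:8080` and `http`, while the rest of the hook set takes its endpoints from runtime (host.docker.internal here, the MCP_* variables in the sibling 20-install-astroglobe-app.sh), so the URLs Nextcloud advertises in OIDC discovery become wrong as soon as the container is published on another port or fronted by TLS, and `overwriteprotocol=http` would then force every generated URL to plain http. Consider reading them from the environment with the current values as defaults, e.g. `--value="${OVERWRITE_HOST:-localhost:8080}"` (a new variable name, adjust to the project's naming), and deriving `overwrite.cli.url` from the same host and protocol values so the three settings cannot drift apart. A comment making the intended scope explicit, e.g. `# Local docker setup only: generated URLs point at the published localhost:8080 http endpoint`, would also help the next reader.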
@@ -52,15 +52,28 @@ if php /var/www/html/occ oidc:list 2>/dev/null | grep -q "$MCP_CLIENT_ID"; then
 fi
 # Create OAuth client with correct resource_url for MCP server audience
-echo "Creating OAuth client with resource_url=$MCP_RESOURCE_URL"
-php /var/www/html/occ oidc:create \
+echo "Creating OAuth confidential client with resource_url=$MCP_RESOURCE_URL"
+CLIENT_OUTPUT=$(php /var/www/html/occ oidc:create \
 "Astroglobe" \
 "$MCP_REDIRECT_URI" \
 --client_id="$MCP_CLIENT_ID" \
- --type=public \
+ --type=confidential \
 --flow=code \
 --token_type=jwt \
 --resource_url="$MCP_RESOURCE_URL" \
- --allowed_scopes="openid profile email notes:read notes:write calendar:read calendar:write contacts:read contacts:write cookbook:read cookbook:write deck:read deck:write tables:read tables:write files:read files:write"
+ --allowed_scopes="openid profile email offline_access notes:read notes:write calendar:read calendar:write contacts:read contacts:write cookbook:read cookbook:write deck:read deck:write tables:read tables:write files:read files:write")
+
+echo "$CLIENT_OUTPUT"
+
+# Extract client_secret from JSON output
+CLIENT_SECRET=$(echo "$CLIENT_OUTPUT" | php -r 'echo json_decode(file_get_contents("php://stdin"), true)["client_secret"] ?? "";')
+
+if [ -n "$CLIENT_SECRET" ]; then
+ echo "Configuring Astroglobe client secret in system config..."
+ php /var/www/html/occ config:system:set astroglobe_client_secret --value="$CLIENT_SECRET"
+ echo "✓ Client secret configured: ${CLIENT_SECRET:0:8}..."
+else
+ echo "⚠ Warning: Could not extract client_secret from OIDC client creation"
+fi
 echo "Astroglobe app installed and configured successfully"
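Review bot: `echo "$CLIENT_OUTPUT"` writes the full oidc:create JSON, including `client_secret`, to the installation log, so the truncated `${CLIENT_SECRET:0:8}...` printed a few lines later redacts nothing. Print the output with the secret masked instead, e.g. `printf '%s\n' "$CLIENT_OUTPUT" | php -r '$c = json_decode(file_get_contents("php://stdin"), true); if (isset($c["client_secret"])) { $c["client_secret"] = "<redacted>"; } echo json_encode($c), "\n";'`, and keep the raw value only in `CLIENT_SECRET`. The secret is also handed over on the command line via `--value="$CLIENT_SECRET"`, where it is visible in the process list and in any xtrace output; if this hook enables `set -x` the way the sibling 00-setup-trusted-domains.sh does (its header is outside this hunk), wrap that call in `set +x` / `set -x`. Since the client is now `--type=confidential`, the `else` branch that only warns probably should `exit 1` rather than let the script report success, because the code flow cannot complete without the configured secret — confirm against the consumer of `astroglobe_client_secret`.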