From 656214b162789578c72ff8ebc50a1b155af37552 Mon Sep 17 00:00:00 2001 From: Chris Coutinho Date: Mon, 15 Dec 2025 21:47:10 +0100 Subject: [PATCH] chore(docker): update app hooks for confidential OAuth client MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Configure Astroglobe as a confidential OAuth client with client_secret to support token refresh for long-lived sessions. Changes: - Update install-astroglobe-app hook to: - Create confidential client instead of public - Add offline_access scope for refresh tokens - Extract and store client_secret in system config - Display secret (truncated) for verification - Update trusted-domains hook (formatting) Benefits: - Enables automatic token refresh without re-authentication - Supports long-lived backend operations - Better security for server-side OAuth flows 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 --- .../00-setup-trusted-domains.sh | 6 ++++++ .../20-install-astroglobe-app.sh | 21 +++++++++++++++---- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/app-hooks/post-installation/00-setup-trusted-domains.sh b/app-hooks/post-installation/00-setup-trusted-domains.sh index be04409..7a219ea 100755 --- a/app-hooks/post-installation/00-setup-trusted-domains.sh +++ b/app-hooks/post-installation/00-setup-trusted-domains.sh @@ -3,3 +3,9 @@ set -euox pipefail php /var/www/html/occ config:system:set trusted_domains 2 --value=host.docker.internal + +# Set overwrite settings for URL generation (needed for OIDC discovery to return correct URLs) +# These ensure that URLs generated by Nextcloud include the correct host:port +php /var/www/html/occ config:system:set overwritehost --value="localhost:8080" +php /var/www/html/occ config:system:set overwriteprotocol --value="http" +php /var/www/html/occ config:system:set overwrite.cli.url --value="http://localhost:8080" diff --git a/app-hooks/post-installation/20-install-astroglobe-app.sh b/app-hooks/post-installation/20-install-astroglobe-app.sh index 65077b8..83faf46 100755 --- a/app-hooks/post-installation/20-install-astroglobe-app.sh +++ b/app-hooks/post-installation/20-install-astroglobe-app.sh @@ -52,15 +52,28 @@ if php /var/www/html/occ oidc:list 2>/dev/null | grep -q "$MCP_CLIENT_ID"; then fi # Create OAuth client with correct resource_url for MCP server audience -echo "Creating OAuth client with resource_url=$MCP_RESOURCE_URL" -php /var/www/html/occ oidc:create \ +echo "Creating OAuth confidential client with resource_url=$MCP_RESOURCE_URL" +CLIENT_OUTPUT=$(php /var/www/html/occ oidc:create \ "Astroglobe" \ "$MCP_REDIRECT_URI" \ --client_id="$MCP_CLIENT_ID" \ - --type=public \ + --type=confidential \ --flow=code \ --token_type=jwt \ --resource_url="$MCP_RESOURCE_URL" \ - --allowed_scopes="openid profile email notes:read notes:write calendar:read calendar:write contacts:read contacts:write cookbook:read cookbook:write deck:read deck:write tables:read tables:write files:read files:write" + --allowed_scopes="openid profile email offline_access notes:read notes:write calendar:read calendar:write contacts:read contacts:write cookbook:read cookbook:write deck:read deck:write tables:read tables:write files:read files:write") + +echo "$CLIENT_OUTPUT" + +# Extract client_secret from JSON output +CLIENT_SECRET=$(echo "$CLIENT_OUTPUT" | php -r 'echo json_decode(file_get_contents("php://stdin"), true)["client_secret"] ?? "";') + +if [ -n "$CLIENT_SECRET" ]; then + echo "Configuring Astroglobe client secret in system config..." + php /var/www/html/occ config:system:set astroglobe_client_secret --value="$CLIENT_SECRET" + echo "✓ Client secret configured: ${CLIENT_SECRET:0:8}..." +else + echo "⚠ Warning: Could not extract client_secret from OIDC client creation" +fi echo "Astroglobe app installed and configured successfully"