From b68c704c4def4579e721dfa727212abc0e9e6126 Mon Sep 17 00:00:00 2001
From: Chris Coutinho
Date: Sun, 2 Nov 2025 18:47:37 +0100
Subject: [PATCH] refactor: Remove unnecessary user_oidc patch - CORSMiddleware patch is sufficient
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Testing confirmed that the CORSMiddleware Bearer token patch (from upstream commit 8fb5e77db82) alone is sufficient to enable Bearer token authentication for all Nextcloud APIs, including app-specific endpoints like Notes and Calendar.

The user_oidc patch (which sets the app_api session flag) is not required when the CORSMiddleware patch is applied, as it fixes the root cause by allowing Bearer tokens to bypass CORS/CSRF checks at the framework level.

Validation:
- Restarted Nextcloud with user_oidc patch disabled
- Ran all 11 Keycloak integration tests
- All tests passed without the user_oidc patch

Updated documentation in 10-install-user_oidc-app.sh to explain why the patch is no longer needed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 app-hooks/post-installation/10-install-user_oidc-app.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/app-hooks/post-installation/10-install-user_oidc-app.sh b/app-hooks/post-installation/10-install-user_oidc-app.sh
index dbfa582..3cc9728 100755
--- a/app-hooks/post-installation/10-install-user_oidc-app.sh
+++ b/app-hooks/post-installation/10-install-user_oidc-app.sh
@@ -15,4 +15,7 @@ php /var/www/html/occ config:system:set user_oidc httpclient.allowselfsigned --v # This enables user_oidc to fetch JWKS from internal Keycloak container php /var/www/html/occ config:system:set allow_local_remote_servers --value=true --type=boolean -patch -u /var/www/html/custom_apps/user_oidc/lib/User/Backend.php -i /docker-entrypoint-hooks.d/patches/0001-Fix-Bearer-token-authentication-causing-session-logo.patch +# Note: The user_oidc app_api session flag patch is NOT required when using the +# CORSMiddleware Bearer token patch (20-apply-cors-bearer-token-patch.sh). +# The CORSMiddleware patch fixes the root cause by allowing Bearer tokens to bypass +# CORS/CSRF checks at the framework level.
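
Review bot: The added comment at the end of the hunk makes this hook depend on 20-apply-cors-bearer-token-patch.sh, but nothing in the visible change checks that the CORSMiddleware patch was actually applied, so if that later hook fails or is removed, Bearer token requests to app endpoints will break with no pointer back to this removal. Consider naming the upstream commit the message cites (8fb5e77db82) in the comment so it is clear when the remaining patch becomes obsolete, and wording the bypass more precisely: skipping CSRF checks is only sound for requests authenticated by an Authorization: Bearer header, not for cookie-session requests, and "bypass CORS/CSRF checks at the framework level" does not say that. The diffstat shows one file changed, so the 0001-Fix-Bearer-token-authentication-causing-session-logo.patch file referenced by the removed line is not deleted in this commit; remove it here or state why it is kept.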