Chris Coutinho
6.5 KiB
Authentication
The Nextcloud MCP server supports two authentication modes for connecting to your Nextcloud instance.
Authentication Modes Comparison
| Mode | Status | Security | Use Case |
|---|---|---|---|
| OAuth2/OIDC | ✅ Recommended | 🔒 High | Production deployments, multi-user scenarios |
| Basic Auth | ⚠️ Legacy | ⚠️ Lower | Development, backward compatibility |
OAuth2/OIDC (Recommended)
OAuth2/OIDC authentication provides secure, token-based authentication following modern security standards.
Architecture
The Nextcloud MCP Server acts as an OAuth 2.0 Resource Server, protecting access to Nextcloud resources:
MCP Client ←→ MCP Server (Resource Server) ←→ Nextcloud (Authorization Server + APIs)
OAuth Flow with PKCE Bearer Token Auth
Key Components:
- MCP Server: OAuth Resource Server (validates tokens, provides MCP tools)
- Nextcloud
oidcapp: OAuth Authorization Server (issues tokens) - Nextcloud
user_oidcapp: Token validation middleware - MCP Client: Any MCP-compatible client (Claude, custom clients)
For detailed architecture, see OAuth Architecture.
Required Nextcloud Apps
OAuth authentication requires two Nextcloud apps to work together:
1. oidc - OIDC Identity Provider
Purpose: Makes Nextcloud an OAuth2/OIDC authorization server
Provides:
- OAuth2 authorization endpoint (
/apps/oidc/authorize) - Token endpoint (
/apps/oidc/token) - User info endpoint (
/apps/oidc/userinfo) - JWKS endpoint for token validation (
/apps/oidc/jwks) - Dynamic client registration endpoint (
/apps/oidc/register)
Installation: Available in Nextcloud App Store under "Security"
2. user_oidc - OpenID Connect User Backend
Purpose: Authenticates users and validates Bearer tokens
Provides:
- Bearer token validation against the OIDC provider
- User authentication via OIDC
- Session management for authenticated users
Installation: Available in Nextcloud App Store under "Security"
Important: The user_oidc app requires a patch for Bearer token support on non-OCS endpoints (like Notes API). See Upstream Status for details.
Benefits
- Zero-config deployment via dynamic client registration
- No credential storage in environment variables
- Per-user authentication with access tokens
- Per-user permissions - each user has their own Nextcloud client
- Automatic token validation via Nextcloud OIDC userinfo endpoint
- Token caching for performance (default: 1 hour TTL)
- PKCE required for enhanced security (S256 code challenge)
- Secure by design following OAuth 2.0 and OpenID Connect standards
Current Implementation Limitations
Important
Tested Configuration:
- ✅ Nextcloud
oidcapp (OIDC Identity Provider) +user_oidcapp (OIDC User Backend)- ✅ Nextcloud acting as its own identity provider (self-hosted OIDC)
- ✅ MCP server as OAuth Resource Server
- ✅ PKCE with S256 code challenge method
Not Tested:
- ❌ External identity providers (Azure AD, Keycloak, Okta, etc.)
- ❌ Using
user_oidcwith external OIDC providersKnown Requirements:
- 🔧 The
user_oidcapp requires a patch for Bearer token support on non-OCS endpoints (see Upstream Status)- ⏱️ Dynamic client registration credentials expire (default: 1 hour) - use pre-configured clients for production
- 🔐 PKCE must be advertised in OIDC discovery (see Upstream Status)
How OAuth Works
The MCP server implements the OAuth 2.0 Resource Server pattern:
Phase 1: Authorization (OAuth Flow with PKCE)
- MCP client connects and receives OAuth settings (issuer URL, scopes)
- Client initiates OAuth flow with PKCE (Proof Key for Code Exchange)
- User authenticates via browser to Nextcloud
- Nextcloud redirects back with authorization code
- Client exchanges code + code_verifier for access token
Phase 2: API Access (Bearer Token Validation)
6. Client sends MCP requests with Authorization: Bearer <token> header
7. MCP server validates token by calling Nextcloud's userinfo endpoint
8. Server creates per-user NextcloudClient instance with the token
9. All Nextcloud API requests use the user's Bearer token
10. User-specific permissions and audit trails apply
This ensures:
- Each user has their own authenticated session
- Actions appear from the correct user in Nextcloud logs
- Proper permission boundaries are maintained
- No shared credentials between users
See Also
- OAuth Quick Start - 5-minute setup for development
- OAuth Setup Guide - Detailed production setup
- OAuth Architecture - Technical details
- Upstream Status - Required patches and PR status
- OAuth Troubleshooting - OAuth-specific issues
- Configuration - Environment variables
Basic Authentication (Legacy)
Basic Authentication uses username and password credentials directly.
Benefits
- Simple setup with username/password
- Single-user server instances
- Quick for development and testing
Limitations
- Credentials in environment (less secure)
- Single user only - all requests use the same account
- No audit trail - all actions appear from the same user
- Maintained for compatibility - will be deprecated in future versions
Warning
Security Notice: Basic Authentication stores credentials in environment variables and is less secure than OAuth. It's maintained for backward compatibility only and may be deprecated in future versions. Use OAuth for production deployments.
See Also
- Configuration - BasicAuth environment variables
- Running the Server - BasicAuth examples
Mode Detection
The server automatically detects the authentication mode:
- OAuth mode: When
NEXTCLOUD_USERNAMEandNEXTCLOUD_PASSWORDare NOT set - BasicAuth mode: When both username and password are provided
You can also force a specific mode using CLI flags:
# Force OAuth mode
uv run nextcloud-mcp-server --oauth
# Force BasicAuth mode
uv run nextcloud-mcp-server --no-oauth
Switching Between Modes
See Troubleshooting: Switching Between OAuth and BasicAuth for instructions.