849c67c32a
This commit completes the Keycloak external IdP integration for the MCP
server, implementing ADR-002 Tier 2 (External Identity Provider) with
full Bearer token authentication support.
Key Changes:
1. **Keycloak backchannel-dynamic configuration**
- Added --hostname-strict=false and --hostname-backchannel-dynamic=true
- Allows external issuer (localhost:8888) with internal endpoints (keycloak:8080)
- Solves Docker networking issue where containers can't reach localhost
2. **CORSMiddleware Bearer token patch**
- Created app-hooks/patches/cors-bearer-token.patch from upstream commit 8fb5e77db82
- Allows Bearer tokens to bypass CORS/CSRF checks (stateless authentication)
- Applied via post-installation hook 20-apply-cors-bearer-token-patch.sh
- Enables app-specific APIs (Notes, Calendar, etc.) to work with Bearer tokens
3. **Patch organization**
- Moved patches to app-hooks/patches/ directory
- Updated docker-compose.yml to mount entire app-hooks directory
- Consolidated patch management for better maintainability
4. **Test improvements**
- All 11 Keycloak integration tests passing
- Tests validate OAuth token acquisition, MCP connectivity, token validation,
tool execution, token persistence, user provisioning, scope filtering,
and error handling
Architecture:
- Keycloak acts as external OAuth/OIDC identity provider
- MCP server uses Keycloak tokens to access Nextcloud APIs
- Nextcloud user_oidc app validates Bearer tokens from Keycloak
- No admin credentials needed - all API access uses user's OAuth tokens
Cache Note:
- Discovery and JWKS caches must be cleared when switching Keycloak configurations
- Use: docker compose exec redis redis-cli DEL "<cache-key>"
- Or: docker compose exec app php occ user_oidc:provider keycloak --clientid nextcloud
Related:
- ADR-002: Vector sync background jobs authentication
- Validates external IdP integration pattern
- Demonstrates offline_access with refresh tokens (Tier 1 & 2)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
70 lines
2.9 KiB
Diff
From deab2dac3d73d25f20a95c18103f327ab48f837a Mon Sep 17 00:00:00 2001
From: Chris Coutinho <chris@coutinho.io>
Date: Sun, 12 Oct 2025 21:09:29 +0200
Subject: [PATCH 1/1] Fix Bearer token authentication causing session logout

When using Bearer token authentication with OIDC, API requests to
endpoints with @CORS annotations (like Notes API) were failing with
401 Unauthorized errors. This occurred because:

1. Bearer token validation successfully authenticated the user
2. A session was created for the authenticated user
3. Nextcloud's CORSMiddleware detected the logged-in session but no
CSRF token, causing it to call session->logout()
4. The logout invalidated the session, breaking the API request

This fix sets the 'app_api' session flag during Bearer token
authentication, which instructs CORSMiddleware to skip the CSRF check
and logout logic. This is the same mechanism used by Nextcloud's
AppAPI framework for external application authentication.

The flag is set at all successful Bearer token authentication points:
- Line 243: After OIDC Identity Provider validation
- Line 310: After auto-provisioning with bearer provisioning
- Line 315: After existing user authentication
- Line 337: After LDAP user sync

Fixes: Bearer token authentication for all Nextcloud APIs
Tested-with: nextcloud-mcp-server integration tests
Signed-off-by: Chris Coutinho <chris@coutinho.io>
---
lib/User/Backend.php | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/lib/User/Backend.php b/lib/User/Backend.php
index 23cfb18..65665cc 100644
--- a/lib/User/Backend.php
+++ b/lib/User/Backend.php
@@ -240,6 +240,7 @@ class Backend extends ABackend implements IPasswordConfirmationBackend, IGetDisp
$this->eventDispatcher->dispatchTyped($validationEvent);
$oidcProviderUserId = $validationEvent->getUserId();
if ($oidcProviderUserId !== null) {
+ $this->session->set('app_api', true);
return $oidcProviderUserId;
} else {
$this->logger->debug('[NextcloudOidcProviderValidator] The bearer token validation has failed');
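Review bot: `$this->session->set('app_api', true);` is written to a session that outlives this request, so the CSRF-skip it grants in CORSMiddleware (per the commit message) is not scoped to the Bearer-authenticated request itself; if the same session can later be driven by a cookie, cookie-based requests on it would also skip the CSRF check. Suggest confirming that Bearer-authenticated sessions are never handed back to the client as a session cookie, or clearing the flag when the request ends, and recording that assumption in a comment next to the set call.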
@@ -306,10 +307,12 @@ class Backend extends ABackend implements IPasswordConfirmationBackend, IGetDisp
}
$this->session->set('last-password-confirm', strtotime('+4 year', time()));
+ $this->session->set('app_api', true);
return $userId;
} elseif ($this->userExists($tokenUserId)) {
$this->checkFirstLogin($tokenUserId);
$this->session->set('last-password-confirm', strtotime('+4 year', time()));
+ $this->session->set('app_api', true);
return $tokenUserId;
} else {
// check if the user exists locally
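Review bot: both new `$this->session->set('app_api', true);` lines in this hunk sit directly after an identical `$this->session->set('last-password-confirm', strtotime('+4 year', time()));`, and the same pair recurs in the next hunk; suggest factoring the two calls into one private helper (for example `markBearerSession()`) so that a future success path cannot pick up one flag without the other. The `'app_api'` string literal is also repeated at every site; a class constant would make the coupling to CORSMiddleware easy to find.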
@@ -331,6 +334,7 @@ class Backend extends ABackend implements IPasswordConfirmationBackend, IGetDisp
}
$this->checkFirstLogin($tokenUserId);
$this->session->set('last-password-confirm', strtotime('+4 year', time()));
+ $this->session->set('app_api', true);
return $tokenUserId;
}
}
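Review bot: none of the insertion sites, including this one on the LDAP user sync path, carries a comment explaining why a user backend is toggling an AppAPI session flag; the reasoning (CORSMiddleware treats a logged-in session without a CSRF token as a reason to call `session->logout()`, and `app_api` makes it skip that) lives only in the commit message. Suggest a one-line comment at the set call, e.g. `// stateless Bearer auth: tell CORSMiddleware to skip the CSRF check and logout (same flag AppAPI uses)`, so the next reader of Backend.php does not remove it as stray.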
--
2.51.0