Chris Coutinho
b68c704c4d
Testing confirmed that the CORSMiddleware Bearer token patch (from upstream commit 8fb5e77db82) alone is sufficient to enable Bearer token authentication for all Nextcloud APIs, including app-specific endpoints like Notes and Calendar. The user_oidc patch (which sets the app_api session flag) is not required when the CORSMiddleware patch is applied, as it fixes the root cause by allowing Bearer tokens to bypass CORS/CSRF checks at the framework level. Validation: - Restarted Nextcloud with user_oidc patch disabled - Ran all 11 Keycloak integration tests - All tests passed without the user_oidc patch Updated documentation in 10-install-user_oidc-app.sh to explain why the patch is no longer needed. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
22 lines
1.0 KiB
Bash
Executable File
22 lines
1.0 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
set -euox pipefail
|
|
|
|
echo "Installing and configuring user_oidc app for testing..."
|
|
|
|
# Enable the user_oidc app (OIDC client for bearer token validation)
|
|
php /var/www/html/occ app:enable user_oidc
|
|
|
|
# Configure user_oidc to validate bearer tokens from the OIDC Identity Provider
|
|
php /var/www/html/occ config:system:set user_oidc oidc_provider_bearer_validation --value=true --type=boolean
|
|
php /var/www/html/occ config:system:set user_oidc httpclient.allowselfsigned --value=true --type=boolean
|
|
|
|
# Allow Nextcloud to connect to local/internal servers (required for external IdP mode)
|
|
# This enables user_oidc to fetch JWKS from internal Keycloak container
|
|
php /var/www/html/occ config:system:set allow_local_remote_servers --value=true --type=boolean
|
|
|
|
# Note: The user_oidc app_api session flag patch is NOT required when using the
|
|
# CORSMiddleware Bearer token patch (20-apply-cors-bearer-token-patch.sh).
|
|
# The CORSMiddleware patch fixes the root cause by allowing Bearer tokens to bypass
|
|
# CORS/CSRF checks at the framework level.
|