brandon/nextcloud-mcp-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ea468889ce34facef3dcf9985a5a7e8d43dba67f
nextcloud-mcp-server/docs/oauth-setup.md
T
Chris Coutinho 2489a714b8 docs: Update README and docs
2025-10-14 01:23:37 +02:00

226 lines
6.3 KiB
Markdown
Raw Blame History

# OAuth Setup Guide
This guide walks you through setting up OAuth2/OIDC authentication for the Nextcloud MCP server.
## Prerequisites
- Nextcloud instance with administrator access
- Python 3.11+ installed
- Nextcloud MCP server installed (see [Installation Guide](installation.md))
## Step 1: Install Nextcloud OIDC App
1. Open your Nextcloud instance as an administrator
2. Navigate to **Apps****Security**
3. Find and install the **OpenID Connect user backend** app
4. Enable the app
## Step 2: Enable Dynamic Client Registration
1. Navigate to **Settings****OIDC** (in Administration settings)
2. Find the **Dynamic Client Registration** section
3. Enable **"Allow dynamic client registration"**
4. (Optional) Configure client expiration time:
```bash
# Via Nextcloud CLI (occ) - optional, default is 3600 seconds (1 hour)
php occ config:app:set oidc expire_time --value "86400" # 24 hours
```
## Step 3: Choose Your Setup Approach
You have two options for configuring OAuth clients:
### Approach A: Automatic Registration (Zero-config)
**Best for:** Development, testing, short-lived deployments
**How it works:** The MCP server automatically registers a new OAuth client with Nextcloud at startup using dynamic client registration.
**Pros:**
- Zero configuration required
- Quick to set up
- No manual client management
**Cons:**
- Clients expire (default: 1 hour)
- Server must re-register on restart if expired
- Not recommended for long-running production deployments
[Jump to Approach A setup →](#approach-a-automatic-registration)
### Approach B: Pre-configured Client (Production)
**Best for:** Production, long-running deployments
**How it works:** You manually create an OAuth client via Nextcloud CLI and provide credentials to the MCP server.
**Pros:**
- Credentials don't expire
- Stable for production use
- More control over client configuration
**Cons:**
- Requires manual setup
- Needs access to Nextcloud server CLI
[Jump to Approach B setup →](#approach-b-pre-configured-client)
---
## Approach A: Automatic Registration
### 1. Configure Environment
Create your `.env` file with only the Nextcloud host:
```dotenv
# .env file
NEXTCLOUD_HOST=https://your.nextcloud.instance.com
# Leave these EMPTY for OAuth mode
NEXTCLOUD_USERNAME=
NEXTCLOUD_PASSWORD=
```
### 2. Start the MCP Server
```bash
# Load environment variables
export $(grep -v '^#' .env | xargs)
# Start server with OAuth enabled
uv run nextcloud-mcp-server --oauth
```
### 3. Verify Registration
The server will automatically register a new OAuth client. Look for these log messages:
```
INFO OAuth mode detected (NEXTCLOUD_USERNAME/PASSWORD not set)
INFO Configuring MCP server for OAuth mode
INFO Performing OIDC discovery: https://your.nextcloud.instance.com/.well-known/openid-configuration
INFO OIDC discovery successful
INFO Attempting dynamic client registration...
INFO Dynamic client registration successful
INFO OAuth client ready: <client-id>...
INFO Saved OAuth client credentials to .nextcloud_oauth_client.json
INFO OAuth initialization complete
```
### 4. Client Credential Storage
Registered client credentials are saved to `.nextcloud_oauth_client.json` by default. The server will:
- Load existing credentials on startup
- Check if they've expired
- Re-register automatically if expired or missing
**Note:** Since dynamically registered clients expire (default: 1 hour), the server checks credentials at startup. For long-running deployments, consider using Approach B (pre-configured clients) instead.
---
## Approach B: Pre-configured Client
### 1. Register Client via Nextcloud CLI
SSH into your Nextcloud server and run:
```bash
# Create OAuth client
php occ oidc:create \
--name="Nextcloud MCP Server" \
--type=confidential \
--redirect-uri="http://localhost:8000/oauth/callback"
# Example output:
# Client ID: abc123xyz
# Client Secret: secret456def
```
**Note:** Adjust the `--redirect-uri` to match your MCP server URL if different from `http://localhost:8000`.
### 2. Configure Environment
Add the client credentials to your `.env` file:
```dotenv
# .env file
NEXTCLOUD_HOST=https://your.nextcloud.instance.com
# OAuth Client Credentials
NEXTCLOUD_OIDC_CLIENT_ID=abc123xyz
NEXTCLOUD_OIDC_CLIENT_SECRET=secret456def
# Optional: Custom OAuth configuration
NEXTCLOUD_MCP_SERVER_URL=http://localhost:8000
NEXTCLOUD_OIDC_CLIENT_STORAGE=.nextcloud_oauth_client.json
# Leave these EMPTY for OAuth mode
NEXTCLOUD_USERNAME=
NEXTCLOUD_PASSWORD=
```
See [Configuration Guide](configuration.md#oauth2oidc-configuration) for all available options.
### 3. Start the MCP Server
```bash
# Load environment variables
export $(grep -v '^#' .env | xargs)
# Start server - it will use pre-configured credentials
uv run nextcloud-mcp-server --oauth
```
### 4. Verify Configuration
Look for these log messages:
```
INFO OAuth mode detected (NEXTCLOUD_USERNAME/PASSWORD not set)
INFO Configuring MCP server for OAuth mode
INFO Performing OIDC discovery: https://your.nextcloud.instance.com/.well-known/openid-configuration
INFO OIDC discovery successful
INFO Using pre-configured OAuth client: abc123xyz
INFO OAuth initialization complete
```
**Benefits:** Pre-configured clients don't expire automatically and are more stable for production use.
---
## Step 4: Test Authentication
The MCP server is now configured for OAuth. When clients connect:
1. Client connects to MCP server
2. Server provides OAuth authorization URL
3. User opens URL in browser and authenticates to Nextcloud
4. Nextcloud redirects back with authorization code
5. Client exchanges code for access token
6. Client uses Bearer token to access MCP server
7. All Nextcloud API requests use the user's OAuth token
### Test with MCP Inspector
```bash
# Start MCP Inspector
uv run mcp dev
# In the browser UI:
# 1. Enter your MCP server URL (e.g., http://localhost:8000)
# 2. Complete OAuth flow in browser
# 3. Test tools and resources
```
## Next Steps
- [Running the Server](running.md) - Additional server options
- [Configuration](configuration.md) - All environment variables
- [Troubleshooting](troubleshooting.md) - Common OAuth issues
## See Also
- [Authentication Overview](authentication.md) - OAuth vs BasicAuth comparison
- [OAuth Bearer Token Issue](oauth2-bearer-token-session-issue.md) - Required patch for non-OCS endpoints
Reference in New Issue View Git Blame Copy Permalink