Skip to content

Implement token exchange from OCM#57234

Open
enriquepablo wants to merge 66 commits intonextcloud:masterfrom
enriquepablo:master
Open

Implement token exchange from OCM#57234
enriquepablo wants to merge 66 commits intonextcloud:masterfrom
enriquepablo:master

Conversation

@enriquepablo
Copy link
Copy Markdown

@enriquepablo enriquepablo commented Dec 23, 2025
edited by mickenordin
Loading

See #57152 #57166

Summary

This PR implements the token exchange flow from OCM, allowing Nextcloud to use bearer auth with short lived tokens. This opens up interoperability with OpenCloud/ownCloud OCIS and the possibility to implement webapp shares in the future, which requires this.

Discussion

This is a preliminary PR for discussion. If this goes through there are some things missing with which we'll be grateful to get some guidance:

  • docs and tests
  • keeping retrieved access tokens in the db
  • removing tokens when removing shares

There is also the question that for access tokens, we are keeping a reference to the corresponding refresh token in the uid field of the access token db record.

Prerequisite

This needs nextcloud/3rdparty#2413 before merging

@enriquepablo enriquepablo requested review from a team and nickvergessen as code owners December 23, 2025 13:00
@enriquepablo enriquepablo requested review from come-nc, icewind1991, nfebe and provokateurin and removed request for a team December 23, 2025 13:00
@susnux susnux requested a review from ArtificialOwl December 23, 2025 20:19
This was referenced Jan 2, 2026
Open
Closed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jan 7, 2026

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)

@enriquepablo enriquepablo force-pushed the master branch 2 times, most recently from 869318e to fa85a7c Compare January 29, 2026 10:53
@enriquepablo
Copy link
Copy Markdown
Author

enriquepablo commented Jan 29, 2026

Disclaimer: Some of the code in this PR (mainly regarding the tests) was generated by Claude Opus 4.5. I have provided it with very specific prompts, and thoroughly reviewed the output.

@enriquepablo enriquepablo force-pushed the master branch 2 times, most recently from af0f4f2 to 736b3ff Compare February 2, 2026 16:40
@mickenordin mickenordin force-pushed the master branch 2 times, most recently from 6e14936 to 84713bc Compare February 3, 2026 20:43
enriquepablo and others added 26 commits May 6, 2026 09:51
@enriquepablo @mickenordin
fix(files_sharing): refactor refreshing access tokens
997ee61 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix(dav): keep refresh tokens in its own db table
ffb9928 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix(dav): validate token exchange response before using it
ce2b21e 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix(dav): keep refresh tokens in its own db table, add migration for …
0f5e3e6 
…old shares

Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix(files_sharing): keep access tokens in its own field in the extern…
b3dd956 
…al shares table

Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix(files_sharing): prevent concurrent requests to refresh token inde…
ba12a9f 
…pendently

Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix(dav): cleanup expired access tokens
55327ac 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix(files_sharing): prevent infinite loop trying unsuccessfully to re…
d8f036f 
…fresh access tokens

Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix(files_sharing): missing autoloads
e295ad6 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
test(dav): test bearer token login
1e921cf 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
test(dav): test cleanup of expired access tokens
2a434b5 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
test(federatedfilesharing): test federated shares
2b4c27f 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
test(files_sharing): test access tokens
272f47f 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix(files_sharing): correct access level for appConfig
66c20d7 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix: backwards compatibility for shares from instances before upgrading
1fc3f22 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix: backwards compatibility for shares for instances before upgrading
a2ba7e7 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix: backwards compatibility for shares for instances before upgrading
0376454 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix: re-order imports
f4ef06d 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix: avoid changing the IUserSession interface
4699378 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix[dav]: composer autoload
8310ae0 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@enriquepablo @mickenordin
fix[federatedfilesharing]: replace deprecated import
4b5c3f4 
Signed-off-by: Enrique Pérez Arnaud <enrique@cazalla.net>
@mickenordin
chore: bump 3rdparty and update psalm baseline
cd60258 
- Align 3rdparty submodule with master
- Add baseline entry for the extra getFederationIdFromSharedSecret call
  introduced for refresh-token flow in RequestHandlerController

Signed-off-by: Micke Nordin <kano@sunet.se>
@mickenordin
fix(dav): respect storage scheme when discovering token endpoint
c03c681 
exchangeRefreshToken hardcoded https:// for OCM discovery, breaking
federated shares against http remotes (e.g. integration test setup).
Use $this->secure to pick the scheme.

Signed-off-by: Micke Nordin <kano@sunet.se>
@mickenordin
fix(auth): allow OCM access tokens via Bearer header
e593289 
Master's TEMPORARY_TOKEN-via-Bearer rejection (725f5be) blocked the
PR's own OCM access tokens, which are intentionally TEMPORARY_TOKEN
delivered via Bearer. Mark the OCM tokens with a well-known name and
exempt them from the rejection.

Signed-off-by: Micke Nordin <kano@sunet.se>
@mickenordin
chore: add missing Override attributes flagged by psalm
cadbb66 
Signed-off-by: Micke Nordin <kano@sunet.se>
@mickenordin
fix(dav): regenerate composer autoloader for new migration
dffe478 
Re-run build/autoloaderchecker.sh so the new
Version1037Date20260306120000 migration is picked up and the duplicate
entries for Version1038/Version1039 are removed.

Signed-off-by: Micke Nordin <kano@sunet.se>
@mickenordin mickenordin requested a review from provokateurin as a code owner May 6, 2026 07:51
@mickenordin
feat(JWT): Switch the access_token to a JWT
c406ccb 
By using a JWT that the receiver can verify against a public key, we
make it easy for third party services to validate the token
independently. This is relevant for example in the context of webapp
shares that may defer to a separate service to deliver the actual
webapp.

NOTE: This requires nextcloud/3rdparty#2413 to
be merged before this.

Signed-off-by: Micke Nordin <kano@sunet.se>
mickenordin added a commit to enriquepablo/server that referenced this pull request May 6, 2026
@mickenordin
Merge enriquepablo/master (PR nextcloud#57234) into server-integration
f969595 
Combines the rebased kano-dual-stack-rfc-9421-http-sig PR (RFC 9421
HTTP signature support, OCM Ed25519 keys, JWKS endpoint, occ key
management) with enriquepablo's OCM token-exchange and JWT access
tokens. The exchange-token flow lives on top of the new RFC 9421
signing path (see the follow-up federatedfilesharing fix).

# Conflicts:
#	lib/private/OCM/OCMDiscoveryService.php
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickvergessen nickvergessen Awaiting requested review from nickvergessen nickvergessen is a code owner

@icewind1991 icewind1991 Awaiting requested review from icewind1991 icewind1991 is a code owner automatically assigned from nextcloud/server-backend

@nfebe nfebe Awaiting requested review from nfebe nfebe is a code owner automatically assigned from nextcloud/server-backend

@come-nc come-nc Awaiting requested review from come-nc come-nc is a code owner automatically assigned from nextcloud/server-backend

@ArtificialOwl ArtificialOwl Awaiting requested review from ArtificialOwl

@sorbaugh sorbaugh Awaiting requested review from sorbaugh

@susnux susnux Awaiting requested review from susnux susnux was automatically assigned from nextcloud/server-frontend

@provokateurin provokateurin Awaiting requested review from provokateurin provokateurin is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

3. to review Waiting for reviews feedback-requested

Projects

None yet

Milestone

Nextcloud 34

Development

Successfully merging this pull request may close these issues.

3 participants

@enriquepablo @mickenordin @joshtrichards