Hi, Thanks for your idea. We have put it to our internal list of ideas. However, at the moment we don't have resources to do it. If you would like to contribute this feature with a pull request, please let us know before so that we can talk about the necessary API changes / abstractions. But I guess it's quite a bit of work…
At the moment DAVx⁵ only supports authentication with login/password. I would love OIDC to be also supported.
Use case
There is no support for Bearer token authentication on every DAV server at the moment (AFAIK radicale or xandikos for instance don't support Bearer token authentication) but for instance nextcloud combined with an OIDC app like oidc_login or user_oidc gets the job done very well.
My use-case is that I only rely on OpenID Connect as the userbase for all my services (nextcloud, matrix/element, mail stack with postfix/dovecot etc.). As DAVx⁵ only supports password authentication, I must support the OAuth2 password flow on my identity server and my DAV server, so DAVx⁵ can perform a password based authentication against my Nextcloud DAV endpoint (which then performs a password authentication flow against my Identity Server thanks to the nextcloud OIDC plugins). However this OIDC password flow will be deprecated soon, leaving me with no way to plug DAVx⁵ into my existing stack.
Service discovery
The OIDC Discovery specification defines ways to make the user experience quite easy:
1. Take the email address given by a user, say [email protected].
2. Post the user email at the WebFinger endpoint mydomain.tld/.well-known/webfinger to get the OIDC server address, say https://auth.mydomain.tld.
3. Fetch https://auth.mydomain.tld/.well-known/openid-configuration to know the identity provider capabilities and endpoint addresses.
4. Take the registration_endpoint claim, say https://auth.mydomain.tld/oauth/authorize, register against this endpoint and get credentials for DAVx⁵.
5. Take the authorization_endpoint claim, say https://auth.mydomain.tld/oauth/authorize, and redirect the users to this endpoint, authenticating them with the credentials obtained during the registration.
From the DAVx⁵ end-user point of view, this would allow a quite straightforward experience: just fill in your email address, let the magic be done, and get redirected to your identity provider authorization page.
I remember this subject being discussed on the old forum, and the decision was that Bearer token authentication support was not good enough on the DAV servers side to put energy on an OIDC DAVx⁵ implementation. Now that a bit of time has passed, I wanted to reopen the conversation.
What do you think?
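The discovery chain described in the post above (WebFinger, openid-configuration, registration_endpoint, authorization_endpoint), worked through as an added Python example. It is not part of this discussion and not DAVx⁵'s own code: it assumes constructed WebFinger and discovery documents for the invented domain mydomain.tld, a constructed account user@mydomain.tld, an invented redirect URI davx5://oauth/callback and an invented client id, and it replaces the network with an in-memory dictionary so it runs offline. It goes a little beyond the post by adding the checks a client should perform before trusting what discovery returns: HTTPS-only fetches, the issuer in the metadata matching the issuer WebFinger pointed at, and PKCE plus a state value for the authorization request.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed stand-in for the network: the documents WebFinger and OIDC
# discovery would return for the invented domain mydomain.tld.
# Keyed by scheme://host/path; fetch_json ignores the query string.
FAKE_HTTP = {
    "https://mydomain.tld/.well-known/webfinger": {
        "subject": "acct:user@mydomain.tld",
        "links": [{"rel": OIDC_ISSUER_REL, "href": "https://auth.mydomain.tld"}],
    },
    "https://auth.mydomain.tld/.well-known/openid-configuration": {
        "issuer": "https://auth.mydomain.tld",
        "authorization_endpoint": "https://auth.mydomain.tld/oauth/authorize",
        "token_endpoint": "https://auth.mydomain.tld/oauth/token",
        "registration_endpoint": "https://auth.mydomain.tld/oauth/register",
        "code_challenge_methods_supported": ["S256"],
    },
}


def fetch_json(url, http=FAKE_HTTP):
    """Offline stand-in for an HTTPS GET. Plain http is refused so discovery
    cannot be steered to another issuer over cleartext."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS discovery URL: {url}")
    key = f"https://{parts.netloc}{parts.path}"
    if key not in http:
        raise LookupError(f"no response for {url}")
    return http[key]


def webfinger_issuer(email, http=FAKE_HTTP):
    """Step 1/2: ask the user's domain (WebFinger) which OIDC issuer serves the account."""
    local, _, host = email.rpartition("@")
    if not local or not host:
        raise ValueError("expected an email address")
    query = urlencode({"resource": f"acct:{email}", "rel": OIDC_ISSUER_REL})
    doc = fetch_json(f"https://{host}/.well-known/webfinger?{query}", http)
    for link in doc.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            issuer = link.get("href", "").rstrip("/")
            if urlsplit(issuer).scheme != "https":
                raise ValueError(f"issuer must be HTTPS: {issuer!r}")
            return issuer
    raise LookupError("WebFinger response carries no OIDC issuer link")


def discovery_document(issuer, http=FAKE_HTTP):
    """Step 3: fetch provider metadata and check it really describes this issuer."""
    doc = fetch_json(f"{issuer}/.well-known/openid-configuration", http)
    if doc.get("issuer", "").rstrip("/") != issuer:
        raise ValueError(f"issuer mismatch: WebFinger said {issuer}, metadata says {doc.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            raise ValueError(f"{key} missing or not HTTPS")
    return doc


def registration_request(redirect_uri, client_name="example client"):
    """Step 4: body to POST to registration_endpoint (RFC 7591 dynamic registration).
    A public client bound to one redirect URI and holding no client secret."""
    return {
        "client_name": client_name,
        "redirect_uris": [redirect_uri],
        "token_endpoint_auth_method": "none",
        "response_types": ["code"],
    }


def pkce_challenge(verifier):
    """S256 code challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorization_request(metadata, client_id, redirect_uri):
    """Step 5: URL to open in the browser, plus the per-request secrets
    (state, PKCE verifier) the app must keep to validate the callback."""
    if "S256" not in metadata.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise PKCE S256")
    verifier = secrets.token_urlsafe(48)  # 64 unreserved chars, within the 43..128 PKCE range
    state = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return {"url": f"{metadata['authorization_endpoint']}?{urlencode(params)}",
            "state": state, "code_verifier": verifier,
            "code_challenge": params["code_challenge"]}


def callback_is_valid(request, returned_state):
    """Reject a callback whose state does not match the request that was issued."""
    return hmac.compare_digest(request["state"], returned_state)
```

The issuer comparison in discovery_document is the check that matters most here: WebFinger answers come from the user's mail domain, the metadata from the issuer it named, and a client that does not verify that the metadata's issuer field equals the URL it fetched from will happily send its authorization request wherever a tampered WebFinger document says.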