pulsejet / nextcloud-oidc-login

Nextcloud login via a single OpenID Connect 1.0 provider
https://apps.nextcloud.com/apps/oidc_login
GNU Affero General Public License v3.0
219 stars, 59 forks

OIDC dynamic client registration #82

Open azmeuk opened 3 years ago

azmeuk commented 3 years ago

I suggest implementing the OIDC dynamic client registration protocol.

I understand that it seems in contradiction with the one single OIDC provider policy, but I have a concrete use case for this feature:

I have a script that automatically deploys a nextcloud instance (with nextcloud-oidc-login) and a canaille OIDC provider instance. I would love nextcloud-oidc-login to be able to automatically connect to my OIDC provider.

Allowing nextcloud-oidc-login to automatically register to the provider would allow me to simply give an initial access token to both the provider and nextcloud-oidc-login, and let them plug together.

What do you think?

pulsejet commented 3 years ago

I have no issues with this, though I don't understand why you're deploying a new instance of the OIDC provider every time with Nextcloud.

AFAIK there is some way to update config.php at runtime; that would be worth looking into. The client_id and secret should be updated only if dynamic registration is enabled AND client_id is blank (or not present) in the configuration.

Feel free to make a PR.
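The flow the two comments above describe, as an added example that is not code from nextcloud-oidc-login or from the issue participants: the client performs OpenID Connect Dynamic Client Registration (RFC 7591) against the provider's advertised registration endpoint, presenting the initial access token as a Bearer token, and only does so when dynamic registration is enabled and no client_id is configured yet. The config keys `oidc_login_provider_url`, `oidc_login_client_id` and `oidc_login_client_secret` are the app's real config.php keys; `oidc_login_dynamic_registration`, `oidc_login_initial_access_token`, `nextcloud_base_url`, the `/apps/oidc_login/oidc` redirect path, the issuer URL and the provider responses are assumptions constructed for this example. The HTTP transport is injected so the example runs offline against a constructed stand-in provider.

```python
"""Added example: RFC 7591 dynamic client registration gated on an empty client_id.
Not part of nextcloud-oidc-login; config keys marked below are assumptions."""
from typing import Callable, Optional, Tuple

# Transport signature: (method, url, headers, json_body) -> (status, json_body).
Transport = Callable[[str, str, dict, Optional[dict]], Tuple[int, dict]]

ISSUER = "https://idp.example.org"          # constructed issuer URL
INITIAL_ACCESS_TOKEN = "iat-example-token"  # constructed initial access token

# Constructed config. The two *_dynamic_registration / *_initial_access_token keys
# and nextcloud_base_url are hypothetical; the other keys are the app's real ones.
EXAMPLE_CONFIG = {
    "oidc_login_provider_url": ISSUER,
    "oidc_login_dynamic_registration": True,
    "oidc_login_initial_access_token": INITIAL_ACCESS_TOKEN,
    "nextcloud_base_url": "https://cloud.example.org",
}


def should_register(config: dict) -> bool:
    """The gate from the thread: dynamic registration enabled AND client_id blank/absent."""
    return bool(config.get("oidc_login_dynamic_registration")) and not config.get("oidc_login_client_id")


def discover(issuer: str, transport: Transport) -> dict:
    """Fetch the provider metadata; the returned issuer must match the configured one."""
    issuer = issuer.rstrip("/")
    status, meta = transport("GET", issuer + "/.well-known/openid-configuration", {}, None)
    if status != 200 or meta.get("issuer") != issuer:
        raise RuntimeError("discovery failed or issuer mismatch")
    return meta


def register_client(config: dict, transport: Transport) -> dict:
    """Return a config with client_id/secret filled in, registering only when the gate allows."""
    if not should_register(config):
        return config  # already configured (or feature disabled): never overwrite
    meta = discover(config["oidc_login_provider_url"], transport)
    registration_endpoint = meta.get("registration_endpoint")
    if not registration_endpoint:
        raise RuntimeError("provider does not advertise registration_endpoint")

    # Client metadata per RFC 7591; redirect path is an assumption for this example.
    request = {
        "client_name": "Nextcloud",
        "redirect_uris": [config["nextcloud_base_url"].rstrip("/") + "/apps/oidc_login/oidc"],
        "grant_types": ["authorization_code"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
    }
    headers = {"Content-Type": "application/json"}
    token = config.get("oidc_login_initial_access_token")
    if token:  # RFC 7591 section 3: initial access token goes in the Authorization header
        headers["Authorization"] = "Bearer " + token

    status, body = transport("POST", registration_endpoint, headers, request)
    if status != 201 or "client_id" not in body:
        raise RuntimeError(f"registration rejected: {status} {body.get('error')}")
    # The server may alter requested metadata; refuse a registration whose
    # redirect URIs are not exactly ours, since that is what the code flow trusts.
    if body.get("redirect_uris") != request["redirect_uris"]:
        raise RuntimeError("provider changed redirect_uris; refusing registration")

    updated = dict(config)
    updated["oidc_login_client_id"] = body["client_id"]
    updated["oidc_login_client_secret"] = body.get("client_secret", "")
    return updated


def fake_provider(method: str, url: str, headers: dict, body: Optional[dict]) -> Tuple[int, dict]:
    """Constructed stand-in for an RFC 7591 provider; requires the initial access token."""
    if method == "GET" and url == ISSUER + "/.well-known/openid-configuration":
        return 200, {
            "issuer": ISSUER,
            "authorization_endpoint": ISSUER + "/oauth/authorize",
            "token_endpoint": ISSUER + "/oauth/token",
            "registration_endpoint": ISSUER + "/oauth/register",
        }
    if method == "POST" and url == ISSUER + "/oauth/register":
        if headers.get("Authorization") != "Bearer " + INITIAL_ACCESS_TOKEN:
            return 401, {"error": "invalid_token"}
        if not (body or {}).get("redirect_uris"):
            return 400, {"error": "invalid_redirect_uri"}
        return 201, {"client_id": "nc-1234", "client_secret": "constructed-secret", **body}
    return 404, {"error": "not_found"}


if __name__ == "__main__":
    print(register_client(EXAMPLE_CONFIG, fake_provider))
```

A real implementation would persist the returned client_id and client_secret to config.php once and, after that, the gate keeps the app from re-registering on every start; the registration access token that RFC 7591 servers may also return is what a later update or deletion of the client (RFC 7592) would use.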

azmeuk commented 3 years ago

> I have no issues with this, though I don't understand why you're deploying a new instance of the OIDC provider every time with Nextcloud.

This is because those are different user bases, hosted at different places.

pulsejet commented 3 years ago

> This is because those are different user bases, hosted at different places.

Regardless, why does that require you to deploy a new OIDC instance? Isn't this a one-time config?

azmeuk commented 3 years ago

Because the people for whom I deploy nextcloud and the OIDC provider want to host their data on their own infrastructures. There is no way for me to mutualize.

azmeuk commented 1 year ago

It seems to be supported by OpenID-Connect-PHP.