Julien Veyssier 9a0a2e1a9c add small Oidc sections in admin and developer docs
Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
2025-03-13 12:29:56 +01:00


=====================
OpenID Connect (Oidc)
=====================
There are multiple ways for apps to interact with the ``user_oidc`` and ``oidc`` apps.
It is possible to get tokens from those apps and to ask them to validate tokens.
All available events are in the ``user_oidc`` app even if some use cases don't involve the main feature of this app.

`user_oidc events doc <https://github.com/nextcloud/user_oidc/tree/main/docs>`_

Getting the login token
-----------------------
When using ``user_oidc``, which uses an external identity provider, the login token can be stored so apps can later
get it via an event.
The ``store_login_token`` config flag must be enabled.
The login token is automatically refreshed by ``user_oidc`` when needed during the user session.
The login token can be obtained by apps by emitting the ``OCA\UserOIDC\Event\ExternalTokenRequestedEvent`` event.

Token exchange
--------------
If the external identity provider supports token exchange, apps can ask ``user_oidc`` to perform one
and deliver the exchanged token by emitting the ``OCA\UserOIDC\Event\ExchangedTokenRequestedEvent`` event.
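
The two requests described above (login token and token exchange), as an added example that is not code from ``user_oidc`` or the Nextcloud documentation. The ``OCA\MyApp`` namespace and the ``OidcTokenFetcher`` class are hypothetical; the ``getToken()`` and ``getAccessToken()`` accessors, the audience constructor argument, and failure being reported as an exception are assumptions to check against the events documentation linked above.

```php
<?php

declare(strict_types=1);

namespace OCA\MyApp\Service; // hypothetical app namespace

use OCA\UserOIDC\Event\ExchangedTokenRequestedEvent;
use OCA\UserOIDC\Event\ExternalTokenRequestedEvent;
use OCP\EventDispatcher\IEventDispatcher;
use Psr\Log\LoggerInterface;

class OidcTokenFetcher { // hypothetical helper, not part of user_oidc
	public function __construct(
		private IEventDispatcher $dispatcher,
		private LoggerInterface $logger,
	) {
	}

	/** Login token stored by user_oidc (needs store_login_token enabled). */
	public function getLoginAccessToken(): ?string {
		// user_oidc may be disabled or missing: its classes are then not loadable
		if (!class_exists(ExternalTokenRequestedEvent::class)) {
			return null;
		}
		$event = new ExternalTokenRequestedEvent();
		$this->dispatcher->dispatchTyped($event);
		// Assumed accessors; getToken() is null when no listener supplied a token
		return $event->getToken()?->getAccessToken();
	}

	/** Token exchanged by the external identity provider for $audience. */
	public function getExchangedAccessToken(string $audience): ?string {
		if (!class_exists(ExchangedTokenRequestedEvent::class)) {
			return null;
		}
		// Assumed constructor argument: target audience of the exchanged token
		$event = new ExchangedTokenRequestedEvent($audience);
		try {
			$this->dispatcher->dispatchTyped($event);
		} catch (\Throwable $e) {
			// Log the failure reason only, never a token value
			$this->logger->warning('OIDC token exchange failed: ' . $e->getMessage());
			return null;
		}
		return $event->getToken()?->getAccessToken();
	}
}
```

Callers should treat a ``null`` result as "no token available" and keep returned tokens out of logs and persistent storage.
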

Generating a token if Nextcloud is the provider
-----------------------------------------------
If the ``oidc`` app is used to make Nextcloud an identity provider, some Nextcloud apps might need to ask
Nextcloud to generate a token that they will use to authenticate against an external service.
This requires both ``oidc`` and ``user_oidc`` apps installed (even if ``user_oidc`` is not used as a user backend).
The token can be generated by emitting the ``OCA\UserOIDC\Event\InternalTokenRequestedEvent`` event.