Authorization
In its default configuration, OpenCloud supports three authentication methods as outlined on the OIDC official site:
- Authorization Code Flow
- Implicit Flow
- Hybrid Flow
For detailed information on OpenCloud's support for OpenID Connect (OIDC), please consult the Official Documentation.
While selecting an OpenCloud client for authentication, take note of specific limitations such as the Redirect URI:
| Source | Redirect URI |
|---|---|
| Android | oc://android.opencloud.eu |
| iOS | oc://ios.opencloud.eu |
| Desktop | http://127.0.0.1 http://localhost |
In this example, the desktop app's client_id are being used.
client_id=OpenCloudDesktop
Authorization Code Flow
-
Requesting authorization
To initiate the OIDC Code Flow, you can use tools like curl and a web browser. The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard):
https://cloud.opencloud.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=code&redirect_uri=http://path-to-redirect-uriAfter a successful authentication, the browser will redirect to a URL that looks like this:
http://path-to-redirect-uri?code=mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw&scope=openid%20profile%20email%20offline_access&session_state=32b08dd...&state=For the next step extract the code from the URL.
In the above example, the code is
mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw -
Requesting an access token
The next step in the OIDC Code Flow involves an HTTP POST request to the token endpoint of the OpenCloud Identity Server.
curl -vk -X POST https://cloud.opencloud.test/konnect/v1/token \
-d "grant_type=authorization_code" \
-d "code=3a3PTcO-WWXfN3l1mDN4u7G5PzWFxatU" \
-d "redirect_uri=http:path-to-redirect-uri" \
-d "client_id=client_id"Response looks like this:
{
"access_token": "eyJhbGciOid...",
"token_type": "Bearer",
"id_token": "eyJhbGciOi...",
"refresh_token": "eyJhbGciOiJ...",
"expires_in": 300
} -
Refreshing an access token
If the access token has expired, you can get a new one using the refresh token.
curl -vk -X POST https://cloud.opencloud.test/konnect/v1/token \
-d "grant_type=refresh_token" \
-d "refresh_token=eyJhbGciOiJ..." \
-d "redirect_uri=http://path-to-redirect-uri" \
-d "client_id=client_id"Response looks like this:
{
"access_token": "eyJhbGciOi...",
"token_type": "Bearer",
"expires_in": 300
}
Implicit Code Flow
When using the implicit flow, tokens are provided in a URI fragment of the redirect URL.
Valid values for the response_type request parameter are:
- token
- id_token token
If you are using the implicit flow, nonce parameter is required in the initial /authorize request.
nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18=
bash command to generate cryptographically random value
openssl rand -base64 32
The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard):
https://cloud.opencloud.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=id_token+token&redirect_uri=http://path-to-redirect-uri&nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18=
After a successful authentication, the browser will redirect to a URL that looks like this:
http://path-to-redirect-uri#access_token=eyJhbGciOiJQUzI...&expires_in=300&id_token=eyJhbGciOiJ...&scope=email%20openid%20profile&session_state=c8a1019f5e054d...&state=&token_type=Bearer
For the next step, extract the access_token from the URL.
access_token = 'eyJhbGciOiJQ...'
Hybrid Flow
The Hybrid Flow in OpenID Connect melds features from both the Implicit and Authorization Code flows. It allows clients to directly retrieve certain tokens from the Authorization Endpoint, yet also offers the option to acquire additional tokens from the Token Endpoint.
The Authorization Server redirects back to the client with appropriate parameters in the response, based on the value of the response_type request parameter:
- code token
- code id_token
- code id_token token