From 61eb9a3aed3378a982a14e248cbd051e019a8011 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 25 Feb 2025 19:59:58 +0100
Subject: [PATCH] Optimized OIDC for Nextcloud

---
 group_vars/all/07_applications.yml | 2 +-
 .../templates/import/realm.json.j2 | 65 ++++++++++++++++++-
 .../ldif/schema/01_nextcloud.schema.ldif | 16 +++-
 .../templates/docker-compose.yml.j2 | 2 +-
 4 files changed, 77 insertions(+), 8 deletions(-)

diff --git a/group_vars/all/07_applications.yml b/group_vars/all/07_applications.yml
index e0bf8e0b..6456626c 100644
--- a/group_vars/all/07_applications.yml
+++ b/group_vars/all/07_applications.yml
@@ -252,7 +252,7 @@ defaults_applications:
 # Available options: oidc_login, sociallogin
 # @see https://apps.nextcloud.com/apps/oidc_login
 # @see https://apps.nextcloud.com/apps/sociallogin
- flavor: "sociallogin" # Keeping on sociallogin because the other option is not implemented yet
+ flavor: "oidc_login" # Keeping on sociallogin because the other option is not implemented yet
 force_import: False # Forces the import of the LDIF files
 database:
 central_storage: True
diff --git a/roles/docker-keycloak/templates/import/realm.json.j2 b/roles/docker-keycloak/templates/import/realm.json.j2
index 0e43919b..a781dcd4 100644
--- a/roles/docker-keycloak/templates/import/realm.json.j2
+++ b/roles/docker-keycloak/templates/import/realm.json.j2
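Review bot: The trailing comment on the changed line, `# Keeping on sociallogin because the other option is not implemented yet`, now contradicts the value `"oidc_login"` it sits next to, so the next reader will assume the switch was accidental. Either drop the comment or replace it with one that states the current reason, e.g. `flavor: "oidc_login" # default flavor; sociallogin is the alternative listed above`. The same literal is compared in the docker-compose.yml.j2 template later in this patch, so a comment pointing out that the two must stay in sync would also help.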
@@ -1192,6 +1192,39 @@
 }
 ]
 },
+ {
+ "id": "15dd4961-5b4f-4635-a3f1-a21e1fa7bf3a",
+ "name": "nextcloud",
+ "description": "",
+ "protocol": "openid-connect",
+ "attributes": {
+ "include.in.token.scope": "false",
+ "display.on.consent.screen": "true",
+ "gui.order": "",
+ "consent.screen.text": ""
+ },
+ "protocolMappers": [
+ {
+ "id": "62190b21-f649-4aa2-806a-2bf7ba103ce1",
+ "name": "nextcloudQuota",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-usermodel-attribute-mapper",
+ "consentRequired": false,
+ "config": {
+ "aggregate.attrs": "false",
+ "introspection.token.claim": "true",
+ "multivalued": "false",
+ "userinfo.token.claim": "true",
+ "user.attribute": "nextcloudQuota",
+ "id.token.claim": "true",
+ "lightweight.claim": "false",
+ "access.token.claim": "true",
+ "claim.name": "nextcloudQuota",
+ "jsonType.label": "int"
+ }
+ }
+ ]
+ },
 {
 "id": "c07f07bc-c4f9-48c7-87e6-0a09fca6bfa0",
 "name": "web-origins",
@@ -1584,6 +1617,7 @@
 "basic"
 ],
 "defaultOptionalClientScopes": [
+ "nextcloud",
 "offline_access",
 "address",
 "phone",
@@ -1790,6 +1824,35 @@
 ]
 }
 },
+ {
+ "id": "12b99578-e0bf-4eeb-b0fb-8e400c0cd73e",
+ "name": "nextcloudQuota",
+ "providerId": "user-attribute-ldap-mapper",
+ "subComponents": {},
+ "config": {
+ "ldap.attribute": [
+ "nextcloudQuota"
+ ],
+ "is.mandatory.in.ldap": [
+ "false"
+ ],
+ "attribute.force.default": [
+ "false"
+ ],
+ "is.binary.attribute": [
+ "false"
+ ],
+ "always.read.value.from.ldap": [
+ "false"
+ ],
+ "read.only": [
+ "false"
+ ],
+ "user.model.attribute": [
+ "nextcloudQuota"
+ ]
+ }
+ },
 {
 "id": "1ffab19c-4aeb-4038-a3e4-6444254fdd53",
 "name": "modify date",
@@ -1987,7 +2050,7 @@
 "false"
 ],
 "userObjectClasses": [
- "person, inetOrgPerson"
+ "person, inetOrgPerson, nextcloudUser"
 ],
 "rdnLDAPAttribute": [
 "uid"
diff --git a/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif b/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif
index aa562319..ba3eac99 100644
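Review bot: The new `nextcloud` scope is only added to `defaultOptionalClientScopes` (second hunk) and its mapper sits under `"include.in.token.scope": "false"`, so the `nextcloudQuota` claim will only be present when the Nextcloud client explicitly requests `scope=nextcloud` at authorization time — unless the realm's nextcloud client lists the scope under its own `defaultClientScopes`, which this patch does not show. If the quota is meant to reach Nextcloud unconditionally, put the scope in the client's default scopes (or the realm-level `defaultDefaultClientScopes`) instead of the optional list. Since the LDAP mapper in the third hunk has `"is.mandatory.in.ldap": ["false"]`, users without the attribute will simply lack the claim; the scope's `"description": ""` would be a good place to state that a missing `nextcloudQuota` means "no quota configured" so consumers do not treat it as zero.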
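Review bot: Extending `userObjectClasses` to `"person, inetOrgPerson, nextcloudUser"` (fourth hunk) changes more than the classes Keycloak writes on newly created users: as far as I know the LDAP federation provider ANDs an `objectClass=` condition for every listed class into its user search filter, so existing LDAP entries that do not yet carry the auxiliary `nextcloudUser` class will stop matching and their Keycloak accounts will be treated as removed on the next sync. The patch ships the schema but nothing visible adds `objectClass: nextcloudUser` to existing entries, and `force_import: False` in the first hunk suggests the LDIFs are not re-applied by default. Either add a migration LDIF that attaches the auxiliary class to all current users before this realm change is imported, or leave the filter at `"person, inetOrgPerson"` and rely on the mapper's `is.mandatory.in.ldap: false` for users that simply lack the attribute.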
--- a/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif
+++ b/roles/docker-ldap/templates/ldif/schema/01_nextcloud.schema.ldif
@@ -3,11 +3,17 @@
 dn: cn=nextcloud,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: nextcloud
-olcAttributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'nextcloudQuota'
+olcAttributeTypes: ( 1.3.6.1.4.1.99999.1
+ NAME 'nextcloudQuota'
 DESC 'Quota for Nextcloud'
- EQUALITY caseIgnoreMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} )
-olcObjectClasses: ( 1.3.6.1.4.1.99999.2 NAME 'nextcloudUser'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+ SINGLE-VALUE
+)
+olcObjectClasses: ( 1.3.6.1.4.1.99999.2
+ NAME 'nextcloudUser'
 DESC 'Auxiliary class for Nextcloud attributes'
 AUXILIARY
- MAY ( nextcloudQuota ) )
+ MAY ( nextcloudQuota )
+)
diff --git a/roles/docker-nextcloud/templates/docker-compose.yml.j2 b/roles/docker-nextcloud/templates/docker-compose.yml.j2
index c9504921..34b0e202 100644
--- a/roles/docker-nextcloud/templates/docker-compose.yml.j2
+++ b/roles/docker-nextcloud/templates/docker-compose.yml.j2
@@ -9,7 +9,7 @@ services:
 container_name: {{nextcloud_application_container_name}}
 volumes:
 - data:{{nextcloud_docker_path}}
-{% if applications[application_id].oidc.flavor == "login" %}
+{% if applications[application_id].oidc.flavor == "oidc_login" %}
 - {{nextcloud_host_oidc_login_path}}:{{nextcloud_docker_oidc_login_config_path}}:ro
 {% endif %}
 healthcheck:
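Review bot: The two closing parentheses added as `+)` (after `SINGLE-VALUE` and after `MAY ( nextcloudQuota )`) start at column 0, which breaks the LDIF: a folded value continues only on lines that begin with a single space (RFC 2849), so a bare `)` is parsed as the start of a new attribute line without a `:` and ldapadd/ldapmodify rejects the whole `cn=nextcloud` entry, leaving both definitions unterminated. Indent them like the other folded lines, ` )`, or keep the parenthesis on the last folded line as the removed lines did. Separately, switching the attribute from a 64-character string to the Integer syntax (`1.3.6.1.4.1.1466.115.121.1.27`) with `SINGLE-VALUE` is a schema migration rather than a fresh definition: on a directory that already holds `cn=nextcloud,cn=schema,cn=config` the entry cannot simply be re-added, and any stored `nextcloudQuota` values that are not plain integers violate the new syntax, so the role needs an explicit modify/replace step and a data check for existing deployments.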