@elyerr (Contributor) commented Jul 5, 2025

Pull Request: Add support for self-signed certificates and custom OIDC prompt

Summary

This PR introduces two key improvements to enhance development and integration flexibility with custom OAuth2/OIDC providers:

Features Added

  • Self-signed certificate support: A new system config flag httpclient.allowselfsigned enables accepting self-signed SSL certificates during development or internal deployments. When enabled, SSL verification is disabled (verify => false) in HTTP client requests.
  • Custom OIDC prompt support:
    • Adds support for the standard OIDC prompt values: none, login, and consent.
    • Introduces a custom internal prompt designed specifically for private applications using OAuth2 Passport Server.
      Documentation for this prompt is available here: Prompts Supported

Note

Use of self-signed certificates is intended only for development or trusted internal networks. It should be disabled in production environments to ensure secure communication.

@elyerr elyerr force-pushed the feature/fix-env branch from e0b5e58 to b5ee667 on July 9, 2025 00:32

@julien-nc (Member) left a comment

Nice, thank you. Can you remove all the formatting changes and make sure your additions use the same code style?
You can run composer run cs:fix if you want.
I will try this out and give another review.

@julien-nc (Member) commented:

Works fine with Keycloak. I checked with prompt set to none, login and consent (with Consent required enabled on the IdP side).

Not sure how the user is supposed to log in when prompt is none. It seems like the IdP expects the credentials in the authorization request because it returns login_required when the flow is initiated by user_oidc.

Maybe you should add an extra detail in the README: for the consent page to be displayed with Keycloak, prompt=consent must be set in user_oidc AND Consent required must be enabled on the Keycloak side.
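As an added illustration, not code from user_oidc or from this PR, the following plain PHP sketch shows how the settings discussed in the PR description and in the Keycloak test above can be applied defensively: TLS verification stays on unless httpclient.allowselfsigned is explicitly true, the prompt value is checked against the four values named in this thread before it is sent, and the login_required answer an IdP returns for prompt=none without a session is recovered by restarting the flow with prompt=login. The function names and the Guzzle-style verify key are assumptions.

```php
<?php
// Prompt values discussed in this PR: the three standard OIDC ones plus the
// non-standard "internal" prompt of OAuth2 Passport Server.
const ALLOWED_PROMPTS = ['none', 'login', 'consent', 'internal'];

// HTTP client options (Guzzle-style 'verify' key, assumed). Verification is
// only disabled when the flag is explicitly boolean true, so a missing or
// mistyped config value never silently turns it off.
function httpClientOptions(array $config): array {
    $allowSelfSigned = ($config['httpclient.allowselfsigned'] ?? false) === true;
    return ['verify' => !$allowSelfSigned];
}

// Build the authorization URL; an unknown prompt is rejected rather than
// forwarded, so a typo in config cannot trigger unexpected IdP behaviour.
function buildAuthorizationUrl(string $authEndpoint, string $clientId,
        string $redirectUri, string $state, string $nonce, ?string $prompt): string {
    $params = [
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => 'openid email profile',
        'state'         => $state,
        'nonce'         => $nonce,
    ];
    if ($prompt !== null && $prompt !== '') {
        if (!in_array($prompt, ALLOWED_PROMPTS, true)) {
            throw new InvalidArgumentException("Unsupported prompt value: $prompt");
        }
        $params['prompt'] = $prompt;
    }
    return $authEndpoint . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Interpret the callback query. With prompt=none the IdP answers
// login_required when no session exists (the Keycloak case noted above); the
// recovery is to restart the flow with prompt=login. State is checked first.
function handleCallback(array $query, string $expectedState): array {
    if (($query['state'] ?? null) !== $expectedState) {
        return ['error' => 'state_mismatch'];
    }
    if (isset($query['error'])) {
        return $query['error'] === 'login_required'
            ? ['retry_with_prompt' => 'login']
            : ['error' => $query['error']];
    }
    return ['code' => $query['code'] ?? null];
}
```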

@elyerr elyerr force-pushed the feature/fix-env branch from 0f95b2a to 352e2f3 on July 14, 2025 17:41

@DaphneMuller commented:
@elyerr hi! Would you be up for doing the changes, or would you prefer if we finish the PR?

@julien-nc (Member) commented:

@elyerr Thanks for the adjustment.
I rebased on main, ran composer run cs:fix and adjusted the README.

One last thing: the httpclient.allowselfsigned option only affects user_oidc, so it makes sense if it is inside the user_oidc array in config.php. Could you make that change?

elyerr and others added 7 commits July 21, 2025 11:00 (signed off by Elvis Yerel Roman and Julien Veyssier)
@julien-nc julien-nc merged commit a82a487 into nextcloud:main Jul 21, 2025
39 checks passed
@julien-nc julien-nc mentioned this pull request Jul 25, 2025
@elyerr elyerr deleted the feature/fix-env branch August 6, 2025 02:31
@elyerr elyerr restored the feature/fix-env branch August 6, 2025 02:31
@YeapGuy commented Aug 11, 2025

This broke my Nextcloud instance's intended behavior. What am I supposed to do here when I just want it to act the way it did before this PR?
Whatever I set in the config, it goes with prompt=consent in the Authentik URL, and my users have to approve login every single time. And I feel like none of the options would work for me anyway, based on their descriptions in the attached external docs. Authentik doesn't support the non-standard 'internal' option iirc, and I've no idea how I would emulate that behavior now (it acted like that by itself before this PR).

@elyerr (Contributor, Author) commented Aug 12, 2025

@YeapGuy, in OAuth2 and OpenID Connect, the use of these three prompts (consent, login, none) is a standard.
You can use none in the prompt parameter to make your authorization server skip asking the user for consent, but this requires that the user has already signed in and authorized the application beforehand.
If you want something more customized, you can modify your authorization server and create a new prompt that only works with your server. For example, in my server I have a custom prompt called "internal", which allows the owner’s applications to skip asking for consent even the first time the app is used. If the user is not logged in, it will force them to log in and then redirect them back to the application without asking for consent. However, this should only be applied to 100% trusted applications.
On my server (https://github.com/elyerr/oauth2-passport-server), you can check it out and try it.
Apps are registered in admin → clients, and then you can replicate that setup in your own authorization server.
