Add OAuth 2.1 (Auth Code + PKCE) to the built-in MCP server and support per-user access control
Is your feature request related to a problem? Please describe.
Nextcloud’s Context Agent already exposes an MCP server, but it currently authenticates via app password using `Authorization: Bearer <token>` only. This prevents using it as a ChatGPT connector, because the ChatGPT admin UI for remote MCP servers supports OAuth or no authentication, not custom bearer headers. As a result, organizations cannot easily add the Nextcloud MCP server as a workspace-wide connector in ChatGPT.
Describe the solution you’d like
Please add first-class OAuth 2.1 Authorization Code with PKCE to the built-in MCP server, along with per-user access enforcement:
- OAuth 2.1 / OIDC-compatible endpoints (`/authorize`, `/token`) so ChatGPT can complete user consent and store user-bound tokens.
- Per-user binding: the MCP server should execute requests as the consenting Nextcloud user, honoring existing shares/ACLs (files, Talk, calendar, etc.).
- Server-enforced “soft scopes” for MCP (even if core OAuth lacks scopes): e.g., `files.read`, `files.write`, `talk.read`, `calendar.read`. The MCP server would internally restrict exposed tools/routes accordingly.
- Admin controls to constrain exposure, e.g., allowlist of folders/namespaces or group-based eligibility.
- Transport compatibility with ChatGPT MCP (SSE/streaming HTTP) and token revocation/rotation.
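To make the `/authorize` → `/token` hop concrete, here is an added example (not Context Agent code and not from this issue) of the PKCE exchange that OAuth 2.1 mandates, modelled as the client side (verifier and S256 challenge) and the authorization-server side (challenge check, one-time code, token bound to the consenting user). The in-memory store, the `chatgpt-connector` client id and the user name are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 prescribes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh high-entropy verifier (43 chars for 32 random bytes)."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = base64url(SHA-256(verifier)), sent on /authorize."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Assumed in-memory authorization-server state for the /authorize -> /token hop."""

    def __init__(self) -> None:
        # authorization code -> (consenting user, code_challenge, client_id)
        self.pending: Dict[str, Tuple[str, str, str]] = {}
        # access token -> the user it is bound to
        self.issued: Dict[str, str] = {}

    def authorize(self, user: str, client_id: str, code_challenge: str, method: str) -> str:
        """/authorize after consent: remember the challenge, hand back a one-time code."""
        if method != "S256":  # OAuth 2.1 drops the 'plain' method entirely
            raise ValueError("code_challenge_method must be S256")
        code = b64url(secrets.token_bytes(32))
        self.pending[code] = (user, code_challenge, client_id)
        return code

    def token(self, code: str, client_id: str, code_verifier: str) -> str:
        """/token: the code is consumed on first use, whether the exchange succeeds or not."""
        entry = self.pending.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        user, expected_challenge, bound_client = entry
        if client_id != bound_client:
            raise PermissionError("invalid_grant: code was issued to another client")
        actual = make_code_challenge(code_verifier)
        if not secrets.compare_digest(actual, expected_challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        access_token = b64url(secrets.token_bytes(32))
        self.issued[access_token] = user  # token is bound to the user who consented
        return access_token


def demo(user: str = "alice", client_id: str = "chatgpt-connector") -> dict:
    """Happy path, then the two failure modes PKCE and one-time codes are there to close."""
    srv = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)

    code = srv.authorize(user, client_id, challenge, "S256")
    access_token = srv.token(code, client_id, verifier)

    # 1) A code observed in transit cannot be redeemed without the verifier.
    intercepted = srv.authorize(user, client_id, challenge, "S256")
    try:
        srv.token(intercepted, client_id, make_code_verifier())
        intercepted_rejected = False
    except PermissionError:
        intercepted_rejected = True

    # 2) Replaying an already redeemed code fails as well.
    try:
        srv.token(code, client_id, verifier)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    return {
        "bound_user": srv.issued[access_token],
        "intercepted_code_rejected": intercepted_rejected,
        "replay_rejected": replay_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never leaves the client until the `/token` call, so the server can tie the code redemption to the same party that started the flow; the resulting token is stored against the consenting user, which is the binding the per-user enforcement above relies on.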
Describe alternatives you’ve considered
- Context Chat (built-in): indexes data into a vector DB; tight content scoping can be difficult depending on setup.
- AI as a Service / integration_openai: works, but typically requires an external API provider/account (API key) and is not an MCP server for ChatGPT connectors.
- Community MCP servers for Nextcloud: often authenticate with app passwords and don’t solve the ChatGPT OAuth requirement for workspace rollout.
Why this matters
- ChatGPT workspace admins can publish connectors for all users; with OAuth, each user authorizes their own access and only sees what they can already access in Nextcloud. This aligns with least privilege and simplifies enterprise rollout.
Acceptance criteria (suggestion)
- In ChatGPT, an admin adds “Nextcloud MCP” as a remote server and chooses OAuth.
- A user starts a chat, picks the connector, completes the OAuth consent, and can list/search only files they already have rights to.
- Revoking consent in Nextcloud (or the connector) immediately invalidates access.
- Optional admin policy: restrict tools (read-only vs read/write) and/or allowlist top-level paths.
Security & privacy
- Use Auth Code + PKCE, short-lived access tokens, refresh tokens, and proper token revocation.
- Because core OAuth may lack granular scopes, implement server-side scoping within the MCP server (tool exposure + path allowlists) until upstream scopes are available.
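The server-side scoping, short-lived tokens and immediate revocation described in the acceptance criteria and in this section, as an added example (not Context Agent code): a gate that every MCP call passes through before the server executes it as the consenting user. The scope names are the ones proposed above; the tool names, the admin path allowlist and the in-memory token store are assumptions.

```python
import posixpath
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

# Soft scope each MCP tool requires. Scope names follow the request;
# the tool names are assumed for this example.
TOOL_SCOPES: Dict[str, str] = {
    "files.list": "files.read",
    "files.search": "files.read",
    "files.upload": "files.write",
    "talk.messages": "talk.read",
    "calendar.events": "calendar.read",
}


class AccessToken:
    def __init__(self, user: str, scopes: Set[str], expires_at: float) -> None:
        self.user = user
        self.scopes = frozenset(scopes)
        self.expires_at = expires_at
        self.revoked = False


class McpGate:
    """Checks every MCP call before it is executed as the consenting user."""

    def __init__(self, allowed_roots: Tuple[str, ...] = ("/Documents", "/Shared/Projects"),
                 now: Callable[[], float] = time.time) -> None:
        self.tokens: Dict[str, AccessToken] = {}
        # admin allowlist of top-level paths (assumed values)
        self.allowed_roots = tuple(posixpath.normpath(r) for r in allowed_roots)
        self.now = now  # injectable clock so expiry can be exercised deterministically

    def issue(self, token: str, user: str, scopes: Set[str], ttl: int = 600) -> None:
        """Short-lived access token (10 minutes by default) bound to one user."""
        self.tokens[token] = AccessToken(user, scopes, self.now() + ttl)

    def revoke_user(self, user: str) -> int:
        """Consent withdrawn in Nextcloud: every token of that user stops working at once."""
        count = 0
        for t in self.tokens.values():
            if t.user == user and not t.revoked:
                t.revoked = True
                count += 1
        return count

    def _path_allowed(self, path: str) -> bool:
        # normpath collapses '..', so '/Documents/../etc' is judged as '/etc'
        norm = posixpath.normpath("/" + path.lstrip("/"))
        return any(norm == root or norm.startswith(root + "/") for root in self.allowed_roots)

    def visible_tools(self, token: str) -> List[str]:
        """What tools/list should advertise for this token: only tools its scopes cover."""
        t = self.tokens.get(token)
        if t is None or t.revoked or self.now() >= t.expires_at:
            return []
        return sorted(tool for tool, scope in TOOL_SCOPES.items() if scope in t.scopes)

    def authorize_call(self, token: str, tool: str,
                       path: Optional[str] = None) -> Tuple[bool, str, Optional[str]]:
        """Returns (allowed, reason, user). On success the server runs the tool as `user`."""
        t = self.tokens.get(token)
        if t is None or t.revoked:
            return (False, "invalid_token", None)
        if self.now() >= t.expires_at:
            return (False, "token_expired", None)
        scope = TOOL_SCOPES.get(tool)
        if scope is None:
            return (False, "unknown_tool", None)
        if scope not in t.scopes:
            return (False, "insufficient_scope", None)
        if path is not None and not self._path_allowed(path):
            return (False, "path_not_allowed", None)
        return (True, "ok", t.user)


if __name__ == "__main__":
    gate = McpGate()
    gate.issue("tokA", "alice", {"files.read"})
    print(gate.visible_tools("tokA"))
    print(gate.authorize_call("tokA", "files.list", "/Documents/report.md"))
    print(gate.authorize_call("tokA", "files.upload", "/Documents/report.md"))
```

Two design points: the gate decides both what `tools/list` advertises and whether an individual call proceeds, so a client cannot reach a tool its scopes hide simply by naming it; and the path check normalises before comparing against the allowlist, so traversal segments do not escape an allowed root. Nextcloud's own shares/ACLs are still applied when the tool runs as `user`; the gate only narrows what the connector can ask for.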
References
- Context Agent admin manual, “Using Nextcloud MCP server” (current app-password authentication via `Authorization: Bearer <app-password>`): https://docs.nextcloud.com/server/latest/admin_manual/ai/app_context_agent.html#using-nextcloud-mcp-server