Group provisioning does not work when user is auto-provisioned via Bearer token (only works with interactive login) #1255

@joarley

Description

When using the user_oidc app with Zitadel as the OpenID Connect provider, group provisioning only works during interactive login through the Nextcloud web login page.
However, when the user is auto-provisioned via Bearer token (API or WebDAV request), the user is created correctly, but no groups are assigned, even though the identity provider sends the correct groups claim.

Expected behavior

When:

  • Check Bearer token on API and WebDAV requests is enabled
  • Auto provision user when accessing API and WebDAV with Bearer token is enabled
  • The Identity Provider (Zitadel) sends the groups claim containing the user’s groups

→ The Nextcloud user should be created with the same group assignments as if logging in through the web interface.

Actual behavior

  • When logging in via the browser → groups are created, added, and removed correctly according to what Zitadel provides.
  • When accessing any API endpoint or WebDAV using a valid OIDC Bearer token → user is auto-provisioned, but the groups claim is ignored. No groups are created or assigned.

Identity Provider

  • Zitadel (version 4)
  • Zitadel correctly sends the groups claim during both interactive login and Bearer-token authentication.
  • The decoded ID token / access token contains the same groups in both cases.

What I verified

  • The groups claim is present in the token received by Nextcloud (verified with token debugger).
  • Group provisioning is enabled in the user_oidc provider configuration.
  • No group whitelist regex is blocking or filtering the groups.
  • The same configuration works perfectly when using the web login flow.
  • Issue happens only during API/WebDAV auto-provisioning.

Steps to reproduce

  1. Configure user_oidc with an Identity Provider (any), enabling:
    • Group provisioning
    • Check Bearer token on API and WebDAV requests
    • Auto provision user when accessing API and WebDAV with Bearer token
  2. Send an API or WebDAV request using a valid OIDC access token.
  3. Nextcloud auto-creates the user, but no groups are assigned.
  4. Log in with the same account via the browser → groups are provisioned correctly.

Environment

  • Nextcloud version: Nextcloud Hub 25 Autumn (32.0.1)
  • user_oidc app version: 8.1.0
  • Deployment: Docker

Impact

This prevents using OIDC for machine-to-machine or API-based workflows, since auto-provisioned users do not receive their required group permissions.

Additional information

I can provide debug logs showing that the groups claim is included in the token but not processed when the user is provisioned via Bearer token.
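Added example, not part of this issue or of the user_oidc code: a small diagnostic that does what the report describes by hand. It decodes the groups claim from a token (signature not verified, inspection only), applies an optional whitelist regex (whole-name match assumed here; the app's exact matching rule is not asserted), and computes the add/remove set that web login produces but Bearer-token provisioning does not. The token and group names are constructed sample data.

```python
import base64
import json
import re


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT checking the signature.
    Diagnostic use only (like a token debugger); never base an
    authorization decision on an unverified payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def extract_groups(claims: dict, claim_name: str = "groups") -> list:
    """Return the groups claim as a list of strings; [] when absent.
    Some IdPs send a single string instead of an array, so normalise."""
    value = claims.get(claim_name, [])
    if isinstance(value, str):
        value = [value]
    return [str(g) for g in value]


def plan_group_sync(idp_groups, current_groups, whitelist_regex=None) -> dict:
    """Diff the IdP's groups against the user's current Nextcloud groups.
    Groups not matching the whitelist regex (if set) are dropped, so a
    too-narrow regex shows up here as an empty 'add' list."""
    wanted = set(idp_groups)
    if whitelist_regex:
        pattern = re.compile(whitelist_regex)
        wanted = {g for g in wanted if pattern.fullmatch(g)}  # assumption: whole-name match
    current = set(current_groups)
    return {"add": sorted(wanted - current), "remove": sorted(current - wanted)}


def same_groups(token_a: str, token_b: str) -> bool:
    """True when two tokens (e.g. ID token and access token) carry the same groups."""
    return set(extract_groups(decode_jwt_payload(token_a))) == set(
        extract_groups(decode_jwt_payload(token_b)))


def _unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo (alg=none, empty signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample token standing in for what the IdP would send.
SAMPLE_TOKEN = _unsigned_token({"sub": "user-123", "groups": ["nextcloud-admins", "staff"]})

if __name__ == "__main__":
    groups = extract_groups(decode_jwt_payload(SAMPLE_TOKEN))
    print(plan_group_sync(groups, current_groups=["staff", "legacy"]))
```

Running the script against a real token pair (ID token vs. access token) with `same_groups` confirms the claim is identical in both flows, which isolates the gap to the provisioning step rather than the IdP.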
