I agree with the requirements. Maybe we need to add that the process can be asynchonous and take some time because we are crossing a lot of boundaries between different systems.

Not for Lico, right?

fine for me.

I suggest users with the role "admin"

default: guest user accounts expire after 120 days of inactivity (=no login), can be configured. the invitation expires after 30 days per default. can be configured.

yes. there needs to be a lowlevel option to manage guest users eg. via cmd.
Guest user management must also be possible via a dashboard which is by default an external system with these options in the ui (same options should be availbale via cmd):

list all email adresses:

• email adress (=guest user)
• status (invitation accepted / pending)
• invited by
• invitation date
• if accepted: invitation accepted date
• last login
• days left until expiration + absolute date (updates after every login)

actions:

• export list as CSV
• deactivate/activate login (triggers infomail to guestuser)
• delete invite/user (triggers infomail to guestuser)

list of all guest users: users with the role oc-admin

yes

• guestusers can not share or invite other users to a space or create public links. (primary focus of the feature is to provide a simple way to grant external, authorized access. anything else like resharing would undermine regular user accounts).
• the default should be, that guestusers can not see who else has access. postponed for now
• guestusers can use the desktop and mobile client to access their shares or spaces
• guest users can not get the role "can manage" spaces postponed for now

guest users should get access to the system via a share or space membership.
could you give some examples what you mean with "other contexts"?

Can guest users be converted to "regular" users and keep their shares?

Ideally yes. I guess we should add that to the requirements.

Ideally yes.

I suggest to explicitly not support the internal IDP

ok

yep. I consider the internal IDP to become a legacy system in the next years, as long as it does not support MFA. Having no MFA or other strong authentication like passkeys will become a nogo in the next years i guess.

By default invitations expire after 30 days. can be configured

That is not enough. We need to be in control of that EMail probably.

What exactly do you mean by that?

Why does the share manager need to know about invited or even accepted guest users? Is't that just a second call to the invitation manager to get that info where needed?

Is't that just a second call to the invitation manager to get that info where needed?

Could you please elaborate on that?

Good point! I was wondering also, if that could simplify things in the future and let us get rid of the LDAP dependency.

AFAICT always having opencloud generate a userid would allow us to get rid of the shared ldap deployment mode. The ldap server would only be used to find recipients (users or groups) in an organization. We always only send invitations into some form of inbox of a user. This could literally be an email. Or an internal nats queue with invites.
Then, when he follows the invite link, we not only provision their personal space (guest users don't have one) but the invite they followed (the creat home call can add the grant). Invites are actually not a new concept. IMO it is just a better name for a pending share (they have three states: pending, accepted and declined).
When sharing with 'internal' users the invite service can take the responsibility of creating grants and accepting them instead of creating invites.

Anyway, IIRC we bounced around the idea of exchanging the sub+iss, basic auth or app password credentials in the proxy with a userid generated by opencloud years ago already. It has seeveral benefits:

1. we can assign credentials and multiple identities (as in multiple Identity Providers) to an account. This allows migrating accounts from one IdP to another as the grants on disk can keep the same userid.
2. we can add a scim_id as an identitiy, which would make some use cases follow the standard integration of SCIM and OpenID Connect we could use SCIM to provision a guest account in the Identity management system.

The last point addresses the problem that if a user shares with a guest, aka an email address, that needs to trigger an onboarding process for the new guest. If we just create a new user in a keycloak that we have write permission to we are back at the same shadow it user management as before.

We could use OpenID Connect Discovery to find the external issuer and trust that to authenticate users. OIDC in theory is federated. However, in practice our clients would have to dynamically register with the guests IdP ... which does not seem to be widely supported, yet.

I think we should use a list of trusted identity providers, this would allow a single instance to use multiple identity providers, eg for multi tenancy use cases or when organization merge and multiple idps exist for a wile or to better reflect the sovereignty of organizations.

If no idp is responsible for the guest email, we can use a fallback idp that is only used for guest accounts. We already have the webfinger service that we can use for the issuer discovery.

So ... yes, please ... make opencloud generate a userid.