user_oidc's People

Contributors

alerque, aro-lew, benediktkr, carlschwan, christophwurst, come-nc, coudot, dependabot-preview[bot], dependabot[bot], eyduh, julien-nc, juliushaertl, marcelklehr, marvinoehlerkingcap, msk010, nc-fkl, nextcloud-bot, nickvergessen, pvince81, quentinus95, rello, rgfernandes, rullzer, skjnldsv, tcoupin, tsdicloud, ubipo

user_oidc's Issues

Audience verification fails if audience is an array of values

The audience claim can be an array. In this case the check fails, even if audience is correct:

if ($payload->aud !== $provider->getClientId()) {

See OpenID Connect specification: https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken

The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
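An added example (not code from user_oidc) of how the one-line comparison quoted above can be generalised to the rule in the specification: accept `aud` as either a string or an array, require our own client_id to be listed, reject audiences we do not trust, and apply the `azp` rule for multi-audience tokens. The `trusted_audiences` parameter and the client_id `nextcloud` are assumptions of this example; the payload is the already signature-verified claim set.

```python
"""Audience check for an OpenID Connect ID token, per OIDC Core 3.1.3.7.

Added example, not code from the user_oidc app. The spec leaves the decision
of which extra audiences are trusted to the client; here that is the
`trusted_audiences` parameter (an assumption of this example).
"""


class InvalidAudience(ValueError):
    """Raised when the ID token is not addressed to this client."""


def validate_audience(payload, client_id, trusted_audiences=()):
    """Validate the `aud` (and, when needed, `azp`) claims of an ID token.

    payload           -- decoded JWT claims (dict); signature already verified
    client_id         -- our client_id registered at the issuer
    trusted_audiences -- other audience values we accept alongside our own

    Returns the list of audiences, or raises InvalidAudience.
    """
    aud = payload.get("aud")
    if aud is None:
        raise InvalidAudience("aud claim missing")
    # aud MAY be a single string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if not audiences or not all(isinstance(a, str) for a in audiences):
        raise InvalidAudience("aud must be a string or a non-empty array of strings")

    # The token MUST list our client_id as an audience ...
    if client_id not in audiences:
        raise InvalidAudience("token not intended for client %r" % client_id)

    # ... and MUST be rejected if it names additional audiences we do not trust.
    untrusted = [a for a in audiences if a != client_id and a not in trusted_audiences]
    if untrusted:
        raise InvalidAudience("untrusted audiences present: %r" % untrusted)

    # With multiple audiences the spec says azp SHOULD be present; this example
    # treats that strictly. When azp is present it MUST equal our client_id.
    azp = payload.get("azp")
    if len(audiences) > 1 and azp is None:
        raise InvalidAudience("multiple audiences but no azp claim")
    if azp is not None and azp != client_id:
        raise InvalidAudience("azp %r does not match client_id %r" % (azp, client_id))

    return audiences


def audience_ok(payload, client_id, trusted_audiences=()):
    """Boolean convenience wrapper around validate_audience()."""
    try:
        validate_audience(payload, client_id, trusted_audiences)
        return True
    except InvalidAudience:
        return False


if __name__ == "__main__":
    # Constructed sample claims; "nextcloud" is the hypothetical client_id.
    single = {"aud": "nextcloud"}
    array = {"aud": ["nextcloud", "account-console"], "azp": "nextcloud"}
    foreign = {"aud": ["nextcloud", "other-rp"], "azp": "nextcloud"}
    print(audience_ok(single, "nextcloud"))                       # True
    print(audience_ok(array, "nextcloud", ("account-console",)))  # True
    print(audience_ok(foreign, "nextcloud"))                      # False
```

The strict `!==` from the report fails the second case (Keycloak-style tokens that list more than one audience) even though the client is correctly named; the third case must still fail, because an extra audience the client has not been told to trust is exactly what the spec says to reject.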

Cannot create app passwords due to password prompt

When logged in via a custom OIDC provider (Keycloak in my case), I'm prompted for my account password if I try to create an app password. Since I'm not logging in via Nextcloud, it's not possible to satisfy this password check.

This seems to be the same issue experienced by the dev of the nextcloud social login plugin: nextcloud/server#9474

Setup:
Fresh install of nextcloud (version 24.0.0),
LDAP user backend plugin enabled and handling user provisioning
OIDC user backend plugin enabled and connected to keycloak. OIDC plugin user id mapped to the ID in ldap, and configured with:

  'user_oidc' => [
    'single_logout' => true,
    'auto_provision' => false,
  ],

Not installing on nextcloud 20

I tried to install this app on 3 different instances of Nextcloud 20; it doesn't work.
I get this message after downloading:

Column name "oc_user_oidc"."display_name" is NotNull, but has empty string or null as default.

Any idea, please?
Thank you.

GuzzleHttp\Exception\ClientException: Client error: 400 Bad-request

Hi,
I've followed Björn Schießle's guide to set up the connection with OpenID Connect.
When I click on "Login with ..." I get an error message:

The server could not complete the request.
If this happens again, please send the technical details below to your server administrator.
More details can be found in the server log.
Technical details
    Remote address: 127.0.0.1
    Request ID: 4j97lhpsxGk1cERkG74W

The nextcloud server log returns:

[index] Error: GuzzleHttp\Exception\ClientException: Client error: `GET http://192.168.20.50:8081/auth/realms/myrealm/protocol/openid-connect/auth` resulted in a `400 Bad Request` response:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd (truncated...)
 at <<closure>>

 0. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 65
    GuzzleHttp\Exception\RequestException::create(GuzzleHttp\Psr7\Request {}, "*** sensitive parameter replaced ***")
 1. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 203
    GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
 2. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 156
    GuzzleHttp\Promise\Promise::callHandler(1, "*** sensitive parameter replaced ***", [GuzzleHttp\Prom ... l])
 3. /var/www/html/3rdparty/guzzlehttp/promises/src/TaskQueue.php line 47
    GuzzleHttp\Promise\Promise::GuzzleHttp\Promise\{closure}("*** sensitive parameters replaced ***")
 4. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 246
    GuzzleHttp\Promise\TaskQueue->run(true)
 5. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 223
    GuzzleHttp\Promise\Promise->invokeWaitFn()
 6. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 267
    GuzzleHttp\Promise\Promise->waitIfPending()
 7. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 225
    GuzzleHttp\Promise\Promise->invokeWaitList()
 8. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 62
    GuzzleHttp\Promise\Promise->waitIfPending()
 9. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php line 183
    GuzzleHttp\Promise\Promise->wait()
10. /var/www/html/lib/private/Http/Client/Client.php line 233
    GuzzleHttp\Client->request("get", "http://192.168. ... h", {verify: "/var/w ... e})
11. /var/www/html/custom_apps/user_oidc/lib/Controller/LoginController.php line 264
    OC\Http\Client\Client->get("http://192.168. ... h")
12. /var/www/html/custom_apps/user_oidc/lib/Controller/LoginController.php line 139
    OCA\UserOIDC\Controller\LoginController->obtainDiscovery("http://192.168. ... h")
13. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 169
    OCA\UserOIDC\Controller\LoginController->login("*** sensitive parameters replaced ***")
14. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OCA\UserOIDC\Con ... {}, "login")
15. /var/www/html/lib/private/AppFramework/App.php line 152
    OC\AppFramework\Http\Dispatcher->dispatch(OCA\UserOIDC\Con ... {}, "login")
16. /var/www/html/lib/private/Route/Router.php line 309
    OC\AppFramework\App::main("OCA\\UserOIDC\\ ... r", "login", OC\AppFramework\ ... {}, {providerId: "4" ... "})
17. /var/www/html/lib/base.php line 1008
    OC\Route\Router->match("/apps/user_oidc/login/4")
18. /var/www/html/index.php line 37
    OC::handleRequest()

GET /apps/user_oidc/login/4
from 127.0.0.1 at 2021-02-12T16:50:47+00:00

The keycloak server logs:

16:50:47,537 WARN  [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_request

What's a good spot to look next?

Unable to enable the app

OS: CentOS 8
Nextcloud 20.1

Upon downloading the official OpenID app I'm unable to enable the app.
Error:

An error occurred during the request. Unable to proceed.
Column name "oc_user_oidc"."display_name" is NotNull, but has empty string or null as default.

Client ID and Client Secret string limits are too short.

My Nextcloud implementation works with OpenID Connect (OIDC) via Keycloak but not with OIDC via Google or PayPal. The two platforms create the same issue when I register the provider:

sudo -u www-data php /var/www/nextcloud/occ user_oidc:provider google --clientid="8********************************************.apps.googleusercontent.com" --clientsecret="G**********************************" --discoveryuri="https://accounts.google.com/.well-known/openid-configuration"

The command returns this error on my server:

In DbalException.php line 71:An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1

In ExceptionConverter.php line 114: An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1

In Exception.php line 26: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1

In Statement.php line 92: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1

The Google client secret has this format: 8********************************************.apps.googleusercontent.com. Each star represents a unique character. I considered dropping the .apps.googleusercontent.com extension, but Google includes the suffix in their own examples: client_id=424911365001.apps.googleusercontent.com.

PayPal has the same problem with the Client ID. The service also uses a longer Client Secret, so I get more errors with that service.

Implement backchannel logout

We could support backchannel logout like described in https://openid.net/specs/openid-connect-backchannel-1_0.html

The logic, as I understand it, is:

  • there's a way to check if it's supported by the provider (attributes of the discovery)
  • on login, give the provider our session ID and a backchannel logout URL
  • on logout, we call the single logout endpoint (already implemented) and the provider will call the backchannel URL with the session ID as param
  • we should close the corresponding session
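An added example, not code from user_oidc, walking through the four steps above on the relying-party side with constructed data: read the discovery flags, bind each local session to the OP session at login, validate the logout token's claims (the checks in section 2.6 of the Back-Channel Logout spec, including the `events` member, the `sub`/`sid` requirement, the `nonce` prohibition and a `jti` replay check), and close the matching local sessions. Signature verification of the logout token is assumed to have been done already with the provider's JWKS, exactly as for an ID token; the issuer, client_id, session ids and `SessionStore` class are hypothetical.

```python
"""Back-channel logout handling on the relying-party side
(OpenID Connect Back-Channel Logout 1.0). Added example, not user_oidc code;
it validates an already signature-verified logout token and closes the local
sessions it refers to.
"""
import time

LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"


class InvalidLogoutToken(ValueError):
    """Raised when a logout token fails the checks of spec section 2.6."""


def backchannel_supported(discovery):
    """Step 1: read the OP's discovery document.

    Returns (backchannel_logout_supported, backchannel_logout_session_supported);
    the second flag tells us whether logout tokens will carry a `sid`.
    """
    return (bool(discovery.get("backchannel_logout_supported")),
            bool(discovery.get("backchannel_logout_session_supported")))


class SessionStore:
    """Hypothetical in-memory map of local sessions to the OP identity they came from."""

    def __init__(self):
        self._sessions = {}   # local session id -> {"iss", "sub", "sid"}
        self._seen_jti = set()

    def login(self, local_id, issuer, sub, sid=None):
        """Step 2: at login, bind the local session to the OP session (sid) and subject."""
        self._sessions[local_id] = {"iss": issuer, "sub": sub, "sid": sid}

    def active(self):
        return set(self._sessions)

    def remember_jti(self, jti):
        """Return False if this logout token id was already processed (replay)."""
        if jti in self._seen_jti:
            return False
        self._seen_jti.add(jti)
        return True

    def end_matching(self, issuer, sub=None, sid=None):
        """Step 4: close every local session bound to the OP session (by sid), or,
        when the token carries only a subject, every session of that user."""
        closed = []
        for local_id, s in list(self._sessions.items()):
            if s["iss"] != issuer:
                continue
            if sid is not None:
                match = s["sid"] == sid
            else:
                match = sub is not None and s["sub"] == sub
            if match:
                del self._sessions[local_id]
                closed.append(local_id)
        return closed


def validate_logout_token(claims, issuer, client_id, now=None, leeway=60):
    """Step 3: claim checks on a logout token whose signature was already verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise InvalidLogoutToken("wrong issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        raise InvalidLogoutToken("not addressed to this client")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise InvalidLogoutToken("iat missing or in the future")
    exp = claims.get("exp")
    if exp is not None and exp + leeway < now:
        raise InvalidLogoutToken("logout token expired")
    if not isinstance(claims.get("jti"), str):
        raise InvalidLogoutToken("jti missing")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(LOGOUT_EVENT), dict):
        raise InvalidLogoutToken("events claim lacks the backchannel-logout member")
    if "nonce" in claims:
        raise InvalidLogoutToken("nonce must not be present in a logout token")
    sub, sid = claims.get("sub"), claims.get("sid")
    if sub is None and sid is None:
        raise InvalidLogoutToken("either sub or sid is required")
    return sub, sid


def logout_token_ok(claims, issuer, client_id, now=None):
    try:
        validate_logout_token(claims, issuer, client_id, now)
        return True
    except InvalidLogoutToken:
        return False


def handle_backchannel_logout(store, claims, issuer, client_id, now=None):
    """Validate, reject replays by jti, then close sessions. Returns closed local ids."""
    sub, sid = validate_logout_token(claims, issuer, client_id, now)
    if not store.remember_jti(claims["jti"]):
        raise InvalidLogoutToken("replayed logout token")
    return store.end_matching(issuer, sub=sub, sid=sid)


if __name__ == "__main__":
    # Constructed sample data; issuer, client id and session ids are hypothetical.
    iss = "https://idp.example/realms/cloud"
    discovery = {"issuer": iss, "backchannel_logout_supported": True,
                 "backchannel_logout_session_supported": True}
    print(backchannel_supported(discovery))                      # (True, True)
    store = SessionStore()
    store.login("nc-sess-1", iss, sub="alice", sid="op-sid-1")
    store.login("nc-sess-2", iss, sub="alice", sid="op-sid-2")
    token = {"iss": iss, "aud": "nextcloud", "iat": int(time.time()), "jti": "evt-1",
             "sid": "op-sid-1", "events": {LOGOUT_EVENT: {}}}
    print(handle_backchannel_logout(store, token, iss, "nextcloud"))  # ['nc-sess-1']
```

The HTTP endpoint that receives the OP's POST should respond 200 on success and 400 on a rejected token, and must not require a browser session, since the call comes from the OP, not the user.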

Enabling app causes "Internal Server Error" when accessing settings page

I'm trying to get v1.0.0 up and running (because SAML is too much of a pain to keep administering longer than I must). I have a server running 22.1.0.1 and tried installing this app. I can still use my instance after enabling it, but I can no longer access the settings/admin endpoint. It just throws a 500 error with no particular information and dies. If I disable the app again (using occ app:disable user_oidc) I can get to my settings again.

I did have a legacy config from a previous attempt with an earlier version, but I nuked it with occ user_oidc:provider:delete -- ... and occ config:system:delete user_odic. I've disabled other providers (such as user_saml) for this test.

I don't see anything remotely useful in the log files either.

ERROR Could not the reach OpenID Connect provider.

I have configured my provider:

+----+------------+------------+----------------------------------------------------------------------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
| ID | Identifier | Client ID  | Discovery endpoint                                                               | Advanced settings    |                                                                                                                                    |
+----+------------+------------+----------------------------------------------------------------------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
| 2  | DCER       | dcer-cloud | https://[MY OIDC server URL]/auth/realms/[MY REALM]/protocol/openid-connect/auth | openid email profile | {"mappingDisplayName":"name","mappingEmail":"email","mappingQuota":"quota","mappingUid":"sub","uniqueUid":"0","checkBearer":false} |
+----+------------+------------+----------------------------------------------------------------------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------+

(Both [MY OIDC server URL] and [MY REALM] are correct and I can authenticate with it.)
But when I click on the provider button for login, I get the error: Could not the reach OpenID Connect provider.
In the browser I can see a 404 code for the request /apps/user_oidc/login/2

Am I missing something here?

"Use unique user id" checkbox does not come back in expected state

When setting up a new provider, unchecking "Use unique user id" has the expected effect and the setting gets set to 0. However when re-opening the settings from the web interface the box is checked again. Per issue #307 the update doesn't work at all anyway, but the checkbox shouldn't be coming back on, it should be reading the current setting. The other values appear to work.

No user reference created after first login

I have followed the instructions in @schiessle article today to setup Nextcloud OpenID sign-on on Keycloak.

I successfully logged in with a user defined in Keycloak, but I noticed that a reference to the user has not been created in Nextcloud.

This means that the user is not searchable in the share panel, for example.

I tried with Social Login OpenID, and the user reference was created as expected.

Provider table headers scrambled

Using occ to view providers, one of the views has headers mismatched to columns:

The provider list table is okay

$ occ user_oidc:provider
+----+------------+-------------------------------------------------------------------------+-----------+
| ID | Identifier | Discovery endpoint                                                      | Client ID |
+----+------------+-------------------------------------------------------------------------+-----------+
| 3  | Keycloak   | https://example.com/auth/realms/foobar/.well-known/openid-configuration | nextcloud |
+----+------------+-------------------------------------------------------------------------+-----------+
$ occ user_oidc:provider -- Keycloak
+----+------------+--------------------+-------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+
| ID | Identifier | Discovery endpoint | Client ID                                                               | Advanced settings                                                                                               |
+----+------------+--------------------+-------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+
| 3  | Keycloak   | nextcloud          | https://example.com/auth/realms/foobar/.well-known/openid-configuration | {"mappingDisplayName":"","mappingEmail":"","mappingQuota":"","mappingUid":"preferred_username","uniqueUid":"0"} |
+----+------------+--------------------+-------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+

I've redacted a couple details but these are from a working Keycloak config.

Note in the second detail view that the "Discovery endpoint" label is actually on the "Client ID" column and vice versa.

FR: provide a roadmap

Is there a roadmap for this implementation of OIDC?

I recognize that docs are still pending (#12), but some of the issues (e.g., #7, #42, #90) suggest that it is not believed to be complete-enough yet, but ... I might be misinterpreting them, and some of those will be version-specific. (For instance, does 90 apply only to NC > 20?)

I'm not asking for you to speed up your programming, far from it. I'm migrating one of my installs to keycloak and am weighing how best to connect to it. I have been following https://github.com/pulsejet/nextcloud-oidc-login for a bit, but recognize that it is not a nextcloud-provided plugin. I'd prefer to stay with NC-proper if feasible and stable.

Do you have a milestone indicating when you think this will achieve a "v1" (ready for enterprise) status?

Thank you for everything!

Limit login to groups

It should be possible to authorize users and limit access either based on group membership (related: #308) or based on the fact that the user exists in Nextcloud because of another source such as LDAP (user_saml can do this).

Token <--> Property mapping

I used the community openid connect application, which allowed me to define which token property gets mapped to the nextcloud username, quotaSettings, etc.

With this solution, I cannot do that anymore. This results in
a) my users not being able to find their files and
b) creation of new users that
c) cannot be found on the user page

I expect this mapping to be made configurable, or at least for the (preferred_)username property of a token to be honored. Right now, it seems to just use the sub of the token. And to be honest, this official user backend should at least provide the same functionality as the community plugin does.

Map groups from Identity Provider

Is it possible to map the user groups from the Identity Provider?

In the graphical wizard I see:

  • User ID
  • Display Name
  • Email
  • Quota

OpenID Connect User backend version: 1.0.0
Nextcloud version: 22.1.0

Thanks!

Userdirs naming

Hi!
After users log in via SSO, their dirs in "datadirectory" look like some hash.
Is it possible to use some fix to name the directory by username?

Logout with endsession endpoint

Would it be possible to implement the logout process using the endsession endpoint as described by the OIDC standard?
Currently this is not supported.

Allow for clock drift

Some systems need a bit of leeway in accepting the issued token.

a snippet that works:

JWT::$leeway = 60;
$payload = JWT::decode($data['id_token'], $jwks, array_keys(JWT::$supported_algs));

But this then has to be configurable per provider.
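An added example, not user_oidc code, of the time-claim check with the leeway made a per-provider setting instead of the global `JWT::$leeway` in the PHP snippet above. It validates `exp`, `nbf` and `iat` against the provider's allowed clock skew and returns the token's remaining lifetime, so that a session created from the token can be capped at it. The `Provider` class and its `clock_skew` / `max_token_age` fields are assumptions of this example.

```python
"""Time-claim validation with a configurable, per-provider clock skew.

Added example, not code from user_oidc. `Provider` is a hypothetical holder
for the per-provider settings this check needs.
"""
import time


class TokenTimeError(ValueError):
    """Raised when exp / nbf / iat are missing or outside the tolerated window."""


class Provider:
    def __init__(self, identifier, clock_skew=0, max_token_age=None):
        self.identifier = identifier
        self.clock_skew = clock_skew        # seconds of drift tolerated (JWT 'leeway')
        self.max_token_age = max_token_age  # optional cap on (now - iat), seconds


def validate_time_claims(claims, provider, now=None):
    """Check exp, nbf and iat using provider.clock_skew.

    - exp is required and must not be in the past (minus skew)
    - nbf, if present, must not be in the future (plus skew)
    - iat is required and must not be in the future (plus skew); optionally
      tokens older than provider.max_token_age are refused

    Returns the number of seconds the token is still valid for (0 when it is
    only being accepted thanks to the skew allowance).
    """
    now = time.time() if now is None else now
    skew = provider.clock_skew

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise TokenTimeError("exp claim missing")
    if now > exp + skew:
        raise TokenTimeError("token expired %d s ago (skew %d s)" % (now - exp, skew))

    nbf = claims.get("nbf")
    if nbf is not None and now + skew < nbf:
        raise TokenTimeError("token not yet valid (nbf)")

    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):
        raise TokenTimeError("iat claim missing")
    if iat > now + skew:
        raise TokenTimeError("token issued in the future")
    if provider.max_token_age is not None and now - iat > provider.max_token_age + skew:
        raise TokenTimeError("token older than %d s" % provider.max_token_age)

    # Remaining validity; a session derived from this token should not outlive it.
    return max(0, int(exp - now))


def time_claims_ok(claims, provider, now=None):
    try:
        validate_time_claims(claims, provider, now)
        return True
    except TokenTimeError:
        return False


if __name__ == "__main__":
    keycloak = Provider("Keycloak", clock_skew=60)
    now = int(time.time())
    # Constructed claims: a token that, by our (drifted) clock, expired 30 s ago.
    claims = {"iat": now - 630, "exp": now - 30}
    print(validate_time_claims(claims, keycloak, now))   # 0: accepted within skew
    print(time_claims_ok(claims, Provider("strict"), now))  # False: no skew allowed
```

Keep the skew small (tens of seconds) and fix the real problem with NTP where possible; every second of leeway is a second an expired token is still accepted.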

Authentication to external OIDC server (Keycloak) does not work - error "Too many redirects"

I've configured the plugin as per documentation (https://www.schiessle.org/articles/2020/07/26/nextcloud-and-openid-connect/), but with the difference that my OIDC server does not run on the NC VM, it's available via its own domain.

I've configured the correct authentication endpoint for my Keycloak server in the app : https://mykeycloak.de/realms/cloud/protocol/openid-connect/auth

... and of course the correct client id and secret.

Clicking on the "Login with Keycloak" button on the NC login page leads to an error message "Too many redirects".

Watching the network requests in the browser console, at no point is the auth endpoint of my Keycloak server addressed. All requests are made to "https://cloud.mydomain.de/apps/user_oidc/login/1", looking like this:

https://cloud.mydomain.de/apps/user_oidc/login/1?client_id=keycloak&response_type=code&scope=openid+email+profile&redirect_uri=https://cloud.mydomain.de/apps/user_oidc/code&claims={"id_token":{"email":null,"name":null,"quota":null},"userinfo":{"email":null,"name":null,"quota":null}}&state=6XD043WIXV4L979X8087KRG8IVIBBBNC&nonce=B8Z2U1EPG0XYLHFIYIBLAU1TU4XC9NED

Is this issue already known? Anyone got this working with Keycloak on an external domain not running on the NC server itself?

User accounts created after OIDC login do not show up in admin user list

Hi,

I was able to log in using OIDC and that seems to work fine, it even creates the account and everything. However, after I log out again, I noticed that the new user does not show up in the user list. This makes it impossible (as far as I can tell) to add users to specific groups and apply quotas. Is this intended behaviour or did I do something wrong?

Wrong socket in callback URL when used behind proxy

So admittedly this may really be a defect in terms of a missing feature/option elsewhere, but it ends up impacting this plugin.

The gist is that if you run a separate proxy (e.g. use the Apache-type NextCloud with Nginx as a proxy), and for some reason the app is unable to get its IP (e.g. it runs in a Docker container without host networking), then it appears to be impossible to get the OIDC callback url to be correct.

Scenario

  • Out-of-box NextCloud, using the Apache-type docker-compose.yml example on the NextCloud site
  • An Nginx instance set to proxy the NextCloud instance
  • The latest version of this plugin (user_oidc, 0.3.2)
  • An OIDC provider configured

Issue
When clicking the button to log in with OIDC, a redirect occurs to the OIDC endpoint. However, the redirect_uri request parameter goes to http://127.0.0.1:8080/apps/user_oidc/code (8080 being the default port in the example docker-compose.yml, and 127.0.0.1 because it's running in Docker presumably without host networking), which of course won't work as most providers only allow https on their callback URLs; besides that, the IP/hostname is wrong in addition to the port (as the http port is hidden by the proxy, with only an https port exposed which NextCloud doesn't know about).

I attempted to use the overwritehost property in config.php to overcome this but don't seem to be able to - upon configuring it to https://<myhost>:<myport> the redirect_uri then states http://https://<myhost>:<myport> (with the double-protocol as stated). Perhaps this would work technically if I did not specify the protocol making NextCloud use http, but my OIDC provider does not allow non-https redirect schemes.

Is there some other option I am missing here? I am not sure if the FPM-type NextCloud docker-compose.yml would resolve the problem, perhaps as it provides the nginx configuration and so it's been written to work with it?

Note - I already have trusted_domains and overwrite.cli.url set to my hostname.
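An added example, not Nextcloud or user_oidc code, of a simplified model of how a server derives its own absolute URL behind a reverse proxy from the `overwritehost`, `overwriteprotocol`, `overwritecondaddr` and `trusted_proxies` settings. It reproduces the two results from the report above (the `http://127.0.0.1:8080/...` callback, and the `http://https://...` callback when a scheme is put into `overwritehost`) and shows the combinations that give a correct https redirect_uri. Gating the `X-Forwarded-*` headers on `trusted_proxies` is this example's own hardening choice: accepting them from any client would let an attacker steer the redirect_uri via a forged Host header. The request dictionaries and addresses are constructed.

```python
"""How the OIDC redirect_uri is derived behind a reverse proxy.

Added example, not Nextcloud code: a simplified model of absolute-URL
construction from overwritehost / overwriteprotocol / overwritecondaddr /
trusted_proxies. Requests are plain dicts constructed for the example.
"""
import re

CALLBACK_PATH = "/apps/user_oidc/code"  # the callback path seen in the report


def _overrides_apply(config, remote_addr):
    """overwritecondaddr (a regex on the peer address) gates the overwrite* settings."""
    cond = config.get("overwritecondaddr")
    return cond is None or re.match(cond, remote_addr) is not None


def _from_trusted_proxy(request, config):
    return request["remote_addr"] in config.get("trusted_proxies", ())


def server_protocol(request, config):
    if config.get("overwriteprotocol") and _overrides_apply(config, request["remote_addr"]):
        return config["overwriteprotocol"]
    # Only honour X-Forwarded-Proto when the peer is a proxy we trust.
    fwd = request["headers"].get("X-Forwarded-Proto")
    if fwd and _from_trusted_proxy(request, config):
        return fwd.lower()
    return "https" if request.get("https") else "http"


def server_host(request, config):
    if config.get("overwritehost") and _overrides_apply(config, request["remote_addr"]):
        # Used verbatim: it must be host[:port] with no scheme, or the scheme
        # is glued in front of it and you get http://https://host/...
        return config["overwritehost"]
    fwd = request["headers"].get("X-Forwarded-Host")
    if fwd and _from_trusted_proxy(request, config):
        return fwd
    return request["headers"].get("Host", "localhost")


def redirect_uri(request, config):
    """Absolute callback URL sent to the OP as redirect_uri."""
    return "%s://%s%s" % (server_protocol(request, config),
                          server_host(request, config), CALLBACK_PATH)


# Constructed request as the app container sees it: the proxy is the peer,
# the upstream Host is the container's own address, the real values are in
# the forwarded headers.
PROXIED_REQUEST = {
    "remote_addr": "172.18.0.2",
    "https": False,
    "headers": {"Host": "127.0.0.1:8080",
                "X-Forwarded-Proto": "https",
                "X-Forwarded-Host": "cloud.example"},
}

if __name__ == "__main__":
    print(redirect_uri(PROXIED_REQUEST, {}))
    # http://127.0.0.1:8080/apps/user_oidc/code   (nothing configured)
    print(redirect_uri(PROXIED_REQUEST, {"overwritehost": "https://cloud.example"}))
    # http://https://cloud.example/apps/user_oidc/code   (scheme inside overwritehost)
    print(redirect_uri(PROXIED_REQUEST, {"overwritehost": "cloud.example",
                                         "overwriteprotocol": "https"}))
    # https://cloud.example/apps/user_oidc/code
    print(redirect_uri(PROXIED_REQUEST, {"trusted_proxies": ["172.18.0.2"]}))
    # https://cloud.example/apps/user_oidc/code   (forwarded headers trusted)
```

The last two configurations are the ones to use: either name the public host and protocol explicitly, or list the proxy's address in `trusted_proxies` and let the forwarded headers through. With `overwritecondaddr` set, the overrides only apply to requests arriving from the matching address, so cron and CLI runs are unaffected.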

[Bug]: Minor typo in error message "Could not the reach OpenID Connect provider."

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

Hello,

when Nextcloud is configured to delegate authentication to an OpenID server, and reaching this server is troublesome, the user is presented with this error message:

Could not the reach OpenID Connect provider.

I expect the correct error message to be

Could not reach the OpenID Connect provider.

Additionally, a more detailed message could help, but this is another issue I guess.

Steps to reproduce

  1. From a fresh Nextcloud install, install user_oidc:
# example for a Nextcloud from Linuxserver's Docker image, e.g. lscr.io/linuxserver/nextcloud:23.0.0:
sudo -u  "#${PUID}" /config/www/nextcloud/occ \
    user_oidc:provider Authelia \
    --clientid="nextcloud" \
    --clientsecret="(redacted)" \
    --discoveryuri="https://(redacted)/.well-known/openid-configuration" \
    --scope="openid groups email profile" \
    --unique-uid=0 \
    --no-interaction
  2. Shut down the OpenID server
  3. On the Nextcloud login page, click "Login with Authelia"

Observed behavior

Could not the reach OpenID Connect provider.

Expected behavior

Could not reach the OpenID Connect provider.

Installation method

Other

Operating system

Other

PHP engine version

No response

Web server

No response

Database engine version

No response

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

No response

List of activated Apps

Enabled:
  - accessibility: 1.9.0
  - activity: 2.15.0
  - bruteforcesettings: 2.3.0
  - circles: 23.0.0
  - cloud_federation_api: 1.6.0
  - comments: 1.13.0
  - contactsinteraction: 1.4.0
  - dashboard: 7.3.0
  - dav: 1.21.0
  - federatedfilesharing: 1.13.0
  - federation: 1.13.0
  - files: 1.18.0
  - files_pdfviewer: 2.4.0
  - files_rightclick: 1.2.0
  - files_sharing: 1.15.0
  - files_trashbin: 1.13.0
  - files_versions: 1.16.0
  - files_videoplayer: 1.12.0
  - firstrunwizard: 2.12.0
  - logreader: 2.8.0
  - lookup_server_connector: 1.11.0
  - nextcloud_announcements: 1.12.0
  - notifications: 2.11.1
  - oauth2: 1.11.0
  - password_policy: 1.13.0
  - photos: 1.5.0
  - privacy: 1.7.0
  - provisioning_api: 1.13.0
  - recommendations: 1.2.0
  - serverinfo: 1.13.0
  - settings: 1.5.0
  - sharebymail: 1.13.0
  - support: 1.6.0
  - survey_client: 1.11.0
  - systemtags: 1.13.0
  - text: 3.4.0
  - theming: 1.14.0
  - twofactor_backupcodes: 1.12.0
  - updatenotification: 1.13.0
  - user_oidc: 1.1.0
  - user_status: 1.3.1
  - viewer: 1.7.0
  - weather_status: 1.3.0
  - workflowengine: 2.5.0
Disabled:
  - admin_audit
  - encryption
  - files_external
  - user_ldap

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

No response

Disabling other backends setting has no effect

The README claims:

If there is only one OIDC provider configured, it can be made the default login method and the user would get redirected to the provider immediately for the login.

There doesn't appear to be any UI for this, but it also gives an occ command to set this up. I've run that command and it has no apparent effect; my login screen still has the default form + the new OIDC option. Note I've had a SAML arrangement with user_saml before that did work to take over as the sole authentication mechanism, but I have that app disabled right now. My authentication flow otherwise works as expected against Keycloak.

$ occ config:list user_oidc
{
    "apps": {
        "user_oidc": {
            "allow_multiple_user_backends": "0",
            "enabled": "yes",
            "id4me_enabled": "0",
            "installed_version": "1.0.0",
            "provider-3-mappingUid": "preferred_username",
            "provider-3-uniqueUid": "0",
            "types": "authentication"
        }
    }
}

You can see the value got set (that key didn't exist before running the occ command) but isn't functional as advertised.

"Update provider settings" is not usable to update settings

While setting up a provider, the settings screen works fine the first time. Thereafter, when I select the edit icon next to a provider to open the "Update provider settings" dialog, I am unable to save; it just throws an error saying a provider with the same name already exists. I was able to update the provider settings using occ config:app:set user_oidc <key> --value <value> and got my provider working after the initial incorrect data, but not using the web interface.

Can not logout via Keycloak - Missing parameters id_token_hint

I have an issue with logout via Keycloak.

When a user clicks on the logout button, they see:

Missing parameters: id_token_hint

The Keycloak logout URL is used properly, but id_token_hint which is required is not set.
This token is issued after the user signs in as an id_token value from Keycloak response of auth endpoint.

Could it be fixed, please? Or could you help to clarify it? Because I am not able to use logout.
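An added example, not user_oidc code, for this report and for the earlier "Logout with endsession endpoint" request: the two halves an RP-initiated logout needs are keeping the ID token from the token response at login, and later building the OP's `end_session_endpoint` URL with `id_token_hint`, `client_id`, `post_logout_redirect_uri` and a `state` that the return leg verifies (parameters as defined in OpenID Connect RP-Initiated Logout 1.0). The `OidcSession` class, endpoint URL and token string are hypothetical.

```python
"""RP-initiated logout URL carrying id_token_hint.

Added example, not user_oidc code. `OidcSession` stands in for whatever
per-login state the relying party keeps.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs


class OidcSession:
    def __init__(self, id_token):
        self.id_token = id_token   # raw ID token (JWT string) from the token response
        self.logout_state = None   # issued when we send the user to the OP to log out


def build_end_session_url(discovery, session, client_id, post_logout_redirect_uri):
    """Build the URL to redirect the browser to for OP logout.

    Raises ValueError when the OP advertises no end_session_endpoint or when
    no ID token was kept, since id_token_hint cannot be supplied then.
    """
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("provider does not advertise end_session_endpoint")
    if not session.id_token:
        raise ValueError("no ID token stored for this session; cannot send id_token_hint")
    session.logout_state = secrets.token_urlsafe(24)
    params = {
        "id_token_hint": session.id_token,
        "client_id": client_id,
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "state": session.logout_state,
    }
    return endpoint + ("&" if "?" in endpoint else "?") + urlencode(params)


def logout_params(url):
    """Query parameters of a built logout URL, one value each (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def verify_logout_return(session, return_url):
    """On the post_logout_redirect_uri leg, accept only the state we issued;
    only then clear the local session."""
    q = parse_qs(urlsplit(return_url).query)
    return bool(session.logout_state) and q.get("state") == [session.logout_state]


if __name__ == "__main__":
    # Constructed discovery data and token; the endpoint is hypothetical.
    discovery = {"end_session_endpoint":
                 "https://idp.example/realms/cloud/protocol/openid-connect/logout"}
    session = OidcSession(id_token="eyJ.constructed.token")
    url = build_end_session_url(discovery, session, "nextcloud", "https://cloud.example/")
    print(url)
    print(verify_logout_return(session, "https://cloud.example/?state=" + session.logout_state))  # True
```

The ID token must therefore be retained for the lifetime of the login (server-side, alongside the session), not discarded once its claims have been read, or the logout URL cannot be built later.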

Extend user back-end to search and list users

Right now OpenID Connect users are not searchable and can't be enumerated.

This has many drawbacks:

  1. They are not shown in the user management, so you can't assign them to groups, deactivate them, wipe their devices, set quota, etc.
  2. It seems like sharing finds OIDC users, so somewhere we have the information?!
  3. On the other hand in Talk I don't find the users
  4. User counting doesn't work correctly

Setup integration tests

It would be good to have some basic integration tests for the general login flow with oidc

exp attribute appears not to be respected

Hi there,

While testing this module, I noticed that when setting a short test exp of 10 minutes, sessions from this module were able to live longer than that. This would be a security issue, as it means that the expiry is not correctly enforced for OpenID Connect sessions.

Save user email

I work with OpenID Connect (OIDC) via Keycloak. I cannot find how I can save the user's email. I see "Email Mapping" in the provider configuration; however, when I set it to 'email' the user's email is still not saved.

Could you please explain how the user's email could be saved?

Clients become logged out shortly after login

There is a closed issue for Nextcloud server, where logins were invalidated within minutes: nextcloud/server#26502

The issue was closed, as pulsejet updated their Social Login app: nextcloud/server#26502 (comment)

However the issue seems still present for this app ( the OIDC backend). It might not work properly with nextcloud 22.


It might be easy to fix. When you look at the fix from pulsejet... pulsejet/nextcloud-oidc-login@3a50a43

... I see the exact same wrong line in the code of this app... https://github.com/nextcloud/user_oidc/blob/master/lib/Controller/LoginController.php#L359

Cannot update OIDC existing provider

If I want to update an existing provider I get the following error message

Could not update provider. Provider with the given identifier already exists

I provide a short screen recording to show the issue

Peek 2021-08-16 12-32

And the system report:

system-report.md
