nextcloud / user_oidc
OIDC connect user backend for Nextcloud
License: GNU Affero General Public License v3.0
documentation for the app is still needed.
@rullzer will provide @schiessle with the necessary info to write something as agreed.
The audience claim can be an array. In this case the check fails, even if audience is correct:
user_oidc/lib/Controller/LoginController.php
Line 210 in 1048625
See OpenID Connect specification: https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
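The audience check the specification describes, as an added example in plain PHP (this is not the user_oidc code at the linked line). It accepts "aud" as either a string or an array, requires our client_id to be listed, rejects any extra audience that is not on an assumed per-provider trusted list, and treats the spec's two "SHOULD" rules for the azp claim as hard failures.

```php
<?php
// Added example, not user_oidc code: validate the ID Token "aud" claim the way
// OpenID Connect Core 1.0 section 3.1.3.7 requires. "aud" may be a string or an
// array of strings; accept the token only if it names our client_id and every
// other audience listed is one the deployment explicitly trusts.
declare(strict_types=1);

/**
 * @param array    $claims           decoded ID Token payload
 * @param string   $clientId         our client_id registered at the issuer
 * @param string[] $trustedAudiences additional audiences we accept (assumed per-provider setting)
 */
function validateAudience(array $claims, string $clientId, array $trustedAudiences = []): bool
{
    if (!array_key_exists('aud', $claims)) {
        return false;
    }
    // Normalise "string or array of strings" into a list, rejecting anything else.
    $aud = is_array($claims['aud']) ? array_values($claims['aud']) : [$claims['aud']];
    if ($aud === [] || count(array_filter($aud, 'is_string')) !== count($aud)) {
        return false;
    }
    // Our client_id must be present; strict comparison so "0" and "" cannot match loosely.
    if (!in_array($clientId, $aud, true)) {
        return false;
    }
    // Any additional audience must be on the trusted list.
    foreach ($aud as $entry) {
        if ($entry !== $clientId && !in_array($entry, $trustedAudiences, true)) {
            return false;
        }
    }
    // With several audiences the spec says azp SHOULD be present and, if present,
    // SHOULD equal our client_id. This example treats both as hard requirements.
    if (count($aud) > 1 && (!isset($claims['azp']) || $claims['azp'] !== $clientId)) {
        return false;
    }
    return true;
}

// Constructed sample payloads (not real tokens); the loop throws if a case misbehaves.
$cases = [
    [['aud' => 'nextcloud'],                                            [],                  true],
    [['aud' => ['nextcloud']],                                          [],                  true],
    [['aud' => ['nextcloud', 'account-console'], 'azp' => 'nextcloud'], [],                  false], // untrusted extra audience
    [['aud' => ['nextcloud', 'account-console'], 'azp' => 'nextcloud'], ['account-console'], true],
    [['aud' => ['nextcloud', 'account-console']],                       ['account-console'], false], // azp missing
    [['aud' => ['other-app']],                                          [],                  false],
    [['aud' => 0],                                                      [],                  false], // malformed claim
];
foreach ($cases as [$claims, $trusted, $expected]) {
    if (validateAudience($claims, 'nextcloud', $trusted) !== $expected) {
        throw new RuntimeException('audience check gave the wrong answer for ' . json_encode($claims));
    }
}
echo "all audience cases behaved as expected\n";
```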
When logged in via a custom OIDC provider (Keycloak in my case), I'm prompted for my account password if I try to create an app password. Since I'm not logging in via Nextcloud, it's not possible to satisfy this password check.
This seems to be the same issue experienced by the dev of the nextcloud social login plugin: nextcloud/server#9474
Setup:
Fresh install of nextcloud (version 24.0.0),
LDAP user backend plugin enabled and handling user provisioning
OIDC user backend plugin enabled and connected to keycloak. OIDC plugin user id mapped to the ID in ldap, and configured with:
'user_oidc' => [
'single_logout' => true,
'auto_provision' => false,
],
Is there a way to configure the providers in the config file? I haven't found any examples of that anywhere.
I tried to install this app on 3 different instances of Nextcloud 20; it doesn't work.
I get this message after downloading:
Column name "oc_user_oidc"."display_name" is NotNull, but has empty string or null as default.
Any idea, please?
Thank you.
Hi
I've followed Björn Schießle's guide to set up the connection with OpenID Connect.
When I click on "Login with ..."
I get an error message:
The server was unable to complete the request.
If this happens again, please send the technical details below to your server administrator.
Further details can be found in the server log.
Technical details
Remote address: 127.0.0.1
Request ID: 4j97lhpsxGk1cERkG74W
The nextcloud server log returns:
[index] Error: GuzzleHttp\Exception\ClientException: Client error: `GET http://192.168.20.50:8081/auth/realms/myrealm/protocol/openid-connect/auth` resulted in a `400 Bad Request` response:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd (truncated...)
at <<closure>>
0. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 65
GuzzleHttp\Exception\RequestException::create(GuzzleHttp\Psr7\Request {}, "*** sensitive parameter replaced ***")
1. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 203
GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
2. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 156
GuzzleHttp\Promise\Promise::callHandler(1, "*** sensitive parameter replaced ***", [GuzzleHttp\Prom ... l])
3. /var/www/html/3rdparty/guzzlehttp/promises/src/TaskQueue.php line 47
GuzzleHttp\Promise\Promise::GuzzleHttp\Promise\{closure}("*** sensitive parameters replaced ***")
4. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 246
GuzzleHttp\Promise\TaskQueue->run(true)
5. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 223
GuzzleHttp\Promise\Promise->invokeWaitFn()
6. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 267
GuzzleHttp\Promise\Promise->waitIfPending()
7. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 225
GuzzleHttp\Promise\Promise->invokeWaitList()
8. /var/www/html/3rdparty/guzzlehttp/promises/src/Promise.php line 62
GuzzleHttp\Promise\Promise->waitIfPending()
9. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php line 183
GuzzleHttp\Promise\Promise->wait()
10. /var/www/html/lib/private/Http/Client/Client.php line 233
GuzzleHttp\Client->request("get", "http://192.168. ... h", {verify: "/var/w ... e})
11. /var/www/html/custom_apps/user_oidc/lib/Controller/LoginController.php line 264
OC\Http\Client\Client->get("http://192.168. ... h")
12. /var/www/html/custom_apps/user_oidc/lib/Controller/LoginController.php line 139
OCA\UserOIDC\Controller\LoginController->obtainDiscovery("http://192.168. ... h")
13. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 169
OCA\UserOIDC\Controller\LoginController->login("*** sensitive parameters replaced ***")
14. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 100
OC\AppFramework\Http\Dispatcher->executeController(OCA\UserOIDC\Con ... {}, "login")
15. /var/www/html/lib/private/AppFramework/App.php line 152
OC\AppFramework\Http\Dispatcher->dispatch(OCA\UserOIDC\Con ... {}, "login")
16. /var/www/html/lib/private/Route/Router.php line 309
OC\AppFramework\App::main("OCA\\UserOIDC\\ ... r", "login", OC\AppFramework\ ... {}, {providerId: "4" ... "})
17. /var/www/html/lib/base.php line 1008
OC\Route\Router->match("/apps/user_oidc/login/4")
18. /var/www/html/index.php line 37
OC::handleRequest()
GET /apps/user_oidc/login/4
from 127.0.0.1 at 2021-02-12T16:50:47+00:00
The keycloak server logs:
16:50:47,537 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_request
What's a good spot to look next?
OS: CentOS 8
Nextcloud 20.1
Upon downloading the official OpenID app I'm unable to enable the app.
Error:
An error occured during the request. Unable to proceed.
Column name "oc_user_oidc"."display_name" is NotNull, but has empty string or null as default.
My Nextcloud implementation works with OpenID Connect (OIDC) via Keycloak but not with OIDC via Google or Paypal. The two platforms create the same issue when I register the provider:
sudo -u www-data php /var/www/nextcloud/occ user_oidc:provider google --clientid="8********************************************.apps.googleusercontent.com" --clientsecret="G**********************************" --discoveryuri="https://accounts.google.com/.well-known/openid-configuration"
The command returns this error on my server:
In DbalException.php line 71:An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1
In ExceptionConverter.php line 114: An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1
In Exception.php line 26: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1
In Statement.php line 92: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1
The Google client secret has this format: 8********************************************.apps.googleusercontent.com. Each star represents a unique character. I considered dropping the .apps.googleusercontent.com extension, but Google includes the suffix in their own examples: client_id=424911365001.apps.googleusercontent.com.
Paypal has the same problem with Client ID. The service also uses a longer Client Secret. So I get more errors with that service.
ES256 should be supported as a modern cryptographic standard for signing of OIDC id_tokens.
We could support backchannel logout like described in https://openid.net/specs/openid-connect-backchannel-1_0.html
The logic, as I understand it, is:
Since nextcloud/server@5023084, the fix via c960f5c is no longer sufficient and results in the following error message when enabling the app:
Column name "oc_user_oidc"."display_name" is NotNull, but has empty string or null as default.
I'm trying to get v1.0.0 up and running (because SAML is too much of a pain to keep administering longer than I must). I have a server running 22.1.0.1 and tried installing this app. I can still use my instance after enabling it, but I can no longer access the settings/admin endpoint. It just throws a 500 error with no particular information and dies. If I disable the app again (using occ app:disable user_oidc) I can get to my settings again.
I did have a legacy config from a previous attempt with an earlier version, but I nuked it with occ user_oidc:provider:delete -- ... and occ config:system:delete user_odic. I've disabled other providers (such as user_saml) for this test.
I don't see anything remotely useful in the log files either.
I have configured my provider:
+----+------------+------------+----------------------------------------------------------------------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
| ID | Identifier | Client ID  | Discovery endpoint                                                               | Advanced settings    |                                                                                                                                    |
+----+------------+------------+----------------------------------------------------------------------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
| 2  | DCER       | dcer-cloud | https://[MY OIDC server URL]/auth/realms/[MY REALM]/protocol/openid-connect/auth | openid email profile | {"mappingDisplayName":"name","mappingEmail":"email","mappingQuota":"quota","mappingUid":"sub","uniqueUid":"0","checkBearer":false} |
+----+------------+------------+----------------------------------------------------------------------------------+----------------------+------------------------------------------------------------------------------------------------------------------------------------+
(Both [MY OIDC server URL] and [MY REALM] are correct and I can authenticate with it.)
But when I click on the provider button for login, I get the error: Could not the reach OpenID Connect provider.
On the browser I can see a 404 code for request /apps/user_oidc/login/2
Am I missing something here?
When setting up a new provider, unchecking "Use unique user id" has the expected effect and the setting gets set to 0. However when re-opening the settings from the web interface the box is checked again. Per issue #307 the update doesn't work at all anyway, but the checkbox shouldn't be coming back on, it should be reading the current setting. The other values appear to work.
I have followed the instructions in @schiessle article today to setup Nextcloud OpenID sign-on on Keycloak.
I successfully logged in with a user defined in Keycloak, but I noticed that a reference to the user has not been created in Nextcloud.
This means that the user is not searchable in the share panel, for example.
I tried with Social Login OpenID, and the user reference was created as expected.
It would make sense to validate the discovery endpoint when saving the settings, just so we know if the endpoint is correct etc.
Using occ to view providers, one of the views has headers mismatched to columns:
The provider list table is okay
$ occ user_oidc:provider
+----+------------+-------------------------------------------------------------------------+-----------+
| ID | Identifier | Discovery endpoint | Client ID |
+----+------------+-------------------------------------------------------------------------+-----------+
| 3 | Keycloak | https://example.com/auth/realms/foobar/.well-known/openid-configuration | nextcloud |
+----+------------+-------------------------------------------------------------------------+-----------+
$ occ user_oidc:provider -- Keycloak
+----+------------+--------------------+-------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+
| ID | Identifier | Discovery endpoint | Client ID | Advanced settings |
+----+------------+--------------------+-------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+
| 3 | Keycloak | nextcloud | https://example.com/auth/realms/foobar/.well-known/openid-configuration | {"mappingDisplayName":"","mappingEmail":"","mappingQuota":"","mappingUid":"preferred_username","uniqueUid":"0"} |
+----+------------+--------------------+-------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------+
I've redacted a couple details but these are from a working Keycloak config.
Note in the second detail view that the "Discovery endpoint" label is actually on the "Client ID" column and vice versa.
I keep getting 404 after I click the Login button. The endpoint url is reachable using curl on the same server which runs Nextcloud.
If it helps, I'm running ory Hydra and I've configured OpenID on Gitea (running on the same machine as Nextcloud) without issues.
Similar to issue #355, but in his case the cause was Keycloak misconfiguration.
Is there a roadmap for this implementation of OIDC?
I recognize that docs are still pending (#12), but some of the issues (e.g., #7, #42, #90) suggest that it is not believed to be complete-enough yet, but ... I might be misinterpreting them, and some of those will be version-specific. (For instance, does 90 apply only to NC > 20?)
I'm not asking for you to speed up your programming, far from it. I'm migrating one of my installs to keycloak and am weighing how best to connect to it. I have been following https://github.com/pulsejet/nextcloud-oidc-login for a bit, but recognize that it is not a nextcloud-provided plugin. I'd prefer to stay with NC-proper if feasible and stable.
Do you have a milestone indicating when you think this will achieve a "v1" (ready for enterprise) status?
Thank you for everything!
It should be possible to authorize users and limit access either based on group membership (related: #308) or based on the fact that the user exists in Nextcloud because of another source such as LDAP (user_saml can do this).
I used the community openid connect application, which allowed me to define which token property gets mapped to the nextcloud username, quotaSettings, etc.
With this solution, I cannot do that anymore. This results in
a) my users not being able to find their files and
b) creation of new users that
c) cannot be found on the user page
I expect to make this mapping configurable, or at least honor the (preferred_)username property of a token. Right now, it seems to just use the sub of the token. And to be honest, this official user backend should at least provide the same functionality like the community plugin does.
Is it possible to map the user groups from the Identity Provider?
In the graphical wizard I see:
OpenID Connect User backend version: 1.0.0
Nextcloud version: 22.1.0
Thanks!
Hi!
After users log in via SSO, their dirs in "datadirectory" look like some hash.
Is it possible to use some fix for naming the directory by username?
I am working with an openid connect server that only allows client_secret_basic, which is correctly discovered in the openid discovery endpoint. This module appears to ignore that setting, and always uses client_secret_post.
This module should correctly respect the discovered settings.
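Honouring the discovered setting, as an added example (plain PHP, not user_oidc code): the token request is built from token_endpoint_auth_methods_supported, sending the secret in an HTTP Basic header when the provider offers client_secret_basic and in the form body only when it offers client_secret_post. The discovery fragment, client credentials and URLs are constructed.

```php
<?php
// Added example, not user_oidc code: choose the token-endpoint client
// authentication method from the discovery document instead of always
// sending client_secret_post. Returns what an HTTP client needs to send.
declare(strict_types=1);

function buildTokenRequest(array $discovery, string $clientId, string $clientSecret, string $code, string $redirectUri): array
{
    if (empty($discovery['token_endpoint'])) {
        throw new RuntimeException('discovery document has no token_endpoint');
    }
    $body = [
        'grant_type'   => 'authorization_code',
        'code'         => $code,
        'redirect_uri' => $redirectUri,
    ];
    $headers = ['Content-Type' => 'application/x-www-form-urlencoded'];

    // OIDC Discovery 1.0: when the key is absent the default is client_secret_basic.
    $supported = $discovery['token_endpoint_auth_methods_supported'] ?? ['client_secret_basic'];

    if (in_array('client_secret_basic', $supported, true)) {
        // RFC 6749 section 2.3.1: form-urlencode id and secret before base64-encoding "id:secret".
        $headers['Authorization'] = 'Basic ' . base64_encode(urlencode($clientId) . ':' . urlencode($clientSecret));
    } elseif (in_array('client_secret_post', $supported, true)) {
        $body['client_id']     = $clientId;
        $body['client_secret'] = $clientSecret;
    } else {
        // e.g. only private_key_jwt is offered: fail loudly rather than sending the secret the wrong way.
        throw new RuntimeException('no supported client authentication method: ' . implode(',', $supported));
    }

    return [
        'url'     => $discovery['token_endpoint'],
        'headers' => $headers,
        'body'    => http_build_query($body, '', '&', PHP_QUERY_RFC3986),
    ];
}

// Constructed discovery fragment for a provider that, like the one in the report, only allows the basic method.
$discovery = [
    'issuer'                                => 'https://idp.example/realms/demo',
    'token_endpoint'                        => 'https://idp.example/realms/demo/protocol/openid-connect/token',
    'token_endpoint_auth_methods_supported' => ['client_secret_basic'],
];
$req = buildTokenRequest($discovery, 'nextcloud', 's3cret', 'code-from-callback', 'https://cloud.example.org/apps/user_oidc/code');
if (!isset($req['headers']['Authorization']) || strpos($req['body'], 'client_secret=') !== false) {
    throw new RuntimeException('secret must travel in the Authorization header for this provider');
}
echo $req['body'], "\n";
```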
Would it be possible to implement the logout process using the endsession endpoint as described by the OIDC standard?
Currently this is not supported.
Some systems need a bit of leeway in accepting the issued token.
A snippet that works:
use Firebase\JWT\JWT;
JWT::$leeway = 60; // seconds of clock skew tolerated on exp, nbf and iat; static, so it applies to every later decode()
$payload = JWT::decode($data['id_token'], $jwks, array_keys(JWT::$supported_algs));
But this then has to be configurable per provider.
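A per-provider variant of that check, as an added example (plain PHP, not user_oidc code): the leeway comes from an assumed "leeway" provider setting and is capped, exp/nbf/iat are enforced against it, and the remaining lifetime is returned so the caller can bound the Nextcloud session to the token's exp, which is the concern raised in the session-expiry report further down.

```php
<?php
// Added example, not user_oidc code: enforce the ID Token time claims with a
// leeway that is configured per provider (and capped), and return the seconds
// left until "exp" so the caller can bound the Nextcloud session to it.
declare(strict_types=1);

const MAX_LEEWAY_SECONDS = 300; // assumption: refuse provider settings beyond five minutes of clock skew

/** Reads the assumed per-provider setting "leeway" (seconds), defaulting to 0 and clamping to the cap. */
function leewayForProvider(array $providerSettings): int
{
    $leeway = (int) ($providerSettings['leeway'] ?? 0);
    if ($leeway < 0) {
        throw new InvalidArgumentException('leeway must not be negative');
    }
    return min($leeway, MAX_LEEWAY_SECONDS);
}

/**
 * Validates exp (required), nbf and iat (if present) against $now with $leeway.
 * Returns the number of seconds the token is still valid for, without leeway.
 */
function validateTimeClaims(array $claims, int $leeway, int $now): int
{
    foreach (['exp', 'nbf', 'iat'] as $name) {
        if (isset($claims[$name]) && !is_int($claims[$name])) {
            throw new UnexpectedValueException("$name must be a numeric date");
        }
    }
    if (!isset($claims['exp'])) {
        throw new UnexpectedValueException('ID Token has no exp claim');
    }
    // exp: token is valid while now < exp; the leeway tolerates our clock running ahead.
    if ($now - $leeway >= $claims['exp']) {
        throw new UnexpectedValueException('ID Token expired');
    }
    // nbf/iat: tolerate the issuer's clock running ahead of ours.
    if (isset($claims['nbf']) && $now + $leeway < $claims['nbf']) {
        throw new UnexpectedValueException('ID Token not yet valid');
    }
    if (isset($claims['iat']) && $now + $leeway < $claims['iat']) {
        throw new UnexpectedValueException('ID Token issued in the future');
    }
    return max(0, $claims['exp'] - $now);
}

// Constructed sample: a 10 minute token, checked before and after it expires.
$now    = 1700000000;
$claims = ['iat' => $now, 'nbf' => $now, 'exp' => $now + 600, 'sub' => 'alice'];
$leeway = leewayForProvider(['leeway' => '60']);

$remaining = validateTimeClaims($claims, $leeway, $now + 5);    // accepted, well inside the lifetime
$afterExp  = validateTimeClaims($claims, $leeway, $now + 630);  // accepted: 30 s past exp is inside the 60 s leeway
try {
    validateTimeClaims($claims, $leeway, $now + 661);           // 61 s past exp: must be rejected
    throw new RuntimeException('expired token was accepted');
} catch (UnexpectedValueException $e) {
    // expected
}
echo "remaining lifetime when checked: {$remaining}s; after exp inside leeway: {$afterExp}s\n";
```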
I've configured the plugin as per documentation (https://www.schiessle.org/articles/2020/07/26/nextcloud-and-openid-connect/), but with the difference that my OIDC server does not run on the NC VM, it's available via its own domain.
I've configured the correct authentication endpoint for my Keycloak server in the app : https://mykeycloak.de/realms/cloud/protocol/openid-connect/auth
... and of course the correct client id and secret.
Clicking on the "Login with Keycloak" button on the NC login page leads to an error message "Too many redirects".
Watching the network requests in the browser console, at no point the auth endpoint of my Keycloak server is addressed. All requests are done to "https://cloud.mydomain.de/apps/user_oidc/login/1", looking like this:
https://cloud.mydomain.de/apps/user_oidc/login/1?client_id=keycloak&response_type=code&scope=openid+email+profile&redirect_uri=https://cloud.mydomain.de/apps/user_oidc/code&claims={"id_token":{"email":null,"name":null,"quota":null},"userinfo":{"email":null,"name":null,"quota":null}}&state=6XD043WIXV4L979X8087KRG8IVIBBBNC&nonce=B8Z2U1EPG0XYLHFIYIBLAU1TU4XC9NED
Is this issue already known? Anyone got this working with Keycloak on an external domain not running on the NC server itself?
https://datatracker.ietf.org/doc/html/rfc7636
There are some OpenID Connect providers that require PKCE to function correctly, which it appears this plugin doesn't support in its requests. It would be great if this could be updated to have PKCE S256 functionality.
For more: https://medium.com/swlh/pkce-flow-of-openid-connect-9b10ddbabd66
Thanks!
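The S256 flow from RFC 7636, as an added example in plain PHP (not user_oidc code): the relying party creates the verifier and challenge, sends the challenge in the authorization request and keeps the verifier in the session; the provider side is included only so the round trip can be checked, and it refuses the weak "plain" method. Endpoint and client values are constructed; the verifier/challenge pair used as a self-check is the RFC's Appendix B test vector.

```php
<?php
// Added example, not user_oidc code: PKCE with the S256 method (RFC 7636) on
// both sides. The RP creates the verifier/challenge pair and keeps the verifier
// in the session; the provider recomputes the challenge from the verifier that
// accompanies the token request.
declare(strict_types=1);

function base64UrlEncode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

/** RP side: 32 random bytes give a 43 character verifier, inside RFC 7636's 43..128 range. */
function pkceCreate(): array
{
    $verifier = base64UrlEncode(random_bytes(32));
    return [
        'code_verifier'         => $verifier,
        'code_challenge'        => base64UrlEncode(hash('sha256', $verifier, true)),
        'code_challenge_method' => 'S256',
    ];
}

/** RP side: authorization request carrying the challenge next to state and nonce. */
function authorizationUrl(string $authEndpoint, string $clientId, string $redirectUri, string $state, string $nonce, array $pkce): string
{
    $query = http_build_query([
        'client_id'             => $clientId,
        'response_type'         => 'code',
        'scope'                 => 'openid email profile',
        'redirect_uri'          => $redirectUri,
        'state'                 => $state,
        'nonce'                 => $nonce,
        'code_challenge'        => $pkce['code_challenge'],
        'code_challenge_method' => $pkce['code_challenge_method'],
    ], '', '&', PHP_QUERY_RFC3986);
    return $authEndpoint . (strpos($authEndpoint, '?') === false ? '?' : '&') . $query;
}

/** Provider side: accept the token request only if the verifier matches the stored challenge. Refuses "plain". */
function pkceVerify(string $storedChallenge, string $storedMethod, string $verifier): bool
{
    if ($storedMethod !== 'S256' || !preg_match('/^[A-Za-z0-9\-._~]{43,128}$/', $verifier)) {
        return false;
    }
    return hash_equals($storedChallenge, base64UrlEncode(hash('sha256', $verifier, true)));
}

// RFC 7636 Appendix B test vector: this pair must verify.
$rfcVerifier  = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$rfcChallenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';
if (!pkceVerify($rfcChallenge, 'S256', $rfcVerifier)) {
    throw new RuntimeException('S256 implementation does not match the RFC 7636 test vector');
}

// Round trip with a fresh pair, plus two failure modes a provider must reject.
$pkce = pkceCreate();
$url  = authorizationUrl('https://idp.example/protocol/openid-connect/auth', 'nextcloud',
    'https://cloud.example.org/apps/user_oidc/code', bin2hex(random_bytes(16)), bin2hex(random_bytes(16)), $pkce);
if (!pkceVerify($pkce['code_challenge'], 'S256', $pkce['code_verifier'])
    || pkceVerify($pkce['code_challenge'], 'S256', $pkce['code_verifier'] . 'x')
    || pkceVerify($pkce['code_verifier'], 'plain', $pkce['code_verifier'])) {
    throw new RuntimeException('PKCE round trip failed');
}
echo $url, "\n";
```

The token request then carries the stored code_verifier as a form field alongside grant_type, code and redirect_uri.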
Hi,
I was able to log in using OIDC and that seems to work fine, even creates the account and everything. However, after I log out again, I noticed that the new user does not show up in the user list. This makes it impossible (as far as I can tell) to add users to specific groups and apply quotas. Is this intended behaviour or did I do something wrong?
So admittedly this may really be a defect in terms of a missing feature/option elsewhere, but it ends up impacting this plugin.
The gist is that if you run a separate proxy (e.g. use the Apache-type NextCloud with Nginx as a proxy), and for some reason the app is unable to get its IP (e.g. it runs in a Docker container without host networking), then it appears to be impossible to get the OIDC callback url to be correct.
Scenario
Issue
When clicking the button to login with OIDC a redirect occurs to the OIDC endpoint. However, the redirect_uri request parameter goes to http://127.0.0.1:8080/apps/user_oidc/code (8080 being the default port on the example docker-compose.yml, and 127.0.0.1 because it's running in Docker presumably without host networking) which of course won't work as most providers only allow https on their callback URLs, besides that the IP/hostname is wrong in addition to the port (as the http port is hidden by the proxy, with only an https port exposed which NextCloud doesn't know about).
I attempted to use the overwritehost property in config.php to overcome this but don't seem to be able to - upon configuring it to https://<myhost>:<myport> the redirect_uri then states http://https://<myhost>:<myport> (with the double-protocol as stated). Perhaps this would work technically if I did not specify the protocol making NextCloud use http, but my OIDC provider does not allow non-https redirect schemes.
Is there some other option I am missing here? I am not sure if the FPM-type NextCloud docker-compose.yml would resolve the problem, perhaps as it provides the nginx configuration and so it's been written to work with it?
Note - I already have trusted_domains and overwrite.cli.url set to my hostname.
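A config.php fragment for the proxied setup described above, added here as an example rather than taken from the report: overwritehost carries the host (and port, if non-standard) only, while the scheme lives in overwriteprotocol; putting a scheme inside overwritehost is what yields the doubled "http://https://" redirect_uri. The hostname and the proxy subnet are assumptions.

```php
<?php
// config/config.php fragment, added as an example and not taken from the report.
// Nextcloud behind a TLS-terminating nginx proxy, with the app container lacking
// host networking. Hostname and proxy subnet are assumptions.
$CONFIG = [
    'trusted_domains'       => ['cloud.example.org'],
    // Only these proxy addresses may set X-Forwarded-* headers that Nextcloud trusts.
    'trusted_proxies'       => ['172.18.0.0/16'],
    'forwarded_for_headers' => ['HTTP_X_FORWARDED_FOR'],
    // Host only, optionally with ':port'; a scheme here yields the "http://https://host" redirect_uri.
    'overwritehost'         => 'cloud.example.org',
    // The scheme goes here, so absolute URLs such as /apps/user_oidc/code are built with https.
    'overwriteprotocol'     => 'https',
    'overwrite.cli.url'     => 'https://cloud.example.org',
];

// What the report tried, for contrast: a scheme inside overwritehost.
// 'overwritehost' => 'https://cloud.example.org:8443',   // wrong: produces http://https://cloud.example.org:8443/...
```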
Hello,
when Nextcloud is configured to delegate authentication to an OpenID server, and reaching this server is troublesome, the user is presented with this error message:
Could not the reach OpenID Connect provider.
I expect the correct error message to be
Could not reach the OpenID Connect provider.
Additionally, a more detailed message could help, but this is another issue I guess.
user_oidc:
# example for a Nextcloud from Linuxserver's Docker image, e.g. lscr.io/linuxserver/nextcloud:23.0.0:
sudo -u "#${PUID}" /config/www/nextcloud/occ \
user_oidc:provider Authelia \
--clientid="nextcloud" \
--clientsecret="(redacted)" \
--discoveryuri="https://(redacted)/.well-known/openid-configuration" \
--scope="openid groups email profile" \
--unique-uid=0 \
--no-interaction
Could not the reach OpenID Connect provider.
Could not reach the OpenID Connect provider.
Fresh Nextcloud Server install
Encryption is Disabled
Enabled:
- accessibility: 1.9.0
- activity: 2.15.0
- bruteforcesettings: 2.3.0
- circles: 23.0.0
- cloud_federation_api: 1.6.0
- comments: 1.13.0
- contactsinteraction: 1.4.0
- dashboard: 7.3.0
- dav: 1.21.0
- federatedfilesharing: 1.13.0
- federation: 1.13.0
- files: 1.18.0
- files_pdfviewer: 2.4.0
- files_rightclick: 1.2.0
- files_sharing: 1.15.0
- files_trashbin: 1.13.0
- files_versions: 1.16.0
- files_videoplayer: 1.12.0
- firstrunwizard: 2.12.0
- logreader: 2.8.0
- lookup_server_connector: 1.11.0
- nextcloud_announcements: 1.12.0
- notifications: 2.11.1
- oauth2: 1.11.0
- password_policy: 1.13.0
- photos: 1.5.0
- privacy: 1.7.0
- provisioning_api: 1.13.0
- recommendations: 1.2.0
- serverinfo: 1.13.0
- settings: 1.5.0
- sharebymail: 1.13.0
- support: 1.6.0
- survey_client: 1.11.0
- systemtags: 1.13.0
- text: 3.4.0
- theming: 1.14.0
- twofactor_backupcodes: 1.12.0
- updatenotification: 1.13.0
- user_oidc: 1.1.0
- user_status: 1.3.1
- viewer: 1.7.0
- weather_status: 1.3.0
- workflowengine: 2.5.0
Disabled:
- admin_audit
- encryption
- files_external
- user_ldap
The README claims:
If there is only one OIDC provider configured, it can be made the default login method and the user would get redirected to the provider immediately for the login.
There doesn't appear to be any UI for this, but it also gives an occ command to set this up. I've run that command and it has no apparent effect; my login screen still has the default form + the new OIDC option. Note I've had a SAML arrangement with user_saml before that did work to take over as the sole authentication mechanism, but I have that app disabled right now. My authentication flow otherwise works as expected against Keycloak.
$ occ config:list user_oidc
{
"apps": {
"user_oidc": {
"allow_multiple_user_backends": "0",
"enabled": "yes",
"id4me_enabled": "0",
"installed_version": "1.0.0",
"provider-3-mappingUid": "preferred_username",
"provider-3-uniqueUid": "0",
"types": "authentication"
}
}
}
You can see the value got set (that key didn't exist before running the occ command) but isn't functional as advertised.
While setting up a provider, the settings screen works fine the first time. Thereafter when I select the edit icon next to a provider to open the "Update provider settings" dialog I am unable to save; it just throws an error saying a provider with the same name already exists. I was able to update the provider settings using occ config:app:set user_oidc <key> --value <value> and got my provider working after the initial incorrect data, but not using the web interface.
I have an issue with logout via Keycloak.
When a user clicks on the logout button, they see:
Missing parameters: id_token_hint
The Keycloak logout URL is used properly, but id_token_hint which is required is not set.
This token is issued after the user signs in as an id_token value from Keycloak response of auth endpoint.
Could it be fixed, please? Or could you help to clarify it? Because I am not able to use logout.
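RP-initiated logout through the provider's end_session_endpoint (the end-session request asked for earlier on this page) with the id_token_hint that Keycloak reports as missing, as an added example in plain PHP (not user_oidc code). It assumes the raw ID Token is stored server-side at login under a session key of my choosing; the discovery fragment, client values and placeholder token are constructed.

```php
<?php
// Added example, not user_oidc code: RP-initiated logout against the
// provider's end_session_endpoint with id_token_hint. The ID Token must be
// kept server-side at login for this to work.
declare(strict_types=1);

/** At login: keep the raw ID Token in the server-side session, never in a cookie readable by scripts. */
function rememberIdToken(array &$session, string $rawIdToken): void
{
    $session['user_oidc.id_token'] = $rawIdToken;   // assumed session key
}

/**
 * Builds the URL to send the browser to after the local session is destroyed.
 * Returns null when the provider offers no end_session_endpoint; then only local logout happens.
 */
function buildLogoutUrl(array $discovery, array $session, string $clientId, string $postLogoutRedirectUri, string $state): ?string
{
    $endpoint = $discovery['end_session_endpoint'] ?? null;
    if ($endpoint === null) {
        return null;
    }
    $params = [
        'client_id'                => $clientId,
        'post_logout_redirect_uri' => $postLogoutRedirectUri, // must be registered at the provider
        'state'                    => $state,                 // echoed back so the return can be correlated
    ];
    if (!empty($session['user_oidc.id_token'])) {
        $params['id_token_hint'] = $session['user_oidc.id_token'];
    }
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return $endpoint . (strpos($endpoint, '?') === false ? '?' : '&') . $query;
}

// Constructed discovery fragment and a placeholder token (not a real JWT).
$discovery = ['end_session_endpoint' => 'https://idp.example/realms/demo/protocol/openid-connect/logout'];
$session   = [];
rememberIdToken($session, 'eyJ.placeholder.idtoken');
$url = buildLogoutUrl($discovery, $session, 'nextcloud', 'https://cloud.example.org/', bin2hex(random_bytes(16)));
if ($url === null || strpos($url, 'id_token_hint=eyJ.placeholder.idtoken') === false) {
    throw new RuntimeException('logout URL must carry id_token_hint');
}
echo $url, "\n";
```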
Right now OpenID Connect users are not searchable and can't be enumerated.
This has many drawbacks:
It would be good to have some basic integration tests for the general login flow with oidc
Hi there,
While testing this module, I noticed that when setting a short test exp of 10 minutes, sessions from this module were able to live longer than that. This would be a security issue as it means that the expiry is not correctly enforced for OpenID Connect sessions.
I work with OpenID Connect (OIDC) via Keycloak. I cannot find how I can save user's email. I see in the provider configuration Email Mapping however when I set it to 'email' the user's email anyway is not saved.
Could you please explain how the user's email could be saved?
There is a closed issue for Nextcloud server, where logins were invalidated within minutes: nextcloud/server#26502
The issue was closed, as pulsejet updated their Social Login app: nextcloud/server#26502 (comment)
However the issue seems still present for this app ( the OIDC backend). It might not work properly with nextcloud 22.
It might be easy to fix. When you look at the fix from pulsejet... pulsejet/nextcloud-oidc-login@3a50a43
... I see the exact same wrong line in the code of this app... https://github.com/nextcloud/user_oidc/blob/master/lib/Controller/LoginController.php#L359
If I want to update an existing provider I get the following error message
Could not update provider. Provider with the given identifier already exists
I provide a short screen recording to show the issue
And the system report: