H2CK / oidc

OpenID Connect App for Nextcloud
GNU Affero General Public License v3.0

Nextcloud says "Your client is not authorized to connect." #11

Closed adam42a closed 2 years ago

adam42a commented 2 years ago

I've set up the OIDC app on NextCloud and a Wordpress OIDC client on my Wordpress site and I get this message from NextCloud after logging in.

"Your client is not authorized to connect. Please inform the administrator of your client."

I'm using the only user that I have, so it definitely isn't the user I'm using.

I suspect a problem in the way I've configured either the NextCloud app or the Wordpress client plugin. I haven't worked out how to configure NextCloud to serve the discovery endpoint, however the Wordpress client plugin is not giving me any error messages.

Your docs state that "The discovery endpoint should be made available at the URL: /.well-known/openid-configuration. You may have to configure your web server to redirect this url to the discovery endpoint at /index.php/apps/oidc/openid-configuration."

My NextCloud URL is a sub-domain: cloud.ecocounts.community

my Wordpress website is the actual main domain: ecocounts.community

So I assume I should put a redirect for the endpoint at cloud.ecocounts.community/.well-known/openid-configuration however it would help if you could give me advice how to do that.

What other information can I show you that might help overcome my error?

Thanks Adam

H2CK commented 2 years ago

Hi Adam, based on your description it is very hard to find the problem in the configuration. I assume a configuration issue.

For further analysis could you please provide the configuration of the oidc app especially for the Wordpress client. What is the redirect uri and the type (confidential or public)?

Additionally you should provide the configuration of the OpenID Connect Plugin in Wordpress.

Credentials should be masked.

About the topic: "The discovery endpoint should be made available at the URL: /.well-known/openid-configuration. You may have to configure your web server to redirect this url to the discovery endpoint at /index.php/apps/oidc/openid-configuration." The solution in general depends on the web server (nginx or apache) which you are using. Or even a reverse proxy in front of your nextcloud installation could provide this redirection.

adam42a commented 2 years ago

Thanks for responding :) Here is what I have set up on NextCloud for the WP client:

Name: WordPressClient
Redirection URI: https://ecocounts.community/wp-admin/admin-ajax.php?action=openid-connect-authorize (specified by WordPress "OpenID Connect Generic Plugin")
Client Identifier: HpnvnM....
Secret: *****
Signing Algorithm: RS256
Type: confidential

The client identifier and redirection URI come from the WordPress plugin. Here's how I've set up the WordPress plugin:

Login Type: connect button on login form
Client ID: from H2CK OIDC
Client Secret Key: from H2CK
OpenID Scope: email profile openid
Login Endpoint URL: https://cloud.ecocounts.community/index.php/apps/oidc/authorize (specified by H2CK)
Userinfo Endpoint URL: -
Token Validation Endpoint URL: -
End Session Endpoint URL: -
ACR Values: -
Identity Key: - (Notes: Where in the user claim array to find the user's identification data. Possible standard values: preferred_username, name, or sub. If you're having trouble, use "sub". Example: preferred_username)
Disable SSL Verify: no
HTTP Request Timeout: 5 secs
Nickname Key: - (Notes: Where in the user claim array to find the user's nickname. Possible standard values: preferred_username, name, or sub. Example: preferred_username)
Email Formatting: - (Notes: String from which the user's email address is built. Specify "{email}" as long as the user claim contains an email claim. Example: {email})
Display Name Formatting: - (Notes: String from which the user's display name is built. Example: {given_name} {family_name})
Identify with User Name: no
State time limit: -
Enable Refresh Token: yes

That's everything that seems relevant, although there is more about user handling, security and logging on the client side.

I detected an error I made here and I've corrected it, and now I believe H2CK redirected me back to WordPress, but the WordPress plugin is not dealing with the response. I will have to investigate further. It is probably because of the lack of the discovery endpoint. I am not sure I can create a redirect on my Apache server because it is a shared server - definitely the Linux OS if not the Apache server too. Just for a sanity check, I should create the discovery endpoint at the NextCloud subdomain, is that correct? I.e. like this:

https://cloud.ecocounts.community/.well-known/openid-configuration

or should it be the top domain like this:

https://ecocounts.community/.well-known/openid-configuration

Thanks

H2CK commented 2 years ago

I created a quick Wordpress installation on my side and installed the plugin you used. But I was not yet able to setup this plugin correctly. It is currently not fully clear why this plugin does not work.

You could try another plugin called "OpenID Connect Login (OpenID Connect Client)". With this plugin it is possible to login to Wordpress successfully. You do not even have to provide the discovery endpoint. Therefore you do not have to configure any redirect to the well-known endpoint.

Here is how to configure the plugin:

Set Client ID and credentials
Scope: openid profiles email roles
Authorize Endpoint: https://hostname/index.php/apps/oidc/authorize
Token Endpoint: https://hostname/index.php/apps/oidc/token
IMPORTANT: Select "Set client credentials in Body"
User Info Endpoint: https://hostname/index.php/apps/oidc/userinfo

Under attribute mapping: Set preferred_username as claim for username.

Maybe I have time in the next days to investigate this problem with the other plugin further.

adam42a commented 2 years ago

Oh great, I shall try that out.

I think I should set up the redirect anyway, because I also have to connect clients from a Flarum discussion board and a Mediawiki instance.

Would you confirm which URL I should use for the redirect? With or without the subdomain where NextCloud lives?

Thanks

H2CK commented 2 years ago

Use the sub-domain of your Nextcloud installation for the redirect of well-known endpoint.
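The following Apache rewrite rule is an added example of the redirect discussed above; it is not part of the oidc app's own documentation. It assumes the Nextcloud sub-domain from this thread, mod_rewrite being available, and that the rule is placed in the .htaccess of the Nextcloud document root (the usual option on shared hosting, where AllowOverride is normally enabled). In a per-directory context such as .htaccess the leading slash is stripped from the matched path, which is why the pattern starts with `^\.well-known`; inside a <VirtualHost> block the pattern would need a leading `/` instead.

```apache
# Added example (not from the oidc app's docs): publish the OpenID Connect
# discovery document at the well-known path on the Nextcloud host, e.g.
# https://cloud.ecocounts.community/.well-known/openid-configuration
# Assumes: .htaccess in the Nextcloud document root, mod_rewrite enabled.
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Match only the exact well-known path (anchored with ^ and $) so that no
  # other request under .well-known/ is rewritten, and answer with a permanent
  # redirect to the app's discovery endpoint.
  RewriteRule ^\.well-known/openid-configuration$ /index.php/apps/oidc/openid-configuration [R=301,L]
</IfModule>
```

To check the result, request the well-known URL on the Nextcloud sub-domain with a client that does not follow redirects (for example `curl -I`): the response should be a 301 whose Location header points at /index.php/apps/oidc/openid-configuration, and following it should return a JSON document whose `issuer`, `authorization_endpoint` and `token_endpoint` values match the endpoints configured manually in the client plugin.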

H2CK commented 2 years ago

After some more investigation I was able to login using the Nextcloud Account to authenticate. You should set your configuration the following way:

BUT: I found out that this redirect URI uses a non-conforming redirect URL. Usually a redirect URL should not contain any query parameters. This currently does not work with this Nextcloud App. I am trying to analyze if there is a possibility to support this non-conformant behavior for redirect URIs. Currently a redirect to a non-valid redirect URL happens. As an alternative you could configure the option "Alternate Redirect URI" to have a conforming redirect URL, which is then in the form https://wp-host/openid-connect-authorize. In that case the OpenID Connect Flow of this Wordpress Plugin and the Nextcloud OIDC App is successful.

adam42a commented 2 years ago

That's interesting, I'll bear it in mind for the eventuality that the MiniOrange OIDC client fails.

H2CK commented 2 years ago

With #13 the functionality to support redirect uris containing query parameters was introduced. Using version 0.1.6 it should be no longer necessary to set the option "Alternate Redirect URI".
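The two comments above (the query-parameter redirect URI that initially failed, and the support for such URIs introduced in 0.1.6) come down to how an OpenID provider validates and extends a redirect URI. The Python below is an added illustration, not code from the oidc app: it uses the WordPress redirect URI from this thread and the conforming alternate form as constructed sample data. It shows the exact string comparison that OpenID Connect Core requires for `redirect_uri` (no prefix or host-only matching, which is what keeps an attacker-controlled URL sharing a prefix from receiving the authorization code), and the difference between naively appending `?code=...` and retaining an existing query component as RFC 6749 section 3.1.2 requires.

```python
from __future__ import annotations
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample data taken from the thread: a registered redirect URI that
# carries a query component, and the conforming "Alternate Redirect URI" form.
REGISTERED = [
    "https://ecocounts.community/wp-admin/admin-ajax.php?action=openid-connect-authorize",
    "https://wp-host/openid-connect-authorize",
]


def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    """OIDC Core 3.1.2.1: the redirect_uri sent in the authorization request
    MUST exactly match one registered value (simple string comparison).
    Prefix matching or comparing only the host would let a URL such as
    '.../admin-ajax.php?action=something-else' or a look-alike host receive
    the authorization code, so neither is accepted here."""
    return requested in registered


def naive_callback(redirect_uri: str, code: str, state: str) -> str:
    """What a provider that assumes the redirect URI has no query component
    does: always append '?'. With the WordPress URI this yields two '?'
    characters, and the client never sees a 'code' parameter."""
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def build_callback(redirect_uri: str, code: str, state: str) -> str:
    """RFC 6749 3.1.2: the redirect endpoint MAY include a query component,
    which MUST be retained when the authorization response parameters are
    added. Any fragment is dropped, since a redirect URI must not carry one."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("code", code), ("state", state)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def callback_params(url: str) -> dict:
    """What the client's callback handler parses out of the final URL."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    wp = REGISTERED[0]
    print("naive :", callback_params(naive_callback(wp, "abc", "xyz")))
    print("correct:", callback_params(build_callback(wp, "abc", "xyz")))
```

Run as a script, the naive variant shows the `action` value swallowing the code (`'action': 'openid-connect-authorize?code=abc'`, no `code` key), while the RFC-conformant builder produces `action`, `code` and `state` as three separate parameters. The exact-match check is the part that matters for security: the query-parameter support added in #13 only changes how the response is appended, not how strictly the registered value is compared.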