Open OskarsPakers opened 2 months ago
Thanks for reporting this. Could you try to delete lines 263->268, 273 and 281 of apps/user_oidc/lib/Controller/LoginController.php?
https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L263-L268
https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L273
https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L281
Google's response says it would work with just having the id_token attribute in the claim GET param.
I just tracked down this exact same issue. I can confirm that it works with just the id_token in claims, but not with userinfo.
Removing those lines you specify in LoginController.php fixes it!
(Side note: all my Google searching yielded nothing. I did not find this issue until I tracked down this specific repo and searched for "userinfo" after determining it was the difference in the request.)
I have configured an OIDC provider through configuration with Google.
Discovery endpoint: https://accounts.google.com/.well-known/openid-configuration
Scope: openid email profile
User ID mapping: email
When logging in, user gets redirected to authentication endpoint https://accounts.google.com/o/oauth2/v2/auth?client_id=... and query parameter claims is appended
claims: {"id_token":{"email":{"essential":true},"name":null,"quota":null,"groups":null},"userinfo":{"email":{"essential":true},"name":null,"quota":null,"groups":null}}
which results in an error page on Google login.
If the claims parameter is removed, then authentication goes through. Should there be a parameter to avoid the claims parameter being passed?
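Added example (not from the thread and not user_oidc's own code): the `claims` request parameter quoted in the report, built with and without the `userinfo` member, and sent only when the provider's discovery document advertises `claims_parameter_supported`. The function names, the `send_claims` and `include_userinfo` toggles, and the `idp.example` endpoint used to exercise it are assumptions.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Claims copied from the authorization request quoted in the report.
REQUESTED = {"email": {"essential": True}, "name": None, "quota": None, "groups": None}


def build_claims(requested, include_userinfo=True):
    """Return the OIDC `claims` request object (OpenID Connect Core, section 5.5)."""
    claims = {"id_token": dict(requested)}
    if include_userinfo:
        # This is the member whose presence the thread ties to the error page.
        claims["userinfo"] = dict(requested)
    return claims


def build_auth_url(discovery, client_id, redirect_uri, scope, state, nonce,
                   send_claims=True, include_userinfo=True):
    """Build the authorization request URL.

    `send_claims` and `include_userinfo` are hypothetical toggles, not
    user_oidc settings. The parameter is also skipped when the provider does
    not advertise `claims_parameter_supported` (Discovery 1.0, default false).
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    if send_claims and discovery.get("claims_parameter_supported", False):
        claims = build_claims(REQUESTED, include_userinfo)
        # Compact separators give the same JSON text as in the report.
        params["claims"] = json.dumps(claims, separators=(",", ":"))
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def claims_in(url):
    """Parse the `claims` parameter back out of a URL, or None if absent."""
    raw = parse_qs(urlsplit(url).query).get("claims")
    return json.loads(raw[0]) if raw else None
```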