owncloud-archive / sociallogin

GNU Affero General Public License v3.0

Owncloud and Keycloak OpenID integration #7

Open eorlovsky opened 5 years ago

eorlovsky commented 5 years ago

Expected behaviour


Is it possible in some way, or via external plugins, to use JBoss Keycloak as a federated identity provider for Owncloud? In other words, we would like to be able to login to Owncloud with a user from Keycloak, because we use Owncloud as one of the services in our company. We would like all the user info stored in a single place - Keycloak. And Owncloud can use data from the Keycloak user to allow login and grant roles.

Thanks a lot

ownCloud version: Version ownCloud 10.0.8 (stable)

DeepDiver1975 commented 5 years ago

I have no in-depth knowledge of Keycloak - does it speak OpenID? You might want to try https://github.com/owncloud/sociallogin

eorlovsky commented 5 years ago

Yes, Keycloak does support the openid-connect protocol. This is the information about endpoints from Keycloak:

authorization_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/auth

token_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/token

token_introspection_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/token/introspect

userinfo_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/userinfo

end_session_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/logout

jwks_uri https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/certs

ownclouders commented 5 years ago

GitMate.io thinks the contributor most likely able to help you is @PVince81.

Possibly related issues are https://github.com/owncloud/core/issues/3468 (Error LDAP integration Owncloud), https://github.com/owncloud/core/issues/10222 (owncloud security), https://github.com/owncloud/core/issues/12200 (OwnCloud Data), https://github.com/owncloud/core/issues/8025 (Owncloud Duplicating), and https://github.com/owncloud/core/issues/3248 (Owncloud Error).

eorlovsky commented 5 years ago

@DeepDiver1975 do you think we can use sociallogin with the Keycloak ?

DeepDiver1975 commented 5 years ago

@DeepDiver1975 do you think we can use sociallogin with the Keycloak ?

Looks good - give it a try and let me know about the test results. THX :+1:

mmattel commented 5 years ago

@DeepDiver1975 please inform me about success

eorlovsky commented 5 years ago

@DeepDiver1975 @mmattel ok, will do!

eorlovsky commented 5 years ago

@DeepDiver1975 @mmattel

  1. We can configure a Custom OpenID Connect configuration in Owncloud
  2. And we get the login / password prompt from Keycloak with the link https://owncloud.my-vpa.com/index.php/apps/sociallogin/custom_oidc/keycloak

https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=owncloud&redirect_uri=https%3A%2F%2Fowncloud.my-vpa.com%2Findex.php%2Fapps%2Fsociallogin%2Fcustom_oidc%2Fkeycloak&scope=email&state=HA-F3B2KT759YARHG1SLPO4QUCE8DWZ06INXVMJ

  3. After we try to login with a user test/123456

We get the error "No id_token was found."

https://owncloud.my-vpa.com/index.php/apps/sociallogin/custom_oidc/keycloak?state=HA-F3B2KT759YARHG1SLPO4QUCE8DWZ06INXVMJ&session_state=276f6d0d-9910-42d9-998e-c23d4bbe5a89&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..5gXuDWbbwnS7e8sjOf_9wQ.nRqTo2uUBBZicsss93wUCsnlu1mrxUKhXgns0WQPxKfMFH2R4YNqSQV59EYinK4x9Z0rbX3qdwiDuo3l7XCp996lyacxJaWCFdmoioAUyxlV570jiM0f0pQKffot1xskeAuSr7T1FLQJr_GuLdDXuOhNsJ8F12rBnL7bmZXBVuBhHNUWvGtrDzYL3O8o--Xi6VCQFRxG4zlyTlz19qMfQuQUJjJtCJ7_vqy4dEAqkJS2hH5wiNSrOX7TWqELdZ-k.4iGMsqMRh2kHYV_MAbi6Ww


Could you please help us debug that? We don't see any logs in owncloud.log even with DEBUG enabled.

eorlovsky commented 5 years ago

    {
        "issuer": "https://kc.my-vpa.com/auth/realms/master",
        "authorization_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/auth",
        "token_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/token",
        "token_introspection_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/token/introspect",
        "userinfo_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/userinfo",
        "end_session_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/logout",
        "jwks_uri": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/certs",
        "check_session_iframe": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
        "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
        "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
        "subject_types_supported": ["public", "pairwise"],
        "id_token_signing_alg_values_supported": ["RS256"],
        "userinfo_signing_alg_values_supported": ["RS256"],
        "request_object_signing_alg_values_supported": ["none", "RS256"],
        "response_modes_supported": ["query", "fragment", "form_post"],
        "registration_endpoint": "https://kc.my-vpa.com/auth/realms/master/clients-registrations/openid-connect",
        "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
        "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
        "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
        "claim_types_supported": ["normal"],
        "claims_parameter_supported": false,
        "scopes_supported": ["openid", "offline_access"],
        "request_parameter_supported": true,
        "request_uri_parameter_supported": true
    }

eorlovsky commented 5 years ago

@DeepDiver1975 do you think this could be a scope issue?

eorlovsky commented 5 years ago

Found that error in the class \OCA\SocialLogin\Provider\CustomOpenIDConnect::validateAccessTokenExchange

Did a print of the collection:

    [access_token] => eyJhbGciOiJSUz...
    [expires_in] => 60
    [refresh_expires_in] => 1800
    [refresh_token] => eyJhbGciOi....
    [token_type] => bearer
    [not-before-policy] => 1546968280
    [session_state] => 72dbed34-56c4-4217-a9dc-9484b5fb67a1
    [scope] => owncloud

So there is no id_token.

eorlovsky commented 5 years ago

Changed that to access_token and now have "Requested id scope is unknown!"

eorlovsky commented 5 years ago

The very last error message we have:

Signed API request has returned an error. HTTP client error: <url> malformed.

eorlovsky commented 5 years ago

After some code updates, we've been able to login via Keycloak.

mmattel commented 5 years ago

Can you describe in more detail what you did, or what to avoid, to be successful, so we can document that properly?

eorlovsky commented 5 years ago

validateAccessTokenExchange should support access_token:

    if ($collection->exists('access_token')) {
        // Workaround: read the payload of the access token instead of an id_token
        $idToken = $collection->get('access_token');
        // A JWT is header.payload.signature; take the payload segment
        $parts = explode('.', $idToken);
        list($headb64, $payload) = $parts;
        // JWT segments are base64url, so map '-' and '_' to '+' and '/' before decoding
        $data = base64_decode(strtr($payload, '-_', '+/'));
        // Note: the token signature is not verified before the payload is stored
        $this->storeData('user_data', $data);
    } else {
        // PHP string concatenation is '.', not '+'
        throw new Exception('No id_token was found. ' . implode(' ', $collection->toArray()));
    }

mmattel commented 5 years ago

Did you add this code to lib/Provider/CustomOpenIDConnect.php? And could you give me an example of the complete function as you changed it, so we can check?

DeepDiver1975 commented 5 years ago

We now have two tickets where you basically discuss the same topic.

Shall we move this issue to the social login repo?

SophieDCst commented 5 years ago

The very last error message we have

Signed API request has returned an error. HTTP client error: <url> malformed.

@eorlovsky I've been trying to achieve the same for the past few days. Many thanks for the info in here, which has enabled me to get as far as the same error "Signed API request has returned an error. HTTP client error: malformed." However, I'm struggling to resolve this one. Can you tell me what software you updated to resolve this?

I'm using Keycloak 4.8.3 & Owncloud 10.1.1.1

Many thanks

rowe42 commented 5 years ago

I've followed the steps and got it to work. How to prevent the described errors:

Hope that helps.

It would of course be necessary that the code changes described above are included in the official code.

mmattel commented 5 years ago

@settermjd fyi

rowe42 commented 5 years ago

In addition to what I said above: the code change provided by @eorlovsky is NOT necessary if Keycloak is called with scope openid instead of email, as he suggests in his example configuration above.

The reason is that Keycloak provides an ID token in addition to an access token when the scope is set to openid, as it then considers the communication protocol to be "OpenID Connect" instead of "pure OAuth2" (a warning saying so can also be seen in the Keycloak log). An ID token is an OpenID Connect concept only (https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis).

That would mean that the related Issue https://github.com/owncloud/sociallogin/issues/2 could be closed as well.
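Worked example, added here and not code from the sociallogin app or from any poster in this thread: the relying-party side of the token exchange in Python, applying the point above that Keycloak only issues an id_token when the requested scope includes openid, and showing the base64url decoding that the PHP snippet earlier in the thread needs (plain base64 does not accept the `-` and `_` characters used in JWT segments). The issuer, client_id and signing algorithm are taken from the discovery document and authorization URL quoted in this thread; the sample token is constructed so the block runs offline, its signature segment is a placeholder, and verification of the signature against the keys at jwks_uri is assumed to be done by the caller before the returned claims are trusted.

```python
import base64
import json
import time

# Values taken from the discovery document and authorization URL quoted in this thread
ISSUER = "https://kc.my-vpa.com/auth/realms/master"
CLIENT_ID = "owncloud"
ALLOWED_ALGS = {"RS256"}  # id_token_signing_alg_values_supported in the discovery document


def b64url_decode(segment):
    """JWT segments are unpadded base64url; re-add padding and use the url-safe alphabet."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(claims):
    """Constructed sample token for offline use; the signature segment is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def id_token_claims(requested_scope, token_response, now=None):
    """Return the id_token claims after the structural and claim checks a relying party must make.

    Assumption: the caller verifies the JWS signature against jwks_uri before trusting the result.
    """
    if "openid" not in requested_scope.split():
        raise ValueError("scope must contain 'openid'; otherwise Keycloak treats the request as plain OAuth2 and returns no id_token")
    if "id_token" not in token_response:
        raise ValueError("No id_token was found.")  # the error reported in this thread
    parts = token_response["id_token"].split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS (header.payload.signature)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if header.get("alg") not in ALLOWED_ALGS:  # rejects 'none' and algorithm substitution
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token was not issued for this client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("id_token expired")
    return claims
```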

pashazz commented 5 years ago

How do I set up Owncloud auth in Keycloak? I seem to do everything according to this post.

So OwnCloud successfully redirects to the KeyCloak login page.

So if I input the keycloak credentials right, it redirects back but with an error! This is the resulting webpage: https://gist.github.com/pashazz/bc7f97da58701313624f0d94fd9f0d87

Looks like it renders some webpage instead of a token. But I am 100% sure that the token page is OK.

hberrayana commented 4 years ago

Can we use the same token to invoke the REST API?

DeepDiver1975 commented 4 years ago

FYI: ownCloud will come with a native OpenID Connect integration soon. I'll move this issue to the social login app because you are working on this end at the moment - which is perfectly fine. :+1:

spinus commented 4 years ago

Any update here by any chance?

DeepDiver1975 commented 4 years ago

Feel free to use https://github.com/owncloud/openidconnect - this is the official OpenID Connect integration.