Open eorlovsky opened 5 years ago
I have no in depth knowledge on Keycloak - does it speak OpenId? You might want to try https://github.com/owncloud/sociallogin
Yes. Keycloak does support the openid-connect protocol. This is the information about the endpoints from Keycloak:
authorization_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/auth
token_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/token
token_introspection_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/token/introspect
userinfo_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/userinfo
end_session_endpoint https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/logout
jwks_uri https://kc.my-vpa.com/auth/realms/webapp-poc-01/protocol/openid-connect/certs
@DeepDiver1975 do you think we can use sociallogin with the Keycloak ?
Looks good - give it a try and let me know about the test results. THX :+1:
@DeepDiver1975 please inform me about success
@DeepDiver1975 @mmattel OK, will do!
@DeepDiver1975 @mmattel
We get an error: No id_token was found.
Could you please help us debug that? We don't see logs in owncloud.log even with DEBUG enabled.
```json
{
  "issuer": "https://kc.my-vpa.com/auth/realms/master",
  "authorization_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/auth",
  "token_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/token",
  "token_introspection_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/logout",
  "jwks_uri": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/certs",
  "check_session_iframe": "https://kc.my-vpa.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": ["authorization_code", "implicit", "refresh_token", "password", "client_credentials"],
  "response_types_supported": ["code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token"],
  "subject_types_supported": ["public", "pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "userinfo_signing_alg_values_supported": ["RS256"],
  "request_object_signing_alg_values_supported": ["none", "RS256"],
  "response_modes_supported": ["query", "fragment", "form_post"],
  "registration_endpoint": "https://kc.my-vpa.com/auth/realms/master/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic", "client_secret_post"],
  "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
  "claims_supported": ["sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email"],
  "claim_types_supported": ["normal"],
  "claims_parameter_supported": false,
  "scopes_supported": ["openid", "offline_access"],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true
}
```
@DeepDiver1975 do you think this could be a scope issue?
Found that error in a class \OCA\SocialLogin\Provider\CustomOpenIDConnect::validateAccessTokenExchange
Did a print of the collection:
```
[access_token] => eyJhbGciOiJSUz...
[expires_in] => 60
[refresh_expires_in] => 1800
[refresh_token] => eyJhbGciOi....
[token_type] => bearer
[not-before-policy] => 1546968280
[session_state] => 72dbed34-56c4-4217-a9dc-9484b5fb67a1
[scope] => owncloud
```
So there is no id_token.
Changed that to access_token and now have:
Requested id scope is unknown!
The very last error message we have:
Signed API request has returned an error. HTTP client error: <url> malformed.
After some code update we've been able to log in via Keycloak.
Can you describe in more detail what you did, respectively what to avoid, to be successful so we can document that properly?
validateAccessTokenExchange should support access_token:
```php
if ($collection->exists('access_token')) {
    $idToken = $collection->get('access_token');
    // Get the payload (second segment) from the JWT. The claims are read
    // without verifying the signature, so this is a workaround only.
    $parts = explode('.', $idToken);
    list($headb64, $payload) = $parts;
    // JWT segments are base64url encoded ('-' and '_' instead of '+' and '/');
    // plain base64_decode() would silently drop those characters.
    $data = base64_decode(strtr($payload, '-_', '+/'));
    $this->storeData('user_data', $data);
} else {
    // String concatenation in PHP is '.', not '+'. toArray() is assumed to
    // exist on the collection class used here.
    throw new Exception('No id_token was found. Keys received: '
        . implode(' ', array_keys($collection->toArray())));
}
```
Did you add this code to lib/Provider/CustomOpenIDConnect.php?
And could you give me an example of the complete function as you changed it so we can check?
We have now two Tickets where you basically discuss the same topic.
Shall we move this issue to the social login repo?
@eorlovsky I've been trying to achieve the same for the past few days. Many thanks for the info in here, which has enabled me to get as far as the same error "Signed API request has returned an error. HTTP client error:
I'm using Keycloak 4.8.3 & Owncloud 10.1.1.1
Many thanks
I've followed the steps and got it to work. How to prevent the described errors:
Hope that helps.
It would of course be necessary that the above described code changes are included in the official code.
@settermjd fyi
In addition to what I said above:
The code change provided by @eorlovsky is NOT necessary if Keycloak is called with scope openid instead of email, as he suggests in his example configuration above.
The reason is that Keycloak provides an ID-Token in addition to an Access-Token in case the scope is set to openid, as it then considers the communication protocol as "Open-ID-Connect" instead of "Pure OAuth2" (a warning saying so can also be seen in the Keycloak log).
An ID-Token is an OpenID-Connect concept only (https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis).
That would mean that the related Issue https://github.com/owncloud/sociallogin/issues/2 could be closed as well.
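The scope/id_token dependency described above, as an added example that is not code from this thread or the sociallogin app: a client-side check that mirrors the decision in validateAccessTokenExchange, decodes the base64url JWT payload correctly, and reports why the id_token is absent when `openid` was not requested. Sample token responses are constructed here and unsigned; the claims they yield must not be trusted until the id_token has been verified against the provider's jwks_uri.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string for the constructed samples below.
    The signature segment is a placeholder; nothing here verifies it."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(payload).encode())}.sig"

def decode_jwt_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT without verification.
    JWT segments are base64url (RFC 7515): '-'/'_' alphabet, no padding.
    Plain base64 decoding drops those characters, so restore padding and
    use the urlsafe decoder."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))

def pick_identity_claims(requested_scope: str, token_response: dict) -> tuple:
    """Return (source, claims). The id_token is the OIDC path; when the
    client omitted scope=openid the provider runs plain OAuth2 and returns
    no id_token, which is the 'No id_token was found' error in the thread.
    Claims from a real response must be signature-checked before use."""
    if "id_token" in token_response:
        return "id_token", decode_jwt_payload(token_response["id_token"])
    if "openid" not in requested_scope.split():
        raise ValueError(
            "No id_token was found: scope %r lacks 'openid', so the provider "
            "ran plain OAuth2; request scope 'openid email' instead" % requested_scope)
    raise ValueError("No id_token was found although 'openid' was requested")

# Constructed sample responses, shaped like the collection printed in the thread.
OAUTH2_ONLY = {"access_token": make_unsigned_jwt({"sub": "u1", "scope": "owncloud"}),
               "token_type": "bearer", "expires_in": 60, "scope": "owncloud"}
OIDC = dict(OAUTH2_ONLY, id_token=make_unsigned_jwt(
    {"sub": "u1", "iss": "https://kc.example.test/auth/realms/master",
     "preferred_username": "alice", "email": "alice@example.test"}))
```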
How do I set up Owncloud auth in Keycloak? I seem to do everything according to this post:
So OwnCloud successfully redirects to KeyCloak login page here:
So if I input keycloak credentials right:
It redirects back but with an error! this is the resulting webpage: https://gist.github.com/pashazz/bc7f97da58701313624f0d94fd9f0d87
Looks like it renders some webpage instead of a token. But I am 100% sure that the token page is OK.
Can we use the same token to invoke the REST API?
FYI: ownCloud will come with a native OpenID Connect integration soon. I'll move this issue to the social login app because you are working on this end at the moment, which is perfectly fine. :+1:
Any update here by any chance?
Feel free to use https://github.com/owncloud/openidconnect; this is the official OpenID Connect integration.
Expected behaviour
Is it possible in some way, or via external plugins, to use JBoss Keycloak as a federated identity provider for ownCloud? In other words, we would like to be able to log in to ownCloud with a user from Keycloak, because we use ownCloud as one of the services in our company. We would like all the user info stored in a single place, Keycloak, and ownCloud can use the data from the Keycloak user to allow login and grant roles.
Thanks a lot
ownCloud version: Version ownCloud 10.0.8 (stable)