Closed michaelstingl closed 3 years ago
Quick thought: Maybe the http URL is an issue for our oidc provider, as we do not expose the insecure
flag for services to be set.
On UCS the provider writes to the docker log for its container, so use either univention-app logs openid-connect-provider
or find the container and use the regular docker logs <container>
command
> Maybe the http URL is an issue for our oidc provider
Hm, redirect to localhost is a usual pattern for native desktop apps with OAuth 2.0 or OpenID Connect login capabilities. It's well described in the usual RFCs.
Here you can find the flow with our builtin OAuth 2.0 IdP: https://github.com/owncloud/oauth2/wiki/OAuth-code-Flow-Sequence-Diagram
Konnect allows configuring http URLs, that is correct, but we currently do not expose setting the insecure flag, that may be an issue here.
I looked at the IdP logs, when http://localhost:* is set as redirectURI, the IdP rejects the config:
level=warning msg="skipped registration of invalid client" application_type=native client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 error="invalid redirect_uri http://localhost:* - invalid uri or no hostname" insecure=true origins="[]" redirect_uris="[http://localhost:*]" trusted=true with_client_secret=true
It is even rejected when I manually add insecure: yes to the konnectd config, see the log above.
In the example config you provided I see there is no redirectURI configured for the desktop app at all. I manually edited the config on ucsd.owncloud.works to look like that and restarted the IdP - at least there are no errors anymore. Can you confirm that the desktop app works against the server?
Notes on how to configure the IdP manually. Warning: The config will be overwritten if the configuration is adapted in the Univention Management Console.
root@ucsd:~# vi /etc/kopano/konnectd-identifier-registration.yaml
root@ucsd:~# univention-app restart openid-connect-provider
root@ucsd:~# univention-app logs openid-connect-provider
> Can you confirm that the desktop app works against the server?
Yes, I can confirm, the 2.7 desktop clients work fine with your temporary config.
I found another example where @DeepDiver1975 set up konnect with oC 10, and it seems he chose the same approach.
What can we do? Get in touch with Kopano? You/Univention have a contract with them for such stuff?
The required redirectURI is part of the OIDC integration in UCS, Kopano konnect works fine as we see. If no value is to be configured we would have to change the OIDC App in UCS. But can we find an alternative valid setting for the redirectURI we can set?
I tried "*", but this isn't accepted in the form validation
hm, works now.
Can you tell me how I can extend the session lifetime of the UCS session? I am getting a lot of these:
> I tried "*", but this isn't accepted in the form validation
I can set * via CLI but konnect does not accept the configuration.
As I said, either you find a value for redirecturi that konnect accepts and works with the desktop app, and we can add it to the app joinscript. If you require no redirecturi parameter at all for the desktop client, we would have to open a feature request for the UCS OIDC App. How do we proceed?
> hm, works now.
What does work now?
> Can you tell me how I can extend the session lifetime of the UCS session? I am getting a lot of these:
When are you getting the popup? On which UCS installation? How can you reproduce the session invalidation?
UCS sessions are valid for 8 hours by default. In another issue or by mail you wrote that you often reset your test environment, that will of course invalidate sessions that were not established when the snapshot was taken.
I don't know what I was thinking when I wrote "works now" sorry.
The session expired happens when I start a server I have been running tests on. It then comes pretty often. I can't reproduce it. Maybe it's a test environment error case.
Regarding the client and UCS and OpenID: now I get this error, different error than before, so progress? :)
There was an error accessing the 'token' endpoint: Error transferring https://ucs-sso.ucs.intranet/konnect/v1/token - server replied: Misdirected Request
@edamrose can we script the adjustments you made to get the ownCloud desktop client to be able to use OIDC?
https://forge.univention.org/bugzilla/show_bug.cgi?id=52054 Feature request to extend the UCS OIDC IdP configuration options
There is a pending update for the OIDC App in UCS. I fixed the above mentioned bug 52054 for it, this should enable everything required to set up an OIDC service according to the requirements. App Version is OIDC Provider 2.1-konnect-0.33.6
The following command should create the owncloud desktop app service - if that works, this can be done in the owncloud app joinscript to enable it out of the box.
@michaelstingl can you try this?
udm oidc/rpservice create --position cn=oidc,cn=univention,$(ucr get ldap/base) --set clientid=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 --set clientsecret=UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh --set name="ownCloud desktop app" --set applicationtype=native --set insecure=yes --set trusted=yes
> @michaelstingl can you try this?
> udm oidc/rpservice create --position cn=oidc,cn=univention,$(ucr get ldap/base) --set clientid=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 --set clientsecret=UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh --set name="ownCloud desktop app" --set applicationtype=native --set insecure=yes --set trusted=yes
@voroyam could you execute this for us?
Tried to install 0.33.6.
Got an error.
full cmd output:
https://gist.github.com/voroyam/b67c925006a24cec9e037d95047271be
specific error:
Copying App Center's configure to container's /tmp/openid-connect-provider-configure
OCI runtime exec failed: exec failed: container_linux.go:345:
starting container process caused "no such file or directory": unknown
updating certificates for openid-connect-provider=2.1-konnect-0.33.6
Thanks for the feedback, we also found this issue in our QA. The app version has been updated in the test app center, please try to reinstall it
Okay, for some reason the Android login does not work, maybe I am doing something wrong.
Desktop and iOS work flawlessly. Just enter the server URL and you get redirected to the browser, confirm, and you are in.
Android 2.1.7 is bugged. Enter the server URL, a browser opens where I have to log in to UCS, and then the browser just stays open.
@michaelstingl can you confirm my findings?
https://ucsd.owncloud.works/owncloud
Administrator
ownCloud_1234
I learned from Kopano that setting insecure: yes disables many checks in the OIDC IdP and should only be used for development and debugging.
Is it possible to change the redirectURI to start with https://? Or, did you test with other OIDC Identity Providers (like keycloak) if they support http:// redirectURIs?
> Is it possible to change the redirectURI to start with https://

I don't think so. There is no SSL on http://localhost:*. And the mobile redirects oc://android.owncloud.com and oc://ios.owncloud.com aren't websites.
> Or, did you test with other OIDC Identity Providers (like keycloak) if they support http:// redirectURIs?

Yes, works fine in Keycloak. You can check the configuration:
https://keycloak.ocis-keycloak.released.owncloud.works
admin
admin
More information: https://owncloud.dev/ocis/deployment/continuous_deployment/#ocis-with-keycloak
> Okay, for some reason the Android login does not work, maybe I am doing something wrong.
@voroyam This issue is about desktop. Open a new issue for the Android problem?
ah, yes. desktop works fine. will open new issue.
I added ownCloud desktop and mobile apps to the appliance IdP:
ownCloud Android and iOS apps already work great!!
ownCloud desktop app fails to login with the appliance IdP (konnectd) but works with oCIS IdP (konnectd)
appliance IdP (konnectd)
This is the URL the desktop app opens:
https://ucsd.owncloud.works/signin/v1/identifier/_/authorize?response_type=code&client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&redirect_uri=http://localhost:49316&code_challenge=8sQ92KmAK4jyDq1cqztR9xb6IReL0UlayXc4YwAi_9M&code_challenge_method=S256&scope=openid%20offline_access%20email%20profile&prompt=consent&state=-zdAFfv3zwj_IAzJB_wUWjTP0OAmw3l6EetsTrEpVg4%3D
After login, the browser redirects to:
http://localhost:49316/?error=access_denied&error_description=unknown%20client_id%3A%20xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&state=-zdAFfv3zwj_IAzJB_wUWjTP0OAmw3l6EetsTrEpVg4%3D
oCIS IdP (konnectd)
This is the URL the desktop app opens:
https://ocis-latest.owncloud.com/signin/v1/identifier/_/authorize?response_type=code&client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&redirect_uri=http://localhost:49295&code_challenge=1s8UYtKUb9LKNz1KUecyVvFDMEuGBDXhwVDMg300qKs&code_challenge_method=S256&scope=openid%20offline_access%20email%20profile&prompt=consent&state=9hsVgvXby9cK1Ba633nGprHdBTagJ6XYAxytfX2GXTo%3D
After login, the browser redirects to:
http://localhost:49295/?code=1deQ2iw4EzME9jOK2k_SZkf62YyPtiXG&scope=openid%20offline_access%20email%20profile&session_state=87af181e5f6462521c3884591125c9ecf346505b689962c87fddabeba83cc745.Q0c0UILXx5amwjyrcGF-cr7L65IpihyX8ViiTgNVhhA%3D&state=9hsVgvXby9cK1Ba633nGprHdBTagJ6XYAxytfX2GXTo%3D
This is the konnectd config we use for the oCIS konnectd: https://github.com/owncloud/ocis-konnectd/blob/master/assets/identifier-registration.yaml
@voroyam @edamrose could you help me debug what fails here? How can I access the log from the konnectd container?
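The two flows above differ only in whether the IdP knows the client and accepts its loopback redirect_uri with a random port. As an added illustration (not konnectd's or ownCloud's code), the following Python models the RFC 8252 rule an IdP applies for native clients: exact match on registered redirect URIs, except that an http loopback URI may vary its port, so no wildcard like http://localhost:* is needed. It also parses the authorize request and the callback from the thread and checks the state round-trip; the registered client table and the success callback are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed registration for this example; client_id is the one from the thread.
CLIENT_ID = "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69"
REGISTERED = {CLIENT_ID: {"application_type": "native",
                          "redirect_uris": ["http://localhost",
                                            "oc://android.owncloud.com",
                                            "oc://ios.owncloud.com"]}}

# URLs copied from the appliance flow in the thread (state is URL-encoded there).
AUTHORIZE_URL = ("https://ucsd.owncloud.works/signin/v1/identifier/_/authorize?response_type=code"
                 "&client_id=" + CLIENT_ID + "&redirect_uri=http://localhost:49316"
                 "&code_challenge=8sQ92KmAK4jyDq1cqztR9xb6IReL0UlayXc4YwAi_9M&code_challenge_method=S256"
                 "&scope=openid%20offline_access%20email%20profile&prompt=consent"
                 "&state=-zdAFfv3zwj_IAzJB_wUWjTP0OAmw3l6EetsTrEpVg4%3D")
STATE = "-zdAFfv3zwj_IAzJB_wUWjTP0OAmw3l6EetsTrEpVg4="
ERROR_CALLBACK = ("http://localhost:49316/?error=access_denied&error_description=unknown%20client_id%3A%20"
                  + CLIENT_ID + "&state=-zdAFfv3zwj_IAzJB_wUWjTP0OAmw3l6EetsTrEpVg4%3D")

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def redirect_uri_allowed(client, uri):
    """Exact match, except a native client's http loopback URI may use any port
    (the desktop app picks one per login, e.g. 49316 or 49295)."""
    u = urlsplit(uri)
    for reg in client["redirect_uris"]:
        r = urlsplit(reg)
        loopback = u.scheme == r.scheme == "http" and u.hostname == r.hostname \
            and u.hostname in ("localhost", "127.0.0.1")
        if client["application_type"] == "native" and loopback:
            return True
        if (r.scheme, r.netloc, r.path) == (u.scheme, u.netloc, u.path):
            return True
    return False

def check_authorize_request(url):
    """What the IdP decides before showing the login page."""
    q = _query(url)
    client = REGISTERED.get(q.get("client_id"))
    if client is None:
        return "error", "unknown client_id"          # the appliance's answer in the thread
    if not redirect_uri_allowed(client, q.get("redirect_uri", "")):
        return "error", "invalid redirect_uri"
    if q.get("code_challenge_method") != "S256":
        return "error", "PKCE S256 required for native clients"
    return "ok", q

def check_callback(callback_url, expected_state):
    """What the app does with the browser redirect: bind it to its own request first."""
    q = _query(callback_url)
    if q.get("state") != expected_state:
        return "error", "state mismatch"
    if "error" in q:
        return "error", q.get("error_description", q["error"])
    return "ok", q["code"]
```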