Expansion of OIDC documentation

[mpldr]

Since OCIS no longer has integrated authentication, it would be nice to have a dedicated page with information about setting up OIDC instead of having to search through issues and various blogs that may or may not be available in a month.

Information I found particularly useful:

• OCIS considers itself to be a public client
• (some) relevant Environment variable names

[micbar]

@mpldr Thanks for the ticket.

I would ask back which parts are missing from your POV.

We provide examples for keycloak. https://owncloud.dev/ocis/deployment/ocis_keycloak/

[micbar]

@mmattel FYI

[mpldr]

On Fri Mar 31, 2023 at 10:21 AM CEST, Michael Barz wrote:

We provide examples for keycloak. https://owncloud.dev/ocis/deployment/ocis_keycloak/ And that's just what I imagined for OIDC as well (maybe under Deployment > Authentication > oCIS with OIDC)

I would ask back which parts are missing from your POV. I think in that regard other projects have strengths to adapt and weaknesses to learn from in their documentation:

headscale (https://github.com/juanfont/headscale/blob/main/docs/oidc.md)

• minimal config example
• Step by Step for a popular provider (that can be community-sourced)
• missing cross-references (other relevant parts of the docs)

Synapse (https://matrix-org.github.io/synapse/latest/openid.html)

• ToC with overview over different providers
• too much focus on how to do things with specific providers instead of general instructions

soju (https://soju.im/doc/soju.1.html#CONFIG_FILE) (see auth oauth)

• short, clear and to the point
• linking relevant RFC

CodiMD (https://hackmd.io/c/codimd-documentation/%2F%40codimd%2Fcodimd-generic-oauth-2)

• handy table of configuration variables

Snipe-IT (https://snipe-it.readme.io/docs/ldap-sync-login)

• important information is highlighted
• a table of configuration variables

Drawing inspiration from that, I'd suggest:

• moving Keycloak into their own subsection under deployment
• provide an example configuration/docker-compose.yml (conversion can be left up to the user imho)
• a ToC for long pages
• a community section for people to share instructions for specific providers
• a table of configuration variables
• highlights for important information (if any)

-- Moritz Poldrack https://moritz.sh

[mpldr]

I'll also gladly contribute my findings once I finally manage to convince oCIS to get the ocRole claim from the returned JWT.

-- Moritz Poldrack https://moritz.sh

[mpldr]

Okay, I have successfully made it work, but am not too sure what exactly was the change that actually convinced it.

[mpldr]

Another interesting piece of information: there must only be one role claim. Having group inheritance is not supported at the moment.

[Yasamato]

To pick up on this: https://github.com/owncloud/ocis/issues/2445#issuecomment-907392492

1. Please include the information for not being able to set a client secret into the documentation.
2. This seems to be a technical debt as the client secret provides an additional layer of security (see domain hijacking or man in the middle attacks).

[mpldr]

Please include the information for not being able to set a client secret into the documentation. — @Yasamato

I would honestly prefer that IDP was expanded to include secret-capabilities. This would of course mean that ISP had to keep state, which seems to be against the idea. Going by the definition, I think OCIS should be considered a confidential client. It doesn't act like one though.

[micbar]

I would honestly prefer that IDP was expanded to include secret-capabilities. This would of course mean that ISP had to keep state, which seems to be against the idea. Going by the definition, I think OCIS should be considered a confidential client. It doesn't act like one though.

The ocis desktop and mobile clients use client secrets as you can see in the default ocis configuration. The web client does not, like it was explained above. It uses the PSKE code challenge.

What is exactly the problem you need to solve?

[mpldr]

What is exactly the problem you need to solve?

Users complaining that they get redirected through the identity provider each and every time they access OCIS, which can be especially bad for them if they want to access a file semi-quickly and have bad reception in rural areas. (The OIDC-Providers page isn't exactly lightweight either)

So far I have only received 2 complaints about it (with <10 users), one of which called it "annoying because my screen keeps flashing".

[mpldr]

Patch on the docs is WIP btw.

[micbar]

Users complaining that they get redirected through the identity provider each and every time they access OCIS, which can be especially bad for them if they want to access a file semi-quickly and have bad reception in rural areas. (The OIDC-Providers page isn't exactly lightweight either)

Ok but that is a different issue. That depends on the session lifetime of the IdP.

[mpldr]

Thanks, I'll add it to the OIDC doc page.

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 10 days if no further activity occurs. Thank you for your contributions.

[mpldr]

This bot is a bane on the Free Software world