owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

Profile photo not being set from external IDP claims #7659

Open pascuflow opened 9 months ago

pascuflow commented 9 months ago

Describe the bug

After sending the picture claim on the access token, the user profile picture is not set on ocis.

Steps to reproduce

1. Set up an external IDP and openid-configuration json.
2. Return an access_token with the picture claim from the token_endpoint.
3. Go through your ocis domain and the OIDC flow with your external IDP; once successfully signed in, the user profile picture is not set.

Expected behavior

The profile picture of the logged in user is shown on the Web UI of ocis.

Actual behavior

There are letters on the profile circle instead of a photo.

Setup

1. Set up an external web server and host your openid-configuration.json:

```json
{
  "issuer": "https://youridp.com",
  "authorization_endpoint": "https://youridp.com/auth",
  "token_endpoint": "https://youridp.com/api/token",
  "userinfo_endpoint": "https://youridp.com/api/userinfo",
  "end_session_endpoint": "https://youridp.com",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "PS256"
  ],
  "jwks_uri": "https://youridp.com/.well-known/jwks.json",
  "scopes_supported": [
    "openid",
    "email",
    "profile"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "token_endpoint_auth_methods_supported": [
    "none"
  ],
  "claims_supported": [
    "iss",
    "sub",
    "aud",
    "exp",
    "iat",
    "name",
    "picture",
    "family_name",
    "given_name",
    "email",
    "email_verified"
  ]
}
```

2. Build the OIDC endpoints.
3. Set the claims and return the access and id tokens to your ocis server:

```js
const accessTokenPayload = {
  iss: youridp,
  sub: user.id,
  aud: "web",
  scp: "profile email openid",
  name: user.name,
  picture: user.profilePhoto,
  email: `${user.email}@example.com`,
  preferred_username: user.name
};
...
return res.json({
  token_type: "Bearer",
  expires_in: 300,
  id_token: token,
  access_token: accessToken,
});
```

4. Set up your ocis server following the docs: https://doc.owncloud.com/ocis/next/deployment/container/container-setup.html
5. Configure ocis to use an external IDP using envs like those mentioned here: https://github.com/owncloud/ocis/blob/master/deployments/examples/ocis_keycloak/docker-compose.yml
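An added example, not ocis's own code: if a relying party did consume the `picture` claim from the token payload, this Go snippet shows how it could be extracted and validated before being used as a profile image URL. The function names, the https-only rule and the length limit are assumptions; the IDP controls the claim value, so the relying party must treat it as untrusted input and must verify the token signature before decoding it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// PictureClaim returns the "picture" claim from a decoded OIDC token payload,
// accepting it only as an absolute https URL without embedded credentials.
// The IDP controls this value, so it is untrusted input for the relying party.
func PictureClaim(claims map[string]interface{}) (string, error) {
	raw, ok := claims["picture"].(string)
	if !ok || raw == "" {
		return "", errors.New("picture claim absent")
	}
	if len(raw) > 2048 { // assumed upper bound for a profile image URL
		return "", errors.New("picture claim too long")
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil {
		return "", fmt.Errorf("picture claim is not a plain https URL: %q", raw)
	}
	return u.String(), nil
}

// PayloadClaims decodes the claims segment of a compact JWS (header.payload.signature).
// It assumes the signature was already verified against the IDP's jwks_uri by the
// OIDC library; it performs no verification itself.
func PayloadClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	b, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(b, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}
```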

micbar commented 9 months ago

This feature is currently not implemented.

micbar commented 9 months ago

@tbsbdr FYI

micbar commented 2 months ago

There is currently no possible way to set up a profile picture in ocis. So this is a feature request.