owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

401 Unauthorized Graph Service Errors with External OIDC #8155

Open easez88 opened 10 months ago

easez88 commented 10 months ago

Describe the bug

After enabling an external OIDC (Authentik) I am seeing errors generated in the logs. Authentication seems to work correctly, but I can't identify the issue.

Steps to reproduce

  1. Enable external OIDC
  2. Confirm authentication works
  3. See errors generated in logs

Expected behavior

All authentication to work correctly.

Actual behavior

Getting 401 unauthorized errors spammed in logs.

Jan 08 13:08:59 mail3.arbetsformedlingen.se ocis[38758]: 2024-01-08T13:08:59-05:00 ERR failed to authenticate the request error="failed to get userinfo: 401 Unauthorized: " authenticator=oidc path=/graph/v1.0/me/drives service=proxy
Jan 08 13:08:59 mail3.arbetsformedlingen.se ocis[38758]: 2024-01-08T13:08:59-05:00 ERR failed to authenticate the request error="failed to get userinfo: 401 Unauthorized: " authenticator=oidc path=/remote.php/webdav/ service=proxy

Setup

Started server with systemd.

ocis.env

OCIS_INSECURE=false
OCIS_URL=https://mydomain.tld

OCIS_CONFIG_DIR=/mnt/data/.config/
OCIS_BASE_DATA_PATH=/mnt/data/

OCIS_OIDC_ISSUER=https://myauthdomain.tld/application/o/owncloud/
WEB_OIDC_CLIENT_ID=RandomClientId

OCIS_EXCLUDE_RUN_SERVICES=idp

proxy.yaml

log_level: debug
enable_basic_auth: true
auto_provision_accounts: true
user_oidc_claim: preferred_username
http:
  addr: 0.0.0.0:9200
  tls: false
oidc:
  access_token_verify_method: none
  rewrite_well_known: true
role_assignment:
  driver: default
  oidc_role_mapper:
      role_claim: groups
      role_mapping:
        - role_name: admin
          claim_value: Admins
        - role_name: user
          claim_value: owncloudUsers

gi-yt commented 4 days ago

@easez88 did you find any solution for this? I am having the same issue.

easez88 commented 3 days ago

No, unfortunately I did not, sorry.

micbar commented 3 days ago

It looks like ocis tries to call the /userinfo endpoint on authentik and authentik gives you a 401.

micbar commented 3 days ago

Do you have some way to intercept the requests to authentik and paste the payload here?

micbar commented 3 days ago

Might be related to https://github.com/goauthentik/authentik/issues/2329
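The diagnosis in the comments above (the proxy calls the provider's userinfo endpoint and gets a 401) can be reproduced outside ocis with the following Go program. This is an added example written for this thread, not code from the ocis project or from any participant. It performs the same two steps the proxy performs: it reads the discovery document under OCIS_OIDC_ISSUER, then presents an access token to the advertised userinfo_endpoint as a Bearer credential. It separates the three failure modes that all surface as "failed to authenticate" in the proxy log: a wrong issuer (discovery fails), a rejected token (401, with the provider's WWW-Authenticate hint), and a token that is accepted but whose userinfo response lacks the claims the posted proxy.yaml relies on (preferred_username as user_oidc_claim, groups as role_claim). The ACCESS_TOKEN environment variable is an assumption made here for the example; the /application/o/... paths are only used as constructed sample values. Note that with access_token_verify_method: none, as in the posted proxy.yaml, the proxy does no local signature check and the userinfo round-trip is the only validation of the token, so this is exactly the request whose payload is being asked for.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// Discovery holds the two fields of the OpenID Connect discovery document this check needs.
type Discovery struct {
	Issuer           string `json:"issuer"`
	UserinfoEndpoint string `json:"userinfo_endpoint"`
}

// ErrUnauthorized is returned when the provider answers the userinfo request with 401,
// the condition the proxy logs as "failed to get userinfo: 401 Unauthorized".
var ErrUnauthorized = errors.New("userinfo: 401 Unauthorized")

// FetchDiscovery loads <issuer>/.well-known/openid-configuration and returns the
// advertised userinfo endpoint. A wrong OCIS_OIDC_ISSUER shows up here, not as a 401.
func FetchDiscovery(client *http.Client, issuer string) (*Discovery, error) {
	url := strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("discovery: %s returned %s", url, resp.Status)
	}
	var d Discovery
	if err := json.NewDecoder(resp.Body).Decode(&d); err != nil {
		return nil, fmt.Errorf("discovery: decode: %w", err)
	}
	if d.UserinfoEndpoint == "" {
		return nil, errors.New("discovery: no userinfo_endpoint advertised")
	}
	return &d, nil
}

// FetchUserinfo presents the access token as a Bearer credential and returns the claims.
// On 401 it returns ErrUnauthorized together with the WWW-Authenticate header, which
// RFC 6750 providers use to state why the token was rejected (e.g. error="invalid_token").
func FetchUserinfo(client *http.Client, endpoint, accessToken string) (map[string]interface{}, string, error) {
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	if err != nil {
		return nil, "", err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := client.Do(req)
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if resp.StatusCode == http.StatusUnauthorized {
		return nil, resp.Header.Get("WWW-Authenticate"), ErrUnauthorized
	}
	if resp.StatusCode != http.StatusOK {
		return nil, "", fmt.Errorf("userinfo: %s: %s", resp.Status, strings.TrimSpace(string(body)))
	}
	claims := map[string]interface{}{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, "", fmt.Errorf("userinfo: decode: %w", err)
	}
	return claims, "", nil
}

// MissingClaims lists which of the claims the proxy depends on (user_oidc_claim and
// role_claim in the posted proxy.yaml) are absent from a successful userinfo response.
func MissingClaims(claims map[string]interface{}, wanted ...string) []string {
	var missing []string
	for _, name := range wanted {
		if _, ok := claims[name]; !ok {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	issuer := os.Getenv("OCIS_OIDC_ISSUER")
	token := os.Getenv("ACCESS_TOKEN") // hypothetical variable: a test token obtained from the provider
	if issuer == "" || token == "" {
		fmt.Fprintln(os.Stderr, "usage: OCIS_OIDC_ISSUER=<issuer> ACCESS_TOKEN=<token> go run .")
		os.Exit(2)
	}
	client := &http.Client{Timeout: 10 * time.Second}
	d, err := FetchDiscovery(client, issuer)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	claims, hint, err := FetchUserinfo(client, d.UserinfoEndpoint, token)
	if err != nil {
		// The token itself is never printed; only the status and the provider's hint.
		fmt.Fprintf(os.Stderr, "%s: %v (WWW-Authenticate: %q)\n", d.UserinfoEndpoint, err, hint)
		os.Exit(1)
	}
	fmt.Printf("userinfo OK; missing claims: %v\n", MissingClaims(claims, "preferred_username", "groups"))
}
```

Run it with the same OCIS_OIDC_ISSUER value as in ocis.env and a token issued to the WEB_OIDC_CLIENT_ID client. The output deliberately contains only the endpoint, the status and the WWW-Authenticate value, which is the part of the exchange worth attaching to an issue; the token and the ocis.env secrets stay out of it.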