owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

oCIS + Keycloak + desktop app: crash and wrong URL when re-authenticating #8738

Open doruchan opened 8 months ago

doruchan commented 8 months ago

Hello,

I have followed the guide to install owncloud's ocis with keycloak, and everything works as expected using the web browser.

When using the Desktop app, I can authenticate correctly once, but after a few minutes (around 10 minutes) the app kicks me out and I need to re-authenticate. At this point, the URL for the authentication is wrong, and not pointing to the correct keycloak URL.

Steps to reproduce

The only way to get the correct URL again is to forget the account and re-create it.

Additional issues

Setup

I used the docker-compose examples from the Documentation, and imported the oCIS realm in my Keycloak instance.

My environment variables in the ocis docker are:

| Variable | Value |
| -- | -- |
| IDM_ADMIN_PASSWORD | admin |
| IDM_CREATE_DEMO_USERS | false |
| OCIS_INSECURE | true |
| OCIS_LOG_COLOR | false |
| OCIS_LOG_LEVEL | info |
| OCIS_OIDC_ISSUER | https://keycloak.mydomain.net/realms/oCIS |
| OCIS_URL | https://owncloud.mydomain.net |
| PATH | /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin |
| PGID | 1000 |
| PROXY_AUTOPROVISION_ACCOUNTS | true |
| PROXY_ENABLE_BASIC_AUTH | false |
| PROXY_OIDC_ISSUER | https://keycloak.mydomain.net/realms/oCIS |
| PROXY_OIDC_REWRITE_WELLKNOWN | true |
| PROXY_ROLE_ASSIGNMENT_DRIVER | oidc |
| PROXY_TLS | false |
| PROXY_USER_CS3_CLAIM | username |
| PROXY_USER_OIDC_CLAIM | preferred_username |
| PUID | 1000 |
| WEB_OIDC_AUTHORITY | https://keycloak.mydomain.net/realms/oCIS |
| WEB_OIDC_CLIENT_ID | web |
| WEB_OIDC_METADATA_URL | https://keycloak.mydomain.net/realms/oCIS/.well-known/openid-configuration |

Go Stacktrace when authenticating from the Desktop app:

```console
2024/03/26 14:59:59 http: panic serving 192.168.90.254:35814: runtime error: invalid memory address or nil pointer dereference
goroutine 19100 [running]:
net/http.(*conn).serve.func1()
	net/http/server.go:1898 +0xbe
panic({0x439f7c0?, 0x6473280?})
	runtime/panic.go:770 +0x132
net/http.(*Client).deadline(0x61c385?)
	net/http/client.go:193 +0xe
net/http.(*Client).do(0x0, 0xc0087eb7a0)
	net/http/client.go:608 +0x1f6
net/http.(*Client).Do(...)
	net/http/client.go:590
net/http.(*Client).Get(0x0, {0xc0084145a0?, 0x422ba40?})
	net/http/client.go:487 +0x5f
github.com/owncloud/ocis/v2/services/proxy/pkg/staticroutes.(*StaticRouteHandler).oIDCWellKnownRewrite(0xc00141f188, {0x7f6c1bc96560, 0xc002ff8540}, 0x1?)
	github.com/owncloud/ocis/v2/services/proxy/pkg/staticroutes/oidc_well-known.go:14 +0x73
net/http.HandlerFunc.ServeHTTP(0xc000fdca50?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc008488270?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc00155c780, {0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb560)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:459 +0x2e6
net/http.HandlerFunc.ServeHTTP(0xc00b3fe960?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc000bddc40?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc00155c780, {0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb560)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:73 +0x32f
github.com/go-chi/chi/v5.(*Mux).Mount.func1({0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb560)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:327 +0x1bb
net/http.HandlerFunc.ServeHTTP(0xc000fdca50?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc00792bf84?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc00155c720, {0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb560)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:459 +0x2e6
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0x64775b0?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc00155c720, {0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb440)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:90 +0x2ee
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.createHome.ServeHTTP({{0x4930460, 0xc00155c720}, {{{0x493da90, 0xc001537440}, 0x1, {0x0, 0x0}, {0xc001addc00, 0x12, 0x1f4}, ...}}, ...}, ...)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/create_home.go:44 +0x642
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.Policies.func1.1({0x7f6c1bc96560?, 0xc002ff8540?}, 0xea24d5f9b3cb6da0?)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/policies.go:52 +0x277
net/http.HandlerFunc.ServeHTTP(0x0?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0x0?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.selectorCookie.ServeHTTP({{0x492d278, 0xc0015680a0}, {{{0x493da90, 0xc001537440}, 0x1, {0x0, 0x0}, {0xc001addc00, 0x12, 0x1f4}, ...}}, ...}, ...)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/selector_cookie.go:36 +0x266
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.accountResolver.ServeHTTP({{0x4930fc0, 0xc000fe3400}, {{{0x493da90, 0xc001537440}, 0x1, {0x0, 0x0}, {0xc001addc00, 0x12, 0x1f4}, ...}}, ...}, ...)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:89 +0xb68
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.Authentication.func1.1({0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb320)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/authentication.go:71 +0x3b7
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0x677cac0?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/router.Middleware.func1.1({0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb200)
	github.com/owncloud/ocis/v2/services/proxy/pkg/router/router.go:32 +0x23f
net/http.HandlerFunc.ServeHTTP(0xc00b3fe690?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc000bdef01?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.HTTPSRedirect.func1({0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb200)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/https_redirect.go:17 +0x136
net/http.HandlerFunc.ServeHTTP(0x6483150?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc008488000?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/command.loadMiddlewares.AccessLog.func37.1({0x7f6c1bc96560, 0xc002ff84c0}, 0xc0087eb200)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:21 +0x130
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x7f6c1bc96560?, 0xc002ff84c0?}, 0x3fbee00?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5/middleware.RequestID.func1({0x7f6c1bc96560, 0xc002ff84c0}, 0xc0087eafc0)
	github.com/go-chi/chi/v5@v5.0.12/middleware/request_id.go:76 +0x20e
net/http.HandlerFunc.ServeHTTP(0xc0087eafc0?, {0x7f6c1bc96560?, 0xc002ff84c0?}, 0xc000bdf1d8?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5/middleware.RealIP.func1({0x7f6c1bc96560, 0xc002ff84c0}, 0xc0087eafc0)
	github.com/go-chi/chi/v5@v5.0.12/middleware/realip.go:36 +0x95
net/http.HandlerFunc.ServeHTTP(0x6483170?, {0x7f6c1bc96560?, 0xc002ff84c0?}, 0x6?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/command.loadMiddlewares.Instrumenter.func36.1({0x494d170, 0xc001e7c5a0}, 0xc0087eafc0)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/metrics.go:20 +0x17c
net/http.HandlerFunc.ServeHTTP(0xbdf2f0?, {0x494d170?, 0xc001e7c5a0?}, 0x494a310?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/ocis-pkg/middleware.TraceContext.func1({0x494d170, 0xc001e7c5a0}, 0xc0087eaea0)
	github.com/owncloud/ocis/v2/ocis-pkg/middleware/tracing.go:19 +0x168
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x494d170?, 0xc001e7c5a0?}, 0x494a310?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.tracer.ServeHTTP({{0x492d278?, 0xc00155a438?}, {0x493e210?, 0xc001525c20?}}, {0x494d170, 0xc001e7c5a0}, 0xc0087ead80)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/tracing.go:50 +0x474
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*middleware).serveHTTP(0xc0015509c0, {0x4945f48, 0xc0022edc00}, 0xc0087eab40, {0x492ebc0, 0xc0019a8980})
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.49.0/handler.go:225 +0x1243
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.NewMiddleware.func1.1({0x4945f48?, 0xc0022edc00?}, 0x4e366f?)
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.49.0/handler.go:83 +0x35
net/http.HandlerFunc.ServeHTTP(0x473479?, {0x4945f48?, 0xc0022edc00?}, 0xc000bdfb68?)
	net/http/server.go:2166 +0x29
net/http.serverHandler.ServeHTTP({0xc00b4ec930?}, {0x4945f48?, 0xc0022edc00?}, 0x6?)
	net/http/server.go:3137 +0x8e
net/http.(*conn).serve(0xc001c69cb0, {0x49527c0, 0xc00165dbc0})
	net/http/server.go:2039 +0x5e8
created by net/http.(*Server).Serve in goroutine 242
	net/http/server.go:3285 +0x4b4
2024/03/26 14:59:59 http: panic serving 192.168.90.254:35816: runtime error: invalid memory address or nil pointer dereference
goroutine 19102 [running]:
net/http.(*conn).serve.func1()
	net/http/server.go:1898 +0xbe
panic({0x439f7c0?, 0x6473280?})
	runtime/panic.go:770 +0x132
net/http.(*Client).deadline(0x61c385?)
	net/http/client.go:193 +0xe
net/http.(*Client).do(0x0, 0xc007fae480)
	net/http/client.go:608 +0x1f6
net/http.(*Client).Do(...)
	net/http/client.go:590
net/http.(*Client).Get(0x0, {0xc002dccb90?, 0x0?})
	net/http/client.go:487 +0x5f
github.com/owncloud/ocis/v2/services/proxy/pkg/staticroutes.(*StaticRouteHandler).oIDCWellKnownRewrite(0xc00141f188, {0x7f6c1bc96560, 0xc001091ec0}, 0x1?)
	github.com/owncloud/ocis/v2/services/proxy/pkg/staticroutes/oidc_well-known.go:14 +0x73
net/http.HandlerFunc.ServeHTTP(0xc000fdc870?, {0x7f6c1bc96560?, 0xc001091ec0?}, 0xc00934fe30?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc00155c780, {0x7f6c1bc96560, 0xc001091ec0}, 0xc007fae240)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:459 +0x2e6
net/http.HandlerFunc.ServeHTTP(0xc00b4ed1a0?, {0x7f6c1bc96560?, 0xc001091ec0?}, 0xc00257dc40?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc00155c780, {0x7f6c1bc96560, 0xc001091ec0}, 0xc007fae240)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:73 +0x32f
github.com/go-chi/chi/v5.(*Mux).Mount.func1({0x7f6c1bc96560, 0xc001091ec0}, 0xc007fae240)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:327 +0x1bb
net/http.HandlerFunc.ServeHTTP(0xc000fdc870?, {0x7f6c1bc96560?, 0xc001091ec0?}, 0xc00934fb34?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc00155c720, {0x7f6c1bc96560, 0xc001091ec0}, 0xc007fae240)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:459 +0x2e6
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x7f6c1bc96560?, 0xc001091ec0?}, 0x64775b0?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc00155c720, {0x7f6c1bc96560, 0xc001091ec0}, 0xc007fae120)
	github.com/go-chi/chi/v5@v5.0.12/mux.go:90 +0x2ee
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.createHome.ServeHTTP({{0x4930460, 0xc00155c720}, {{{0x493da90, 0xc001537440}, 0x1, {0x0, 0x0}, {0xc001addc00, 0x12, 0x1f4}, ...}}, ...}, ...)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/create_home.go:44 +0x642
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.Policies.func1.1({0x7f6c1bc96560?, 0xc001091ec0?}, 0x49a3a0eef93fc216?)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/policies.go:52 +0x277
net/http.HandlerFunc.ServeHTTP(0x0?, {0x7f6c1bc96560?, 0xc001091ec0?}, 0x0?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.selectorCookie.ServeHTTP({{0x492d278, 0xc0015680a0}, {{{0x493da90, 0xc001537440}, 0x1, {0x0, 0x0}, {0xc001addc00, 0x12, 0x1f4}, ...}}, ...}, ...)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/selector_cookie.go:36 +0x266
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.accountResolver.ServeHTTP({{0x4930fc0, 0xc000fe3400}, {{{0x493da90, 0xc001537440}, 0x1, {0x0, 0x0}, {0xc001addc00, 0x12, 0x1f4}, ...}}, ...}, ...)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:89 +0xb68
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.Authentication.func1.1({0x7f6c1bc96560, 0xc001091ec0}, 0xc007fae000)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/authentication.go:71 +0x3b7
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x7f6c1bc96560?, 0xc001091ec0?}, 0x677cac0?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/router.Middleware.func1.1({0x7f6c1bc96560, 0xc001091ec0}, 0xc0074f5e60)
	github.com/owncloud/ocis/v2/services/proxy/pkg/router/router.go:32 +0x23f
net/http.HandlerFunc.ServeHTTP(0xc00b4ecea0?, {0x7f6c1bc96560?, 0xc001091ec0?}, 0xc002322f01?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.HTTPSRedirect.func1({0x7f6c1bc96560, 0xc001091ec0}, 0xc0074f5e60)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/https_redirect.go:17 +0x136
net/http.HandlerFunc.ServeHTTP(0x6483150?, {0x7f6c1bc96560?, 0xc001091ec0?}, 0xc00934fc80?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/command.loadMiddlewares.AccessLog.func37.1({0x7f6c1bc96560, 0xc001091e40}, 0xc0074f5e60)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:21 +0x130
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x7f6c1bc96560?, 0xc001091e40?}, 0x3fbee00?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5/middleware.RequestID.func1({0x7f6c1bc96560, 0xc001091e40}, 0xc0074f5c20)
	github.com/go-chi/chi/v5@v5.0.12/middleware/request_id.go:76 +0x20e
net/http.HandlerFunc.ServeHTTP(0xc0074f5c20?, {0x7f6c1bc96560?, 0xc001091e40?}, 0xc0023231d8?)
	net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5/middleware.RealIP.func1({0x7f6c1bc96560, 0xc001091e40}, 0xc0074f5c20)
	github.com/go-chi/chi/v5@v5.0.12/middleware/realip.go:36 +0x95
net/http.HandlerFunc.ServeHTTP(0x6483170?, {0x7f6c1bc96560?, 0xc001091e40?}, 0x6?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/command.loadMiddlewares.Instrumenter.func36.1({0x494d170, 0xc0017aa900}, 0xc0074f5c20)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/metrics.go:20 +0x17c
net/http.HandlerFunc.ServeHTTP(0x23232f0?, {0x494d170?, 0xc0017aa900?}, 0x494a310?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/ocis-pkg/middleware.TraceContext.func1({0x494d170, 0xc0017aa900}, 0xc0074f5b00)
	github.com/owncloud/ocis/v2/ocis-pkg/middleware/tracing.go:19 +0x168
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x494d170?, 0xc0017aa900?}, 0x494a310?)
	net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.tracer.ServeHTTP({{0x492d278?, 0xc00155a438?}, {0x493e210?, 0xc001525c20?}}, {0x494d170, 0xc0017aa900}, 0xc0074f59e0)
	github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/tracing.go:50 +0x474
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*middleware).serveHTTP(0xc0015509c0, {0x4945f48, 0xc001408c40}, 0xc0074f57a0, {0x492ebc0, 0xc0019a8980})
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.49.0/handler.go:225 +0x1243
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.NewMiddleware.func1.1({0x4945f48?, 0xc001408c40?}, 0x4e366f?)
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.49.0/handler.go:83 +0x35
net/http.HandlerFunc.ServeHTTP(0x473479?, {0x4945f48?, 0xc001408c40?}, 0xc002622b68?)
	net/http/server.go:2166 +0x29
net/http.serverHandler.ServeHTTP({0xc00b4ece70?}, {0x4945f48?, 0xc001408c40?}, 0x6?)
	net/http/server.go:3137 +0x8e
net/http.(*conn).serve(0xc002009830, {0x49527c0, 0xc00165dbc0})
	net/http/server.go:2039 +0x5e8
created by net/http.(*Server).Serve in goroutine 242
	net/http/server.go:3285 +0x4b4
```

ownCloud Desktop app HTTP log:

```console
24-03-26 15:16:48:383 [ info gui.account.state ]: Invalid credentials for "https://owncloud.mydomain.net"
24-03-26 15:16:48:383 [ info gui.account.state ]: refreshing oauth
24-03-26 15:16:48:383 [ info gui.account.state ]: refreshing oauth failed
24-03-26 15:16:48:383 [ info gui.account.state ]: asking user
24-03-26 15:16:48:383 [ info gui.account.state ]: AccountState state change: OCC::AccountState::Connected -> OCC::AccountState::AskingCredentials
24-03-26 15:16:48:383 [ debug gui.account.settings ] [ OCC::AccountSettings::slotAccountStateChanged ]: showing modal dialog asking user to log in again via OAuth2
24-03-26 15:16:48:435 [ debug sync.credentials.oauth ] [ OCC::AccountBasedOAuth::startAuthentication ]: fetching dynamic registration data
24-03-26 15:16:48:435 [ info sync.credentials.manager ]: get "ownCloud_credentials:owncloud.mydomain.net:f35dd146-7a56-44d1-95ab-d9faa93137e1:http/clientSecret"
24-03-26 15:16:48:435 [ debug sync.credentials.manager ] [ OCC::CredentialJob::start ]: We don't know "http/clientSecret" skipping retrieval from keychain
24-03-26 15:16:48:439 [ debug sync.credentials.oauth ] [ OCC::AccountBasedOAuth::startAuthentication::::operator() ]: fetched dynamic registration data successfully
24-03-26 15:16:48:439 [ debug sync.credentials.oauth ] [ `anonymous-namespace'::logCredentialsJobResult ]: credentials job has finished
24-03-26 15:16:48:439 [ info sync.credentials.oauth ]: Failed to read client id ""
24-03-26 15:16:48:439 [ debug sync.credentials.oauth ] [ OCC::OAuth::startAuthentication ]: starting authentication
24-03-26 15:16:48:439 [ debug sync.credentials.oauth ] [ OCC::AccountBasedOAuth::fetchWellKnown ]: starting CheckServerJob before fetching "/.well-known/openid-configuration"
24-03-26 15:16:48:483 [ info sync.httplogger ]: "847ab280-8a2c-429b-bd31-fafb97fe4ac5: Request: GET https://owncloud.mydomain.net/status.php Header: { OC-Connection-Validator: desktop, User-Agent: Mozilla/5.0 (Windows) mirall/5.2.1.13040 (ownCloud, windows-10.0.22635 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Accept-Language: en_NZ, X-Request-ID: 847ab280-8a2c-429b-bd31-fafb97fe4ac5, Original-Request-ID: 847ab280-8a2c-429b-bd31-fafb97fe4ac5, } Data: []"
24-03-26 15:16:48:681 [ info sync.httplogger ]: "847ab280-8a2c-429b-bd31-fafb97fe4ac5: Response: GET 200 (197ms) https://owncloud.mydomain.net/status.php Header: { Date: Tue, 26 Mar 2024 14:16:48 GMT, Content-Type: application/json, Transfer-Encoding: chunked, Connection: keep-alive, content-security-policy: default-src 'none';, permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=(), referrer-policy: same-origin, strict-transport-security: max-age=63072000; includeSubDomains; preload, vary: Accept-Encoding, Origin, x-content-type-options: nosniff, x-download-options: noopen, x-frame-options: SAMEORIGIN, x-permitted-cross-domain-policies: none, x-request-id: 847ab280-8a2c-429b-bd31-fafb97fe4ac5, x-robots-tag: none,noarchive,nosnippet,notranslate,noimageindex,, x-xss-protection: 1; mode=block, CF-Cache-Status: DYNAMIC, Report-To: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=DKSGN%2BxXxHIFMm2fPf5%2B0dKs3u0fr4hKn4C79CYcVNQWUsY9KRqvLWnPBm8hHhfk5QpNGLfwtVjKhm13KJpRlt9uj2tED%2BVQM7L680xehEE50NtWeZq602lp6%2Bwup8lmR79frTV8Ag%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}, NEL: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}, Server: cloudflare, CF-RAY: 86a7c2b55db92f87-MAD, Content-Encoding: br, alt-svc: h3=\":443\"; ma=86400, } Data: [{\n \"installed\": true,\n \"maintenance\": false,\n \"needsDbUpgrade\": false,\n \"version\": \"10.11.0.0\",\n \"versionstring\": \"10.11.0\",\n \"edition\": \"Community\",\n \"productname\": \"Infinite Scale\",\n \"product\": \"Infinite Scale\",\n \"productversion\": \"5.1.0-prealpha+8f0b536ef\"\n}]"
24-03-26 15:16:48:681 [ info sync.checkserverjob ]: status.php returns: QJsonDocument({"edition":"Community","installed":true,"maintenance":false,"needsDbUpgrade":false,"product":"Infinite Scale","productname":"Infinite Scale","productversion":"5.1.0-prealpha+8f0b536ef","version":"10.11.0.0","versionstring":"10.11.0"}) QNetworkReply::NoError Reply: QNetworkReplyHttpImpl(0x1e1bd842750)
24-03-26 15:16:48:681 [ debug sync.credentials.oauth ] [ OCC::AccountBasedOAuth::fetchWellKnown::::operator() ]: CheckServerJob succeeded, fetching "/.well-known/openid-configuration"
24-03-26 15:16:48:681 [ debug sync.credentials.oauth ] [ OCC::OAuth::fetchWellKnown ]: fetching "/.well-known/openid-configuration"
24-03-26 15:16:48:725 [ info sync.httplogger ]: "fe9ce41f-3b17-46b5-aa62-3f93f3d39c07: Request: GET https://owncloud.mydomain.net/.well-known/openid-configuration Header: { User-Agent: Mozilla/5.0 (Windows) mirall/5.2.1.13040 (ownCloud, windows-10.0.22635 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Accept-Language: en_NZ, X-Request-ID: fe9ce41f-3b17-46b5-aa62-3f93f3d39c07, Original-Request-ID: fe9ce41f-3b17-46b5-aa62-3f93f3d39c07, } Data: []"
24-03-26 15:16:48:826 [ info sync.httplogger ]: "fe9ce41f-3b17-46b5-aa62-3f93f3d39c07: Response: GET 502 (Error: Error transferring https://owncloud.mydomain.net/.well-known/openid-configuration - server replied: Bad Gateway,101ms) https://owncloud.mydomain.net/.well-known/openid-configuration Header: { Date: Tue, 26 Mar 2024 14:16:48 GMT, Content-Type: text/html; charset=UTF-8, Content-Length: 6360, Connection: keep-alive, Report-To: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=YXdXNTsgTw%2BO%2BEdAoBF80NlI9SI%2BuEeyARPPeTQ275MgP1X3tPjC0XP1A79g8FuOcDM2rsmIrol2bVl4rw1tGTULDyO4oeFL6sIu1P5CcejUdEpRoasYRX2oMnvGB5r4oom8w%2BHybg%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}, NEL: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}, X-Frame-Options: SAMEORIGIN, Referrer-Policy: same-origin, Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, Expires: Thu, 01 Jan 1970 00:00:01 GMT, Server: cloudflare, CF-RAY: 86a7c2b6df9f8675-MAD, alt-svc: h3=\":443\"; ma=86400, } Data: [<Cloudflare HTML error page "owncloud.mydomain.net | 502: Bad gateway", Error code 502, 2024-03-26 14:16:48 UTC: Browser Working, Cloudflare (Madrid) Working, Host owncloud.mydomain.net Error; "The web server reported a bad gateway error." HTML body omitted>]"
```

I'm using the latest version of both the Desktop app and the ocis / keycloak containers:

```console
~ $ ocis version
Version: 5.1.0-prealpha+8f0b536ef
Compiled: 2024-03-26 00:00:00 +0000 UTC
```

thanks!
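The Go stack trace above is self-explaining once read from the bottom of the frame list upward: `(*StaticRouteHandler).oIDCWellKnownRewrite` calls `net/http.(*Client).Get` with receiver `0x0`, and the nil `*http.Client` is dereferenced in `(*Client).deadline` when it reads the `Timeout` field. `net/http` recovers the panic per connection and logs it as `http: panic serving`, which is why the desktop client sees a 502 from the reverse proxy instead of a discovery document. The following example, added here and not code from ocis, reproduces that failure pattern in a hypothetical handler (`wellKnownRewriter`, `serveUnchecked`, `newWellKnownRewriter` and the canned transport are all assumptions of this example) next to a hardened version that guards the nil client, relays only a `200` JSON reply, and fails closed with a 502 and a log line instead of crashing:

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"time"
)

// wellKnownRewriter is a hypothetical stand-in for the proxy route named in
// the stack trace: it fetches the IdP's discovery document and serves it under
// the ocis URL. Type and field names are assumptions of this example.
type wellKnownRewriter struct {
	issuer string       // the OIDC issuer, e.g. the value of OCIS_OIDC_ISSUER
	client *http.Client // nil if whoever built the struct forgot to set it
}

// newWellKnownRewriter is the constructor-level fix: a nil client is replaced
// by one with a timeout, so ServeHTTP can never observe a nil pointer.
func newWellKnownRewriter(issuer string, client *http.Client) *wellKnownRewriter {
	if client == nil {
		client = &http.Client{Timeout: 10 * time.Second}
	}
	return &wellKnownRewriter{issuer: issuer, client: client}
}

// serveUnchecked reproduces the crash pattern in the trace: (*http.Client).Get
// on a nil receiver panics inside (*http.Client).deadline when c.Timeout is read.
func (h *wellKnownRewriter) serveUnchecked(w http.ResponseWriter, r *http.Request) {
	resp, err := h.client.Get(h.issuer + "/.well-known/openid-configuration")
	if err != nil {
		http.Error(w, "OIDC discovery unavailable", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	w.Header().Set("Content-Type", "application/json")
	io.Copy(w, resp.Body)
}

// ServeHTTP is the hardened handler: guard the nil client, relay only a 200
// JSON reply, and cap the upstream body so a misbehaving IdP cannot exhaust memory.
func (h *wellKnownRewriter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if h.client == nil {
		log.Printf("oidc well-known rewrite: http client not initialised")
		http.Error(w, "OIDC discovery unavailable", http.StatusBadGateway)
		return
	}
	resp, err := h.client.Get(h.issuer + "/.well-known/openid-configuration")
	if err != nil {
		http.Error(w, "OIDC discovery unavailable", http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil || resp.StatusCode != http.StatusOK || !json.Valid(body) {
		http.Error(w, "OIDC discovery unavailable", http.StatusBadGateway)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	w.Write(body)
}

// cannedTransport answers every request with a fixed body so the example runs
// offline; the discovery document it returns is constructed sample data.
type cannedTransport struct{ body string }

func (t cannedTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     http.Header{"Content-Type": []string{"application/json"}},
		Body:       io.NopCloser(bytes.NewBufferString(t.body)),
		Request:    req,
	}, nil
}

// callAndRecover invokes a handler the way net/http's per-connection recover
// would: it returns the HTTP status on success, or panicked=true.
func callAndRecover(h http.HandlerFunc) (status int, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/.well-known/openid-configuration", nil)
	h(rec, req)
	return rec.Code, false
}

// runDemo exercises the three cases: unchecked handler with a nil client,
// hardened handler with a nil client, hardened handler with a working client.
func runDemo() (uncheckedPanicked bool, hardenedNilStatus int, hardenedOKStatus int) {
	const issuer = "https://keycloak.mydomain.net/realms/oCIS"
	const sampleDoc = `{"issuer":"` + issuer + `","authorization_endpoint":"` + issuer + `/protocol/openid-connect/auth"}`
	broken := &wellKnownRewriter{issuer: issuer} // client deliberately left nil
	_, uncheckedPanicked = callAndRecover(broken.serveUnchecked)
	hardenedNilStatus, _ = callAndRecover(broken.ServeHTTP)
	fixed := newWellKnownRewriter(issuer, &http.Client{Transport: cannedTransport{body: sampleDoc}})
	hardenedOKStatus, _ = callAndRecover(fixed.ServeHTTP)
	return
}

func main() {
	p, n, ok := runDemo()
	fmt.Printf("unchecked+nil client panicked=%v, hardened+nil client=%d, hardened+client=%d\n", p, n, ok)
}
```

The two fixes are complementary: the constructor removes the nil state altogether, and the handler's guard turns any remaining misconfiguration into a logged 502 rather than a recovered panic that the operator only notices in the server log after users are kicked out.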

micbar commented 8 months ago

@TheOneRing Do you have a hunch why this happens?

The URL https://owncloud.mydomain.net/index.php/apps/oauth2/authorize? is from oc10?

@doruchan Is it possible, that this local user has been used against ownCloud10 before?

doruchan commented 8 months ago

No, I haven't used owncloud before. Everything has been installed from scratch so it's unlikely. I can try logging in with one of the test accounts that came with the keycloak imported realm tho.

doruchan commented 8 months ago

Is this a normal response for the page "owncloud.mydomain.net/status.php"?

```json
{
    "installed": true,
    "maintenance": false,
    "needsDbUpgrade": false,
    "version": "10.11.0.0",
    "versionstring": "10.11.0",
    "edition": "Community",
    "productname": "Infinite Scale",
    "product": "Infinite Scale",
    "productversion": "5.1.0-prealpha+8f0b536ef"
}
```

version 10.11.0?

TheOneRing commented 8 months ago

The client only uses the .well-known from the system entered during setup. So https://owncloud.mydomain.net/.well-known/openid-configuration should point to your keycloak server.

micbar commented 8 months ago

> Is this a normal response for the page "owncloud.mydomain.net/status.php"?
>
> ```json
> {
>     "installed": true,
>     "maintenance": false,
>     "needsDbUpgrade": false,
>     "version": "10.11.0.0",
>     "versionstring": "10.11.0",
>     "edition": "Community",
>     "productname": "Infinite Scale",
>     "product": "Infinite Scale",
>     "productversion": "5.1.0-prealpha+8f0b536ef"
> }
> ```
>
> version 10.11.0?

That is correct. Compatibility for oc10.

micbar commented 8 months ago

> The client only uses the .well-known from the system entered during setup. So https://owncloud.mydomain.net/.well-known/openid-configuration should point to your keycloak server.

But how can an oc10 Oauth2 url come from the ocis well known?

Is there an oc10 running behind the same reverse proxy?

doruchan commented 8 months ago

> The client only uses the .well-known from the system entered during setup.

By setup you mean the environment variable WEB_OIDC_METADATA_URL? It's set to the keycloak's well-known, and I also have the PROXY_OIDC_REWRITE_WELLKNOWN set to true. Do I miss anything else?

> Is there an oc10 running behind the same reverse proxy?

No :/ Only keycloak, owncloud (ocis) and traefik.

TheOneRing commented 7 months ago

Could it be manually configured?

micbar commented 7 months ago

@doruchan

Has the issue been resolved after recreating the account?

doruchan commented 7 months ago

No unfortunately - I have backed up my config folder and reconfigured my ocis from scratch with ocis init, but I can already see that this page returns a 404:

https://owncloud.mydomain.net/.well-known/openid-configuration

when in the testing server with keycloak I can see that this works: https://ocis.ocis-keycloak.released.owncloud.works/.well-known/openid-configuration

So there's something wrong in my configuration. I haven't set anything manually, just using the environment variables from my docker-compose to drive the configuration.

micbar commented 7 months ago

There is a config var in our example deployment to rewrite the well known.

doruchan commented 7 months ago

Oh, interesting, I'm trying the example from the "latest" deployment and it doesn't work: https://ocis.ocis-keycloak.latest.owncloud.works/.well-known/openid-configuration

Bad Gateway

So maybe it's something to do with the latest version?

doruchan commented 7 months ago

> Oh, interesting, I'm trying the example from the "latest" deployment and it doesn't work: https://ocis.ocis-keycloak.latest.owncloud.works/.well-known/openid-configuration
>
> Bad Gateway
>
> So maybe it's something to do with the latest version?

So I locked the 5.0.0 version instead of "latest", and I can now see this page working correctly:

https://owncloud.mydomain.net/.well-known/openid-configuration

It's definitely an issue with the latest.

cheers

micbar commented 5 months ago

Latest is working fine now.

@TheOneRing I also saw that URL https://owncloud.mydomain.net/index.php/apps/oauth2/authorize? in another ticket.

It was a new central post https://central.owncloud.org/t/ocis-5-x-and-keycloak-25-auto-relogin-fails-after-restart-of-the-desktop-client/49527

How on earth could something like this happen with a Desktop Client connected to ocis? That is an old oc10 URL.

@dragotin @DeepDiver1975 Please check this out. This doesn't make any sense.

rhafer commented 5 months ago

Hm, I guess the client is just using index.php/apps/oauth2/authorize as a fallback when it can't read the .well-known endpoint. See:

https://github.com/owncloud/client/blob/af2cdbbea907c5e8bbda21c0e573a490a7c3ba3a/src/libsync/creds/oauth.cpp#L463C4-L466C1

So something might be wrong with the PROXY_OIDC_REWRITE_WELLKNOWN settings (or implementation). It seems to work on the demo instances though.
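The behaviour rhafer points at is the root of the "wrong URL" symptom: a relying party that cannot read `/.well-known/openid-configuration` and then silently substitutes a hard-coded legacy authorize endpoint will send the user somewhere the IdP never advertised. The example below is added here and is not code from the ownCloud client; it models the two client policies side by side (`legacyAuthorizeURL` for the fallback described above, `strictAuthorizeURL` for a fail-closed alternative) on top of the validation a client should run on any discovery document before trusting it: the `issuer` value must equal the one the client was configured with, and every endpoint must be an absolute `https` URL. Function and type names, and the sample Keycloak-style document and 502 body, are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// discoveryDoc holds the OpenID Provider metadata fields a relying party
// needs before it may start an authorization flow.
type discoveryDoc struct {
	Issuer                string `json:"issuer"`
	AuthorizationEndpoint string `json:"authorization_endpoint"`
	TokenEndpoint         string `json:"token_endpoint"`
	JwksURI               string `json:"jwks_uri"`
}

// validateDiscovery parses body as OpenID Provider metadata and applies the
// checks a client should make before trusting it: the issuer must match the
// configured one exactly, and endpoints must be absolute https URLs.
func validateDiscovery(expectedIssuer string, body []byte) (*discoveryDoc, error) {
	var doc discoveryDoc
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("discovery document is not JSON: %w", err)
	}
	if doc.Issuer != expectedIssuer {
		return nil, fmt.Errorf("issuer mismatch: got %q, want %q", doc.Issuer, expectedIssuer)
	}
	endpoints := []struct{ name, raw string }{
		{"authorization_endpoint", doc.AuthorizationEndpoint},
		{"token_endpoint", doc.TokenEndpoint},
		{"jwks_uri", doc.JwksURI},
	}
	for _, e := range endpoints {
		if err := checkHTTPSURL(e.raw); err != nil {
			return nil, fmt.Errorf("%s: %w", e.name, err)
		}
	}
	return &doc, nil
}

// checkHTTPSURL rejects empty, relative or non-https endpoint values.
func checkHTTPSURL(raw string) error {
	if raw == "" {
		return errors.New("missing")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("not an absolute https URL: %q", raw)
	}
	return nil
}

// legacyAuthorizeURL models the fallback described in the thread: when the
// discovery document cannot be read, the oc10-era route on the server entered
// at setup is used. With a 502 from the reverse proxy this yields the wrong URL.
func legacyAuthorizeURL(serverURL, expectedIssuer string, status int, body []byte) string {
	if status == http.StatusOK {
		if doc, err := validateDiscovery(expectedIssuer, body); err == nil {
			return doc.AuthorizationEndpoint
		}
	}
	return strings.TrimSuffix(serverURL, "/") + "/index.php/apps/oauth2/authorize"
}

// strictAuthorizeURL is the fail-closed alternative: no valid discovery, no login.
func strictAuthorizeURL(expectedIssuer string, status int, body []byte) (string, error) {
	if status != http.StatusOK {
		return "", fmt.Errorf("discovery returned HTTP %d", status)
	}
	doc, err := validateDiscovery(expectedIssuer, body)
	if err != nil {
		return "", err
	}
	return doc.AuthorizationEndpoint, nil
}

// sampleDiscovery builds a constructed Keycloak-style document for issuer.
func sampleDiscovery(issuer string) []byte {
	return []byte(`{"issuer":"` + issuer + `",` +
		`"authorization_endpoint":"` + issuer + `/protocol/openid-connect/auth",` +
		`"token_endpoint":"` + issuer + `/protocol/openid-connect/token",` +
		`"jwks_uri":"` + issuer + `/protocol/openid-connect/certs"}`)
}

func main() {
	const issuer = "https://keycloak.mydomain.net/realms/oCIS"
	// Constructed stand-in for the Cloudflare 502 body seen in the client log.
	badGateway := []byte("<!DOCTYPE html><title>owncloud.mydomain.net | 502: Bad gateway</title>")

	fmt.Println("legacy on 502:", legacyAuthorizeURL("https://owncloud.mydomain.net", issuer, 502, badGateway))
	if _, err := strictAuthorizeURL(issuer, 502, badGateway); err != nil {
		fmt.Println("strict on 502:", err)
	}
	u, _ := strictAuthorizeURL(issuer, 200, sampleDiscovery(issuer))
	fmt.Println("strict on 200:", u)
}
```

The same `validateDiscovery` check is also the quickest operator-side test of `PROXY_OIDC_REWRITE_WELLKNOWN`: fetch the ocis URL's `/.well-known/openid-configuration` and confirm the `issuer` field equals `OCIS_OIDC_ISSUER`; anything else (a 404, a 502 HTML page, a document with a different issuer) means the desktop client will not be talking to Keycloak.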

TheOneRing commented 5 months ago

@rhafer yes you're right, thank you for looking it up. That something went wrong can also be seen in the client log in the top post.


```console
24-03-26 15:16:48:725 [ info sync.httplogger ]: "fe9ce41f-3b17-46b5-aa62-3f93f3d39c07: Request: GET https://owncloud.mydomain.net/.well-known/openid-configuration Header: { User-Agent: Mozilla/5.0 (Windows) mirall/5.2.1.13040 (ownCloud, windows-10.0.22635 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Accept-Language: en_NZ, X-Request-ID: fe9ce41f-3b17-46b5-aa62-3f93f3d39c07, Original-Request-ID: fe9ce41f-3b17-46b5-aa62-3f93f3d39c07, } Data: []"
24-03-26 15:16:48:826 [ info sync.httplogger ]: "fe9ce41f-3b17-46b5-aa62-3f93f3d39c07: Response: GET 502 (Error: Error transferring https://owncloud.mydomain.net/.well-known/openid-configuration - server replied: Bad Gateway,101ms) https://owncloud.mydomain.net/.well-known/openid-configuration Header: { Date: Tue, 26 Mar 2024 14:16:48 GMT, Content-Type: text/html; charset=UTF-8, Content-Length: 6360, Connection: keep-alive, Report-To: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=YXdXNTsgTw%2BO%2BEdAoBF80NlI9SI%2BuEeyARPPeTQ275MgP1X3tPjC0XP1A79g8FuOcDM2rsmIrol2bVl4rw1tGTULDyO4oeFL6sIu1P5CcejUdEpRoasYRX2oMnvGB5r4oom8w%2BHybg%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}, NEL: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}, X-Frame-Options: SAMEORIGIN, Referrer-Policy: same-origin, Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, Expires: Thu, 01 Jan 1970 00:00:01 GMT, Server: cloudflare, CF-RAY: 86a7c2b6df9f8675-MAD, alt-svc: h3=\":443\"; ma=86400, } Data: [<Cloudflare HTML error page "owncloud.mydomain.net | 502: Bad gateway", Error code 502, 2024-03-26 14:16:48 UTC: Browser Working, Cloudflare (Madrid) Working, Host owncloud.mydomain.net Error; "The web server reported a bad gateway error." HTML body truncated in this copy>
```
class=\"text-3xl font-normal leading-1.3 mb-4\">What can I do?</h2>\n                    <p class=\"mb-6\">Please try again in a few minutes.</p>\n                </div>\n            </div>\n        </div>\n\n        <div class=\"cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300\">\n  <p class=\"text-13\">\n    <span class=\"cf-footer-item sm:block sm:mb-1\">Cloudflare Ray ID: <strong class=\"font-semibold\">86a7c2b6df9f8675</strong></span>\n    <span class=\"cf-footer-separator sm:hidden\">&bull;</span>\n    <span id=\"cf-footer-item-ip\" class=\"cf-footer-item hidden sm:block sm:mb-1\">\n      Your IP:\n      <button type=\"button\" id=\"cf-footer-ip-reveal\" class=\"cf-footer-ip-reveal-btn\">Click to reveal</button>\n      <span class=\"hidden\" id=\"cf-footer-ip\">89.130.253.140</span>\n      <span class=\"cf-footer-separator sm:hidden\">&bull;</span>\n    </span>\n    <span class=\"cf-footer-item sm:block sm:mb-1\"><span>Performance &amp; security by</span> <a rel=\"noopener noreferrer\" href=\"https://www.cloudflare.com/5xx-error-landing?utm_source=errorcode_502&utm_campaign=owncloud.mydomain.net\" id=\"brand_link\" target=\"_blank\">Cloudflare</a></span>\n    \n  </p>\n  <script>(function(){function d(){var b=a.getElementById(\"cf-footer-item-ip\"),c=a.getElementById(\"cf-footer-ip-reveal\");b&&\"classList\"in b&&(b.classList.remove(\"hidden\"),c.addEventListener(\"click\",function(){c.classList.add(\"hidden\");a.getElementById(\"cf-footer-ip\").classList.remove(\"hidden\")}))}var a=document;document.addEventListener&&a.addEventListener(\"DOMContentLoaded\",d)})();</script>\n</div><!-- /.error-footer -->\n\n\n    </div>\n</div>\n</body>\n</html>\n]"
thommierother commented 5 months ago

another logfile from client (screenshot attached: Bildschirmfoto_20240621_222131)

thommierother commented 5 months ago

ownCloud.log (attached)

I am using two sync accounts, one for OC 10, the other for OCIS, with separate local directories. Both are connected to a Keycloak IdP and use the same user in the realm. The re-login of an already created OCIS account after the restart of the client fails completely. It's only possible to create a new OCIS account in the client and log in one time then.

thommierother commented 5 months ago

For reference, here is the well-known JSON from my IdP, https://login.netzwissen.de/realms/netzwissen/.well-known/openid-configuration

[new-request.json](https://github.com/user-attachments/files/15935612/new-request.json)

micbar commented 5 months ago

The issue seems to be that the .well-known endpoint on the ocis domain was not reachable or returned an empty data set.

thommierother commented 5 months ago

OK, is that an OCIS bug or a desktop app bug? Or a misconfiguration on my side? I see no config settings for the .well-known endpoint, except the boolean for the rewrite ... My *.env:

```ini
# basic setup for reverse proxy
OCIS_URL=https://ocis.netzwissen.de
PROXY_HTTP_ADDR=0.0.0.0:9200
PROXY_TLS=false
OCIS_INSECURE=false
OCIS_CONFIG_DIR=/etc/ocis
OCIS_BASE_DATA_PATH=/mnt/data/ocis
OCIS_LOG_LEVEL=debug
OCIS_LOG_FILE=/var/log/ocis/ocis.log
# idp setup keycloak
OCIS_EXCLUDE_RUN_SERVICES=idp
OCIS_OIDC_ISSUER=https://login.netzwissen.de/realms/netzwissen
WEB_OIDC_CLIENT_ID=ocis-web
PROXY_AUTOPROVISION_ACCOUNTS=true
PROXY_OIDC_REWRITE_WELLKNOWN=true
```

thommierother commented 5 months ago

Can we do anything else to help solve this issue? Anything for testing? I could activate a second OCIS instance at ocisd.netzwissen.de for testing ...

micbar commented 5 months ago

I need to understand your setup better.

I know, that these things do not happen with https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_keycloak

The challenge is, that it is not that easy to "show me your keycloak" configuration.

  1. Each client is configurable on its own, which increases the complexity (see our client JSON examples)
  2. You are doing autoprovisioning
  3. oCIS reads OIDC claims from the user during login and creates the user in the internal LDAP. You need to be sure that the user can always be mapped from OIDC to the internal user.
  4. You need to make sure that the desktop client has offline_access in the scopes to obtain a refresh token. The refresh token is needed after the restart of your desktop.

These are the configs on ocis master and 6.0.0 Rolling to control the auto provisioning mapping.

| Variable | Type | Default | Description |
|---|---|---|---|
| PROXY_AUTOPROVISION_ACCOUNTS | bool | false | Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be set up and running. |
| PROXY_AUTOPROVISION_CLAIM_USERNAME | string | preferred_username | The name of the OIDC claim that holds the username. |
| PROXY_AUTOPROVISION_CLAIM_EMAIL | string | email | The name of the OIDC claim that holds the email. |
| PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME | string | name | The name of the OIDC claim that holds the display name. |

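The two things the maintainer's reply and the earlier diagnosis ("the .well-known endpoint on the ocis domain was not reachable or returned an empty data set") ask you to verify can be checked offline against a saved copy of the discovery document. The script below is an added example, not oCIS project code or the desktop client's logic: it takes the body the desktop client received from `https://<OCIS_URL>/.well-known/openid-configuration` and reports whether it is empty or HTML (as in the Cloudflare 502 above), whether the `issuer` and the endpoints match the configured `OCIS_OIDC_ISSUER`, whether `offline_access` is advertised (point 4), and whether the claims named by `PROXY_AUTOPROVISION_CLAIM_*` are advertised (point 3). It also applies that claim mapping to a token's claims and fails loudly when the username claim is absent, which is the case where an autoprovisioned user can no longer be mapped on re-login. The sample discovery document, the `keycloak.example.net` hostnames and the default mapping values are constructed for this example.

```python
"""Offline sanity checks for an oCIS + Keycloak OIDC setup.

Added example, not oCIS project code. The discovery document below is
constructed; replace it with the JSON body fetched from
https://<OCIS_URL>/.well-known/openid-configuration (the rewritten one),
and compare against the IdP's own document.
"""
import json
from urllib.parse import urlparse

# Constructed sample: what a correctly rewritten discovery document looks like
# when OCIS_OIDC_ISSUER points at a Keycloak realm. Hostnames are assumptions.
SAMPLE_WELLKNOWN = json.dumps({
    "issuer": "https://keycloak.example.net/realms/oCIS",
    "authorization_endpoint": "https://keycloak.example.net/realms/oCIS/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.net/realms/oCIS/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.net/realms/oCIS/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "claims_supported": ["sub", "preferred_username", "email", "name"],
})

# Endpoints the desktop client needs to start the flow and to refresh later.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_wellknown(body: str, expected_issuer: str,
                    autoprovision_claims: tuple = ()) -> list:
    """Return a list of problems found in a discovery document (empty == OK)."""
    problems = []
    if not body.strip():
        return ["empty response body (the proxy rewrite returned nothing)"]
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not JSON (an HTML error page from a reverse proxy or CDN?)"]

    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")

    # After the rewrite, the endpoints must still live on the IdP, not on the oCIS host.
    issuer_host = urlparse(expected_issuer).netloc
    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).netloc != issuer_host:
            problems.append(f"{key} is on {urlparse(value).netloc}, not the issuer host {issuer_host}")

    # Without offline_access there is no refresh token, so no re-login after a restart.
    if "offline_access" not in doc.get("scopes_supported", []):
        problems.append("offline_access not in scopes_supported: clients get no refresh token")

    supported = set(doc.get("claims_supported", []))
    for claim in autoprovision_claims:
        if claim not in supported:
            problems.append(f"autoprovision claim {claim!r} not advertised in claims_supported")
    return problems


def map_claims(claims: dict, username_claim: str = "preferred_username",
               email_claim: str = "email", displayname_claim: str = "name") -> dict:
    """Apply the PROXY_AUTOPROVISION_CLAIM_* mapping to a token's claims.

    Raises KeyError when the username claim is missing: a user created from
    such a token could not be matched to the internal account on a later login.
    Defaults mirror the documented default values; the function is an assumption.
    """
    if username_claim not in claims:
        raise KeyError(f"token lacks the username claim {username_claim!r}")
    return {
        "username": claims[username_claim],
        "email": claims.get(email_claim, ""),
        "displayname": claims.get(displayname_claim, claims[username_claim]),
    }


if __name__ == "__main__":
    issuer = "https://keycloak.example.net/realms/oCIS"
    print(check_wellknown(SAMPLE_WELLKNOWN, issuer, ("preferred_username", "email", "name")))
    print(check_wellknown("<!DOCTYPE html>", issuer))
    print(map_claims({"preferred_username": "alice", "email": "alice@example.net"}))
```

To use it against a live setup, save the body of `curl -s https://<OCIS_URL>/.well-known/openid-configuration` to a file and pass its contents as `body`, with `expected_issuer` set to the value of `OCIS_OIDC_ISSUER`; a non-empty result is the misconfiguration to chase before looking at the client.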
thommierother commented 5 months ago

Hi @micbar, thanks for the insights. I will check my own config and try to modify it if necessary. My idea behind the autoprovision feature: I wanted users already existing on the IdP and the old OC10 to be able to log in seamlessly to the OCIS instance. And then, in a second step, just move (or copy) their sync data to the new OCIS sync directory on their device.

"offline_access" is a good point. I updated to Keycloak 25 just recently and played with the persistent user sessions https://www.keycloak.org/2024/06/keycloak-2500-released Maybe I have a mistake in the configuration there ...

thommierother commented 4 months ago

I changed the client scope in Keycloak 25. In the default configuration, the offline_access scope is optional; now it is "default". Hope that helps ...

(screenshot attached: grafik)

thommierother commented 4 months ago

Unfortunately no change. The first OIDC login of the desktop sync client is successful, but the re-login still fails. I am a bit lost ...