owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

OCIS 6.0 - No redirect to external IDP #9441

Closed BEBU88 closed 1 week ago

BEBU88 commented 1 week ago

Describe the bug

After upgrading to OCIS 6.0 the browser is not redirecting to external IDP (Authentik). Users with active sessions are not able to logout. The button has no effect anymore.

Steps to reproduce

  1. Upgrade from OCIS 5 with external IDP to OCIS 6 with external IDP
  2. Try to login.
  3. Browser is stuck at OCIS_URL/login?redirectUrl=%2Ffiles%2Fspaces%2Fpersonal

Expected behavior

The browser should redirect to the external IDP for login.

Actual behavior

Browser is stuck at OCIS_URL/login?redirectUrl=%2Ffiles%2Fspaces%2Fpersonal

Setup

I'm using OCIS as a systemd service on Debian 12

```console
OCIS_OIDC_ISSUER=https://IDP-URL
PROXY_OIDC_INSECURE=false
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=jwt
PROXY_USER_OIDC_CLAIM=preferred_username
PROXY_USER_CS3_CLAIM=username
PROXY_AUTOPROVISION_ACCOUNTS=true
PROXY_ROLE_ASSIGNMENT_DRIVER=oidc
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=ocis_role
OCIS_OIDC_CLIENT_ID=CLIENT-ID
PROXY_OIDC_REWRITE_WELLKNOWN=true
WEB_OIDC_METADATA_URL=https://IDP-URL/.well-known/openid-configuration
WEB_OIDC_SCOPE="openid profile email offline_access"
```

Additional context

Already deleted browser cache and tried in private window.

micbar commented 1 week ago

@kulmann @JammingBen ?

kulmann commented 1 week ago

Hey @BEBU88, could you make your openid-configuration available? I'm specifically interested in whether or not your authentik has an end_session_endpoint.

BEBU88 commented 1 week ago

Hi @kulmann, the available endpoints are:

| Endpoint | URL |
|---|---|
| Authorization | /application/o/authorize/ |
| Token | /application/o/token/ |
| User Info | /application/o/userinfo/ |
| Token Revoke | /application/o/revoke/ |
| End Session | /application/o/ocis/end-session/ |
| JWKS | /application/o/ocis/jwks/ |
| OpenID Configuration | /application/o/ocis/.well-known/openid-configuration |

My OCIS 5 instance is just working fine. The OIDC config and env vars in my OCIS 6 instance are the same.

kulmann commented 1 week ago

That looks good...

Could you please check if there are any error messages in the browser console and paste them here?

BEBU88 commented 1 week ago

In the Firefox console I get this error:

```
Content-Security-Policy: The page's settings blocked the loading of a resource (connect-src) at https://idp-url/application/o/ocis/.well-known/openid-configuration because it violates the following directive: "connect-src 'self'"
```

kulmann commented 1 week ago

Ah, now I know what this is :-(

  1. Copy this file: https://github.com/owncloud/ocis/blob/master/deployments/examples/ocis_keycloak/config/ocis/csp.yaml
  2. Mount it: https://github.com/owncloud/ocis/blob/b1f1fafd684778b003f3e4aa61694f5661f9eba7/deployments/examples/ocis_keycloak/docker-compose.yml#L86
  3. Set this env var: https://github.com/owncloud/ocis/blob/b1f1fafd684778b003f3e4aa61694f5661f9eba7/deployments/examples/ocis_keycloak/docker-compose.yml#L82

Then restart your ocis. That should fix it. I wonder why we don't have a sane default here...

kulmann commented 1 week ago

Ah sorry, one more step: you need to edit the csp.yaml file and either enter your own idp domain, or rename the var in there and set it accordingly in your .env file, your docker compose env, or whatever you use.

BEBU88 commented 1 week ago

Thank you @kulmann, it's working as expected now.