owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

How can I add OpenID for Android and IOS #125

Closed max-1004 closed 3 years ago

max-1004 commented 3 years ago

Hi guys,

I have set up OIDC for ownCloud for the company where I work. It works fine for ownCloud in the browser. From the other tickets and docs, unfortunately I don't understand how to add OIDC for Android and iOS. Do I need to add it in the config.php file of ownCloud? I'm using "cidaas" as OIDC provider, and there I have to decide between iOS & Android & Webpage.

I would be very thankful for help on where I can do the configuration for Android and iOS :smile:

DeepDiver1975 commented 3 years ago

@michaelstingl

max-1004 commented 3 years ago

One thing I forgot: when I go into the app, I am redirected to the normal login page. Then when I press the button for OIDC, the page starts loading. But after it loads I am still on the login page.

michaelstingl commented 3 years ago

No experience with cidaas, sorry. Normally you need to register the ownCloud apps in your IdP. Here you can find the parameters: https://doc.owncloud.com/server/10.6/admin_manual/configuration/user/oidc/#set-up-and-configure-the-identity-provider

max-1004 commented 3 years ago

In the browser it works fine, so I think the parameters should be ok. But I don't understand how to use the desktop, Android and iOS clients. Do I need a separate client_ID and client_secret for each client? The client information for web I can change in the config.php file, but where can I do it for the other apps?

DeepDiver1975 commented 3 years ago

@max-1004 the clients have some pre-defined client ids and secrets inside. These need to be set up in the IdP - if possible.

If this is not possible, a custom build will be necessary - which is something to be done as part of an enterprise subscription.

An alternative approach is to wait a while until the clients support dynamic client registration ....

max-1004 commented 3 years ago

We now have a new client with the pre-defined client_id & client_secret. When trying to use the ownCloud desktop app we get this error:

{
  "code": "invalid_request",
  "moreInfo": "",
  "type": "UserAuthRequestException",
  "status": 400,
  "referenceNumber": "1608047869310-c24b790b-0e28-4a0c-acd6-9efbb4f27f1e",
  "error": "invalid_request: given url is not allowed by the application configuration."
}

In the IdP I allowed these redirect URLs:

https://owncloud.XX.de/apps/openidconnect/redirect
https://owncloud.XX.de/index.php/apps/openidconnect/redirect
https://owncloud.XX.de/.well-known/openid-configuration

Do I have to redirect to another URL? For Android & iOS there are Redirect URIs in the doc but not for the desktop app. Or is it somewhere else where I have to allow the given URL?

DeepDiver1975 commented 3 years ago

@max-1004 as far as I understood the issues have been resolved - correct? Can we close this issue now? THX

michaelstingl commented 3 years ago

For Android & iOS there are Redirect URIs in the doc but not for the desktop app

Desktop app has redirect URI http://localhost:*, but this syntax isn't supported in the Kopano Konnect IdP that was used for testing. I hope more mature IdPs out there support this.

It's also used in ownCloud's own OAuth 2.0 implementation: https://github.com/owncloud/oauth2/blob/ccee1229d2149c308382fd650546b3996f2c1e75/appinfo/Migrations/Version20170329194544.php#L15-L17

longsleep commented 3 years ago

Desktop app has redirect URI http://localhost:*, but this syntax isn't supported in the Kopano Konnect IdP that was used for testing. I hope more mature IdPs out there support this.

@michaelstingl we can easily support it if that is a thing. For Kopano Konnect this would be "http://localhost/" - the port is actually ignored for native applications. In your http://localhost:* example though you are missing the "path" - not sure if that should be allowed or considered a valid redirect_uri.

michaelstingl commented 3 years ago

we can easily support it if that is a thing.

This would be perfect, it is the recommended method: https://tools.ietf.org/html/rfc8252#section-7.3 https://tools.ietf.org/html/rfc8252#section-8.3 https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url#localhost-exceptions

Our workarounds always felt a little cheaty to me: https://github.com/owncloud/ocis-konnectd/blob/master/assets/identifier-registration.yaml#L27-L31

UCS also had to work around this: https://forge.univention.org/bugzilla/show_bug.cgi?id=52054

In your http://localhost:* example though you are missing the "path" - not sure if that should be allowed or considered a valid redirect_uri.

I'd rely on @DeepDiver1975's or @TheOneRing's judgement. /cc @IljaN @C0rby

longsleep commented 3 years ago

we can easily support it if that is a thing.

This would be perfect, it is the recommended method: https://tools.ietf.org/html/rfc8252#section-7.3 https://tools.ietf.org/html/rfc8252#section-8.3 https://docs.microsoft.com/en-us/azure/active-directory/develop/reply-url#localhost-exceptions

@michaelstingl thanks - though I cannot see anything there related to "wildcard". I only read the definition as implemented in Kopano Konnect, that the port is ignored when validating. * is not a valid port and thus is not allowed. Do you have a reference to a standard which explicitly defines this use of * as a port wildcard?

max-1004 commented 3 years ago

@DeepDiver1975 yes, it is solved for us. I think it's not a good way, but it works now. You can close it, thanks for your help.

michaelstingl commented 3 years ago

Implementation of dynamic client registration is finished for iOS. @max-1004 I could send you a build for testing.

For desktop, implementation is work in progress, but I expect availability in one of the daily builds soon…

Android hasn't started yet.

max-1004 commented 3 years ago

@michaelstingl iOS is the device that I do not use, but other colleagues do, so for me the desktop or Android application would be better to test, but thanks.

max-1004 commented 3 years ago

At the moment iOS and Android are working better than the normal web ownCloud. If I want to enter the ownCloud site with our OIDC provider, then it stays on the same page but gives me a 301 redirect. But nothing happens, I'm still on the normal login page. Only when I'm in the same network does it work. With e.g. the Android app I don't have this issue.

michaelstingl commented 3 years ago

At the moment iOS and Android are working better than the normal web ownCloud. If I want to enter the ownCloud site with our OIDC provider, then it stays on the same page but gives me a 301 redirect. But nothing happens, I'm still on the normal login page. Only when I'm in the same network does it work.

Please open a new issue for this.

michaelstingl commented 3 years ago

the desktop or Android application would be better to test, but thanks

Here we have the first desktop daily builds from master branch: https://download.owncloud.com/desktop/ownCloud/daily/2.8/ (Linux pending)

michaelstingl commented 3 years ago

Android application would be better

We track the Android progress here: https://github.com/owncloud/android/issues/3054

michaelstingl commented 3 years ago

Android pull request: https://github.com/owncloud/android-library/pull/367

@max-1004 can you build the Android client, or should we send you an APK?

longsleep commented 3 years ago

@michaelstingl I looked into the wildcard situation and I came to the conclusion that wildcards on the hostname are discouraged because of security implications, and this should not be used or supported.

Wildcard support for the port is not required, as for native applications listening on http://localhost:*, the port must be ignored when validating the redirect_uri target against the registration (this is also what Kopano Konnect does). Since the registration requires a valid URL, just register any port (or none); for example http://localhost/yourapp will happily work when the application requests a redirect to https://localhost:23456/yourapp.

And finally, in your example of registering a redirect_uri without a path, that is something Kopano Konnect will eventually support. If no path is registered, the path part of the redirect_uri will be ignored when validating.
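As an added example (my own code, not Konnect's or ownCloud's), a Go check that implements the loopback rule described above as I read it: for a native client, the port of a plain-http loopback redirect_uri is ignored, the path is ignored only when no path was registered, every other URI must match the registration exactly, and a registered URI containing a wildcard is rejected. Function names and the sample URIs are my own.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isLoopbackHost reports whether a redirect URI host names the local machine
// (the loopback redirection of RFC 8252 section 7.3).
func isLoopbackHost(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// RedirectAllowed checks a requested redirect_uri against the URIs registered
// for a native client. For a plain-http loopback URI the port is ignored, and
// the path is ignored only when the registered URI has no path; any other URI
// must match exactly. A registered URI containing a wildcard is rejected.
func RedirectAllowed(registered []string, requested string) (bool, error) {
	req, err := url.Parse(requested)
	if err != nil {
		return false, err
	}
	for _, r := range registered {
		if strings.Contains(r, "*") {
			return false, fmt.Errorf("wildcard in registered redirect_uri %q", r)
		}
		reg, err := url.Parse(r)
		if err != nil {
			return false, err
		}
		loopback := req.Scheme == "http" && reg.Scheme == "http" &&
			isLoopbackHost(req.Hostname()) && reg.Hostname() == req.Hostname()
		if loopback && (reg.Path == "" || reg.Path == req.Path) {
			return true, nil // port (and possibly path) ignored for loopback
		}
		if !loopback && r == requested {
			return true, nil // non-loopback URIs need an exact match
		}
	}
	return false, nil
}
```

Note that the https variant of a loopback URI deliberately falls through to the exact-match branch, so only plain http gets the relaxed port handling.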

michaelstingl commented 3 years ago

Okay, sounds good 👍

michaelstingl commented 3 years ago

@longsleep we want to switch desktop redirect URI from http://localhost to http://127.0.0.1 (https://github.com/owncloud/client/pull/8593) as recommended in RFC 8252, but this is what we get:

Request: POST https://ocis.ocis-traefik.latest.owncloud.works/konnect/v1/register
Header: { Content-Type: application/json, 
User-Agent: Mozilla/5.0 (Windows) mirall/2.9.0git (ownCloud, 
windows-10.0.19042 ClientArchitecture: x86_64 OsArchitecture: x86_64), 
Accept: */*, 
X-Request-ID: 9dc324c9-dabc-4a55-a804-d20185b7fb0f, 
Original-Request-ID: 9dc324c9-dabc-4a55-a804-d20185b7fb0f, 
Content-Length: 191, 
}
Data: [{
    \"application_type\": \"native\",
    \"client_name\": \"ownCloud 2.9.0git\",
    \"redirect_uris\": [
        \"http://127.0.0.1\"
    ],
    \"token_endpoint_auth_method\": \"client_secret_basic\"
    }
]

Response: POST 400 https://ocis.ocis-traefik.latest.owncloud.works/konnect/v1/register
Header: { Access-Control-Allow-Origin: *, 
Cache-Control: no-cache, 
no-store, 
must-revalidate, 
Content-Length: 127, 
Content-Type: application/json; encoding=utf-8, 
Date: Thu, 06 May 2021 13:59:07 GMT, 
Expires: Thu, 01 Jan 1970 00:00:00 GMT, 
Last-Modified: Thu, 06 May 2021 13:59:07 GMT, 
Pragma: no-cache, 
Referrer-Policy: origin, 
X-Content-Type-Options: nosniff, 
X-Frame-Options: DENY, 
X-Idp-Version: 0.0.0, 
X-Xss-Protection: 1; mode=block, 
}
Data: [{
  \"error\": \"invalid_redirect_uri\",
  \"error_description\": \"native clients must only use localhost redirect_uris with http\"
  }
]"

More information:

/cc @TheOneRing

longsleep commented 3 years ago

@michaelstingl this has been fixed in https://github.com/Kopano-dev/konnect/commit/3e79432a63f75135eb373490c504d2c8d9a7c96c - there was no release which included that fix yet, thus I just tagged v0.34.0.

michaelstingl commented 3 years ago

@longsleep very nice!! Thanks 👍