owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

[QA] openidconnect no longer works with the kopano IDP #181

Closed jnweiger closed 3 years ago

jnweiger commented 3 years ago

Seen with openidconnect 2.1.0-rc1 on core 10.8.0

Started in compose-plaground/compose via docker-compose -f owncloud-base.yml -f owncloud-official.yml -f cache/redis.yml -f database/mariadb.yml -f ldap/openldap.yml -f ldap/openldap-mount-ldif.yml -f owncloud-exported-ports.yml -f ldap/openldap-autoconfig-base.yml -f kopano/konnect/docker-compose.yml

When logging in a user at the Web-UI this error message is seen:

[screenshot of the error message]

This is from vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php getWellKnownConfigValue() as the .well-known/openid-configuration returned by kopano does not have a code_challenge_methods_supported element.

As per https://datatracker.ietf.org/doc/html/rfc8414 the code_challenge_methods_supported element is optional.

Expected behaviour: Code continues to function as if the method were S256 -- that would be consistent with lib/Client.php, which has a hardcoded

  public function getCodeChallengeMethod() {
    return 'S256';
  }

jnweiger commented 3 years ago

An identical setup with openidconnect-2.0.0 works flawlessly without code_challenge_methods_supported in the openid-configuration.

jnweiger commented 3 years ago

Possible workaround: Patch vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php to default to 'S256':

        if (!empty($this->getCodeChallengeMethod()) && in_array($this->getCodeChallengeMethod(), $this->getProviderConfigValue('code_challenge_methods_supported', 'S256'))) {

Now kopano IDP can log in its LDAP users.
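The discovery-document handling the two comments above describe, written as an added example in Python (it is not the app's PHP or the vendored jumbojett code): a missing code_challenge_methods_supported element falls back to S256, an explicit list is honoured, and a provider that only advertises "plain" is rejected rather than downgraded. The provider documents and the idp.example.test host are constructed.

```python
import base64
import hashlib
import json
import secrets


def _discovery(**extra):
    """Constructed discovery document (not real IdP output) plus optional extras."""
    doc = {"issuer": "https://idp.example.test",
           "authorization_endpoint": "https://idp.example.test/authorize",
           "token_endpoint": "https://idp.example.test/token"}
    return json.dumps({**doc, **extra})


# Mirrors the kopano case from the issue: no code_challenge_methods_supported.
DISCOVERY_NO_PKCE_ELEMENT = _discovery()
DISCOVERY_S256 = _discovery(code_challenge_methods_supported=["plain", "S256"])
DISCOVERY_PLAIN_ONLY = _discovery(code_challenge_methods_supported=["plain"])


def select_pkce_method(discovery_json: str, preferred: str = "S256") -> str:
    """Pick the PKCE code_challenge_method for the authorization request.

    RFC 8414 marks code_challenge_methods_supported as OPTIONAL, so a missing
    element only means the provider advertised nothing: keep the client's
    preferred method (S256, as lib/Client.php hardcodes) instead of failing.
    If the element is present, honour it, and refuse to downgrade to "plain".
    """
    supported = json.loads(discovery_json).get("code_challenge_methods_supported")
    if supported is None:
        return preferred
    if preferred in supported:
        return preferred
    raise ValueError(f"provider advertises {supported}, not {preferred}")


def new_code_verifier() -> str:
    """Random code_verifier: 32 bytes, base64url without padding (RFC 7636 4.1)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def code_challenge(verifier: str, method: str) -> str:
    """Derive the code_challenge for the chosen method (RFC 7636 section 4.2)."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return verifier
    raise ValueError(f"unsupported code_challenge_method {method!r}")
```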

DeepDiver1975 commented 3 years ago

https://github.com/owncloud/openidconnect/pull/170 fixes this

wkloucek commented 3 years ago

170 breaks my setup with Keycloak:

[screenshot of the error message]

openidconnect app config:

<?php

# reference: https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/

function getOIDCConfigFromEnv()
{
    $config = [
        'openid-connect' => [
            'provider-url' => getenv('IDP_OIDC_ISSUER'),
            'client-id' => 'oc10',
            'client-secret' => getenv('IDP_OIDC_CLIENT_SECRET'),
            'loginButtonName' => 'OpenId Connect',
            'search-attribute' => 'preferred_username',
            'mode' => 'userid',
            'autoRedirectOnLoginPage' => true,
            'insecure' => true,
            'post_logout_redirect_uri' => 'https://' . getenv('CLOUD_DOMAIN'),
        ],
    ];
    return $config;
}

$CONFIG = getOIDCConfigFromEnv();

Keycloak client:

{
    "clientId": "oc10",
    "rootUrl": "https://cloud.owncloud.test",
    "adminUrl": "https://cloud.owncloud.test",
    "surrogateAuthRequired": false,
    "enabled": true,
    "alwaysDisplayInConsole": false,
    "clientAuthenticatorType": "client-secret",
    "redirectUris": [
        "https://cloud.owncloud.test/*"
    ],
    "webOrigins": [
        "https://cloud.owncloud.test"
    ],
    "notBefore": 0,
    "bearerOnly": false,
    "consentRequired": false,
    "standardFlowEnabled": true,
    "implicitFlowEnabled": false,
    "directAccessGrantsEnabled": true,
    "serviceAccountsEnabled": false,
    "publicClient": false,
    "frontchannelLogout": false,
    "protocol": "openid-connect",
    "attributes": {
        "id.token.as.detached.signature": "false",
        "saml.assertion.signature": "false",
        "saml.force.post.binding": "false",
        "saml.multivalued.roles": "false",
        "saml.encrypt": "false",
        "oauth2.device.authorization.grant.enabled": "false",
        "backchannel.logout.revoke.offline.tokens": "false",
        "saml.server.signature": "false",
        "saml.server.signature.keyinfo.ext": "false",
        "use.refresh.tokens": "true",
        "exclude.session.state.from.auth.response": "false",
        "oidc.ciba.grant.enabled": "false",
        "saml.artifact.binding": "false",
        "backchannel.logout.session.required": "true",
        "client_credentials.use_refresh_token": "false",
        "saml_force_name_id_format": "false",
        "saml.client.signature": "false",
        "tls.client.certificate.bound.access.tokens": "false",
        "saml.authnstatement": "false",
        "display.on.consent.screen": "false",
        "saml.onetimeuse.condition": "false"
    },
    "authenticationFlowBindingOverrides": {},
    "fullScopeAllowed": true,
    "nodeReRegistrationTimeout": -1,
    "defaultClientScopes": [
        "web-origins",
        "profile",
        "roles",
        "owncloud",
        "email"
    ],
    "optionalClientScopes": [
        "address",
        "phone",
        "offline_access",
        "microprofile-jwt"
    ],
    "access": {
        "view": true,
        "configure": true,
        "manage": true
    }
}

@DeepDiver1975 do you have an idea?

wkloucek commented 3 years ago

Logs:

oc10_1          | [Thu Sep 16 09:12:16.596564 2021] [php7:notice] [pid 451] [client 172.17.6.7:58790] {"reqId":"NWgQkMPq6IhOyRvHx7qG","level":0,"time":"2021-09-16T09:12:16+00:00","remoteAddr":"172.17.6.7","user":"--","app":"OpenID","method":"GET","url":"\\/apps\\/openidconnect\\/redirect","message":"Before openid->authenticate"}
oc10_1          | 172.17.6.7 - - [16/Sep/2021:09:12:16 +0000] "GET /apps/openidconnect/redirect HTTP/1.1" 302 1020 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
oc10_1          | [Thu Sep 16 09:12:32.008432 2021] [php7:notice] [pid 452] [client 172.17.6.7:58792] {"reqId":"N4H9hcCfo7QrhwTc02Z5","level":0,"time":"2021-09-16T09:12:32+00:00","remoteAddr":"172.17.6.7","user":"--","app":"OpenID","method":"GET","url":"\\/apps\\/openidconnect\\/redirect?state=0f4109c8f9d98ac65794535e20217a86&session_state=e0097a1e-331c-41ff-8032-f5984c03cd7e&code=07b4c388-b1e6-49cb-9d09-59c4fd9586bc.e0097a1e-331c-41ff-8032-f5984c03cd7e.d7a10629-dba5-4fdb-8da6-3e6e88cc297b","message":"Entering LoginFlowController::login"}
oc10_1          | [Thu Sep 16 09:12:32.008795 2021] [php7:notice] [pid 452] [client 172.17.6.7:58792] {"reqId":"N4H9hcCfo7QrhwTc02Z5","level":0,"time":"2021-09-16T09:12:32+00:00","remoteAddr":"172.17.6.7","user":"--","app":"OpenID","method":"GET","url":"\\/apps\\/openidconnect\\/redirect?state=0f4109c8f9d98ac65794535e20217a86&session_state=e0097a1e-331c-41ff-8032-f5984c03cd7e&code=07b4c388-b1e6-49cb-9d09-59c4fd9586bc.e0097a1e-331c-41ff-8032-f5984c03cd7e.d7a10629-dba5-4fdb-8da6-3e6e88cc297b","message":"Before openid->authenticate"}
oc10_1          | [Thu Sep 16 09:12:32.075323 2021] [php7:notice] [pid 452] [client 172.17.6.7:58792] {"reqId":"N4H9hcCfo7QrhwTc02Z5","level":3,"time":"2021-09-16T09:12:32+00:00","remoteAddr":"172.17.6.7","user":"--","app":"OpenID","method":"GET","url":"\\/apps\\/openidconnect\\/redirect?state=0f4109c8f9d98ac65794535e20217a86&session_state=e0097a1e-331c-41ff-8032-f5984c03cd7e&code=07b4c388-b1e6-49cb-9d09-59c4fd9586bc.e0097a1e-331c-41ff-8032-f5984c03cd7e.d7a10629-dba5-4fdb-8da6-3e6e88cc297b","message":"Exception: {\\"Exception\\":\\"Jumbojett\\\\\\\\OpenIDConnectClientException\\",\\"Message\\":\\"Client secret not provided in request\\",\\"Code\\":0,\\"Trace\\":\\"#0 \\\\\\/mnt\\\\\\/data\\\\\\/apps\\\\\\/openidconnect\\\\\\/lib\\\\\\/Client.php(206): Jumbojett\\\\\\\\OpenIDConnectClient->authenticate()\\\\n#1 \\\\\\/mnt\\\\\\/data\\\\\\/apps\\\\\\/openidconnect\\\\\\/lib\\\\\\/Controller\\\\\\/LoginFlowController.php(126): OCA\\\\\\\\OpenIdConnect\\\\\\\\Client->authenticate()\\\\n#2 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/Http\\\\\\/Dispatcher.php(170): OCA\\\\\\\\OpenIdConnect\\\\\\\\Controller\\\\\\\\LoginFlowController->login(*** sensitive parameters replaced ***)\\\\n#3 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/Http\\\\\\/Dispatcher.php(89): OC\\\\\\\\AppFramework\\\\\\\\Http\\\\\\\\Dispatcher->executeController()\\\\n#4 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/App.php(100): OC\\\\\\\\AppFramework\\\\\\\\Http\\\\\\\\Dispatcher->dispatch()\\\\n#5 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/Routing\\\\\\/RouteActionHandler.php(47): OC\\\\\\\\AppFramework\\\\\\\\App::main()\\\\n#6 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/Route\\\\\\/Router.php(343): OC\\\\\\\\AppFramework\\\\\\\\Routing\\\\\\\\RouteActionHandler->__invoke()\\\\n#7 
\\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/base.php(927): OC\\\\\\\\Route\\\\\\\\Router->match()\\\\n#8 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/index.php(54): OC::handleRequest()\\\\n#9 {main}\\",\\"File\\":\\"\\\\\\/mnt\\\\\\/data\\\\\\/apps\\\\\\/openidconnect\\\\\\/vendor\\\\\\/jumbojett\\\\\\/openid-connect-php\\\\\\/src\\\\\\/OpenIDConnectClient.php\\",\\"Line\\":305}"}
oc10_1          | 172.17.6.7 - - [16/Sep/2021:09:12:31 +0000] "GET /apps/openidconnect/redirect?state=0f4109c8f9d98ac65794535e20217a86&session_state=e0097a1e-331c-41ff-8032-f5984c03cd7e&code=07b4c388-b1e6-49cb-9d09-59c4fd9586bc.e0097a1e-331c-41ff-8032-f5984c03cd7e.d7a10629-dba5-4fdb-8da6-3e6e88cc297b HTTP/1.1" 503 9183 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"

DeepDiver1975 commented 3 years ago

Current 2.1.0 does support PKCE - but PKCE is broken for some setups due to upstream bugs.

@wkloucek grab https://github.com/owncloud/openidconnect/pull/183 ...

@jnweiger we should incorporate this PR into 2.1.0 - https://github.com/owncloud/openidconnect/pull/183 - THX