Closed jnweiger closed 3 years ago
An identical setup with openidconnect-2.0.0 works flawlessly without code_challenge_methods_supported in the openid-configuration.
Possible workaround: Patch vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php to default to 'S256':
if (!empty($this->getCodeChallengeMethod()) && in_array($this->getCodeChallengeMethod(), $this->getProviderConfigValue('code_challenge_methods_supported', 'S256'))) {
Now kopano IDP can log in its LDAP users.
openidconnect app config:
<?php
# reference: https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/
function getOIDCConfigFromEnv()
{
    $config = [
        'openid-connect' => [
            'provider-url' => getenv('IDP_OIDC_ISSUER'),
            'client-id' => 'oc10',
            'client-secret' => getenv('IDP_OIDC_CLIENT_SECRET'),
            'loginButtonName' => 'OpenId Connect',
            'search-attribute' => 'preferred_username',
            'mode' => 'userid',
            'autoRedirectOnLoginPage' => true,
            // 'insecure' => true skips TLS certificate verification towards the IdP (test setup only)
            'insecure' => true,
            'post_logout_redirect_uri' => 'https://' . getenv('CLOUD_DOMAIN'),
        ],
    ];
    return $config;
}
$CONFIG = getOIDCConfigFromEnv();
Keycloak client:
{
  "clientId": "oc10",
  "rootUrl": "https://cloud.owncloud.test",
  "adminUrl": "https://cloud.owncloud.test",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "redirectUris": [
    "https://cloud.owncloud.test/*"
  ],
  "webOrigins": [
    "https://cloud.owncloud.test"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "id.token.as.detached.signature": "false",
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "false",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "saml.server.signature": "false",
    "saml.server.signature.keyinfo.ext": "false",
    "use.refresh.tokens": "true",
    "exclude.session.state.from.auth.response": "false",
    "oidc.ciba.grant.enabled": "false",
    "saml.artifact.binding": "false",
    "backchannel.logout.session.required": "true",
    "client_credentials.use_refresh_token": "false",
    "saml_force_name_id_format": "false",
    "saml.client.signature": "false",
    "tls.client.certificate.bound.access.tokens": "false",
    "saml.authnstatement": "false",
    "display.on.consent.screen": "false",
    "saml.onetimeuse.condition": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "profile",
    "roles",
    "owncloud",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ],
  "access": {
    "view": true,
    "configure": true,
    "manage": true
  }
}
@DeepDiver1975 do you have an idea?
Logs:
oc10_1 | [Thu Sep 16 09:12:16.596564 2021] [php7:notice] [pid 451] [client 172.17.6.7:58790] {"reqId":"NWgQkMPq6IhOyRvHx7qG","level":0,"time":"2021-09-16T09:12:16+00:00","remoteAddr":"172.17.6.7","user":"--","app":"OpenID","method":"GET","url":"\\/apps\\/openidconnect\\/redirect","message":"Before openid->authenticate"}
oc10_1 | 172.17.6.7 - - [16/Sep/2021:09:12:16 +0000] "GET /apps/openidconnect/redirect HTTP/1.1" 302 1020 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
oc10_1 | [Thu Sep 16 09:12:32.008432 2021] [php7:notice] [pid 452] [client 172.17.6.7:58792] {"reqId":"N4H9hcCfo7QrhwTc02Z5","level":0,"time":"2021-09-16T09:12:32+00:00","remoteAddr":"172.17.6.7","user":"--","app":"OpenID","method":"GET","url":"\\/apps\\/openidconnect\\/redirect?state=0f4109c8f9d98ac65794535e20217a86&session_state=e0097a1e-331c-41ff-8032-f5984c03cd7e&code=07b4c388-b1e6-49cb-9d09-59c4fd9586bc.e0097a1e-331c-41ff-8032-f5984c03cd7e.d7a10629-dba5-4fdb-8da6-3e6e88cc297b","message":"Entering LoginFlowController::login"}
oc10_1 | [Thu Sep 16 09:12:32.008795 2021] [php7:notice] [pid 452] [client 172.17.6.7:58792] {"reqId":"N4H9hcCfo7QrhwTc02Z5","level":0,"time":"2021-09-16T09:12:32+00:00","remoteAddr":"172.17.6.7","user":"--","app":"OpenID","method":"GET","url":"\\/apps\\/openidconnect\\/redirect?state=0f4109c8f9d98ac65794535e20217a86&session_state=e0097a1e-331c-41ff-8032-f5984c03cd7e&code=07b4c388-b1e6-49cb-9d09-59c4fd9586bc.e0097a1e-331c-41ff-8032-f5984c03cd7e.d7a10629-dba5-4fdb-8da6-3e6e88cc297b","message":"Before openid->authenticate"}
oc10_1 | [Thu Sep 16 09:12:32.075323 2021] [php7:notice] [pid 452] [client 172.17.6.7:58792] {"reqId":"N4H9hcCfo7QrhwTc02Z5","level":3,"time":"2021-09-16T09:12:32+00:00","remoteAddr":"172.17.6.7","user":"--","app":"OpenID","method":"GET","url":"\\/apps\\/openidconnect\\/redirect?state=0f4109c8f9d98ac65794535e20217a86&session_state=e0097a1e-331c-41ff-8032-f5984c03cd7e&code=07b4c388-b1e6-49cb-9d09-59c4fd9586bc.e0097a1e-331c-41ff-8032-f5984c03cd7e.d7a10629-dba5-4fdb-8da6-3e6e88cc297b","message":"Exception: {\\"Exception\\":\\"Jumbojett\\\\\\\\OpenIDConnectClientException\\",\\"Message\\":\\"Client secret not provided in request\\",\\"Code\\":0,\\"Trace\\":\\"#0 \\\\\\/mnt\\\\\\/data\\\\\\/apps\\\\\\/openidconnect\\\\\\/lib\\\\\\/Client.php(206): Jumbojett\\\\\\\\OpenIDConnectClient->authenticate()\\\\n#1 \\\\\\/mnt\\\\\\/data\\\\\\/apps\\\\\\/openidconnect\\\\\\/lib\\\\\\/Controller\\\\\\/LoginFlowController.php(126): OCA\\\\\\\\OpenIdConnect\\\\\\\\Client->authenticate()\\\\n#2 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/Http\\\\\\/Dispatcher.php(170): OCA\\\\\\\\OpenIdConnect\\\\\\\\Controller\\\\\\\\LoginFlowController->login(*** sensitive parameters replaced ***)\\\\n#3 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/Http\\\\\\/Dispatcher.php(89): OC\\\\\\\\AppFramework\\\\\\\\Http\\\\\\\\Dispatcher->executeController()\\\\n#4 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/App.php(100): OC\\\\\\\\AppFramework\\\\\\\\Http\\\\\\\\Dispatcher->dispatch()\\\\n#5 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/Routing\\\\\\/RouteActionHandler.php(47): OC\\\\\\\\AppFramework\\\\\\\\App::main()\\\\n#6 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/Route\\\\\\/Router.php(343): OC\\\\\\\\AppFramework\\\\\\\\Routing\\\\\\\\RouteActionHandler->__invoke()\\\\n#7 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/base.php(927): OC\\\\\\\\Route\\\\\\\\Router->match()\\\\n#8 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/index.php(54): OC::handleRequest()\\\\n#9 {main}\\",\\"File\\":\\"\\\\\\/mnt\\\\\\/data\\\\\\/apps\\\\\\/openidconnect\\\\\\/vendor\\\\\\/jumbojett\\\\\\/openid-connect-php\\\\\\/src\\\\\\/OpenIDConnectClient.php\\",\\"Line\\":305}"}
oc10_1 | 172.17.6.7 - - [16/Sep/2021:09:12:31 +0000] "GET /apps/openidconnect/redirect?state=0f4109c8f9d98ac65794535e20217a86&session_state=e0097a1e-331c-41ff-8032-f5984c03cd7e&code=07b4c388-b1e6-49cb-9d09-59c4fd9586bc.e0097a1e-331c-41ff-8032-f5984c03cd7e.d7a10629-dba5-4fdb-8da6-3e6e88cc297b HTTP/1.1" 503 9183 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36"
Current 2.1.0 does support PKCE - but PKCE is broken for some setups due to upstream bugs.
@wkloucek grab https://github.com/owncloud/openidconnect/pull/183 ...
@jnweiger we should incorporate this PR into 2.1.0 - https://github.com/owncloud/openidconnect/pull/183 - THX
Seen with openidconnect 2.1.0-rc1 on core 10.8.0
Started in compose-playground/compose via
docker-compose -f owncloud-base.yml -f owncloud-official.yml -f cache/redis.yml -f database/mariadb.yml -f ldap/openldap.yml -f ldap/openldap-mount-ldif.yml -f owncloud-exported-ports.yml -f ldap/openldap-autoconfig-base.yml -f kopano/konnect/docker-compose.yml
When logging in a user at the Web-UI this error message is seen:
This is from vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php getWellKnownConfigValue(), as the .well-known/openid-configuration returned by kopano does not have a code_challenge_methods_supported element. As per https://datatracker.ietf.org/doc/html/rfc8414 the code_challenge_methods_supported element is optional.
Expected behaviour: Code continues to function as if the method were S256 -- that would be consistent with lib/Client.php, which has a hardcoded
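The following PHP is an added example, not code from the owncloud openidconnect app or from jumbojett/openid-connect-php. It shows the behaviour the issue report and the workaround comment above both ask for: a discovery document that omits the optional code_challenge_methods_supported element (RFC 8414) is treated as "use S256", a provider that does list methods is matched with a strict array lookup, and the PKCE challenge is derived as RFC 7636 specifies and checked against the RFC's own test vector. All function names and the sample discovery documents are constructed for this example.

```php
<?php
// Added example (not from the openidconnect app or the jumbojett library).
// Function names and the sample discovery documents are constructed.

declare(strict_types=1);

/**
 * Pick the code_challenge_method for the authorization request.
 * Returns null when the provider explicitly lists methods and none that we
 * implement is among them; PKCE is then left out of the request.
 */
function selectCodeChallengeMethod(array $discovery): ?string
{
    // RFC 8414: the element is OPTIONAL, so "absent" must not be read as
    // "unsupported". Default to the method RFC 7636 recommends, S256.
    if (!isset($discovery['code_challenge_methods_supported'])
        || !is_array($discovery['code_challenge_methods_supported'])) {
        return 'S256';
    }
    $supported = $discovery['code_challenge_methods_supported'];
    // Strict lookup against an array; a bare string as haystack would be a
    // type error in in_array(), not a default.
    if (in_array('S256', $supported, true)) {
        return 'S256';
    }
    if (in_array('plain', $supported, true)) {
        // "plain" sends the verifier itself as the challenge, so it only helps
        // when the verifier is never observable; use it only as a last resort.
        return 'plain';
    }
    return null;
}

function base64UrlEncode(string $bytes): string
{
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/** RFC 7636 section 4.1: 32 random bytes, base64url-encoded, give a 43-char verifier. */
function generateCodeVerifier(): string
{
    return base64UrlEncode(random_bytes(32));
}

/** RFC 7636 section 4.2: S256 is BASE64URL(SHA256(ASCII(code_verifier))). */
function computeCodeChallenge(string $verifier, string $method): string
{
    switch ($method) {
        case 'S256':
            return base64UrlEncode(hash('sha256', $verifier, true));
        case 'plain':
            return $verifier;
        default:
            throw new InvalidArgumentException("unsupported code_challenge_method: $method");
    }
}

/** PKCE query parameters for the authorization request ([] when PKCE is not used). */
function pkceAuthorizationParams(array $discovery, string $verifier): array
{
    $method = selectCodeChallengeMethod($discovery);
    if ($method === null) {
        return [];
    }
    return [
        'code_challenge' => computeCodeChallenge($verifier, $method),
        'code_challenge_method' => $method,
    ];
}

// Check the S256 derivation against the RFC 7636 Appendix B test vector.
$rfcVerifier = 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk';
$rfcChallenge = 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM';
if (computeCodeChallenge($rfcVerifier, 'S256') !== $rfcChallenge) {
    throw new RuntimeException('S256 derivation does not match RFC 7636 Appendix B');
}

// Constructed discovery documents, trimmed to the one key that matters here.
$issuer = 'https://idp.example.test';
$samples = [
    'element absent'   => ['issuer' => $issuer],
    'S256 and plain'   => ['issuer' => $issuer, 'code_challenge_methods_supported' => ['S256', 'plain']],
    'plain only'       => ['issuer' => $issuer, 'code_challenge_methods_supported' => ['plain']],
    'no usable method' => ['issuer' => $issuer, 'code_challenge_methods_supported' => ['other']],
];
$verifier = generateCodeVerifier();
foreach ($samples as $label => $doc) {
    printf("%-16s -> %s\n", $label, json_encode(pkceAuthorizationParams($doc, $verifier)));
}
```

Run it with `php pkce_example.php`: the "element absent" case yields an S256 challenge, the "no usable method" case yields `[]`, and the script aborts if the S256 derivation ever drifts from the RFC 7636 vector. The verifier generated here must be kept in the session and sent as code_verifier with the token request; that part of the flow is unchanged by how the discovery element is handled.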