owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

How to connect clients when IDP doesn't allow custom clientId's #196

Closed stijnbrouwers closed 2 years ago

stijnbrouwers commented 2 years ago

I have done the complete setup for OpenID Connect to my IDP (AWS Cognito), which works like a charm when logging in with the browser. I also set up service discovery as described in the documentation: https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/oidc.html#set-up-service-discovery When using the mobile app or desktop app, they successfully discover that OpenID is enabled and open up a browser to log in.

But this is where things go wrong. I get an error, which is normal since the clientID/clientSecret combination of the client as described here is not known to my IDP. The simple reason I can't resolve this is that my IDP (AWS Cognito) doesn't allow a custom Client ID when creating an app client (and I think it's the same situation when using Azure AD). They are always generated and cannot be edited.

Can this be resolved in some way? And if so, how? Is there any documentation on this?

DeepDiver1975 commented 2 years ago

Can this be resolved in some way? And if so, how?

One option is to use dynamic client registration, which is partially available already in the individual clients. If this is not possible you would need to build your own clients to get your specific client id/secret into these clients. Not the most convenient approach, but no other option :shrug:

stijnbrouwers commented 2 years ago

@DeepDiver1975

Thanks for your quick response! Option 1: I understand. It's a feature that some IDPs provide (which is not the case for AWS, if I'm not mistaken). The ownCloud features support it, and if my IDP provided it, it would work "automatically". Option 2: I'm not sure I understand. Do you mean you can't use the official clients and need to build your own iOS, Android and desktop apps? Or that I need to create some kind of wrapper around the ownCloud clients that does some kind of clientid/secret mapping?

DeepDiver1975 commented 2 years ago

Option 1: I understand. It's a feature that some IDPs provide (which is not the case for AWS, if I'm not mistaken). The ownCloud features support it, and if my IDP provided it, it would work "automatically".

yes

Option 2: I'm not sure I understand. Do you mean you can't use the official clients and need to build your own iOS, Android and desktop apps? Or that I need to create some kind of wrapper around the ownCloud clients that does some kind of clientid/secret mapping?

As of today, the client id and secret are compiled into the code base of the desktop client and the mobile apps. So if you cannot use dynamic client registration or the hard-coded "default" credentials, you are doomed to recompile the clients yourself. This is then classic open source business - get the code and compile it yourself ;-)

For enterprise customers this is something which is handled within the enterprise edition/subscription...

I understand that this is not the most optimal situation for the community - but OpenID is currently considered a feature which is mainly of interest to enterprises.
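The two paths laid out in the replies above (dynamic client registration, or the client id/secret that is compiled into the apps) as an added example that is not code from the ownCloud project or its clients: it checks whether an IdP's discovery document advertises an RFC 7591 registration endpoint at all, builds the registration request a native client would send, and validates the IdP's answer. The discovery documents, the response body and the idp.example.com URLs are constructed samples.

```python
import json
from urllib.parse import urlparse

# Constructed samples of what an IdP's /.well-known/openid-configuration
# can return; only the fields this example reads are included.
DISCOVERY_WITH_REGISTRATION = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "registration_endpoint": "https://idp.example.com/register",
})
DISCOVERY_WITHOUT_REGISTRATION = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
})


def registration_endpoint(discovery_json):
    """Return the RFC 7591 registration endpoint advertised in the
    discovery document, or None when the IdP offers no dynamic client
    registration (the AWS Cognito situation in this thread)."""
    doc = json.loads(discovery_json)
    endpoint = doc.get("registration_endpoint")
    # OIDC Discovery requires endpoints to be served over https; a plain
    # http endpoint would expose the new client's secret in transit.
    if endpoint is None or urlparse(endpoint).scheme != "https":
        return None
    return endpoint


def registration_request(redirect_uris, client_name):
    """Build the JSON body a client POSTs to the registration endpoint
    (RFC 7591 section 2): authorization code flow with refresh tokens."""
    return {
        "client_name": client_name,
        "redirect_uris": list(redirect_uris),
        "grant_types": ["authorization_code", "refresh_token"],
        "response_types": ["code"],
        "token_endpoint_auth_method": "client_secret_basic",
    }


def parse_registration_response(body_json):
    """Validate the IdP's answer: client_id is mandatory; a secret is
    optional and may carry an expiry (0 means it never expires)."""
    body = json.loads(body_json)
    if "client_id" not in body:
        raise ValueError("registration response lacks client_id")
    secret = body.get("client_secret")
    expires = body.get("client_secret_expires_at", 0) if secret else None
    return body["client_id"], secret, expires
```

If `registration_endpoint` returns None for your IdP, only the second path (clients built with your own credentials) remains.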

stijnbrouwers commented 2 years ago

Ah ok, that's actually extremely stupid of me not to think of this solution :-)

I think it's acceptable since I know you can set your own download links for the clients through the config.php file. This way we can point to the custom compiled versions with our credentials.

Thanks for your help!