owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

Password Policy App and OIDC login #270

Closed T0mWz closed 1 year ago

T0mWz commented 1 year ago

When you have the Password Policy App enabled for local accounts and try to log in via OIDC, you will hit this password policy.

Steps to reproduce

  1. Enable Password Policy app
  2. Set Minimum password requirements
  3. Try to login via OIDC

Expected behaviour

I think you can guess what I should expect 😉

Actual behaviour

{"reqId":"Y3daTbtqL@32yxAFTWMtTwAAABo","level":3,"time":"18\/Nov\/2022:11:11:26","remoteAddr":"10.234.0.3","user":"--","app":"index","method":"GET","url":"\/index.php\/apps\/openidconnect\/redirect?state=c6426bd111abd25b72c02545ffd9582e&session_state=958481b8-bc8f-4300-8f36-a2447481a45e&code=a350d4ce-46ec-4ac8-aa2b-80ce3594a55d.958481b8-bc8f-4300-8f36-a2447481a45e.d7a10629-dba5-4fdb-8da6-3e6e88cc297b","message":"Exception: {\"Exception\":\"OCA\\\\PasswordPolicy\\\\Rules\\\\PolicyException\",\"Message\":\"The password contains too few uppercase letters. At least one uppercase letter is required.\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/apps\\\/password_policy\\\/lib\\\/Engine.php(134): OCA\\\\PasswordPolicy\\\\Rules\\\\Uppercase->verify()\\n#1 \\\/var\\\/www\\\/owncloud\\\/apps\\\/password_policy\\\/lib\\\/HooksHandler.php(172): OCA\\\\PasswordPolicy\\\\Engine->verifyPassword()\\n#2 \\\/var\\\/www\\\/owncloud\\\/apps\\\/password_policy\\\/lib\\\/HooksHandler.php(149): OCA\\\\PasswordPolicy\\\\HooksHandler->verifyPassword()\\n#3 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/symfony\\\/event-dispatcher\\\/EventDispatcher.php(264): OCA\\\\PasswordPolicy\\\\HooksHandler->verifyUserPassword()\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/symfony\\\/event-dispatcher\\\/EventDispatcher.php(239): Symfony\\\\Component\\\\EventDispatcher\\\\EventDispatcher->doDispatch()\\n#5 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/symfony\\\/event-dispatcher\\\/EventDispatcher.php(73): Symfony\\\\Component\\\\EventDispatcher\\\\EventDispatcher->callListeners()\\n#6 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/User\\\/Manager.php(393): Symfony\\\\Component\\\\EventDispatcher\\\\EventDispatcher->dispatch()\\n#7 \\\/var\\\/www\\\/owncloud\\\/lib\\\/public\\\/Events\\\/EventEmitterTrait.php(50): OC\\\\User\\\\Manager->OC\\\\User\\\\{closure}(*** sensitive parameters replaced ***)\\n#8 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/User\\\/Manager.php(410): OC\\\\User\\\\Manager->emittingCall()\\n#9 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Service\\\/AutoProvisioningService.php(121): OC\\\\User\\\\Manager->createUser()\\n#10 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Service\\\/UserLookupService.php(110): OCA\\\\OpenIdConnect\\\\Service\\\\AutoProvisioningService->createUser()\\n#11 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Controller\\\/LoginFlowController.php(143): OCA\\\\OpenIdConnect\\\\Service\\\\UserLookupService->lookupUser()\\n#12 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(170): OCA\\\\OpenIdConnect\\\\Controller\\\\LoginFlowController->login(*** sensitive parameters replaced ***)\\n#13 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(89): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController()\\n#14 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(100): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch()\\n#15 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main()\\n#16 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Route\\\/Router.php(344): OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke()\\n#17 \\\/var\\\/www\\\/owncloud\\\/lib\\\/base.php(933): OC\\\\Route\\\\Router->match()\\n#18 \\\/var\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\n#19 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/apps\\\/password_policy\\\/lib\\\/Rules\\\/Uppercase.php\",\"Line\":33}"}

Config: ownCloud 10.9.1, openidconnect: 2.1.0, password_policy: 2.1.3

DeepDiver1975 commented 1 year ago

for password creation this code needs to be used: https://github.com/owncloud/guests/blob/84ea22147750b73cd957b2ff013356d4e62fec3a/lib/Controller/UsersController.php#L175-L181

T0mWz commented 1 year ago

for password creation this code needs to be used: https://github.com/owncloud/guests/blob/84ea22147750b73cd957b2ff013356d4e62fec3a/lib/Controller/UsersController.php#L175-L181

Um, sorry, I miss your point? My user is logged in via an OIDC provider. There isn't a local user account here, configured with a password. The Password Policy should not hook in here, like with Shibboleth or an LDAP integration.

DeepDiver1975 commented 1 year ago

When creating a new user in owncloud using the openid connect auto provisioning feature a valid password has to be set. Password policy app can help to create a valid password as we do with guests ....
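To make the approach in this comment concrete, here is an added example (written for this page, not code from ownCloud, the openidconnect app, the guests app or password_policy): an auto-provisioning step generates a random password with a CSPRNG that is guaranteed to satisfy the configured rules, and re-verifies it before it would be handed to the user-creation call, so the `PolicyException` seen in the trace above cannot fire. The `ProvisioningPasswordGenerator` class, the `$policy` array and the rule names are constructed stand-ins for the real password_policy settings; a real integration would defer to that app's own rule classes instead of the `verify()` shown here.

```php
<?php
// Added example; not ownCloud, openidconnect, guests or password_policy code.
// Generates a random, policy-compliant password for an auto-provisioned
// account and checks it against the same rules before it is used.
declare(strict_types=1);

final class ProvisioningPasswordGenerator
{
    // Character classes the constructed policy can require.
    private const CLASSES = [
        'uppercase' => 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        'lowercase' => 'abcdefghijklmnopqrstuvwxyz',
        'digits'    => '0123456789',
        'special'   => '!#$%&()*+,-./:;<=>?@[]^_{|}~',
    ];

    /** @var array{min_length:int, require:string[]} constructed stand-in for password_policy settings */
    private array $policy;

    public function __construct(array $policy)
    {
        $this->policy = $policy;
    }

    /** Returns a password that passes verify(); random_int() is PHP's CSPRNG. */
    public function generate(): string
    {
        $chars = [];
        // One character from every required class guarantees each rule is met.
        foreach ($this->policy['require'] as $class) {
            $chars[] = self::pick(self::CLASSES[$class]);
        }
        // Fill up to the minimum length from the full alphabet.
        $alphabet = implode('', array_values(self::CLASSES));
        while (count($chars) < $this->policy['min_length']) {
            $chars[] = self::pick($alphabet);
        }
        // Fisher-Yates shuffle with the CSPRNG so the class positions are not predictable.
        for ($i = count($chars) - 1; $i > 0; $i--) {
            $j = random_int(0, $i);
            [$chars[$i], $chars[$j]] = [$chars[$j], $chars[$i]];
        }
        return implode('', $chars);
    }

    /** Returns the violated rules; an empty array means the password is acceptable. */
    public function verify(string $password): array
    {
        $violations = [];
        if (strlen($password) < $this->policy['min_length']) {
            $violations[] = 'too short';
        }
        foreach ($this->policy['require'] as $class) {
            if (strpbrk($password, self::CLASSES[$class]) === false) {
                $violations[] = "missing {$class}";
            }
        }
        return $violations;
    }

    private static function pick(string $alphabet): string
    {
        return $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
}

// Constructed policy approximating "minimum password requirements" from the issue.
$policy = ['min_length' => 16, 'require' => ['uppercase', 'lowercase', 'digits', 'special']];
$generator = new ProvisioningPasswordGenerator($policy);

// The failure mode in the trace: a password with no uppercase letter is rejected.
var_dump($generator->verify('onlylowercase123!'));

// What the provisioning step should pass to user creation instead.
$password = $generator->generate();
var_dump($generator->verify($password));
```

The generated value is only a placeholder credential: the account is still meant to authenticate through the OIDC provider, so nothing should ever display or store it in the clear.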

T0mWz commented 1 year ago

When creating a new user in owncloud using the openid connect auto provisioning feature a valid password has to be set. Password policy app can help to create a valid password as we do with guests ....

How is a valid password set? I have quite the same config as described here; https://github.com/owncloud/openidconnect#setup-auto-provisioning-mode

I can create a user beforehand, with the correct backend and a valid password, but then it isn't auto provisioning anymore.

Also not an option in the Password Policy App, next to the password requirements.

The app could be extended so that it generates a password when the user is provisioned by the OIDC app. But well, I see OIDC as an external identifier like Shibboleth or LDAP, where a session token is provided and never a password...

DeepDiver1975 commented 1 year ago

This is something we developers need to change in the openid connect app.

T0mWz commented 1 year ago

Maybe this helps too regarding this issue; https://github.com/owncloud/core/pull/40512

T0mWz commented 1 year ago

Hmm, I thought at first to just disable the app completely, but then no policy can be set for public links either. So that's a bit of a bummer. So skipping the password policy for token based auth seems to me the best way to go.

DeepDiver1975 commented 1 year ago

@T0mWz please have a look at #282 - this should fix this issue. THX