owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

FR: Add support for CAS Apereo #294

Open wixaw opened 1 year ago

wixaw commented 1 year ago

Hello. ownCloud does not retrieve user attributes from the OIDC server, although we have this information in the token (see log). We use CAS Apereo for OpenID Connect. For information, on our GitLab instance we get all the attributes.

Config ownCloud:

'openid-connect' =>
array (
  'provider-url' => 'https://sso.domain.fr/cas/oidc',
  'client-id' => 'oidc-cloudtest',
  'client-secret' => 'xxxx',
  'loginButtonName' => 'Login via Domain Connect',
  'auto-provision' =>
  array (
    'enabled' => true,
    'email-claim' => 'email',
    'update' =>
    array (
      'enabled' => true,
    ),
  ),
  'mode' => 'userid',
  'search-attribute' => 'sub',
),

Log ownCloud:

{
  "reqId": "ZIblbqHnwAuBz@dXDiATQAAASg8",
  "level": 0,
  "time": "2023-06-12T11:29:18+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?redirect_url=%252Fsettings%252Fpersonal",
  "message": "Entering LoginFlowController::login"
}
{
  "reqId": "ZIblbqHnwAuBz@dXDiATQAAASg8",
  "level": 0,
  "time": "2023-06-12T11:29:18+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?redirect_url=%252Fsettings%252Fpersonal",
  "message": "Before openid->authenticate"
}
{
  "reqId": "ZIblbwLOUWd2nsxuuZq9dQAAFQA",
  "level": 0,
  "time": "2023-06-12T11:29:19+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "admin",
  "app": "OC\\User\\Session::validateToken",
  "method": "GET",
  "url": "\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json",
  "message": "token xxxxxxxxxx with token id 3945134 found, validating"
}
{
  "reqId": "ZIblbwLOUWd2nsxuuZq9dQAAFQA",
  "level": 0,
  "time": "2023-06-12T11:29:19+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "admin",
  "app": "OC\\Authentication\\Token\\DefaultTokenProvider::updateTokenActivity",
  "method": "GET",
  "url": "\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json",
  "message": "updating activity of token 3945134 to 1686562159"
}
{
  "reqId": "ZIblbwLOUWd2nsxuuZq9dQAAFQA",
  "level": 0,
  "time": "2023-06-12T11:29:19+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "admin",
  "app": "OC\\User\\Session::validateToken",
  "method": "GET",
  "url": "\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json",
  "message": "token xxxxxxxxxx with token id 3945134 found, validating"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "Entering LoginFlowController::login"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "Before openid->authenticate"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "PHP",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "Undefined offset: 1 at \/local\/owncloud.1060prod\/apps\/openidconnect\/vendor\/jumbojett\/openid-connect-php\/src\/OpenIDConnectClient.php#1319"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "LoginFlowController::login : Token info: {\n    \"access_token\": \"AT-3-FX-xxxxxxxxxx\",\n    \"refresh_token\": \"RT-3-xxxxxxxxxx--Glsf4aaPvyKB\",\n    \"id_token\": \"{"alg":"RS256","typ":"JWT","kid":"cas-iAMmVNys"}{
    "jti": "TGT-xxxxxxx-sso.domain.fr",
    "sid": "0e98d7d19931xxxxxae4845c4944",
    "iss": "https://sso.domain.fr/cas/oidc",
    "aud": "oidc-cloudtest",
    "exp": 1686590963,
    "iat": 1686562163,
    "nbf": 1686561863,
    "sub": "dupon",
    "amr": [
      "LdapAuthenticationHandler"
    ],
    "client_id": "oidc-cloudtest",
    "auth_time": 1686562161,
    "state": "xxxxxxxxxx",
    "nonce": "xxxxxxxx",
    "at_hash": "xxxxg",
    "email": "Joe.dupon@domain.fr",
    "family_name": "dupon",
    "given_name": "Annie",
    "name": "dupon Annie",
    "preferred_username": "dupon"
  }
xxxxx\",\n    \"access_token_payload\": null\n}"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "User info: {\"sub\":\"dupon\",\"service\":\"https:\\\/\\\/cloud.domain.fr\\\/apps\\\/openidconnect\\\/redirect\",\"auth_time\":1686562161,\"attributes\":{\"name\":\"dupon Joe\",\"given_name\":\"Joe\",\"family_name\":\"dupon\",\"email\":\"Joe.dupon@domain.fr\"},\"id\":\"dupon\",\"client_id\":\"oidc-cloudtest\"}"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "PHP",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "Undefined property: stdClass::$email at \/local\/owncloud.1060prod\/apps\/openidconnect\/lib\/Client.php#265"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OC\\Authentication\\Token\\DefaultTokenProvider::generateToken",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "generating token xxxxxxxxxx, uid dupon, loginName dupon, pwd empty, name Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36, type temporary"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "core",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "OC\\Authentication\\LoginPolicies\\GroupLoginPolicy policy registered"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 1,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OC\\User\\Session::loginInOwnCloud",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "login dupon using \"OCA\\OpenIdConnect\\OpenIdConnectAuthModule\" login type"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQgAATA8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "dupon",
  "app": "PHP",
  "method": "GET",
  "url": "\/settings\/personal",
  "message": "Undefined offset: 1 at \/local\/owncloud.1060prod\/apps\/openidconnect\/vendor\/jumbojett\/openid-connect-php\/src\/OpenIDConnectClient.php#1319"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQgAATA8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "dupon",
  "app": "no app in context",
  "method": "GET",
  "url": "\/settings\/personal",
  "message": "Introspection info: {\"token\":\"AT-3-FX-xxxxxxxxxx\",\"active\":true,\"sub\":\"dupon\",\"scope\":\"email openid profile\",\"iat\":1686562163,\"exp\":1686590963,\"realmName\":\"LdapAuthenticationHandler\",\"uniqueSecurityName\":\"dupon\",\"tokenType\":\"Bearer\",\"aud\":\"https:\\\/\\\/cloud.domain.fr\\\/apps\\\/openidconnect\\\/redirect\",\"iss\":\"https:\\\/\\\/sso.domain.fr\\\/cas\\\/oidc\",\"client_id\":\"oidc-cloudtest\",\"grant_type\":\"authorization_code\"}"
}

Log OIDC server:

cas      | 2023-06-12 09:16:48,868 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
cas      | =============================================================
cas      | WHO: dupon
cas      | WHAT: {grant_type=authorization_code, service=https://cloud.domain.fr/apps/openidconnect/redirect, response_type=none, scopes=[email, openid, profile], client_id=oidc-cloudtest, token=OC-2-********9o7RYaSVBPux6Mr1A9mm}
cas      | ACTION: OAUTH2_ACCESS_TOKEN_REQUEST_CREATED
cas      | APPLICATION: CAS
cas      | WHEN: Mon Jun 12 09:16:48 UTC 2023
cas      | CLIENT IP ADDRESS: ip.ip.ip..44
cas      | SERVER IP ADDRESS: 10.10.1.3
cas      | =============================================================
cas      |
cas      | >
cas      | 2023-06-12 09:16:48,878 WARN [org.apereo.cas.oidc.token.OidcIdTokenGeneratorService] - <Individual claims requested by OpenID scopes are forced to be included in the ID token. This is a violation of the OpenID Connect specification and a workaround via dedicated CAS configuration. Claims should be requested from the userinfo/profile endpoints in exchange for an access token.>
cas      | 2023-06-12 09:16:48,882 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
cas      | =============================================================
cas      | WHO: dupon
cas      | WHAT: {access_token=AT-2-********VDdTEZwfdFOyqB-HvakR, refresh_token=RT-2-********suD-P6Ic7QMcx4kMYNjv, scope=email openid profile, id_token=********..., token_type=Bearer, expires_in=28800}
cas      | ACTION: OAUTH2_ACCESS_TOKEN_RESPONSE_CREATED
cas      | APPLICATION: CAS
cas      | WHEN: Mon Jun 12 09:16:48 UTC 2023
cas      | CLIENT IP ADDRESS: ip.ip.ip..44
cas      | SERVER IP ADDRESS: 10.10.1.3
cas      | =============================================================
cas      |
cas      | >
cas      | 2023-06-12 09:16:48,954 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
cas      | =============================================================
cas      | WHO: dupon
cas      | WHAT: {service=https://cloud.domain.fr/apps/openidconnect/redirect, attributes={name=[dupon Joe], given_name=[Joe], family_name=[dupon], email=[Joe.dupon@domain.fr]}, id=dupon, scopes=[email, openid, profile], client_id=oidc-cloudtest}
cas      | ACTION: OAUTH2_USER_PROFILE_CREATED
cas      | APPLICATION: CAS
cas      | WHEN: Mon Jun 12 09:16:48 UTC 2023
cas      | CLIENT IP ADDRESS: ip.ip.ip..44
cas      | SERVER IP ADDRESS: 10.10.1.3
cas      | =============================================================
cas      |
cas      | >
cas      | 2023-06-12 09:16:49,763 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
cas      | =============================================================
cas      | WHO: audit:unknown
cas      | WHAT: {result=Service Access Granted, service=https://cloud.domain.fr/apps/openidconnect/redirect, requiredAttributes={}}
cas      | ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
cas      | APPLICATION: CAS
cas      | WHEN: Mon Jun 12 09:16:49 UTC 2023
cas      | CLIENT IP ADDRESS: ip.ip.ip..44
cas      | SERVER IP ADDRESS: 10.10.1.3
cas      | =============================================================
cas      |
cas      | >

Thank you in advance
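The "User info" line in the ownCloud log shows the CAS userinfo response carrying the profile claims inside a nested `attributes` object, whereas an OpenID Connect Core 1.0 §5.3.2 userinfo response places them at the top level, which is consistent with the `Undefined property: stdClass::$email` notice that follows. The example below is added here to illustrate the two response shapes and a claim lookup that tolerates both; it is not ownCloud's or CAS's code, the sample responses are constructed from the log (values shortened), and the function names `claim` and `provisioning_decision` are mine.

```python
# Constructed sample modelled on the "User info" line in the issue log:
# CAS nests the profile claims under "attributes" (not the real response).
CAS_USERINFO = {
    "sub": "dupon",
    "service": "https://cloud.domain.fr/apps/openidconnect/redirect",
    "auth_time": 1686562161,
    "attributes": {
        "name": "dupon Joe",
        "given_name": "Joe",
        "family_name": "dupon",
        "email": "Joe.dupon@domain.fr",
    },
    "id": "dupon",
    "client_id": "oidc-cloudtest",
}

# The same identity as a standard OIDC Core 1.0 §5.3.2 userinfo response:
# claims are top-level members, which is what an `email-claim` lookup expects.
STANDARD_USERINFO = {
    "sub": "dupon",
    "name": "dupon Joe",
    "given_name": "Joe",
    "family_name": "dupon",
    "email": "Joe.dupon@domain.fr",
}


def claim(userinfo: dict, name: str):
    """Resolve a claim by name from a parsed userinfo response.

    Checks the top level first (standard shape), then falls back to a
    CAS-style nested "attributes" object. Multi-valued attributes (the CAS
    audit log shows e.g. email=[...]) are reduced to their first value.
    Returns None when the claim is genuinely absent.
    """
    value = userinfo.get(name)
    if value is None:
        attrs = userinfo.get("attributes")
        if isinstance(attrs, dict):
            value = attrs.get(name)
    if isinstance(value, list):
        value = value[0] if value else None
    return value


def provisioning_decision(userinfo: dict, email_claim: str = "email"):
    """Auto-provision check: require a usable email, else refuse explicitly.

    Returns (ok, detail). A missing claim is reported rather than the account
    being created with an empty email, as the log shows happening here.
    """
    email = claim(userinfo, email_claim)
    if not isinstance(email, str) or "@" not in email:
        return (False, f"claim '{email_claim}' not found in userinfo")
    return (True, email)
```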

DeepDiver1975 commented 1 year ago

We use CAS Apereo for OpenID Connect

This is not a supported IdP as of now - https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/oidc.html#supported-identity-providers

wixaw commented 1 year ago

Ok, do you have an availability date?

DeepDiver1975 commented 1 year ago

Ok, do you have an availability date?

No - this is exclusively customer demand driven due to the effort of setting up and maintaining test environments over the whole product life cycle. Sorry