OpenId Connect (OIDC) Integration for ownCloud
Synology as OIDC Provider issues #310

mostdcoa commented 3 months ago

I am attempting to use our user database on our Synology.

Error: Error in OpenIdConnect:The provider issuer could not be fetched. Make sure your provider has a well known configuration available.

I've tried multiple variations of the config.php openid-connect parameters/keys:

  'openid-connect' => [
    'provider-url' => 'https://synology.domain.com/webman/sso/.well-known/openid-configuration',
    'client-id' => 'ID',
    'client-secret' => 'SECRET',
    'loginButtonName' => 'OpenId Connect',
    'provider-params' => [
      'authorization_endpoint' => 'https://synology.domain.com/webman/sso/SSOOauth.cgi',
      'token_endpoint' => 'https://synology.domain.com/webman/sso/SSOAccessToken.cgi',
      'token_endpoint_auth_methods_supported' => '[ "client_secret_basic", "client_secret_post" ]',
      'userinfo_endpoint' => 'https://synology.domain.com/webman/sso/SSOUserInfo.cgi',
      #'registration_endpoint' => '...',
      #'end_session_endpoint' => '...',
      'jwks_uri' => 'https://synology.domain.com/webman/sso/openid-jwks.json',
    ],
  ],

Here is the .well-known/openid-configuration from the Synology OIDC server:

{
   "authorization_endpoint" : "https://synology.domain.com/webman/sso/SSOOauth.cgi",
   "claims_supported" : [ "aud", "email", "exp", "groups", "iat", "iss", "sub", "username" ],
   "code_challenge_methods_supported" : [ "S256", "plain" ],
   "grant_types_supported" : [ "authorization_code", "implicit" ],
   "id_token_signing_alg_values_supported" : [ "RS256" ],
   "issuer" : "https://synology.domain.com/webman/sso",
   "jwks_uri" : "https://synology.domain.com/webman/sso/openid-jwks.json",
   "response_types_supported" : [ "code", "code id_token", "id_token", "id_token token" ],
   "scopes_supported" : [ "email", "groups", "openid" ],
   "subject_types_supported" : [ "public" ],
   "token_endpoint" : "https://synology.domain.com/webman/sso/SSOAccessToken.cgi",
   "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
   "userinfo_endpoint" : "https://synology.domain.com/webman/sso/SSOUserInfo.cgi"
}

Steps I've done from https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/oidc.html

  1. Added the OpenID Connect app on the ownCloud server.
  2. Added the 'http.cookie.samesite' => 'None',
  3. Using the occ command (with my specific config):

       sudo -u www-data ./occ config:app:set \
         openidconnect \
         openid-connect \
         --value='{"provider-url":"https:\/\/idp.example.net","client-id":"fc9b5c78-ec73-47bf-befc-59d4fe780f6f","client-secret":"e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1","loginButtonName":"Login via OpenId Connect"}'

  4. Using the auto-provision keys/params similar to One-Login's, but unless I specify all the URLs, it usually just fails immediately with the failed-to-fetch error. If I have the above URL-specified OIDC keys, then it will have me log in to the Synology, but when I have authenticated it just goes back to failed to fetch.
  5. To note, our users don't have emails, just "Names" on the Synology user database.
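
An added example, not part of the original post or of ownCloud's code: an offline check of a `provider-url` against a discovery document, using the OpenID Connect Discovery 1.0 rules that the client requests the issuer plus `/.well-known/openid-configuration` and that the returned `issuer` must be identical to the configured one. The names `check_discovery`, `discovery_url` and `SAMPLE_METADATA` (a subset of the document quoted in the post) are illustrative, and it assumes the client follows the specification.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata that OpenID Connect Discovery 1.0 marks as REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")
# Metadata fields that are JSON arrays (the ones present in the quoted document).
ARRAY_KEYS = REQUIRED[3:] + ("scopes_supported", "claims_supported",
                             "grant_types_supported", "code_challenge_methods_supported",
                             "token_endpoint_auth_methods_supported")

# Constructed sample: a subset of the discovery document quoted in the post.
BASE = "https://synology.domain.com/webman/sso"
SAMPLE_METADATA = {
    "issuer": BASE,
    "authorization_endpoint": BASE + "/SSOOauth.cgi",
    "token_endpoint": BASE + "/SSOAccessToken.cgi",
    "jwks_uri": BASE + "/openid-jwks.json",
    "response_types_supported": ["code", "code id_token", "id_token", "id_token token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

def discovery_url(provider_url):
    """URL a spec-following client fetches: issuer plus the well-known suffix."""
    return provider_url.rstrip("/") + WELL_KNOWN

def check_discovery(provider_url, metadata):
    """Return a list of problems; an empty list means config and metadata agree."""
    problems = []
    if provider_url.rstrip("/").endswith(WELL_KNOWN):
        problems.append("provider-url includes the well-known path; fetch would be "
                        + discovery_url(provider_url))
    problems += ["missing required metadata: " + k for k in REQUIRED if k not in metadata]
    if metadata.get("issuer") != provider_url:
        problems.append("issuer %r does not match provider-url" % metadata.get("issuer"))
    for key, value in metadata.items():
        if key in ARRAY_KEYS and not isinstance(value, list):
            problems.append(key + " must be a JSON array, not " + type(value).__name__)
        is_url = key in ("issuer", "jwks_uri") or key.endswith("_endpoint")
        if is_url and urlsplit(str(value)).scheme != "https":
            problems.append(key + " is not an https URL")
    return problems

if __name__ == "__main__":
    for url in (BASE, BASE + WELL_KNOWN):
        print(url, "->", check_discovery(url, SAMPLE_METADATA) or "consistent")
```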