Open ksk0 opened 2 days ago
Hey @ksk0, thank you for your input. I have noticed the very same issue on my end. Quite similar setup, Azure AD as OIDC server and auto-provisioning, but without a keycloak server in between.
The issue with the blank email field and the recreation of existing users started to show when I upgraded my owncloud instance from 10.13.3 directly to 10.5.0, and OpenID Connect was simultaneously upgraded from 2.2.0 to 2.3.0.
A possible workaround as you mentioned could be to change the mode from email to userid, but this doesn't help already provisioned users. For now I have restored a backup with owncloud version 10.13.3 but this isn't exactly a solution as that version is a year old.
Can anyone replicate that issue too?
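To make the failure mode in this thread concrete, here is an added example (not code from the openidconnect app) that models auto-provisioning under the email and userid modes: with an empty email claim the legacy path stores NULL and so re-creates the account on every login, a fail-closed variant refuses to provision instead, and a check flags the resulting duplicate rows in an oc_accounts-style extract. The class and function names and all sample claims are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:                     # one row of an oc_accounts-style table
    user_id: str
    email: Optional[str]           # NULL in the database becomes None here
    display_name: str


class Provisioner:
    """Toy model of OIDC auto-provisioning (assumed, not the app's own code).
    mode 'email' matches the token's email claim against stored emails;
    mode 'userid' uses the token's sub claim as the ownCloud user id."""

    def __init__(self, mode: str, fail_closed: bool = False):
        self.mode, self.fail_closed = mode, fail_closed
        self.accounts: List[Account] = []
        self._seq = 0

    def login(self, claims: dict) -> Account:
        key = claims.get("email") if self.mode == "email" else claims.get("sub")
        if not key and self.fail_closed:
            # Hardened variant: never provision from a token that lacks the
            # attribute the account would later be looked up by.
            raise PermissionError(f"token has no '{self.mode}' claim; not provisioning")
        for acc in self.accounts:
            stored = acc.email if self.mode == "email" else acc.user_id
            if key and stored == key:
                return acc
        # No match: auto-provision. With an empty email claim the stored email
        # is None, so the next login cannot match it and creates yet another row.
        self._seq += 1
        uid = key if self.mode == "userid" else f"user_{self._seq:02d}"
        acc = Account(uid, claims.get("email") or None, claims.get("name", ""))
        self.accounts.append(acc)
        return acc


def duplicate_null_email_accounts(rows: List[Account]) -> Dict[str, List[str]]:
    """Report display names owning several accounts with NULL email, i.e.
    users who were re-provisioned on each login."""
    by_name: Dict[str, List[str]] = {}
    for r in rows:
        if r.email is None:
            by_name.setdefault(r.display_name, []).append(r.user_id)
    return {n: ids for n, ids in by_name.items() if len(ids) > 1}
```

Running the same email-less token through `Provisioner("email")` several times reproduces the "created 4 times" pattern, while `fail_closed=True` or mode `userid` keeps a single account.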
This change is most probably causing your trouble: https://github.com/owncloud/openidconnect/pull/282/files#diff-018c95ee4f1caae96378b051d301d4bf0967c1f673322950a0d92661cd9bdc3dR166
Problem
I set up an owncloud server a year ago. Authentication is done using the OpenID Connect app/module, and users are auto-provisioned. Microsoft Azure AD is used as the OIDC server; for technical reasons, authentication is proxied through a keycloak server. The owncloud server is the dockerised version. The initial installation was 10.13.2.3. Everything was working fine.
I have regularly upgraded owncloud as well as the OpenID Connect app. The current owncloud version is 10.15.0.2, and the OpenID Connect app version is 2.3.0. At a certain point in time, new users started to be auto-provisioned with the email set to NULL, so each new login of a user resulted in the creation of a new account. The user would be issued a new user_id and the email would again be set to NULL, preventing users from using the owncloud server (files created in one session would not be accessible in a new session).
The problem persists even if I authenticate directly with Microsoft Azure AD, bypassing the keycloak server.
I don't know after which upgrade of owncloud or OpenID Connect this happened; I was informed of the problems by users only recently.
Thank you in advance for any help/suggestions. More details follow below.
Details
A short extract from the mariaDB oc_accounts table looks as follows:
As is visible, _Bad_user_01_ was created 4 times. It is also visible that the problems started somewhere around the end of June.
The OpenID Connect php config is as follows:
If I modify the OpenID Connect php config with:
new entries in the mariaDB oc_accounts table would look like this:
i.e. the user would be assigned an email in the database, so only one login is needed, but this way existing users are redefined and can't access already uploaded files.
Communication with OIDC seems to work fine. Manually testing OIDC authentication shows that the content of the received token is as follows:
The full config of the docker container, done with docker compose, is as follows:
keycloak proxying
If of interest, the reason I am using keycloak between owncloud and Microsoft Azure AD stems from the fact that I had problems with the owncloud clients for desktop, Android and iOS. Microsoft Azure AD would reject the authentication request, and after a long battle with (some sort of) debugging, I found that in the request sent to Microsoft Azure AD the argument prompt had to be rewritten to be accepted (I am not in any way a master of OIDC, so my problem and solution were the best I could do).
For that reason, I added a keycloak server, which is containerized and served by an nginx web server, which in turn does the request rewriting. For the flexibility it offers, lua is used for rewriting the arguments of the request.
But, as I have said above, the problem with new accounts with a NULL email address persists even if I authenticate directly with Microsoft Azure AD, bypassing the keycloak server.
Below is the lua code in the nginx configuration used for the rewriting: