Authentik's OIDC implementation aims to follow the OIDC specifications as closely as possible (per https://github.com/goauthentik/authentik/issues/7251), which causes some problems with the configuration options available in OCIS. There are a few different ways to solve this in the OCIS code-base, which is perhaps where it should be fixed for broader OIDC compatibility.
The current state is that while Authentik can be used for web auth to OCIS, due to how OCIS functions it can't support the desktop/iOS/Android apps.
Authentik creates application clients (they call them providers) with two options for the issuer:
1. (default) The issuer URL is unique per application, e.g. https://auth.domain/application/o/owncloud/
2. The issuer is the same root for every application, e.g. https://auth.domain/
The well-known configuration is the same in both situations (http://auth.domain/application/o/owncloud/.well-known/openid-configuration).
Using the first configuration does not work, because OCIS can only use one client's issuer for token validation, and each client (web, desktop, mobile) has a different issuer. If OCIS allowed multiple issuers to be passed to it, this problem would be fixed.
The second configuration would almost work, because at least the tokens for each client would have the same issuer. However, while the web client uses WEB_OIDC_METADATA_URL, there is no matching OCIS_OIDC_METADATA_URL option, so when the OCIS backend attempts to verify the token by loading the well-known configuration, unlike the web client it creates the well-known URL based on the issuer URL. I'm not sure allowing an OCIS_OIDC_METADATA_URL would help here, because technically OCIS needs a metadata URL for each client.
Being able to declare a wildcard match separately for the issuer for validity (or stating that just matching the domain is fine) would also remedy this.
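To make the two failure modes concrete, here is a small added Go example (not code from oCIS or Authentik) of the two checks involved: deriving the discovery URL from the issuer, and comparing a token's `iss` claim against the issuers the backend trusts. The config struct, the `owncloud-desktop` provider name and the exact way the well-known URL is derived are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed (not oCIS's real config struct): the two knobs the issue discusses.
type oidcConfig struct {
	Issuer      string // the single issuer OCIS trusts today
	MetadataURL string // hypothetical override; empty means "derive from issuer"
}

// discoveryURL builds the provider-configuration URL. Without an override it
// follows OIDC Discovery 1.0 section 4: strip any trailing "/" from the issuer,
// then append "/.well-known/openid-configuration". The issue reports that the
// OCIS backend derives the URL from the issuer (assumed to be in this form),
// so with a root issuer the result no longer points at Authentik's
// per-application document.
func discoveryURL(cfg oidcConfig) string {
	if cfg.MetadataURL != "" {
		return cfg.MetadataURL
	}
	return strings.TrimSuffix(cfg.Issuer, "/") + "/.well-known/openid-configuration"
}

// validateIssuer is the exact-string `iss` check OIDC Core section 3.1.3.7
// requires, but against a list of trusted issuers instead of a single one.
// With per-application issuers, each client (web, desktop, mobile) needs its
// own entry; no wildcard or domain-prefix matching is done.
func validateIssuer(iss string, trusted []string) error {
	for _, t := range trusted {
		if iss == t {
			return nil
		}
	}
	return errors.New("id_token issuer " + iss + " is not a trusted issuer")
}

func main() {
	// Constructed sample: per-application issuers, one per Authentik provider.
	web := "https://auth.domain/application/o/owncloud/"
	desktop := "https://auth.domain/application/o/owncloud-desktop/" // assumed name
	fmt.Println("desktop token, single issuer:", validateIssuer(desktop, []string{web}))
	fmt.Println("desktop token, issuer list:  ", validateIssuer(desktop, []string{web, desktop}))

	// Root issuer: every token shares "iss", but the derived discovery URL is wrong.
	root := oidcConfig{Issuer: "https://auth.domain/"}
	fmt.Println("derived: ", discoveryURL(root))
	root.MetadataURL = "https://auth.domain/application/o/owncloud/.well-known/openid-configuration"
	fmt.Println("override:", discoveryURL(root))
}
```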