pulsejet / nextcloud-oidc-login

Nextcloud login via a single OpenID Connect 1.0 provider
https://apps.nextcloud.com/apps/oidc_login
GNU Affero General Public License v3.0

No configuration key to disable HTTP Basic Auth for requests to get tokens from OpenID Connect provider? #72

Closed C-Duv closed 3 years ago

C-Duv commented 3 years ago

When trying to use this plugin on Nextcloud 20 I got a "User did not authorize openid scope." error page after authenticating on the OpenID Connect provider.

By looking at the source code I've found out OpenIDConnectClient::requestTokens() (in src/OpenIDConnectClient.php) was getting a "Bad request" HTTP response from the OpenID Connect provider when querying the $token_endpoint. It looks like it performs HTTP Basic Auth by default and I can't find documentation on how to tell it not to.

It seems to be configurable via the token_endpoint_auth_methods_supported config key, but should I set it to false? An empty array?

Commenting out lines 768 to 773 fixed my issue: requests to the provider are now made without Basic Auth and login works.

pulsejet commented 3 years ago

This sounds like a problem with your OIDC provider. What provider is this?

C-Duv commented 3 years ago

I am using LemonLDAP::NG.

pulsejet commented 3 years ago

Are you sure the client is set to confidential? All token requests MUST be authenticated for confidential clients (see RFC 6749), which is the only type this plugin supports; looks like your config isn't right if the request succeeds without auth.

C-Duv commented 3 years ago

Thanks for the hint (keywords "client" and "confidential"): setting the Relying Party to "Public client" (configuration on the LemonLDAP::NG side) fixed the issue.
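The exchange behind this thread, written out as an added example (Python, not code from nextcloud-oidc-login or LemonLDAP::NG): the relying party builds its token request with client_secret_basic when it is a confidential client and with a bare client_id when it is public, and a minimal provider-side check shows why a client registered as public yet sending Basic credentials gets a 400, while a confidential client that skips authentication is refused with 401. It goes slightly beyond the thread by covering both mismatch directions. The client registry, ids, secrets, codes and URL are constructed placeholders.

```python
"""Token-endpoint client authentication, RFC 6749 sections 2.3.1 and 4.1.3.

Added example for this thread; it is not code from nextcloud-oidc-login or
LemonLDAP::NG. It models both sides of the exchange the issue is about:
the relying party building its token request, and a provider deciding
whether the registered client type matches how the request authenticates.
Client ids, secrets, codes and URLs are constructed placeholders.
"""
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import quote, unquote

# Constructed registry: what the provider knows about each relying party.
REGISTERED_CLIENTS = {
    "nextcloud-confidential": {"type": "confidential", "secret": "s3cr3t-example"},
    "nextcloud-public": {"type": "public", "secret": None},
}


@dataclass
class TokenRequest:
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def build_token_request(client_id, client_secret, code, redirect_uri, confidential):
    """Build the authorization_code grant request an RP posts to token_endpoint.

    Confidential clients authenticate with client_secret_basic: an
    Authorization header carrying base64(urlencode(id) + ":" + urlencode(secret)).
    Public clients have no secret and only identify themselves with a
    client_id form parameter (RFC 6749 section 3.2.1).
    """
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if confidential:
        if not client_secret:
            raise ValueError("a confidential client must present its client_secret")
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        body["client_id"] = client_id
    return TokenRequest(headers=headers, body=body)


def provider_handle_token_request(req):
    """Minimal token-endpoint decision logic; returns (http_status, json_body).

    Error codes follow RFC 6749 section 5.2. Which status a real provider
    picks for a public client that unexpectedly sends Basic credentials
    varies; the thread above saw a 400 from LemonLDAP::NG.
    """
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            return 400, {"error": "invalid_request"}
        client_id, _, secret = raw.partition(":")
        client_id, secret = unquote(client_id), unquote(secret)
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None:
            return 401, {"error": "invalid_client"}
        if client["type"] != "confidential":
            # Registered as public but authenticating as confidential: the
            # mismatch behind the "Bad request" in this thread.
            return 400, {"error": "invalid_request"}
        if not hmac.compare_digest(secret, client["secret"]):
            return 401, {"error": "invalid_client"}
    else:
        client = REGISTERED_CLIENTS.get(req.body.get("client_id", ""))
        if client is None or client["type"] != "public":
            # Confidential clients MUST authenticate on every token request;
            # an unauthenticated request from one is rejected outright.
            return 401, {"error": "invalid_client"}
    if req.body.get("grant_type") != "authorization_code" or not req.body.get("code"):
        return 400, {"error": "invalid_request"}
    # Code validation (binding to redirect_uri, single use, expiry) is omitted here.
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    uri = "https://nextcloud.example/apps/oidc_login/oidc"  # constructed redirect URI
    # The situation from the thread: client registered as public, plugin sends Basic auth.
    bad = build_token_request("nextcloud-public", "unused", "code-1", uri, confidential=True)
    print("public client + Basic auth ->", provider_handle_token_request(bad))
    # The fix: either side is changed so the client type and the auth method agree.
    ok = build_token_request("nextcloud-confidential", "s3cr3t-example", "code-2", uri, confidential=True)
    print("confidential client + Basic auth ->", provider_handle_token_request(ok)[0])
```

The check that matters on the provider side is the comparison between the client's registered type and the way the request authenticates; the plugin's behaviour of always sending Basic credentials is correct for the confidential clients it supports, so the registration, not the request, is what has to change.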