Closed C-Duv closed 3 years ago
This sounds like a problem with your OIDC provider. What provider is this?
I am using LemonLDAP::NG.
Are you sure the client is set to confidential? All token requests MUST be authenticated for confidential clients (see RFC 6749), which is the only type this plugin supports; looks like your config isn't right if the request succeeds without auth.
Thanks for the hint (keywords "client" and "confidential"): Setting the Relying Party to "Public client" (configuration on LemonLDAP::NG side) fixed the issue.
When trying to use this plugin on Nextcloud 20 I got a "User did not authorize openid scope." error page after authenticating on the OpenID Connect provider.
By looking at the source code I've found out `OpenIDConnectClient::requestTokens()` (in `src/OpenIDConnectClient.php`) was getting a "Bad request" HTTP response from the OpenID Connect provider when querying the `$token_endpoint`. It looks like it performs HTTP Basic Auth by default and I can't find documentation on how to tell it not to.

It seems to be configurable via the `token_endpoint_auth_methods_supported` config key, but should I set it to `false`? An empty array?

Commenting out lines 768 to 773 fixed my issue: requests to the provider are now made without Basic Auth and login works.
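The thread turns on which client authentication the token request carries: the plugin always sends HTTP Basic (`client_secret_basic`), and the workaround was to re-register the Relying Party as a public client so the provider stops expecting credentials. Below is an added example, not code from the Nextcloud plugin or from LemonLDAP::NG, of how an OIDC client can instead pick the method from the provider's `token_endpoint_auth_methods_supported` discovery metadata: the confidential-client paths (`client_secret_basic`, with the RFC 6749 §2.3.1 form-urlencoding of the credentials before base64 that some providers reject with 400 when it is missing, or `client_secret_post`) and the public-client path (`none`, only `client_id` in the body). The function name, the `$discovery` array layout, and the sample metadata are assumptions constructed for this example.

```php
<?php
// Added example, not the plugin's or LemonLDAP::NG's code. Chooses how to
// authenticate to the OIDC token endpoint from the provider's discovery
// document and whether the client was registered as public or confidential.
// Function name and array layout are assumptions made for this example.

declare(strict_types=1);

/**
 * Build the headers and form body for an authorization_code token request.
 *
 * @param array       $discovery    decoded .well-known/openid-configuration (constructed here)
 * @param string      $clientId     client_id registered at the provider
 * @param string|null $clientSecret null for a public client, the secret for a confidential one
 * @param string      $code         authorization code from the redirect
 * @param string      $redirectUri  redirect_uri used in the authorization request
 * @return array{headers: string[], body: string}
 */
function buildTokenRequest(array $discovery, string $clientId, ?string $clientSecret,
                           string $code, string $redirectUri): array
{
    $body = [
        'grant_type'   => 'authorization_code',
        'code'         => $code,
        'redirect_uri' => $redirectUri,
    ];
    $headers = ['Content-Type: application/x-www-form-urlencoded'];

    // OIDC Discovery: when the key is absent the default is client_secret_basic.
    $supported = $discovery['token_endpoint_auth_methods_supported'] ?? ['client_secret_basic'];

    if ($clientSecret === null) {
        // Public client: no credentials at all, just client_id in the body (RFC 6749 §4.1.3).
        // This example is strict and requires the provider to advertise "none".
        if (!in_array('none', $supported, true)) {
            throw new RuntimeException('provider does not advertise "none" for public clients');
        }
        $body['client_id'] = $clientId;
    } elseif (in_array('client_secret_basic', $supported, true)) {
        // RFC 6749 §2.3.1: id and secret are form-urlencoded, then joined with ':' and base64'd.
        $headers[] = 'Authorization: Basic '
            . base64_encode(rawurlencode($clientId) . ':' . rawurlencode($clientSecret));
    } elseif (in_array('client_secret_post', $supported, true)) {
        // Credentials travel in the body instead of the Authorization header.
        $body['client_id']     = $clientId;
        $body['client_secret'] = $clientSecret;
    } else {
        throw new RuntimeException('no usable client auth method: ' . implode(',', $supported));
    }

    return ['headers' => $headers, 'body' => http_build_query($body)];
}

// Constructed discovery documents for the two configurations discussed in the thread.
$confidentialProvider = ['token_endpoint_auth_methods_supported' => ['client_secret_basic', 'client_secret_post']];
$publicProvider       = ['token_endpoint_auth_methods_supported' => ['none']];
$redirect             = 'https://cloud.example.org/apps/sociallogin/custom_oidc/lemon';

// Confidential RP: Basic header present, no secret in the body.
print_r(buildTokenRequest($confidentialProvider, 'nextcloud', 's3cr3t/with:reserved', 'authcode', $redirect));

// Public RP (the workaround in the thread): no Authorization header, client_id in the body.
print_r(buildTokenRequest($publicProvider, 'nextcloud', null, 'authcode', $redirect));
```

Re-registering the Relying Party as public removes client authentication from the token exchange altogether, so when the provider does support `client_secret_basic` the safer fix is to keep the client confidential and make sure the Basic credentials are encoded as above; if the provider only offers `client_secret_post`, select that method rather than dropping authentication.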