zorn-v / nextcloud-social-login

GNU Affero General Public License v3.0

OIDC can not get identifier from provider #311

Closed inttny closed 2 years ago

inttny commented 2 years ago

I tried to use OAuth2.0, but it shows the same error msg. Then I checked the issues; you mentioned to use OIDC instead of OAuth, so I did. Now I found several questions.

  1. Token url & Profile url. Once OAuth/OIDC fetched the CODE from the Auth url, the Auth url redirects to the redirect_url with the CODE and state parameters. But after that OAuth/OIDC requests the Token url and Profile url without any parameter; we need to use the CODE parameter given by the Auth url. If the Token & Profile url get no parameter, how can it know whose profile to get?

  2. After requesting the Profile url, the plugin says: can not get identifier from provider. The response is here:

```json
{
  "errcode": 0,
  "errmsg": "ok",
  "userid": "zhangsan",
  "name": "zhangsan",
  "department": [1, 2],
  "order": [1, 2],
  "position": "engineer",
  "mobile": "13800000000",
  "gender": "1",
  "email": "zhangsan@gzdev.com",
  "is_leader_in_dept": [1, 0],
  "avatar": "http://wx.qlogo.cn/mmopen/ajNVdqHZLLA3WJ6DSZUfiakYe37PKnQhBIeOQBO4czqrnZDS79FH5Wm5m4X69TBicnHFlhiafvDwklOpZeXYQQ2icg/0",
  "thumb_avatar": "http://wx.qlogo.cn/mmopen/ajNVdqHZLLA3WJ6DSZUfiakYe37PKnQhBIeOQBO4czqrnZDS79FH5Wm5m4X69TBicnHFlhiafvDwklOpZeXYQQ2icg/100",
  "telephone": "020-123456",
  "alias": "jackzhang",
  "address": "some where",
  "open_userid": "xxxxxx",
  "main_department": 1,
  "extattr": {
    "attrs": [
      { "type": 0, "name": "attrtext", "text": { "value": "text" } },
      { "type": 1, "name": "webname", "web": { "url": "http://www.test.com", "title": "title" } }
    ]
  },
  "status": 1,
  "qr_code": "https://open.work.weixin.qq.com/wwopen/userQRCode?vcode=xxx",
  "external_position": "manager",
  "external_profile": {
    "external_corp_name": "shortname",
    "wechat_channels": { "nickname": "videoname", "status": 1 },
    "external_attr": [
      { "type": 0, "name": "textname", "text": { "value": "text" } },
      { "type": 1, "name": "webname", "web": { "url": "http://www.test.com", "title": "title" } },
      { "type": 2, "name": "testapp", "miniprogram": { "appid": "wx8bd80126147dFAKE", "pagepath": "/index", "title": "my miniprogram" } }
    ]
  }
}
```

Any suggestion?

zorn-v commented 2 years ago

You should configure your provider in the "Custom OpenID Connect" settings section, not in "Custom OAuth2", when using OIDC, and there is no "Profile url" there.

inttny commented 2 years ago

The settings are here (screenshot).

zorn-v commented 2 years ago

What provider do you use? Does it support OIDC? Did you properly configure it? AFAIR "openid" is needed in the scope.

inttny commented 2 years ago

I wrote a proxy website to request the api, so I just use OIDC to access the proxy I wrote, which returns the results of the remote OAuth provider. Any point I should notice?

zorn-v commented 2 years ago

id_token with sub field, etc. Did you respect the OIDC protocol in your proxy?

inttny commented 2 years ago

Yes, and I can respond to OIDC with any contents it wants, so any suggestion?

zorn-v commented 2 years ago

Is the "sub" claim present in the response? Did you check the OIDC standard response/protocol?

inttny commented 2 years ago

> Is the "sub" claim present in the response? Did you check the OIDC standard response/protocol?

Yes, and I added the sub claim; now it works. The other question: if the getuserinfo URL is queried with no parameter, how can I know which user it queries for?

zorn-v commented 2 years ago

> The other question: if the getuserinfo URL is queried with no parameter, how can I know which user it queries for?

Requests after auth have an "Authorization" header with a bearer token (JWT). It is stored from the "access_token" claim in the auth request. Anyway, the userinfo URL is optional and you may return all needed info in the first id_token.

inttny commented 2 years ago

I do find the "Authorization" header in the userinfo URL request, but still the same question: the Token URL is requested with no parameter, so how can I get the CODE parameter returned from the auth URL?

Now I am just doing a test: I return a static value from the Token URL; in fact I can't return the right value I need from the auth URL. Please help me, thanks!

inttny commented 2 years ago

Oh, OIDC uses the POST method for the Token URL, I found that. Now I fetch anything I want; it works really well now. But I still use the UserInfo URL: I tried to respond with id_token=xxx&access_token=xxx&user={json} but the page says can not get identifier from provider, so I changed to using the userinfo URL to get user information.

Thanks anyway

zorn-v commented 2 years ago

> I tried to respond with id_token=xxx&access_token=xxx&user={json}

You are doing it wrong. Check this doc: https://infosec.mozilla.org/guidelines/iam/openid_connect.html. I mean this id_token. It is a JWT (https://jwt.io/). In its payload you can send all needed info like name, picture, email, etc.

You can check https://github.com/zorn-v/nextcloud-social-login/blob/master/lib/Provider/CustomOpenIDConnect.php for more info.
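To make the exchange discussed in this thread concrete, here is an added example (not code from the plugin or from either commenter) of what a minimal OIDC-compliant token endpoint has to return: the plugin POSTs `grant_type=authorization_code&code=...` to the Token URL, and the response must carry an `id_token` JWT whose payload contains the `sub` claim, which is exactly the identifier the "can not get identifier from provider" error is looking for. The signing secret, issuer, client id, authorization code and profile values are all constructed for the demo; a production proxy would sign with an asymmetric key published at its JWKS URL.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed sample data: an HMAC secret and the upstream profile the proxy
# already fetched for the authorization code it handed out at the Auth url.
SIGNING_SECRET = b"constructed-demo-secret-do-not-reuse"
PENDING_CODES = {
    "code-abc123": {"userid": "zhangsan", "name": "zhangsan",
                    "email": "zhangsan@gzdev.com"},
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_id_token(profile: dict, issuer: str, client_id: str) -> str:
    """Build an HS256-signed JWT whose payload carries the mandatory 'sub' claim."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": issuer, "aud": client_id, "iat": now, "exp": now + 300,
        "sub": profile["userid"],  # stable identifier: the claim the relying party needs
        "name": profile["name"], "email": profile["email"],
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SIGNING_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def token_endpoint(form: dict, issuer="https://proxy.example", client_id="nextcloud") -> dict:
    """Handle the POST to the Token URL: grant_type=authorization_code&code=<CODE>."""
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    profile = PENDING_CODES.pop(form.get("code", ""), None)  # codes are single use
    if profile is None:
        return {"error": "invalid_grant"}
    return {
        "access_token": secrets.token_urlsafe(32),  # later sent back as Authorization: Bearer
        "token_type": "Bearer",
        "id_token": make_id_token(profile, issuer, client_id),
    }

def subject_from_id_token(id_token: str) -> str:
    """What the relying party does: verify the signature, then read 'sub' from the payload."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig_b64):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4)))
    if "sub" not in payload:
        raise ValueError("can not get identifier from provider: missing 'sub'")
    return payload["sub"]
```

Because the code is consumed on first use, a replayed code gets `invalid_grant`; the userinfo URL, when offered at all, would look up the user by the bearer `access_token` rather than by any query parameter.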

inttny commented 2 years ago

I tried, but I failed. I used the settings shown in my screenshot, but the page always says can not get identifier. Will you please show absolutely clear tips?

inttny commented 2 years ago

Another question: I found that when I use OIDC to log in to Nextcloud, it shows the welcome page every time I open any new page. When I change to using username/password to log in, it works well. How can I solve the problem?

inttny commented 2 years ago

Please, Mr. guru, any suggestion for me?

zorn-v commented 2 years ago

Sorry, but I have no idea what are you talking about.

inttny commented 2 years ago

> Sorry, but I have no idea what you are talking about.

My fault, Mr. president. When a new account first logs in to Nextcloud, it shows a page (screenshot).

Then we close the page and it does not appear again. But when I use OIDC instead of user/pwd to log in to Nextcloud, the page shows all the way. I closed it and clicked another function, such as files, and the page appeared again. I closed it and clicked contacts, and the page appeared again...

Any suggestion for me?

zorn-v commented 2 years ago

Try to disable the "welcome app". I'll check it further, but there were no problems with it. Maybe you have some custom "welcome"?

inttny commented 2 years ago

Yes, and it works; I disabled the app named "First run wizard", thanks!

On 12/28/2021 @.***> wrote:

> Try to disable the "welcome app".

inttny commented 2 years ago

I disabled the app named "First run wizard", and now it works. Thanks!