
openidconnect's Introduction

OpenId Connect for ownCloud


Configuration

General

A distributed memcache setup such as Redis or memcached is required to operate this app properly. For development purposes APCu is reasonable as well. Please follow the documentation on how to set up caching.

Setup

The OpenID integration is established by either adding the parameters below to the ownCloud configuration file (config.php) or saving them to the app config database table.

provider-url, client-id and client-secret are taken from the client registration at the OpenID Provider. loginButtonName can be chosen freely depending on the installation.

Settings in database

If you run a clustered setup, storing the settings in the database is preferred, because every node then reads the same shared configuration instead of its own copy of config.php. The OpenID Connect app checks for settings in the database first. If none are found, it falls back to the settings stored in config.php. If a malformed JSON string is found, an error is logged. Store your settings as a JSON formatted string in the ownCloud database table oc_appconfig with the following keys:

  Key          Value
  appid        'openidconnect'
  configkey    'openid-connect'
  configvalue  JSON string holding the settings

The key->value pairs are the same as when storing them to the config.php file. The preferred method is using the occ command:

occ config:app:set openidconnect openid-connect \
--value='{"provider-url":"https://idp.example.net","client-id":"fc9b5c78-ec73-47bf-befc-59d4fe780f6f","client-secret":"e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1","loginButtonName":"Login via OpenId Connect"}'

The same row can be inserted by opening the database console for your ownCloud database and entering the example command below. Changing or deleting the row directly with UPDATE or DELETE works as well, but editing the database by hand is not recommended; prefer the occ command.

INSERT INTO oc_appconfig (
  appid,
  configkey,
  configvalue
) VALUES (
  'openidconnect',
  'openid-connect',
  '{"provider-url":"https://idp.example.net","client-id":"fc9b5c78-ec73-47bf-befc-59d4fe780f6f","client-secret":"e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1","loginButtonName":"Login via OpenId Connect"}'
);


Settings in config.php

<?php
$CONFIG = [
  'openid-connect' => [
    'provider-url' => 'https://idp.example.net',
    'client-id' => 'fc9b5c78-ec73-47bf-befc-59d4fe780f6f',
    'client-secret' => 'e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1',
    'loginButtonName' => 'OpenId Connect',
  ],
];

The above configuration assumes that the OpenID Provider supports service discovery (the .well-known/openid-configuration document). If it does not, the endpoints have to be configured manually via provider-params as follows:

<?php
$CONFIG = [
  'openid-connect' => [
    'provider-url' => 'https://idp.example.net',
    'client-id' => 'fc9b5c78-ec73-47bf-befc-59d4fe780f6f',
    'client-secret' => 'e3e5b04a-3c3c-4f4d-b16c-2a6e9fdd3cd1',
    'loginButtonName' => 'OpenId Connect',
    'post_logout_redirect_uri' => '...',
    'provider-params' => [
      'authorization_endpoint' => '...',
      'token_endpoint' => '...',
      'token_endpoint_auth_methods_supported' => '...',
      'userinfo_endpoint' => '...',
      'registration_endpoint' => '...',
      'end_session_endpoint' => '...',
      'jwks_uri' => '...',
    ],
  ],
];

Setup auto provisioning mode

The auto provisioning mode creates a user from the user information returned by the OpenID Connect provider. The config parameters 'mode' and 'search-attribute' determine the identifier of the new user, so that the lookup mechanism finds the same account again on subsequent logins.

<?php
$CONFIG = [
  'openid-connect' => [
    'auto-provision' => [
      // explicitly enable the auto provisioning mode
      'enabled' => true,
      // documentation about standard claims: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
      // only relevant in userid mode, defines the claim which holds the email of the user
      'email-claim' => 'email',
      // defines the claim which holds the display name of the user
      'display-name-claim' => 'given_name',
      // defines the claim which holds the picture of the user; the value of that claim must be a URL
      'picture-claim' => 'picture',
      // defines a list of groups to which the newly created user will be added automatically;
      // note that listing 'admin' here makes every auto-provisioned user an ownCloud administrator
      'groups' => ['admin', 'guests', 'employees'],
    ],
  ],
];
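As an added example, not code from the app itself: the claim-to-account mapping the section describes, written in Go. It treats every claim except the search attribute as optional, so a missing or null picture claim yields no picture instead of an error, accepts a picture only if the claim's value is an absolute http(s) URL, and, as a policy of this example rather than of the app, refuses to auto-provision into the admin group. The Go type and field names, the constructed sample claims and that refusal policy are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ProvisionConfig carries the auto-provision keys from the README; the Go
// field names are this example's own.
type ProvisionConfig struct {
	SearchAttribute  string   // claim used as the stable user identifier, e.g. "sub"
	EmailClaim       string   // 'email-claim'
	DisplayNameClaim string   // 'display-name-claim'
	PictureClaim     string   // 'picture-claim'
	Groups           []string // 'groups'
}

// NewUser is the account record derived from the claims.
type NewUser struct {
	UID         string
	Email       string
	DisplayName string
	PictureURL  string // empty when no usable picture claim was present
	Groups      []string
}

var ErrNoSearchAttr = errors.New("search-attribute claim missing or not a string")

// stringClaim returns the named claim as a string, or "" if it is absent,
// null or not a string. Callers treat "" as "not provided".
func stringClaim(claims map[string]any, name string) string {
	if name == "" {
		return ""
	}
	v, _ := claims[name].(string)
	return v
}

// pictureURL accepts only absolute http(s) URLs with a host. Anything else
// (missing claim, "", a data: URI, a bare name such as "picture") is dropped
// instead of being handed to a downloader.
func pictureURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
		return ""
	}
	return u.String()
}

// ProvisionUser maps IdP claims to a new account. It fails only when the
// identifying claim is missing or when a privileged group is configured;
// every other claim is optional.
func ProvisionUser(cfg ProvisionConfig, claims map[string]any) (NewUser, error) {
	uid := stringClaim(claims, cfg.SearchAttribute)
	if uid == "" {
		return NewUser{}, ErrNoSearchAttr
	}
	for _, g := range cfg.Groups {
		// policy of this example: never auto-provision into the admin group
		if strings.EqualFold(g, "admin") {
			return NewUser{}, fmt.Errorf("refusing to auto-provision %q into group %q", uid, g)
		}
	}
	user := NewUser{
		UID:         uid,
		Email:       stringClaim(claims, cfg.EmailClaim),
		DisplayName: stringClaim(claims, cfg.DisplayNameClaim),
		PictureURL:  pictureURL(stringClaim(claims, cfg.PictureClaim)),
		Groups:      append([]string(nil), cfg.Groups...),
	}
	if user.DisplayName == "" {
		user.DisplayName = uid
	}
	return user, nil
}

func main() {
	cfg := ProvisionConfig{SearchAttribute: "sub", EmailClaim: "email",
		DisplayNameClaim: "given_name", PictureClaim: "picture", Groups: []string{"employees"}}
	// constructed claims, not captured from a real IdP
	claims := map[string]any{"sub": "14d2e305", "email": "john.doe@example.net", "given_name": "John"}
	u, err := ProvisionUser(cfg, claims)
	fmt.Printf("%+v err=%v\n", u, err)
}
```

The URL filter is the part worth copying: the server downloads whatever the picture claim points at, so restricting it to absolute http(s) URLs keeps a misconfigured or hostile IdP from steering that download at local files or other schemes.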

Setup auto-update of user account info

The provisioning auto-update mode will update user account info with current information provided by the OpenID Connect provider upon each log in.

<?php
$CONFIG = [
  'openid-connect' => [
    'auto-provision' => [
      'update' => [
        // enable the user info auto-update mode
        'enabled' => true,
      ],
    ],
  ],
];

All Configuration Values explained

  • loginButtonName - the name displayed on the login screen for the button that redirects to the IdP
  • autoRedirectOnLoginPage - if set to true, the login page redirects to the IdP right away instead of showing the button
  • provider-url - the issuer URL of the IdP. For some providers (Keycloak, Azure AD) this is more than a bare host name and includes a path
  • client-id & client-secret - the credentials issued when ownCloud was registered as a client at the IdP
  • scopes - the list of scopes to request; which ones are needed depends on the IdP setup
  • insecure - boolean value (true/false); if true, TLS certificate and host name verification is skipped when talking to the IdP, which lets anyone on the network path impersonate the IdP - DON'T use in production
  • provider-params - additional endpoint configuration for the IdP; usually only necessary if the IdP does not support service discovery
  • auth-params - additional parameters which are sent to the IdP with the authorization request
  • redirect-url - the full URL under which the ownCloud OpenID Connect redirect endpoint is reachable; only needed in special setups
  • token-introspection-endpoint-client-id & token-introspection-endpoint-client-secret - client id and secret used against the token introspection endpoint
  • post_logout_redirect_uri - the URL the IdP should redirect to after logout
  • mode - how the user is looked up in ownCloud: either userid or email
  • search-attribute - the claim taken from the access token JWT or the userinfo endpoint that identifies the user (e.g. sub in userid mode, email in email mode)
  • allowed-user-backends - restrict logins to users from specific user backends, e.g. LDAP
  • use-access-token-payload-for-user-info - if set to true, user information is read from the access token payload; if set to false the userinfo endpoint is used (starting with app version 1.1.0)
  • jwt-self-signed-jwk-header-supported - if set to true, the key used to verify a JWT's signature is taken from the JWK embedded in the token's own header instead of from the IdP's jwks_uri. Leave this false unless the IdP gives you no other option: a token that carries its own verification key can be forged by anyone, since the attacker supplies both the key and the signature https://portswigger.net/kb/issues/00200902_jwt-self-signed-jwk-header-supported
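The following is an added example, not code from the app or from the jumbojett library it uses, that shows in Go why jwt-self-signed-jwk-header-supported must stay false. Two RSA keys are generated on the fly: the IdP's, whose public half stands in for what a client fetches from jwks_uri, and an attacker's. The attacker signs a token with their own key and embeds their public key in the header as jwk under the IdP's kid. A verifier that honours the header key accepts the forgery; one that resolves keys only through jwks_uri rejects it. The key ids, claims and JWK helpers are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// jwk is the subset of an RSA JSON Web Key needed for RS256.
type jwk struct {
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func toJWK(pub *rsa.PublicKey) jwk {
	return jwk{Kty: "RSA", N: b64(pub.N.Bytes()), E: b64(big.NewInt(int64(pub.E)).Bytes())}
}

func fromJWK(k jwk) (*rsa.PublicKey, error) {
	n, errN := base64.RawURLEncoding.DecodeString(k.N)
	e, errE := base64.RawURLEncoding.DecodeString(k.E)
	if errN != nil || errE != nil {
		return nil, fmt.Errorf("jwk: bad base64url in n or e")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// signRS256 builds a compact JWS; a non-nil embed is written into the header
// as "jwk", which is exactly what an attacker does to abuse the setting.
func signRS256(priv *rsa.PrivateKey, kid string, embed *jwk, claims map[string]any) (string, error) {
	hdr := map[string]any{"alg": "RS256", "kid": kid}
	if embed != nil {
		hdr["jwk"] = embed
	}
	h, _ := json.Marshal(hdr)
	c, _ := json.Marshal(claims)
	input := b64(h) + "." + b64(c)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyRS256 implements both key-resolution policies; trusted holds the keys
// fetched from the IdP's jwks_uri, indexed by kid.
func verifyRS256(token string, trusted map[string]*rsa.PublicKey, selfSignedJWKSupported bool) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
		JWK *jwk   `json:"jwk"`
	}
	if err = json.Unmarshal(hb, &hdr); err != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("bad header (%v, alg=%q)", err, hdr.Alg)
	}
	var pub *rsa.PublicKey
	if selfSignedJWKSupported && hdr.JWK != nil {
		// setting = true: the token brings along the key that verifies it
		if pub, err = fromJWK(*hdr.JWK); err != nil {
			return err
		}
	} else if pub = trusted[hdr.Kid]; pub == nil {
		return fmt.Errorf("kid %q not in the IdP's JWKS", hdr.Kid)
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // garbage simply fails verification
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig)
}

// Demo signs a genuine token with the IdP key and a forged one whose header
// carries the attacker's JWK under the IdP's kid; keys are generated here.
func Demo() (legitOK, forgedOKViaHeader, forgedOKViaJWKS bool) {
	idp, _ := rsa.GenerateKey(rand.Reader, 2048)      // rand.Reader does not fail in practice
	attacker, _ := rsa.GenerateKey(rand.Reader, 2048)
	trusted := map[string]*rsa.PublicKey{"idp-key-1": &idp.PublicKey}
	claims := map[string]any{"iss": "https://idp.example.net", "sub": "admin"}
	legit, _ := signRS256(idp, "idp-key-1", nil, claims)
	ak := toJWK(&attacker.PublicKey)
	forged, _ := signRS256(attacker, "idp-key-1", &ak, claims)
	legitOK = verifyRS256(legit, trusted, false) == nil
	forgedOKViaHeader = verifyRS256(forged, trusted, true) == nil
	forgedOKViaJWKS = verifyRS256(forged, trusted, false) == nil
	return
}

func main() { fmt.Println(Demo()) }
```

Demo returns true, true, false: the genuine token verifies, the forgery is accepted when the header JWK is trusted, and the same forgery is rejected once the kid is resolved against the IdP's published keys.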

Setup within the OpenId Provider

When registering ownCloud as OpenID client, use https://cloud.example.net/index.php/apps/openidconnect/redirect as the redirect URL. The IdP compares the registered value with the URL ownCloud sends character by character, so register exactly the form ownCloud uses.

In case OpenID Connect Front-Channel Logout 1.0 is supported please enter https://cloud.example.net/index.php/apps/openidconnect/logout as logout url within the client registration of the OpenId Provider. We require frontchannel_logout_session_required to be true.

Setup service discovery

In order to allow other clients (such as the ownCloud desktop and mobile apps) to discover the OpenID Connect settings when talking to ownCloud, configure the web server to serve .well-known/openid-configuration from /index.php/apps/openidconnect/config. This must be an internal proxy or rewrite, not an HTTP redirect: OpenID Connect Discovery 1.0 requires the document to be answered with 200 OK and application/json.

This is an .htaccess example

  RewriteRule ^\.well-known/openid-configuration /index.php/apps/openidconnect/config [P]

The Apache modules proxy and proxy_http need to be enabled. (Debian/Ubuntu: a2enmod proxy proxy_http)
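An added example, in Go and not part of the app, that serves both the manual endpoint configuration above and the service discovery setup: it validates a discovery document fetched from provider-url and turns it into the values for provider-params when an IdP has to be configured by hand, and it checks what ownCloud itself serves at .well-known/openid-configuration against the 200 OK / application/json requirement of OpenID Connect Discovery 1.0. The embedded discovery document is constructed for the example; the rule that the issuer must equal the URL the document was fetched from comes from section 4.3 of the Discovery spec.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/url"
	"strings"
)

// sampleDiscovery is a constructed stand-in for what
// https://idp.example.net/.well-known/openid-configuration might return.
const sampleDiscovery = `{
  "issuer": "https://idp.example.net",
  "authorization_endpoint": "https://idp.example.net/auth",
  "token_endpoint": "https://idp.example.net/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
  "userinfo_endpoint": "https://idp.example.net/userinfo",
  "end_session_endpoint": "https://idp.example.net/logout",
  "jwks_uri": "https://idp.example.net/keys"
}`

// providerParamKeys are the endpoint keys the README lists under 'provider-params'.
var providerParamKeys = []string{"authorization_endpoint", "token_endpoint", "userinfo_endpoint",
	"registration_endpoint", "end_session_endpoint", "jwks_uri"}

// requiredEndpoints must be present for the code flow and token verification to work.
var requiredEndpoints = []string{"authorization_endpoint", "token_endpoint", "jwks_uri"}

func httpsURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%q is not an absolute https URL", raw)
	}
	return nil
}

// ProviderParams validates a discovery document fetched from providerURL and
// returns the values to put into 'provider-params'. The issuer must match the
// configured provider-url, so a document served by some other party cannot
// point the token exchange at endpoints of its choosing.
func ProviderParams(providerURL string, body []byte) (map[string]any, error) {
	var doc map[string]any
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("discovery document is not JSON: %w", err)
	}
	issuer, _ := doc["issuer"].(string)
	if issuer == "" || strings.TrimSuffix(issuer, "/") != strings.TrimSuffix(providerURL, "/") {
		return nil, fmt.Errorf("issuer %q does not match provider-url %q", issuer, providerURL)
	}
	out := map[string]any{}
	for _, k := range providerParamKeys {
		v, ok := doc[k].(string)
		if !ok {
			continue // optional endpoint not advertised; leave it out
		}
		if err := httpsURL(v); err != nil {
			return nil, fmt.Errorf("%s: %w", k, err)
		}
		out[k] = v
	}
	for _, k := range requiredEndpoints {
		if _, ok := out[k]; !ok {
			return nil, fmt.Errorf("discovery document lacks %s", k)
		}
	}
	if m, ok := doc["token_endpoint_auth_methods_supported"].([]any); ok {
		out["token_endpoint_auth_methods_supported"] = m
	}
	return out, nil
}

// CheckDiscoveryResponse applies OpenID Connect Discovery 1.0 section 4.2 to
// what ownCloud itself serves at /.well-known/openid-configuration: the answer
// must be a 200 with application/json, not a 301/302 to /index.php/... .
func CheckDiscoveryResponse(status int, contentType string) error {
	if status != 200 {
		return fmt.Errorf("expected 200 OK, got %d", status)
	}
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil || mt != "application/json" {
		return fmt.Errorf("expected application/json, got %q", contentType)
	}
	return nil
}

func main() {
	params, err := ProviderParams("https://idp.example.net", []byte(sampleDiscovery))
	fmt.Println(params, err)
	fmt.Println(CheckDiscoveryResponse(301, "text/html; charset=utf-8"))
}
```

Endpoints the IdP does not advertise (registration_endpoint in the sample) are left out of the result rather than filled with a placeholder, and any endpoint that is not an absolute https URL is rejected, since the client secret and tokens travel to these URLs.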

How to setup an IdP for development and test purpose

There are various Open Source IdPs out there. The one with the most features implemented seems to be panva/node-oidc-provider. CAUTION: node-oidc-provider does not accept the redirect URLs we need for owncloud clients. For release testing, use kopano konnectd instead.

To set it up locally do the following:

  1. Clone panva/node-oidc-provider

  2. yarn install

  3. cd example

  4. Add client config into https://github.com/panva/node-oidc-provider/blob/master/example/support/configuration.js#L14

    module.exports.clients = [
      {
        client_id: 'ownCloud',
        client_secret: 'ownCloud',
        grant_types: ['refresh_token', 'authorization_code'],
        redirect_uris: ['http://localhost:8080/index.php/apps/openidconnect/redirect'],
        frontchannel_logout_uri: 'http://localhost:8080/index.php/apps/openidconnect/logout'
      }
    ];

    // Enable introspection (note the assignment: `module.exports.features:` is a syntax error)
    module.exports.features = {
       devInteractions: { enabled: false },
       introspection: { enabled: true },
       deviceFlow: { enabled: true },
       revocation: { enabled: true },
       issAuthResp: { enabled: true },
    };
    
    
  5. Start the IdP via: node standalone.js

  6. Open in browser: http://localhost:3000/.well-known/openid-configuration

  7. ownCloud configuration looks as follows:

    $CONFIG = [
      'openid-connect' => [
          'provider-url' => 'http://localhost:3000',
          'client-id' => 'ownCloud',
          'client-secret' => 'ownCloud',
          'loginButtonName' => 'node-oidc-provider',
          'mode' => 'userid',
          'search-attribute' => 'sub',
          // do not verify tls host or peer
          'insecure' => true
      ],
    ];
    
    
  8. Clients can now use http://localhost:3000/.well-known/openid-configuration to obtain all information which is necessary to initiate the OpenId Connect flow. Use the granted access token in any request to ownCloud within a bearer authentication header.

  9. You can login with any credentials but you need to make sure that the user with the given user id exists. In a real world deployment the users will come from LDAP.

  • Keep in mind that by default the oidc app searches for the email attribute, which in node-oidc-provider's example is hard-coded to [email protected] (ref)
  • If you wish to map the login name on the oidc-provider to ownCloud user ids, configure it as follows:
    $CONFIG = [
      'openid-connect' => [
        'search-attribute' => 'sub',
        'mode' => 'userid',
      ],
    ];

openidconnect's People

Contributors

butonic, chriseds, deepdiver1975, dependabot-preview[bot], dependabot[bot], dpakach, grgprarup, hanagemela, hurradieweltgehtunter, iljan, individual-it, jasson99, jnweiger, jvillafanez, karakayasemi, kiranparajuli589, micbar, mirekys, mmattel, ogoffart, ownclouders, patrickjahns, phil-davis, pmaier1, saw-jan, stijnbrouwers, swikritit, theonering, vicdeo, xoxys


Forkers

rstefko

openidconnect's Issues

[QA] autoprovisioning fails with 'picture-claim' => 'picture'

Reference: https://github.com/owncloud/openidconnect#setup-auto-provisioning-mode
The documented config setting for the auto-provision feature of openid-connect

    'auto-provision' => [
        // defines the claim which holds the picture of the user - must be a URL
        'picture-claim' => 'picture',

Leads to an error.
The comment above indicates that the value should be a URL and is inconsistent with the value picture, which is not a URL.

Expected behaviour: documentation be consistent and explain if the shown value is a placeholder and how it should be used.

Internal Server Error

The server encountered an internal error and was unable to complete your request.

Please contact the server administrator if this error reappears multiple times and include the technical details below in your report.

More details can be found in the server log.

Technical details

    Remote Address: 2.247.254.XX
    Request ID: AaPGALnEDimqryOXXX
    Type: TypeError
    Code: 0
    Message: Argument 1 passed to OCA\OpenIdConnect\Service\AutoProvisioningService::downloadPicture() must be of the type string, null given, called in /mnt/data/apps/openidconnect/lib/Service/AutoProvisioningService.php on line 116
    File: /mnt/data/apps/openidconnect/lib/Service/AutoProvisioningService.php
    Line: 144


Trace

#0 /mnt/data/apps/openidconnect/lib/Service/AutoProvisioningService.php(116): OCA\OpenIdConnect\Service\AutoProvisioningService->downloadPicture()
#1 /mnt/data/apps/openidconnect/lib/Service/UserLookupService.php(77): OCA\OpenIdConnect\Service\AutoProvisioningService->createUser()
#2 /mnt/data/apps/openidconnect/lib/Controller/LoginFlowController.php(142): OCA\OpenIdConnect\Service\UserLookupService->lookupUser()
#3 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(153): OCA\OpenIdConnect\Controller\LoginFlowController->login()
#4 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(85): OC\AppFramework\Http\Dispatcher->executeController()
#5 /var/www/owncloud/lib/private/AppFramework/App.php(100): OC\AppFramework\Http\Dispatcher->dispatch()
#6 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(47): OC\AppFramework\App::main()
#7 /var/www/owncloud/lib/private/Route/Router.php(342): OC\AppFramework\Routing\RouteActionHandler->__invoke()
#8 /var/www/owncloud/lib/base.php(917): OC\Route\Router->match()
#9 /var/www/owncloud/index.php(54): OC::handleRequest()
#10 {main}

Import non-existing user from provider on login

Knowing OpenID Connect integrations from other software products, I'm confused by the "User with $email is not known." message when a user tries to log in through the provider but does not exist in the ownCloud instance so far.

Is this something that will change later?

error in using gluu as identity provider

I'm using GLUU as idp in my setup.
It's doing well with other applications I have.

OPENID CONNECT CLIENTS DETAILS in GLUU server

  • Name: cl1.owti.ir
  • Client ID: 9e59b137-6914-4777-b660-d6347e2418e9
  • Subject Type: pairwise
  • ClientSecret: XXXXXXXXXXX
  • Application Type: web
  • Persist Client Authorizations: true
  • Pre-Authorization: false
  • Authentication method for the Token Endpoint: client_secret_basic
  • Logout Session Required: false
  • Include Claims In Id Token: false
  • Disabled: false
  • Logout Uri: [https://cl1.owti.ir/apps/openidconnect/logout]
  • Login Redirect URIs: [https://cl1.owti.ir/apps/openidconnect/redirect]
  • Scopes: [profile, openid, email, user_name]
  • Grant types: [authorization_code, refresh_token]
  • Response types: [code]

I get this error after logging in:

Internal Server Error
The server encountered an internal error and was unable to complete your request.

Please contact the server administrator if this error reappears multiple times and include the technical details below in your report.

More details can be found in the server log.


Technical details
Remote Address: 5.160.86.250
Request ID: A9rRopOMuZwpxfNimKpr
Type: Jumbojett\OpenIDConnectClientException
Code: 0
Message: Error decoding JSON from token header
File: /var/www/owncloud/apps/openidconnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php
Line: 908

Trace
#0 /var/www/owncloud/apps/openidconnect/lib/SessionVerifier.php(120): Jumbojett\OpenIDConnectClient->verifyJWTsignature()
#1 /var/www/owncloud/apps/openidconnect/lib/Application.php(79): OCA\OpenIdConnect\SessionVerifier->verifySession()
#2 /var/www/owncloud/apps/openidconnect/appinfo/app.php(29): OCA\OpenIdConnect\Application->boot()
#3 /var/www/owncloud/apps/openidconnect/appinfo/app.php(30): OC_App::{closure}()
#4 /var/www/owncloud/lib/private/legacy/app.php(239): require_once('/var/www/ownclo...')
#5 /var/www/owncloud/lib/private/legacy/app.php(190): OC_App::requireAppFile()
#6 /var/www/owncloud/lib/private/legacy/app.php(124): OC_App::loadApp()
#7 /var/www/owncloud/lib/base.php(886): OC_App::loadApps()
#8 /var/www/owncloud/index.php(54): OC::handleRequest()
#9 {main}

Unable to determine state after update to php 7.4

After upgrading to php 7.4 some users are experiencing the following error on login. After removing the oauth query params from the url in the address-bar of the browser and pressing enter the user is successfully logged-in.

{
  "reqId": "ws0m2ysLSH7ENNkzDf5e",
  "level": 3,
  "time": "2021-05-11T05:40:50+02:00",
  "remoteAddr": "53.136.144.91",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "/apps/openidconnect/redirect?code=zi3rC6x4aBlKF-9HzPSl9fSKtyWTp2eWEMcAAADL&state=ca1fab3a9cae0a5c6d271648d241bf30",
  "message": "Exception: {"Exception":"Jumbojett\OpenIDConnectClientException","Message":"Unable to determine state","Code":0,"Trace":"
#0 /srv/www/vhosts/owncloud/apps/openidconnect/lib/Client.php(164): Jumbojett\OpenIDConnectClient->authenticate()
#1 /srv/www/vhosts/owncloud/apps/openidconnect/lib/Controller/LoginFlowController.php(124): OCA\OpenIdConnect\Client->authenticate()
#2 /srv/www/vhosts/owncloud/lib/private/AppFramework/Http/Dispatcher.php(153): OCA\OpenIdConnect\Controller\LoginFlowController->login(*** sensitive parameters replaced ***)
#3 /srv/www/vhosts/owncloud/lib/private/AppFramework/Http/Dispatcher.php(85): OC\AppFramework\Http\Dispatcher->executeController()
#4 /srv/www/vhosts/owncloud/lib/private/AppFramework/App.php(100): OC\AppFramework\Http\Dispatcher->dispatch()
#5 /srv/www/vhosts/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(47): OC\AppFramework\App::main()
#6 /srv/www/vhosts/owncloud/lib/private/Route/Router.php(341): OC\AppFramework\Routing\RouteActionHandler->__invoke()
#7 /srv/www/vhosts/owncloud/lib/base.php(915): OC\Route\Router->match()
#8 /srv/www/vhosts/owncloud/index.php(54): OC::handleRequest()
#9 {main}","File":"/srv/www/vhosts/owncloud/apps/openidconnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php","Line":312}"
}

Configurable IP address in docker-compose test environment

The current docker-compose test environment is limited to be used on localhost out of the box. It would be useful for QA and testing on mobile devices to have an easy way to set up a docker-based test server without having to manually change configuration files.

To make the OIDC and OC instances available on the IP 10.0.1.69, I had to make the following changes to the configuration files:

diff --git a/tests/docker/node-oidc/configuration.js b/tests/docker/node-oidc/configuration.js
index bf149dc..1f44998 100644
--- a/tests/docker/node-oidc/configuration.js
+++ b/tests/docker/node-oidc/configuration.js
@@ -16,8 +16,15 @@ module.exports = Object.assign({
       client_id: 'ownCloud',
       client_secret: 'ownCloud',
       grant_types: ['refresh_token', 'authorization_code'],
-      redirect_uris: ['http://10.254.254.254:8080/apps/openidconnect/redirect'],
-      frontchannel_logout_uri: 'http://10.254.254.254:8080/apps/openidconnect/logout'
+      redirect_uris: ['http://10.0.1.69:8080/apps/openidconnect/redirect'],
+      frontchannel_logout_uri: 'http://10.0.1.69:8080/apps/openidconnect/logout'
+    },
    {
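Review bot: the `+      redirect_uris` and `+      frontchannel_logout_uri` lines replace one hard-coded address (10.254.254.254) with another (10.0.1.69), so the next tester on a different network has to patch the file again; derive both URLs from a single setting, e.g. `const host = process.env.OC_HOST || '10.254.254.254';` and build `http://${host}:8080/apps/openidconnect/redirect` from it, which is the configurable behaviour this issue asks for. The header `@@ -16,8 +16,15 @@` announces seven added lines while only three `+` lines are shown, and the added `+    },` followed by the context `{` implies a second client entry that the paste does not include, so the hunk as posted is incomplete and would not apply as-is.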
diff --git a/tests/docker/owncloud/oidc.config.php b/tests/docker/owncloud/oidc.config.php
index 002ed9d..53ef0db 100644
--- a/tests/docker/owncloud/oidc.config.php
+++ b/tests/docker/owncloud/oidc.config.php
@@ -1,7 +1,7 @@
 <?php
 $CONFIG = [
        'openid-connect' => [
-               'provider-url' => 'http://10.254.254.254:3000',
+               'provider-url' => 'http://10.0.1.69:3000',
                'client-id' => 'ownCloud',
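Review bot: `+               'provider-url' => 'http://10.0.1.69:3000',` hard-codes the address a second time; read it from the same environment variable as the node-oidc side (`getenv('OC_HOST')` with the old 10.254.254.254 default) so the two files cannot drift apart, which would break the login flow silently. The value also stays plain `http://`, which is acceptable only because this is the docker-compose test environment and should be called out as such in the accompanying instructions.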

The change to the URLs in the configuration files is necessary to achieve the goal, because they become part of server responses and by default point to IPs unreachable by other devices.

If making the IP configurable proves too much hassle or effort, it'd be nice to at least have instructions included, to help testers in need of such a setup to get an instance up and running quickly.

/cc @michaelstingl @jesmrec

[FR] Auto provisioning of user based on a claim

For the Dutch Sync-And-Share service, we require a specific OpenID Connect claim on the basis of which we do auto provisioning of a user. See also: https://wiki.surfnet.nl/display/surfconextdev/Attributes+in+SURFconext#AttributesinSURFconext-eduPersonEntitlementEntitlements

Example result what we could receive from an IdP.

{
  "acr": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
  "eduperson_entitlement": [ "blabla" ],
  "eduperson_principal_name": "john.doe", // username
  "email": "[email protected]",
  "email_verified": true,
  "family_name": "Doe",
  "given_name": "John",
  "name": "John Doe",
  "sub": "14d2e30500462aa3499e165ade96d47edaded978",
  "updated_at": 1618577357
}

This would require a check for a specific claim with corresponding value in the OpenID Connect app.

  'openid-connect' => [
    ..
    ..
    'auto-provision' => [
      ...
      'provisioning-claim' => 'eduperson_entitlement',
      'provisioning-attribute' => 'blabla',

    ]
  ],

Spec violation: .well-known/openid-configuration must not be a redirect, return JSON directly

Description

According to the OpenID Connect Discovery 1.0 spec, .well-known/openid-configuration must return a 200 OK HTTP status response and the JSON directly:

4.2. OpenID Provider Configuration Response

A successful response MUST use the 200 OK HTTP status code and return a JSON object using the application/json content type that contains a set of Claims as its members that are a subset of the Metadata values defined in Section 3.

Current

The test server returns 301 Moved Permanently, redirects to http://10.0.5.69:8080/index.php/apps/openidconnect/config and returns a text/html response.

Expected

The test server returns a 200 OK application/json response with the set of claims.

Version

Openidconnect 1.0.0

Product approval

  • Verify transifex commits are in master: If a folder https://github.com/owncloud//tree/master/l10n exists, then https://drone.owncloud.com/owncloud/ should receive nightly '[tx] updated from transifex` ... - no commits in last two months but no user facing strings -> OK
  • Ping pmaier to check info.xml description and screenshot
  • Get approval on translations from pmaier

QA

  • Generate Changelog
  • Create QA Milestone and set the description to $version
  • Move items from development to qa
  • Create release branch with the format "release-$version"
  • Create "$version Testplan"

Documentation

Marketing

  • Ping @owncloud/marketing

Build

All actions to be done on the release branch from here:

  • Bump version in info.xml (no version suffix)
  • Check php version dependency in info.xml
  • Check minimum ownCloud version dependency in info.xml
  • Change CHANGELOG.md 'Unreleased' to '$version' (today's date)

Beta/RC

  • Create github tag for v${version}RC1 on release branch
  • Build and sign RC tarball from github tag v${version}RC1 (see handbook for how to build)
  • Upload as Github release using changelog entries
  • Test and document in testplan => Final "Go" from QA (set 'QA-ready' label) => else do another RC after fixing issues in the "release-$version" branch

  • Create github tag for v${version}RC5 on release branch
  • Build and sign RC tarball from github tag v${version}RC5 (see handbook for how to build)
  • Upload as Github release using changelog entries
  • Test and document in testplan => Final "Go" from QA (set 'QA-ready' label) => else do another RC after fixing issues in the "release-$version" branch

Final

  • Check that no documentation issues are pending owncloud/docs#2447
  • Rename last RC tarball to final
  • Create github tag for final v${version} on release branch
  • Upload as Github release using changelog entries

Publishing

  • Upload tarball to marketplace (see handbook for details)
  • Publish tarball for customers (see handbook for details) - https://customer.owncloud.com and https://portal.owncloud.com
  • Send mail to release-coordination with link to this ticket and to the changelog
  • Copy email to rocket chat #updates channel

Post-release

  • Rename QA milestone to $version

  • Add a new 'Unreleased' section in CHANGELOG.md

  • Create PR to merge changes back to the master branch with
    description "Closes #XYZ" with the release ticket number

  • Close the milestone

  • Ensure release template is up to date

  • Add the app to the normal server tarball definitions

Issues found during QA

1.0.0RC4:

Unit test fails on PHP 7.4

https://drone.owncloud.com/owncloud/openidconnect/363/15/6

PHPUnit 8.5.4 by Sebastian Bergmann and contributors.

Runtime:       PHP 7.4.2
Configuration: /var/www/owncloud/server/apps/openidconnect/phpunit.xml
Error:         No code coverage driver is available

...........................................................E.     61 / 61 (100%)

Time: 142 ms, Memory: 20.00 MB

There was 1 error:

1) OCA\OpenIdConnect\Tests\Unit\SessionVerifierTest::testValidFreshAccessToken
Trying to access array offset on value of type null

/var/www/owncloud/server/apps/openidconnect/lib/SessionVerifier.php:99
/var/www/owncloud/server/apps/openidconnect/tests/unit/SessionVerifierTest.php:192

ERRORS!
Tests: 61, Assertions: 108, Errors: 1.

Init repo

= Initial Repository Tasks

== Repository Creation

  • Decide whether the repository should be public or private
  • Decide on LICENSE
  • Create repository on GitHub and select appropriate LICENSE to be created at start
  • Under Options, only allow merge commits (important for changelog generation)
    ** [ ] Allow Merge commit
    ** [ ] Disable Squash merging
    ** [ ] Disable Rebase merging
  • Under Collaborators & Teams:
    ** [ ] For public repository: core developers team with write permissions
    ** [ ] For private repository: internal developers team with write permissions
    ** [ ] ci with admin permissions
    ** [ ] Optionally extra developers not in the orga if this is a community app

== Labels

  • Orga (#c5def5)

  • Bug (#fc2929):
    ** bug-analysis (#fbca04)
    ** enhancement (#02e10c)
    ** technical debt (#FFFF00)

  • Priority labels:
    ** p1-urgent (#fc2929) - Critical issue, need to consider hotfix with just that issue
    ** p2-high (#fc2929) - Escalation, on top of current planning, release blocker
    ** p3-medium (#fc2929) - Normal priority
    ** p4-low (#fc2929) - Low priority

  • blue-ticket (#0033CC)

  • junior job (#f6d300)

  • backport-request (#006b75)

  • PR state labels:
    ** 2 - Developing (#ededed)
    ** 3 - To review (#ededed)
    ** 4 - To release (#ededed)

== Milestones

  • backlog
  • maybe some day

== Branch restrictions

  • For branch master
    ** [ ] Require pull request reviews before merging (1 review)
    ** [ ] Require status checks to pass before merging

== Initial files

  • Docs
    ** [ ] README.md
    ** [ ] .github folder (issue template, PR template) +
  • Scripts
    ** [ ] Makefile
  • Dependency
    ** [ ] composer.json
    ** [ ] package.json (if JS code intended)

== Translations

== Code validation

  • Setup php-cs-fixer for code style enforcement
  • Setup phan/phpstan/psalm static code analysis

== Unit tests

  • Setup phpunit for PHP tests
  • Setup karma for JS tests

== CI

  • TODO: how to setup Drone

== Release preparation

  • Generate xref:signing_apps.adoc[signing keys]

OIDC Dynamic Client Registration expiry hinders OIDC token refresh

Summary

The ownCloud Android, Desktop and iOS clients are running into an issue with Kopano's OIDC implementation if:

  • the refresh_token was retrieved using a dynamically registered client ID
  • the dynamically registered client ID has expired before the refresh_token was used

Tested cases

When sending the refresh_token together with the client_id/client_secret with which it was retrieved, before the client_id has expired: all is fine.

When sending the refresh_token together with the client_id/client_secret with which it was retrieved, but after the client_id has expired:

{
  "error": "access_denied",
  "error_description": "unknown client_id: dyn.eyJhbGciOiJQ…"
}

When sending the refresh_token together with a freshly issued client_id/ client_secret at the time of sending the refresh request to the token endpoint:

{
  "error": "invalid_grant",
  "error_description": "client_id mismatch"
}

Can you help @longsleep?

[FR] Auto provisioning of LDAP user based on a claim

The current instance uses LDAP accounts. When enabling openidconnect we can configure auto-provision in the config.php, but that will always create Database accounts.

The shibboleth app tries to find a user in other user backends with the configured claims. The openidconnect app should be able to do the same to get rid of the additional occ user sync step, which has to be triggered in the right sequence of events, which is error prone.

Related

Bearer authentication for CardDAV API with external auth server

Hello,

I would like to use bearer authentication in the CardDAV API of owncloud. I have a keycloak authorization server that owncloud is connected to via this app. Login to the web interface of owncloud works fine. The DAV server advertises bearer authentication, but rejects the token for most requests.

I have an example log from a CardDAV addressbook discovery:


First everything works as expected:

  • 387 / 883: Unauthenticated PROPFIND on /owncloud/remote.php/dav is rejected, server advertises Basic and Bearer authentication in the WWW-Authenticate header
  • 885 / 1642: Same PROPFIND request, now with Authorization: Bearer header. Now the request is replied to, and the principal URI owncloud/remote.php/dav/principals/cloaky is returned.
  • Between 885/1642, we can see that owncloud checks with the keycloak server introspection and userinfo endpoints.

Now things don't work anymore:

  • 1650/2225: Client tries a PROPFIND on the principal URI discovered above. Unauthenticated request is rejected as expected.
  • 2227/2982: The authenticated request (same token / header as in 885) is rejected, interestingly with a 404. (Note: Basic auth to the same URI works just fine)

I would appreciate any insight on what goes wrong here. Is CardDAV access via bearer auth with external auth server supported at all?

[QA] Errors while enabling openidconnect-2.0.0RC1

Within a docker-compose 10.6.0 server,

  • docker-compose exec owncloud bash, then:

    occ maintenance:mode --on
    occ app:list openidconnect
        ownCloud is in maintenance mode - no app have been loaded
        Enabled:
          - openidconnect: 1.0.0
    occ app:disable openidconnect
    cd custom
    wget https://github.com/owncloud/openidconnect/releases/download/v2.0.0RC1/openidconnect-2.0.0RC1.tar.gz
    tar xf openidconnect-2.0.0RC1.tar.gz
    rm openidconnect-2.0.0RC1.tar.gz
    chown -R www-data openidconnect
    occ maintenance:mode --off
  • From the admin settings web ui find the disabled openidconnect app,
  • verify that its version now shows 2.0.0, click 'enable'
  • An error message appears (note: it complains about 'cannot disable' although I asked for enable):

Try the same with occ app:enable openidconnect

ownCloud or one of the apps require upgrade - only a limited number of commands are available
You may use your browser or the occ upgrade command to do the upgrade
openidconnect enabled

Expected behaviour: Do not show an error, show the upgrade admin screen, when an upgrade is needed.

Workaround: run occ upgrade -- now the web ui and cli can enable/disable the app without errors.

Error decoding JSON from token header

Referred Thread: #17

But was not able to resolve my issue.

While implementing node-oidc provider, the auth workflow is implemented but at the last step, it displays error:

Remote Address: 103.252.24.12
Request ID: QFb9UzXDpFx91gS9fBLn
Type: Jumbojett\OpenIDConnectClientException
Code: 0
Message: Error decoding JSON from token header
File: /var/www/owncloud/apps/openidconnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php
Line: 952

Trace
#0 /var/www/owncloud/apps/openidconnect/lib/SessionVerifier.php(120): Jumbojett\OpenIDConnectClient->verifyJWTsignature()
#1 /var/www/owncloud/apps/openidconnect/lib/Application.php(79): OCA\OpenIdConnect\SessionVerifier->verifySession()
#2 /var/www/owncloud/apps/openidconnect/appinfo/app.php(28): OCA\OpenIdConnect\Application->boot()
#3 /var/www/owncloud/apps/openidconnect/appinfo/app.php(29): OC_App::{closure}()
#4 /var/www/owncloud/lib/private/legacy/app.php(253): require_once('/var/www/ownclo...')
#5 /var/www/owncloud/lib/private/legacy/app.php(192): OC_App::requireAppFile()
#6 /var/www/owncloud/lib/private/legacy/app.php(125): OC_App::loadApp()
#7 /var/www/owncloud/lib/base.php(885): OC_App::loadApps()
#8 /var/www/owncloud/index.php(54): OC::handleRequest()
#9 {main}

Node-oidc Provider Conf:

https://github.com/panva/node-oidc-provider/blob/main/example/support/configuration.js

Is this a bug?
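The trace above ends in verifyJWTsignature(), which has to read the JOSE header (alg, kid) before it can pick a key, so "Error decoding JSON from token header" means the first segment of whatever was handed to the verifier does not decode to a JSON object. The following Python is an added illustration, not code from this app or from the jumbojett library, of the three stages such a check passes through and how each failure shows up; the sample tokens are constructed here (the "c2ln" signature segment is just base64url of "sig") and no signature is verified.

```python
import base64
import json


def encode_segment(obj: dict) -> str:
    """base64url-encode one JSON segment the way a JWS does (no padding)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample tokens for this example; none of them is a real credential.
SAMPLE_JWT = ".".join([encode_segment({"alg": "RS256", "typ": "JWT", "kid": "k1"}),
                       encode_segment({"sub": "alice"}), "c2ln"])
SAMPLE_OPAQUE = "0f4a1c9e-constructed-opaque-token"          # not a JWS at all
SAMPLE_BAD_JSON = ".".join([base64.urlsafe_b64encode(b"not json").rstrip(b"=").decode(),
                            encode_segment({"sub": "alice"}), "c2ln"])


def b64url_decode(segment: str) -> bytes:
    """Strict base64url decoding (RFC 7515 section 2): restore the padding the
    JWS format strips, and reject characters outside the alphabet instead of
    silently discarding them as urlsafe_b64decode() would."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def decode_jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWS.

    Raises ValueError naming the first stage that failed: segment count,
    base64url decoding, JSON parsing, or the shape of the parsed header.
    These are exactly the stages a verifier must pass before it can look up
    a key by 'alg' and 'kid'.  No signature is checked here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"not a compact JWS: expected 3 segments, got {len(parts)} "
                         "(opaque token rather than a JWS?)")
    try:
        raw = b64url_decode(parts[0])
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError(f"header is not base64url: {exc}") from exc
    try:
        header = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"header is not JSON: {exc.msg}") from exc
    if not isinstance(header, dict) or "alg" not in header:
        raise ValueError("header must be a JSON object with an 'alg' member")
    return header


def classify(token: str) -> str:
    """'ok' when the header is readable, otherwise the reason it is not."""
    try:
        decode_jwt_header(token)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for name, token in [("jwt", SAMPLE_JWT), ("opaque", SAMPLE_OPAQUE), ("bad-json", SAMPLE_BAD_JSON)]:
        print(f"{name:8s} -> {classify(token)}")
```

Running classify() over the token the provider actually returned (copied from the server log with debug logging on) tells you which stage fails; an opaque access token or a token whose header segment is not JSON are the two cases this distinguishes from a genuine signature problem.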

Owncloud-web only works in the same network where it runs

When I try to log in to our owncloud from outside the host network with the OIDC provider, it is not possible. When I press the button to log in, the site loads and then stays at the same page. When I connect via VPN to the host network / go to the office and use WLAN it works fine. Also with the desktop, iOS and Android apps it works fine. As redirect URL I use https://owncloud.example.de/apps/openidconnect/redirect . When I try for example https://owncloud.example.de/index.php/apps/openidconnect/redirect then I get an "invalid_request: given url is not allowed by the application configuration". My config.php is:

<?php
$CONFIG = array (
  'instanceid' => '516293f783096',
  'passwordsalt' => 'XXX',
  'secret' => 'aafa2f7a5574880745abb2f1285a4668248b5c3effe2dc3c52063801b82452e4bdcf293f8c50489a3b2aac1XXX',
  'trusted_domains' => 
  array (
    0 => 'owncloud.example.de'
  ),
  'datadirectory' => '/var/www/owncloud/data',
  #'overwrite.cli.url' => 'http://localhost',
  'htaccess.RewriteBase' => '/',
  'dbtype' => 'mysql',
  'version' => '10.5.0.10',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'owncloud',
  'dbpassword' => 'XXX',
  'logtimezone' => 'UTC',
  'token_auth_enforced' => false,
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/owncloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/owncloud/apps-external',
      'url' => '/apps-external',
      'writable' => true,
    ),
  ),
  'installed' => true,
  'maintenance' => false,
  'filelocking.enabled' => true,
  'openid-connect' => 
  array (
    'provider-url' => 'https://widas.cidaas.de',
    'client-id' => 'XXX',
    'client-secret' => 'XXX',
    'loginButtonName' => 'cidaas',
    'autoRedirectOnLoginPage' => false,
    'mode' => 'userid',
    'search-attribute' => 'email',
    'scopes' => 
    array (
      0 => 'openid',
      1 => 'email',
      2 => 'profile',
      3 => 'identities',
      4 => 'groups',
      5 => 'roles',
      6 => 'offline_access',
      7 => 'phone',
      8 => 'adress',
    ),
  ),
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'trashbin_retention_obligation' => 'auto',
  'redis' => 
  array (
    'host' => 'localhost',
    'port' => 6379,
  ),
  'loglevel' => 2,
  'theme' => '',
  'singleuser' => false,
);

Does anyone have any idea what I need to change to get redirected even when I am not in the host network?

Thanks for help :)

All clients supported?

I have been setting up the app by following the steps on the README.

This is probably a setup issue, and not a problem in the code, but I have to share it with you because it affects clients.

Everything is fine when setting up and using this OIDC infra with a web browser. With mobile apps, it was not possible. My assumption was that clients were not signed up in the idP. I mean, in the configuration.js file, initially:

module.exports.clients = [
  {
    client_id: 'ownCloud',
    client_secret: 'ownCloud',
    grant_types: ['refresh_token', 'authorization_code'],
    redirect_uris: ['http://localhost:8080/index.php/apps/openidconnect/redirect'],
    frontchannel_logout_uri: 'http://localhost:8080/index.php/apps/openidconnect/logout'
  }
];

I added a couple of additional clients to that collection, so that mobile apps were also covered as valid clients:

clients: [
    {
      client_id: 'ownCloud',
      client_secret: 'ownCloud',
      grant_types: ['refresh_token', 'authorization_code'],
      redirect_uris: ['http://192.168.1.126:25000/apps/openidconnect/redirect'],
      frontchannel_logout_uri: 'http://192.168.1.126:25000/apps/openidconnect/logout'
    },
    {
      client_id: 'e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD',
      client_secret: 'dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD',
      grant_types: ['refresh_token', 'authorization_code'],
      redirect_uris: ['oc://android.owncloud.com'],
      frontchannel_logout_uri: 'http://192.168.1.126:25000/apps/openidconnect/logout'
    },
    {
      client_id: 'mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1',
      client_secret: 'KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx',
      grant_types: ['refresh_token', 'authorization_code'],
      redirect_uris: ['oc://ios.owncloud.com','oc.ios://ios.owncloud.com'],
      frontchannel_logout_uri: 'http://192.168.1.126:25000/apps/openidconnect/logout'
    }
  ],

At this point, the result was not successful. These ones are my findings:

  • No matter how many client_ids I add to the array, it will try the first one (client_id: 'ownCloud'). So the internal authorization will fail and the redirection_url will never be invoked, breaking the app flow (list of files shown in the browser)

Screenshot_20200901-133251

  • If I comment out or remove the client_id: 'ownCloud', leaving android or ios as the first item in the array, the client is not accepted.

Screenshot 2020-08-26 at 13 39 07

Do I miss something? Any further idea? Is this a problem of the idP? Of the app? Of both together?

Thanks in advance
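Both symptoms in this post, and the "invalid_request: given url is not allowed by the application configuration" error in the "Owncloud-web only works in the same network" issue above, come down to the authorization server matching the redirect_uri of each request against the list registered for the client_id that request carries. The following Python is an added illustration of that check, not code from this app, node-oidc-provider or cidaas; the registry is constructed after the configuration.js excerpt above with placeholder client ids, and the loopback rule for native clients follows RFC 8252 section 7.3.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed registry modelled on the configuration.js excerpt above.  The
# client ids are placeholders, not the values from the post; secrets are
# omitted because redirect validation never needs them.
REGISTRY = {
    "ownCloud": {
        "application_type": "web",
        "redirect_uris": ["http://192.168.1.126:25000/apps/openidconnect/redirect"],
    },
    "android-client-id-placeholder": {
        "application_type": "native",
        "redirect_uris": ["oc://android.owncloud.com"],
    },
    "ios-client-id-placeholder": {
        "application_type": "native",
        "redirect_uris": ["oc://ios.owncloud.com", "oc.ios://ios.owncloud.com"],
    },
    "cli-client-id-placeholder": {
        "application_type": "native",
        "redirect_uris": ["http://127.0.0.1/callback"],   # loopback, port chosen at runtime
    },
}

LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def _canonical(uri: str) -> str:
    """Lower-case scheme and host; path and query are compared byte for byte."""
    p = urlsplit(uri)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def _loopback_match(registered: str, requested: str) -> bool:
    """RFC 8252 section 7.3: a native app's loopback redirect may use any port,
    because the app binds an ephemeral port on each run."""
    r, q = urlsplit(registered), urlsplit(requested)
    return (r.scheme == q.scheme == "http"
            and r.hostname in LOOPBACK_HOSTS and r.hostname == q.hostname
            and r.path == q.path and r.query == q.query)


def check_authorization_request(client_id: str, redirect_uri: str, registry=REGISTRY) -> tuple:
    """Return ("ok", redirect_uri) or ("invalid_request", reason).

    Exact matching against the client's own list is what keeps the
    authorization code from being delivered to a URL the client never
    registered.  A mobile app's custom-scheme URI presented under the
    client_id 'ownCloud', or /index.php/ added to a registered path, are
    both rejected here for that reason.
    """
    client = registry.get(client_id)
    if client is None:
        return "invalid_request", "unknown client_id"
    if urlsplit(redirect_uri).fragment:
        return "invalid_request", "redirect_uri must not contain a fragment"
    requested = _canonical(redirect_uri)
    for registered in client["redirect_uris"]:
        if _canonical(registered) == requested:
            return "ok", redirect_uri
        if client["application_type"] == "native" and _loopback_match(registered, redirect_uri):
            return "ok", redirect_uri
    return "invalid_request", "redirect_uri is not registered for this client"


if __name__ == "__main__":
    print(check_authorization_request("ownCloud", "oc://android.owncloud.com"))
    print(check_authorization_request("android-client-id-placeholder", "oc://android.owncloud.com"))
```

The practical consequence for the setup in this post is that each client must be registered under its own client_id and must send that client_id in its authorization request; adding more entries to the array does nothing for a client that keeps identifying itself as 'ownCloud'.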

[QA] no session timeout, when migrating from basic auth to OIDC

Tested openidconnect-2.0.0RC1 in oc-10.6.0 with both firefox web ui and desktop client 2.7.5RC2

  • Make sure basic auth is used:
    occ maintenance:mode --on; occ app:disable openidconnect; occ maintenance:mode --off

  • connect desktop client with username and password

  • login a web browser with username and password

  • migrate to OIDC:
    occ maintenance:mode --on; occ app:enable openidconnect; occ maintenance:mode --off

  • verify OIDC login with a different browser session.

  • Wait 60 minutes.

  • modify a local file, the desktop client syncs into the server.

  • upload a file through the web UI.

Expected behaviour: according to https://github.com/owncloud/QA/blob/master/Mobile/GenericTPs/OIDC.md#Migration, the session should expire.

Workaround: After a manual client account->logout, the next login runs through OIDC.

@jesmrec is this a correct test case? Do we expect too much? Verbose client logging does not show any token expire or revalidate activity.

[QA] [OIDC] Token refresh fails

Tested with server 10.5 + openidconnect 1.0.0RC4 for #66 + desktop client testpilotcloud version 2.7.0daily20201004 (build 2209)

  • connect via oidc
  • wait a few minutes
  • add a local folder, upload starts
  • wait for an explosion:
    image

Despite the above error, the upload went fine:
image

Expected behaviour: The client does a refresh automatically, when the token expires.
Workaround: Client -> Account -> log out / log in fixes the situation. But requires a confirmation on the IDP page.

Client log:
20201008_0929_owncloud.log.0.zip

server log:
jw-openidconnect-1-0-0rc4-test-vbw0q.log.zip

@TheOneRing Please transfer to owncloud/openidconnect, if you think this is more a server bug.

How to authorize client app

How do I authorize client apps, i.e. the Windows desktop client and the Android client app, while this app is set up and functional?

I can sign in using the web browser. When I enter the URL of my owncloud instance in the desktop client, it opens the browser for me to log in. Once logged in, it goes to the files app and the client app is never authorized. If I click "re-open browser" I'm taken to an already logged-in session. Nothing happens.

[QA] autoprovisioning does not import the fullname

Tested with openidconnect-2.0.0RC1 on oc-10.6.0 with php-7.4.3 connected against Azure AD

My Test user at Azure AD is named "Juergen Weigert"
With autoprovisioning on, the user gets created in ownCloud as oidc-user-60100f71354ec

Expected behaviour: The user would also show up as Full name 'Juergen Weigert' in owncloud.

image

How can I add OpenID for Android and IOS

Hi guys,

I have set up OIDC for Owncloud for the company where I work. It works fine for Owncloud in the browser.
From the other tickets and docs, unfortunately I don't understand how to add OIDC for Android and iOS.
Do I need to add it in the config.php file of owncloud?
I'm using "cidaas" as OIDC provider and here I have to decide between iOS & Android & Webpage.

I would be very thankful for help on where I can do the configuration for Android and iOS 😄

OIDC callback requests rely on SameSite: strict cookies which fails with cross domain IdP

This follows up #123 (comment) as a new ticket.

ownCloud uses SameSite: strict on all cookies (https://github.com/owncloud/core/blob/736e54aa571658b9f1a31f9a27a3ff877b2a3006/lib/private/Session/CryptoWrapper.php#L102) which leads to no cookies being sent, when the OIDC callback comes back from the IdP (as a redirect to ownCloud) and that IdP is on another origin (not same site).

The callbacks for OIDC must work when the initiating request is on another origin, and thus having the callback rely on SameSite cookies does not work.
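To make the cookie rules behind this ticket concrete, here is an added Python model (not ownCloud's code) of the SameSite decision a browser takes for the OIDC callback, following the SameSite rules of the RFC 6265bis cookie draft. The IdP and ownCloud URLs are constructed for the example and deliberately on different sites, and site_of() is a simplification that takes the last two host labels as the site instead of consulting the Public Suffix List. The model also covers the form_post response mode, where the callback is a top-level POST rather than a GET and Lax is no longer enough.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Registrable domain of a URL.  Constructed simplification: a real browser
    consults the Public Suffix List; here the last two labels of the host are
    taken as the site, which is right for example.net-style hosts and wrong for
    co.uk-style ones."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str   # "Strict", "Lax" or "None", as set by the server
    secure: bool


def cookie_sent(cookie: Cookie, initiator_url: str, request_url: str,
                method: str = "GET", top_level: bool = True) -> bool:
    """Decide whether a browser attaches `cookie` to a request.

    initiator_url is the page whose action caused the request (for an OIDC
    callback that is the IdP page issuing the redirect); request_url is the URL
    being fetched.  Strict cookies travel only on same-site requests; Lax
    cookies additionally on top-level navigations with a safe method; None
    cookies everywhere, but only if they are also Secure and the request is
    over https.
    """
    if site_of(initiator_url) == site_of(request_url):
        return True
    mode = cookie.same_site.lower()
    if mode == "strict":
        return False
    if mode == "lax":
        return top_level and method.upper() in ("GET", "HEAD")
    if mode == "none":
        return cookie.secure and urlsplit(request_url).scheme == "https"
    raise ValueError(f"unknown SameSite attribute {cookie.same_site!r}")


# Constructed URLs for this example: the IdP is on a different site from ownCloud.
IDP_PAGE = "https://idp.example.org/login"
CALLBACK = "https://owncloud.example.net/index.php/apps/openidconnect/redirect"
OWN_LOGIN_PAGE = "https://owncloud.example.net/login"


def callback_keeps_state(cookie: Cookie, response_mode: str = "query") -> bool:
    """Does the cookie carrying the login state survive the redirect back from the IdP?

    The authorization response arrives as a top-level GET for response_mode=query
    (the usual choice for the code flow) and as a top-level POST for
    response_mode=form_post.
    """
    method = "POST" if response_mode == "form_post" else "GET"
    return cookie_sent(cookie, IDP_PAGE, CALLBACK, method=method, top_level=True)


if __name__ == "__main__":
    for attr in ("Strict", "Lax", "None"):
        c = Cookie("oc_state", attr, secure=True)
        print(f"{attr:6s} query={callback_keeps_state(c)} form_post={callback_keeps_state(c, 'form_post')}")
```

The table this prints is the whole point of the ticket: with Strict, nothing set by ownCloud before the redirect is visible when the IdP sends the browser back, so the callback cannot find the state it stored; Lax is the minimum for a GET callback, and a form_post callback needs SameSite=None together with Secure.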

[QA] autoprovisioning only adds user to one group

Tested with openidconnect-2.0.0RC1 on oc-10.6.0 with php-7.4.3 connected against Azure AD

My test user at Azure AD is identified by [email protected]
With autoprovisioning on, the user gets created in ownCloud. The groups setting is:

   'auto-provision' => [
        // defines a list of groups to which the newly created user will be added automatically
        'groups' => ['admin', 'guests', 'employees'],

The imported user is added only to the 'admin' group.
(One other user at the server is at least in group 'employees', so we know the group exists, if that is a precondition.)

image

Expected behaviour: the user gets added to all groups listed in the config.

redirect_url from login is not preserved across authentication

If I am not logged in to ownCloud and I open a link that has been shared with me I do not get redirected to the originally requested page.

ie. this link https://share.example.org/login?redirect_url=%252Fsettings%252Fpersonal should take me to the settings page post-login.

The app currently does not preserve the redirect_url from the request at any point.

[QA] IDP certificate error causes a stack trace

Tested with openidconnect-2.0.0RC1 on oc-10.6.0 with kopano konnect as IDP
Setup done via https://github.com/owncloud-docker/compose-playground/blob/master/examples/hetzner-deploy/make_openidconnect_test.sh

In this setup, caddy is used for ssl termination. It pulls two certificates from letsencrypt. Sometimes this fails due to ratelimits or similar.
When we have a certificate for the owncloud server, but no certificate for kopano, internal errors occur, e.g. when testing the .well-known/openid-configuration:

Screenshot from 2021-01-28 09-19-14

Expected behaviour: Proper error message without stack trace

Exception: OpenID Connect token expired leads to 500

Set up owncloud and follow the ocis bridge (install graphapi and openidconnect apps, run ocis-glauth & ocis-konnectd) to get oc10 authenticated against konnectd with the accounts existing in owncloud

initial login works, but as soon as the token expires the android apps do not refresh the token.

I used openidconnect master as well as oauth2 master and see this log line:

{
    "reqId":"07547f8c-1fa9-4164-b798-e4f39c35e188",
    "level":4,
    "time":"2020-06-21T21:45:22+00:00",
    "remoteAddr":"172.19.0.2",
    "user":"jfd",
    "app":"webdav",
    "method":"PROPFIND",
    "url":"\/remote.php\/dav\/files\/jfd\/...\/",
    "message":"Exception: OpenID Connect token expired: {
        \"Exception\":\"OC\User\LoginException\",
        \"Message\":\"OpenID Connect token expired\",
        \"Code\":0,
        \"Trace\": \"
            #0 /apps/openidconnect/lib/Sabre/OpenIdSabreAuthBackend.php(115): OCA\OpenIdConnect\OpenIdConnectAuthModule->authToken('eyJhbGciOiJQUzI...')
            #1 /lib/composer/sabre/dav/lib/DAV/Auth/Backend/AbstractBearer.php(96): OCA\OpenIdConnect\Sabre\OpenIdSabreAuthBackend->validateBearerToken('eyJhbGciOiJQUzI...')
            #2 /lib/composer/sabre/dav/lib/DAV/Auth/Plugin.php(182): Sabre\DAV\Auth\Backend\AbstractBearer->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
            #3 /lib/composer/sabre/dav/lib/DAV/Auth/Plugin.php(137): Sabre\DAV\Auth\Plugin->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
            #4 /lib/composer/sabre/event/lib/WildcardEmitterTrait.php(89): Sabre\DAV\Auth\Plugin->beforeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
            #5 /lib/composer/sabre/dav/lib/DAV/Server.php(454): Sabre\DAV\Server->emit('beforeMethod:PR...', Array)
            #6 /lib/composer/sabre/dav/lib/DAV/Server.php(251): Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
            #7 /apps/dav/lib/Server.php(329): Sabre\DAV\Server->start()
            #8 /apps/dav/appinfo/v2/remote.php(31): OCA\DAV\Server->exec()
            #9 /remote.php(165): require_once('/var/www/ownclo...')
        #10 {main}\",
        \"File\":\"/apps/openidconnect/lib/OpenIdConnectAuthModule.php\",
        \"Line\":107
    }
"}

this leads to a 500 in apache

owncloud-apache    | 172.19.0.2 - - [21/Jun/2020:21:56:51 +0000] "PROPFIND /remote.php/dav/files/jfd/.../ HTTP/1.1" 500 214

android log:

D/(CheckPathExistenceRemoteOperation.kt:84) .run(): Existence check for https://.../remote.php/dav/files/jfd/.../ finished with HTTP status 500(FAIL)
E/(UploadFileOperation.java:378) .run(): Upload of /storage/emulated/0/owncloud/tmp/jfd@.../DSC_0064.JPG to .../DSC_0064.JPG: The ownCloud server is not configured!
D/(UploadsStorageManager.java:472) .updateDatabaseUploadResult(): updateDataseUploadResult uploadResult: com.owncloud.android.lib.common.operations.RemoteOperationResult@213bdc2 upload: com.owncloud.android.operations.ChunkedUploadFileOperation@c4517d3
V/(UploadsStorageManager.java:173) .updateUploadInternal(): Updating /storage/emulated/0/owncloud/tmp/jfd@.../DSC_0064.JPG with status:UPLOAD_FAILED and result:UNKNOWN (old:/storage/emulated/0/owncloud/tmp/jfd@.../DSC_0064.JPG status:UPLOAD_IN_PROGRESS result:-1)

Refreshing the authentication in the android app by going to the accounts and clicking on the key icon does not seem to update the token that is used for the uploads ... retrying uploads still fails ... could it be that the token does not change? hm, the new upload requests at least start with the same token eyJhbGciOiJQUzI.. in the log...

well and a 500 does not tell the client to reauthenticate ...

Related:
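The last remark is the actionable part of this report: an expiry failure that escapes as an exception becomes a 500, and a 500 carries no instruction for the client. The following Python is an added sketch, not the app's or sabre/dav's code, of a bearer check that turns an expired, forged or malformed token into a 401 with the WWW-Authenticate challenge from RFC 6750 section 3, which is what a sync client acts on by refreshing its token. The key, clock and tokens are constructed for the example; the example signs with HS256 to stay self-contained, whereas the tokens in the log are PS256 (their header starts with eyJhbGciOiJQUzI).

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a constructed HS256 test token (real IdPs use asymmetric algorithms
    such as the PS256 seen in the log; a shared key keeps this example offline)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


class TokenError(Exception):
    """An RFC 6750 invalid_token condition; str(exc) becomes error_description."""


def validate_hs256_token(token: str, key: bytes, now: int, leeway: int = 60) -> dict:
    """Verify algorithm, signature and expiry; return the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token is not a compact JWS")
    try:
        header = json.loads(b64url_decode(parts[0]))
        # Pin the algorithm: the token must never choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise TokenError("unexpected alg")
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            raise TokenError("signature verification failed")
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:                     # bad base64 or bad JSON
        raise TokenError("token is malformed") from exc
    if not isinstance(claims, dict):
        raise TokenError("token is malformed")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenError("token expired")
    return claims


def handle_dav_request(headers: Dict[str, str], key: bytes, now: int) -> Tuple[int, Dict[str, str]]:
    """Map bearer validation to an HTTP outcome for a WebDAV request.

    Returns (status, response headers).  Every validation failure becomes a
    401 with a Bearer challenge (RFC 6750 section 3) so the client knows it
    must obtain a new token; nothing here is allowed to escape as a 500.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"WWW-Authenticate": 'Bearer realm="ownCloud"'}
    try:
        claims = validate_hs256_token(token, key, now)
    except TokenError as exc:
        return 401, {"WWW-Authenticate":
                     f'Bearer realm="ownCloud", error="invalid_token", error_description="{exc}"'}
    # PROPFIND answers 207 Multi-Status once the caller is authenticated.
    return 207, {"X-Authenticated-User": str(claims.get("sub", ""))}


# Constructed inputs: a fixed clock and a throw-away key.
KEY = b"constructed-demo-key-not-a-real-secret"
NOW = 1_600_000_000
EXPIRED_TOKEN = make_hs256_token({"sub": "jfd", "exp": NOW - 3600}, KEY)
FRESH_TOKEN = make_hs256_token({"sub": "jfd", "exp": NOW + 3600}, KEY)
FORGED_TOKEN = make_hs256_token({"sub": "jfd", "exp": NOW + 3600}, b"wrong-key")

if __name__ == "__main__":
    for label, tok in [("expired", EXPIRED_TOKEN), ("fresh", FRESH_TOKEN), ("forged", FORGED_TOKEN)]:
        print(label, handle_dav_request({"Authorization": "Bearer " + tok}, KEY, NOW))
```

In sabre/dav terms, the trace above shows the exception leaving OpenIdSabreAuthBackend::validateBearerToken(); a backend that instead returns false lets AbstractBearer::check() fail the request and the Auth plugin emit its 401 challenge, which is the response the android client in the log needs before it will re-authenticate.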

[QA] App is not compliant

Tested with server 10.5 + openidconnect 1.0.0RC4 for #66

$ docker exec compose_owncloud_1 occ app:check-code openidconnect
Analysing /var/www/owncloud/custom/openidconnect/lib/LoginPageBehaviour.php
 2 errors
    line   24: OC_App - private class must not be imported with a use statement
    line   89: OC_App - Static method of private class must not be called
Analysing /var/www/owncloud/custom/openidconnect/lib/Controller/LoginFlowController.php
 1 errors
    line  217: OC_Util - Static method of private class must not be called
Analysing /var/www/owncloud/custom/openidconnect/lib/Sabre/OpenIdSabreAuthBackend.php
 1 errors
    line  152: OC_Util - Static method of private class must not be called
App is not compliant

No idea how relevant this code check is. Just mentioning....

[QA] identifier-registration.yml setting trusted:true has no effect

Tested with server 10.5 + openidconnect 1.0.0RC4 for #66 + desktop client testpilotcloud version 2.7.0daily20201004 (build 2209)

My kopano/konnect/konnectd-identifier-registration.yaml contains

---
# OpenID Connect client registry.
clients:
  - id: ownCloud
    secret: ownCloud
    application_type: web
    insecure: true

  - id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
    secret: UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh
    name: ownCloud desktop client
    application_type: native
    insecure: true
    trusted: true

...

image

The name: element is effective (I changed the exact spelling of the name to verify that I am editing the correct identifier-registration.yaml file.)
The trusted: element is not.

Expected behaviour: Because of trusted: true, the above shown dialog should be skipped. The client should receive permission without extra user interaction.

Failing to login with corporate proxy between Owncloud and the IdP

Hello,

Thanks a lot for all the efforts you are doing with this app for Owncloud, is really useful.

I am having a problem logging in using the OpenID app with Azure OpenID cloud. So far, the problem I have is with the proxy configuration. In my case the IDP is outside our network and behind a firewall; therefore, in order to access the IDP (login.microsoftonline.com) I have to pass through our corporate proxy. This is my configuration file:

<?php
$CONFIG = array (
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/owncloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/owncloud/custom',
      'url' => '/custom',
      'writable' => true,
    ),
  ),
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'owncloud-owncloud-dev.example.com',
    2 => 'login.microsoftonline.com',
    3 => 'graph.microsoft.com',
  ),
  'datadirectory' => '/var/lib/owncloud/files',
  'dbtype' => 'mysql',
  'dbhost' => 'mariadb:3306',
  'dbname' => 'owncloud',
  'dbuser' => 'owncloud',
  'dbpassword' => '***********',
  'dbtableprefix' => 'oc_',
  'log_type' => 'owncloud',
  'supportedDatabases' =>
  array (
    0 => 'sqlite',
    1 => 'mysql',
    2 => 'pgsql',
  ),
  'upgrade.disable-web' => true,
  'default_language' => 'en',
  'overwrite.cli.url' => 'https://owncloud-owncloud-dev.example.com',
  'htaccess.RewriteBase' => '/',
  'logfile' => '/dev/stdout',
  'loglevel' => 2,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'filelocking.enabled' => true,
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'redis',
    'port' => '6379',
  ),
  'passwordsalt' => '*********************',
  'secret' => 'a***************************',
  'version' => '10.6.0.5',
  'mysql.utf8mb4' => true,
  'logtimezone' => 'UTC',
  'installed' => true,
  'instanceid' => 'xxxxxxxx',
  'mail_domain' => 'example.com',
  'mail_from_address' => 'owncloud-dev',
  'mail_smtpmode' => 'smtp',
  'proxy' => 'http://proxy.example.com:8080/',
  'mail_smtphost' => 'gvamail.example.com',
  'mail_smtpport' => '25',
  'maintenance' => false,
  'openid-connect' =>
  array (
    'provider-url' => 'https://login.microsoftonline.com//',
    'client-id' => '***************************',
    'client-secret' => '**************************',
    'redirect-url' => 'https://owncloud-owncloud-dev.example.com/index.php/apps/openidconnect/redirect',
    'loginButtonName' => 'Santander Private Bankin SSO Login',
    'autoRedirectOnLoginPage' => false,
    'mode' => 'userid', // change this to 'email' if necessary (see Identity Provider configuration)
    'search-attribute' => 'preferred_username', // change this to suit your environment (see Identity Provider configuration)
    'post_logout_redirect_uri' => 'https://owncloud-owncloud-dev.example.com/',
    'provider-params' =>
    array (
      'authorization_endpoint' => 'https://login.microsoftonline.com/a******/oauth2/v2.0/authorize',
      'token_endpoint' => 'https://login.microsoftonline.com/******/oauth2/v2.0/token',
      //'token_endpoint_auth_methods_supported' => ['client_secret_post','private_key_jwt','client_secret_basic'],
      'userinfo_endpoint' => 'https://graph.microsoft.com/oidc/userinfo',
      'end_session_endpoint' => 'https://login.microsoftonline.com/************/oauth2/v2.0/logout',
      'jwks_uri' => 'https://login.microsoftonline.com/********/discovery/v2.0/keys',
    ),
  ),
); 

When I click on the OpenID button to log in, all goes well and I am able to log in, but when it tries to redirect to Owncloud again, it does not work. I have the following error in the logs:

[Mon Mar 08 18:35:42.071322 2021] [php7:notice] [pid 67627] [client XXX.XXX.XXX.XXX:0] {"reqId":"8IKwkagBWkiFobgfwWw4","level":3,"time":"2021-03-08T18:35:42+00:00","remoteAddr":"XX.XX.XX.XX","user":"--","app":"index","method":"GET","url":"\\/index.php\\/apps\\/openidconnect\\/config","message":"Exception: {\\"Exception\\":\\"Jumbojett\\\\\\\\OpenIDConnectClientException\\",\\"Message\\":\\"Curl error: (28) Failed to connect to login.microsoftonline.com port 443: Connection timed out\\",\\"Code\\":0,\\"Trace\\":\\"#0 \\\\\\/var\\\\\\/lib\\\\\\/owncloud\\\\\\/apps\\\\\\/openidconnect\\\\\\/lib\\\\\\/Client.php(149): Jumbojett\\\\\\\\OpenIDConnectClient->fetchURL()\\\\n#1 \\\\\\/var\\\\\\/lib\\\\\\/owncloud\\\\\\/apps\\\\\\/openidconnect\\\\\\/lib\\\\\\/Client.php(97): OCA\\\\\\\\OpenIdConnect\\\\\\\\Client->fetchURL()\\\\n#2 \\\\\\/var\\\\\\/lib\\\\\\/owncloud\\\\\\/apps\\\\\\/openidconnect\\\\\\/lib\\\\\\/Controller\\\\\\/LoginFlowController.php(102): OCA\\\\\\\\OpenIdConnect\\\\\\\\Client->getWellKnownConfig()\\\\n#3 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/Http\\\\\\/Dispatcher.php(153): OCA\\\\\\\\OpenIdConnect\\\\\\\\Controller\\\\\\\\LoginFlowController->config()\\\\n#4 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/Http\\\\\\/Dispatcher.php(85): OC\\\\\\\\AppFramework\\\\\\\\Http\\\\\\\\Dispatcher->executeController()\\\\n#5 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/App.php(100): OC\\\\\\\\AppFramework\\\\\\\\Http\\\\\\\\Dispatcher->dispatch()\\\\n#6 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/AppFramework\\\\\\/Routing\\\\\\/RouteActionHandler.php(47): OC\\\\\\\\AppFramework\\\\\\\\App::main()\\\\n#7 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/private\\\\\\/Route\\\\\\/Router.php(342): OC\\\\\\\\AppFramework\\\\\\\\Routing\\\\\\\\RouteActionHandler->__invoke()\\\\n#8 
\\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/lib\\\\\\/base.php(917): OC\\\\\\\\Route\\\\\\\\Router->match()\\\\n#9 \\\\\\/var\\\\\\/www\\\\\\/owncloud\\\\\\/index.php(54): OC::handleRequest()\\\\n#10 {main}\\",\\"File\\":\\"\\\\\\/var\\\\\\/lib\\\\\\/owncloud\\\\\\/apps\\\\\\/openidconnect\\\\\\/vendor\\\\\\/jumbojett\\\\\\/openid-connect-php\\\\\\/src\\\\\\/OpenIDConnectClient.php\\",\\"Line\\":1207}"}

From my firewall logs, I can see that the traffic between Owncloud and the IDP (login.microsoftonline.com) is blocked, but the proxy in Owncloud is configured and I can access the update services and marketplace as well. If I try to access the IDP using the proxy with curl I can do it without problems.

/var/www/owncloud # curl -kv https://login.microsoftonline.com
*   Trying 20.190.160.5:443...
* TCP_NODELAY set
/var/www/owncloud # curl -kv --proxy http://proxy.example.com:8080  https://login.microsoftonline.com
*   Trying proxy.example.com:8080...
* TCP_NODELAY set
* Connected to proxy.example.com port 8080 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to login.microsoftonline.com:443
* Proxy auth using Basic with user 'proxy'
> CONNECT login.microsoftonline.com:443 HTTP/1.1
> Host: login.microsoftonline.com:443
> Proxy-Authorization: Basic *********
> User-Agent: curl/7.68.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
< Date: Mon, 08 Mar 2021 18:52:17 GMT
< Proxy-Connection: Keep-Alive
< Via: 1.1 proxy.example.com
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CONNECT phase completed!
* CONNECT phase completed!
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=Washington; L=Redmond; O=Microsoft Corporation; CN=stamp2.login.microsoftonline.com
*  start date: Mar  5 00:00:00 2021 GMT
*  expire date: Mar  5 23:59:59 2022 GMT
*  issuer: C=CH; ST=GE; L=Geneva; 
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
> GET / HTTP/1.1
> Host: login.microsoftonline.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Cache-Control: no-store, no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Location: https://www.office.com/login#
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
< x-ms-request-id: 5543ab87-f9af-4fef-b07b-7a814bd3ac00
< x-ms-ests-server: 2.1.11530.15 - NEULR2 ProdSlices
< Set-Cookie: fpc=ApN_sfEUbm5Pqb73571r-tk; expires=Wed, 07-Apr-2021 18:52:18 GMT; path=/; secure; HttpOnly; SameSite=None
< Set-Cookie: esctx=AQABAAAAAAD--DLA3VO7QrddgJg7Wevriq2Y4st546ZdgizifuRv5Hi_tjP5wJhE6npoNHjWeUK9E8eeBBq0XBVBxi3fLigt-iE9iS-5BfThl_wcgAA; domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None
< Set-Cookie: x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly
< Set-Cookie: stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
< Date: Mon, 08 Mar 2021 18:52:17 GMT
< Content-Length: 146
< Age: 2
< Via: HTTPS/1.1 proxy.example.com
<
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="https://www.office.com/login#">here</a>.</h2>
</body></html>
* Connection #0 to host proxy.example.com left intact

I tried adding the environment variables HTTP_PROXY, HTTPS_PROXY and NO_PROXY without success.

So my question is:

Is there a way to configure the Owncloud OpenID app to use the global proxy configuration? Or is there something else I am missing?

Thanks a lot in advance,
Best regards,
Daniel

OpenID Connect 2.0.0

Reason

  • #103 Azure AD: Use access token payload instead of user info endpoint
  • #112 Message: Object of class OCA\OpenIdConnect\Application could not be converted to string
  • #85 Import user from openid provider: Auto provisioning mode

Product approval

  • Verify transifex commits are in master: If a folder https://github.com/owncloud//tree/master/l10n exists, then https://drone.owncloud.com/owncloud/ should receive nightly '[tx] updated from transifex' ...
  • Ping pmaier to check info.xml description and screenshot
  • Get approval on translations from pmaier - send the date of the last tx commit from drone to Patrick

QA

  • Generate Changelog
  • Create QA Milestone and set the description to $version
  • Move items from development to qa
  • Create release branch with the format "release-$version"
  • Create "$version Testplan" #132

Documentation

  • ❌ Changes in the docs needed? If so create issue in owncloud/docs. ❌ -> owncloud/docs#2447

Marketing

  • Ping @owncloud/marketing

Build

All actions to be done on the release branch from here:

  • Bump version in info.xml (no version suffix)
  • Check php version dependency in info.xml
  • Check minimum ownCloud version dependency in info.xml
  • Change CHANGELOG.md 'Unreleased' to '$version' (today's date)

Beta/RC

  • Create github tag for v${version}RC1 on release branch
  • Build and sign RC tarball from github tag v${version}RC1 (see
    handbook for how to build)
  • Upload as Github release using changelog entries
  • Test and document in testplan => Final "Go" from QA (set 'QA-ready' label) => else do another RC after fixing issues in the "release-$version" branch

Final

  • Check that no documentation issues are pending
  • Rename last RC tarball to final
  • Create github tag for final v${version} on release branch
  • Upload as Github release using changelog entries

Publishing

  • Upload tarball to marketplace (see handbook in confluence for details)
  • Publish tarball for customers (see handbook in confluence for details) - https://customer.owncloud.com and https://portal.owncloud.com
  • Send mail to release-coordination with link to this ticket and to the changelog
  • Copy email to rocket chat #updates channel

Post-release

phpstan 0.12.25 CI failing

https://drone.owncloud.com/owncloud/openidconnect/376/2/5

Package operations: 1 install, 0 updates, 0 removals
  - Installing phpstan/phpstan (0.12.25): Downloading (100%)
Writing lock file
Generating autoload files
php -d zend.enable_gc=0 vendor-bin/phpstan/vendor/bin/phpstan analyse --memory-limit=4G --configuration=./phpstan.neon --no-progress --level=5 appinfo lib
 ------ ----------------------------------------------------------------------- 
  Line   lib/Logger.php                                                         
 ------ ----------------------------------------------------------------------- 
  51     Method OCA\OpenIdConnect\Logger::emergency() should return null but    
         return statement is missing.                                           
  63     Method OCA\OpenIdConnect\Logger::alert() should return null but        
         return statement is missing.                                           
  75     Method OCA\OpenIdConnect\Logger::critical() should return null but     
         return statement is missing.                                           
  88     Method OCA\OpenIdConnect\Logger::error() should return null but        
         return statement is missing.                                           
  100    Method OCA\OpenIdConnect\Logger::warning() should return null but      
         return statement is missing.                                           
  112    Method OCA\OpenIdConnect\Logger::notice() should return null but       
         return statement is missing.                                           
  124    Method OCA\OpenIdConnect\Logger::info() should return null but return  
         statement is missing.                                                  
  136    Method OCA\OpenIdConnect\Logger::debug() should return null but        
         return statement is missing.                                           
 ------ ----------------------------------------------------------------------- 

 [ERROR] Found 8 errors                                        

[FR] Support multiple languages for notifications

For the Dutch Sync-And-Share service, we require a specific OpenID Connect claim on the basis of which we do auto-provisioning of a user. When a new user who does not have the required attribute tries to log in, this user now gets an error message like: Required provisioning claim is not defined. (see: https://github.com/owncloud/openidconnect/blob/master/lib/Service/AutoProvisioningService.php#L97)

It would be nice if l10n language support were integrated as well.

Get error 503 Service unavailable when using OIDC

Hello,
I am working on moving our current ownCloud from LDAP to OIDC. For this I have created a new ownCloud instance. When I tried to log in via the OIDC provider cidaas after activating OpenID Connect, I got the error 503 "Service Unavailable" and saw the message "Error in OpenIdConnect: Unable to determine state" on the screen. I have already tried different configuration parameters, but the result is the same every time. This is the first time I have worked with OIDC and I have no more ideas.
Can someone please help me? Does anyone have an idea what the problem might be?
Here is my config.php:

<?php
$CONFIG = array (
  'passwordsalt' => 'xx',
  'secret' => 'xx',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => '172.16.1.49',
    2 => 'widas.cidaas.de',
  ),
  'datadirectory' => '/var/www/owncloud/data',
  'overwrite.cli.url' => 'http://localhost',
  'dbtype' => 'mysql',
  'version' => '10.5.0.10',
  'dbname' => 'owncloud',
  'dbhost' => 'localhost',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'owncloud',
  'dbpassword' => 'password',
  'logtimezone' => 'UTC',
  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/owncloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 => 
    array (
      'path' => '/var/www/owncloud/apps-external',
      'url' => '/apps-external',
      'writable' => true,
    ),
  ),
  'installed' => true,
  'instanceid' => 'ocwil8zau83h',
  'maintenance' => false,
  'openid-connect' => 
  array (
    'provider-url' => 'https://widas.cidaas.de',
    'client-id' => 'd349752d-9801-427c-9634-ac130577xxxx',
    'client-secret' => 'XXXX',
    'loginButtonName' => 'cidaas',
    'autoRedirectOnLoginPage' => false,
    'mode' => 'userid',
    'search-attribute' => 'sub',
    'scopes' => ['openid','email','profile','identities','groups','roles','offline_access','phone','adress'],
    'provider-params' => [
      'authorization_endpoint' => 'https://widas.cidaas.de/authz-srv/authz',
      'token_endpoint' => 'https://widas.cidaas.de/token-srv/token',
      'token_endpoint_auth_methods_supported' => 'client_secret_basic,client_secret_post,client_secret_jwt,private_key_jwt',
      'userinfo_endpoint' => 'https://widas.cidaas.de/users-srv/userinfo',
      'end_session_endpoint' => 'https://widas.cidaas.de/session/end_session',
      'jwks_uri' => 'https://widas.cidaas.de/.well-known/jwks.json',
      'grant_type_supported' => 'implicit,authorization_code,refresh_token,password,client_credentials'
    ]
  ),
  'memcache.local' => '\OC\Memcache\APCu',
  'memcache.locking' => '\OC\Memcache\Redis',
  'redis' => [
      'host' => 'localhost',
      'port' => 6379,
  ],
);

Please let me know if any configuration or information you need to find the problem is missing.
Thank you.
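The message "Unable to determine state" in the post above names the OAuth 2.0/OIDC state parameter: the relying party generates it before redirecting the browser to the provider and has to find the matching pending login again when the provider sends the browser back with code and state. Where that pending record is kept decides whether a callback that arrives at a different web node can find it at all. The block below is an added example, not code from the openidconnect app: it implements both halves of the exchange and simulates the callback landing on a second node with a shared cache and with a per-node cache. SharedCache, STATE_TTL, the key prefix and all URLs are assumptions made for the illustration.

```python
"""Relying-party state handling for an OIDC authorization-code login.

Added example, not code from the ownCloud openidconnect app. SharedCache is
an in-memory stand-in for a cache shared by all web nodes (Redis, memcached);
STATE_TTL, the key prefix and all URLs are assumptions for illustration.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

STATE_TTL = 600  # seconds a pending login may stay unanswered (assumed)


class SharedCache:
    """Minimal TTL key/value store standing in for Redis or memcached."""

    def __init__(self):
        self._items = {}

    def set(self, key, value, ttl):
        self._items[key] = (value, time.monotonic() + ttl)

    def pop(self, key):
        """Return and delete the value, or None if absent or expired."""
        item = self._items.pop(key, None)
        if item is None:
            return None
        value, expires_at = item
        return value if time.monotonic() < expires_at else None


def begin_login(cache, authorization_endpoint, client_id, redirect_uri, scopes):
    """Create state and nonce, persist them, return the redirect URL."""
    state = secrets.token_urlsafe(24)  # unguessable CSRF token for this login
    nonce = secrets.token_urlsafe(24)  # later compared with the ID token's nonce
    # The state is the lookup key; the nonce rides along so the callback can
    # check it against the ID token without trusting anything client-side.
    cache.set("oidc:state:" + state,
              {"nonce": nonce, "redirect_uri": redirect_uri}, STATE_TTL)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return authorization_endpoint + "?" + urlencode(params)


def state_from_url(url):
    """Extract the state parameter from an authorization or callback URL."""
    return parse_qs(urlsplit(url).query).get("state", [None])[0]


def handle_callback(cache, callback_url):
    """Validate the callback; return (code, pending) or raise ValueError."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:  # e.g. the user cancelled at the IdP: error=access_denied
        raise ValueError("provider error: " + query["error"][0])
    state = query.get("state", [None])[0]
    code = query.get("code", [None])[0]
    if not state or not code:
        raise ValueError("missing state or code")
    # pop() makes the state single use: a replayed or forged callback fails here.
    pending = cache.pop("oidc:state:" + state)
    if pending is None:
        raise ValueError("Unable to determine state")
    return code, pending


def simulate(shared):
    """Start the login on node A and receive the callback on node B.

    shared=True gives both nodes one cache; shared=False gives each node its
    own process-local cache, which is what a per-node cache such as APCu is.
    Returns "ok" or the error message the callback produced.
    """
    cache_a = SharedCache()
    cache_b = cache_a if shared else SharedCache()
    url = begin_login(cache_a, "https://idp.example.net/authorize", "client-id",
                      "https://cloud.example.net/apps/openidconnect/redirect",
                      ["openid", "email", "profile"])
    callback = ("https://cloud.example.net/apps/openidconnect/redirect"
                "?code=AUTHCODE&state=" + state_from_url(url))
    try:
        handle_callback(cache_b, callback)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("shared cache:  ", simulate(True))
    print("per-node cache:", simulate(False))
```

The state doubles as the cache key, so no comparison of attacker-controlled strings is needed; popping it on first use rejects replays, and the provider's error parameter is checked before the state so a cancelled login is reported as such rather than as a missing state.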

openid signs out after signing in

I suppose this might be caused by the design of the IdP server I'm using.

Issues

According to the owncloud.log file,
1 - The array of data provided to this app is incorrectly structured.
2 - Undefined Index of "use-token-introspection-endpoint". (probably because the data array is incorrect)
3 - The token cannot be verified.
4 - The provider revocation_endpoint could not be fetched. (I'm sure my well known uri is correct)

My Experience

When I click the Open ID Connect button, I am taken to my IdP login page to log in. After signing in, I am redirected to the global logout URI that is set in the IdP. It doesn't redirect to the ownCloud domain/sub-domain at all. This in turn signs me out of the IdP without me ever triggering the logout. Please find more information below.

owncloud.log output

{"reqId":"4hqes3jbriI4qIRg7eV7","level":3,"time":"2020-04-26T04:59:36+00:00","remoteAddr":"192.168.1.40","user":"--","app":"PHP","method":"GET","url":"\/index.php\/apps\/openidconnect\/redirect?code=_777DybYgKGNbMNQLlMAYqp5-FsdTi-AGFMFoA30KT8&state=25fa60802810a61494f6b40c697779d1&userState=Authenticated","message":"in_array() expects parameter 2 to be array, string given at \/var\/www\/owncloud\/apps-external\/openidconnect\/vendor\/jumbojett\/openid-connect-php\/src\/OpenIDConnectClient.php#715"}
{"reqId":"dzJsx28996sQ2JhePrRq","level":3,"time":"2020-04-26T04:59:36+00:00","remoteAddr":"192.168.1.40","user":"johndoe","app":"PHP","method":"GET","url":"\/index.php\/apps\/files\/","message":"Undefined index: use-token-introspection-endpoint at \/var\/www\/owncloud\/apps-external\/openidconnect\/lib\/SessionVerifier.php#99"}
{"reqId":"dzJsx28996sQ2JhePrRq","level":3,"time":"2020-04-26T04:59:36+00:00","remoteAddr":"192.168.1.40","user":"johndoe","app":"OpenID","method":"GET","url":"\/index.php\/apps\/files\/","message":"Token cannot be verified: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFjY2IwZWI0NDkifQ.eyJhdWQiOiJmNGI2ZTZlZi1mYzg5LTQxZTItODQzOC01MTVhOGUxYjBmYzgiLCJleHAiOjE1ODc4ODA3NzYsImlhdCI6MTU4Nzg3NzE3NiwiaXNzIjoiYWNtZS5jb20iLCJzdWIiOiI5NTM1ZDI3Mi0wNmE4LTQzNjQtYTQ1Zi1jOGYzN2JiZTMxYzAiLCJhdXRoZW50aWNhdGlvblR5cGUiOiJQQVNTV09SRCIsImVtYWlsIjoic3VoYXlsaGFsbGltQGhhbGxpbXNvZnQuY29tIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6InN1aGF5bGhhbGxpbSIsImFwcGxpY2F0aW9uSWQiOiJmNGI2ZTZlZi1mYzg5LTQxZTItODQzOC01MTVhOGUxYjBmYzgiLCJyb2xlcyI6WyJhZG1pbiJdfQ.7iJ6vUUEmvadBPAi4byy6l3o1Zl8_9QLt5KFW_ZYqeM"}
{"reqId":"dzJsx28996sQ2JhePrRq","level":3,"time":"2020-04-26T04:59:36+00:00","remoteAddr":"192.168.1.40","user":"johndoe","app":"OpenID","method":"GET","url":"\/index.php\/apps\/files\/","message":"Calling Application:logout"}
{"reqId":"dzJsx28996sQ2JhePrRq","level":3,"time":"2020-04-26T04:59:36+00:00","remoteAddr":"192.168.1.40","user":"--","app":"OpenID","method":"GET","url":"\/index.php\/apps\/files\/","message":"Exception: {\"Exception\":\"Jumbojett\\\\OpenIDConnectClientException\",\"Message\":\"The provider revocation_endpoint could not be fetched. Make sure your provider has a well known configuration available.\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/apps-external\\\/openidconnect\\\/vendor\\\/jumbojett\\\/openid-connect-php\\\/src\\\/OpenIDConnectClient.php(482): Jumbojett\\\\OpenIDConnectClient->getWellKnownConfigValue('revocation_endp...', NULL)\\n#1 \\\/var\\\/www\\\/owncloud\\\/apps-external\\\/openidconnect\\\/vendor\\\/jumbojett\\\/openid-connect-php\\\/src\\\/OpenIDConnectClient.php(1383): Jumbojett\\\\OpenIDConnectClient->getProviderConfigValue('revocation_endp...')\\n#2 \\\/var\\\/www\\\/owncloud\\\/apps-external\\\/openidconnect\\\/lib\\\/SessionVerifier.php(137): Jumbojett\\\\OpenIDConnectClient->revokeToken('eyJhbGciOiJIUzI...')\\n#3 \\\/var\\\/www\\\/owncloud\\\/apps-external\\\/openidconnect\\\/lib\\\/SessionVerifier.php(88): OCA\\\\OpenIdConnect\\\\SessionVerifier->afterLogout('eyJhbGciOiJIUzI...', 'eyJhbGciOiJIUzI...')\\n#4 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/symfony\\\/event-dispatcher\\\/EventDispatcher.php(212): OCA\\\\OpenIdConnect\\\\SessionVerifier->OCA\\\\OpenIdConnect\\\\{closure}(Object(Symfony\\\\Component\\\\EventDispatcher\\\\GenericEvent), 'user.afterlogou...', Object(Symfony\\\\Component\\\\EventDispatcher\\\\EventDispatcher))\\n#5 \\\/var\\\/www\\\/owncloud\\\/lib\\\/composer\\\/symfony\\\/event-dispatcher\\\/EventDispatcher.php(44): Symfony\\\\Component\\\\EventDispatcher\\\\EventDispatcher->doDispatch(Array, 'user.afterlogou...', Object(Symfony\\\\Component\\\\EventDispatcher\\\\GenericEvent))\\n#6 \\\/var\\\/www\\\/owncloud\\\/lib\\\/public\\\/Events\\\/EventEmitterTrait.php(53): 
Symfony\\\\Component\\\\EventDispatcher\\\\EventDispatcher->dispatch('user.afterlogou...', Object(Symfony\\\\Component\\\\EventDispatcher\\\\GenericEvent))\\n#7 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/User\\\/Session.php(1088): OC\\\\User\\\\Session->emittingCall(Object(Closure), Array, 'user', 'logout')\\n#8 \\\/var\\\/www\\\/owncloud\\\/apps-external\\\/openidconnect\\\/lib\\\/SessionVerifier.php(190): OC\\\\User\\\\Session->logout()\\n#9 \\\/var\\\/www\\\/owncloud\\\/apps-external\\\/openidconnect\\\/lib\\\/SessionVerifier.php(121): OCA\\\\OpenIdConnect\\\\SessionVerifier->logout()\\n#10 \\\/var\\\/www\\\/owncloud\\\/apps-external\\\/openidconnect\\\/lib\\\/Application.php(79): OCA\\\\OpenIdConnect\\\\SessionVerifier->verifySession()\\n#11 \\\/var\\\/www\\\/owncloud\\\/apps-external\\\/openidconnect\\\/appinfo\\\/app.php(25): OCA\\\\OpenIdConnect\\\\Application->boot()\\n#12 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/legacy\\\/app.php(239): require_once('\\\/var\\\/www\\\/ownclo...')\\n#13 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/legacy\\\/app.php(190): OC_App::requireAppFile(Object(OCA\\\\OpenIdConnect\\\\Application))\\n#14 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/legacy\\\/app.php(124): OC_App::loadApp('openidconnect')\\n#15 \\\/var\\\/www\\\/owncloud\\\/lib\\\/base.php(881): OC_App::loadApps(Array)\\n#16 \\\/var\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\n#17 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/apps-external\\\/openidconnect\\\/vendor\\\/jumbojett\\\/openid-connect-php\\\/src\\\/OpenIDConnectClient.php\",\"Line\":520}"}

idP Config (FusionAuth -> LINK)


Owncloud Config

'openid-connect' => [
    'provider-url' => 'https://domain-masked.com',
    'client-id' => 'VALUE MASKED',
    'client-secret' => 'VALUE MASKED',
    'loginButtonName' => 'Open ID Connect',
    'provider-params' => [
        'authorization_endpoint' => 'https://domain-masked.com/oauth2/authorize',
        'token_endpoint' => 'https://domain-masked.com/oauth2/token',
        'token_endpoint_auth_methods_supported' => 'client_secret_post',
        'userinfo_endpoint' => 'https://domain-masked.com/oauth2/userinfo',
        // 'registration_endpoint' => '...',
        'end_session_endpoint' => 'https://domain-masked.com/oauth2/logout',
        'jwks_uri' => 'https://domain-masked.com/.well-known/openid-configuration'
    ],
],

NOTE: I commented out the registration_endpoint because my IdP doesn't seem to have one.

My Question

Is there anything I can do to solve this issue or is that a compatibility issue between the app and my idP of choice?
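The log in the post above shows "Token cannot be verified" immediately followed by "Calling Application:logout", and the header segment of the printed token decodes to alg HS256. Verifying such a token means checking a MAC keyed with the client secret and then the standard claims, and rejecting it on the first failed check. The block below is an added example of that validation, not code from the openidconnect app or from the jumbojett/openid-connect-php library it uses; the client secret, issuer, client ID, clock value and claims are constructed for the demonstration, and make_hs256_token exists only to mint those inputs.

```python
"""Validating an OIDC ID token that is signed with HS256.

Added example, not code from the ownCloud openidconnect app or the
jumbojett/openid-connect-php library it uses. The client secret, issuer,
client ID, clock value and all claims below are constructed for the demo;
make_hs256_token exists only to mint those inputs.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment):
    """Decode unpadded base64url, the encoding JWS uses for every segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims, secret, header=None):
    """Mint a token (demo input only); header lets the demo forge a bad alg."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None, leeway=60):
    """Return the verified claims or raise ValueError naming the failed check.

    Checks follow OpenID Connect Core 1.0 section 3.1.3.7: signature, iss,
    aud/azp, exp, iat and nonce. For HS256 the MAC key is the client secret.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm ourselves: never let the token pick it ("none", or an
    # RSA public key reinterpreted as an HMAC secret).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(client_secret.encode(),
                        (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("aud does not contain client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences without matching azp")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - leeway > now:
        raise ValueError("iat in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def demo():
    """One good token and four tampered or stale ones; returns the outcome per case."""
    secret, iss, cid = "constructed-client-secret", "https://idp.example.net", "example-client-id"
    now = 1700000000  # fixed clock so the demo is reproducible
    good = {"iss": iss, "aud": cid, "sub": "user-1", "iat": now - 10, "exp": now + 600, "nonce": "n1"}
    cases = {
        "good": (make_hs256_token(good, secret), "n1"),
        "wrong_secret": (make_hs256_token(good, "other-secret"), "n1"),
        "alg_none": (make_hs256_token(good, secret, {"alg": "none", "typ": "JWT"}), "n1"),
        "expired": (make_hs256_token(dict(good, exp=now - 120), secret), "n1"),
        "nonce": (make_hs256_token(good, secret), "n2"),
    }
    results = {}
    for name, (tok, expected_nonce) in cases.items():
        try:
            results[name] = "accepted as " + validate_id_token(tok, secret, iss, cid, expected_nonce, now)["sub"]
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-13s %s" % (name, outcome))
```

The order of the checks matters: the algorithm is pinned before any MAC is computed, the MAC is compared in constant time before the payload is even parsed, and only then are issuer, audience, lifetime and nonce checked, so a forged payload never influences which key or algorithm is used.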

[QA] 2.0.0 Testplan

Setup


Automated setup script: https://github.com/owncloud-docker/compose-playground/blob/master/examples/hetzner-deploy/make_openidconnect_test.sh

References:

Testplan

openidconnect-1.0.0 Web UI + desktop client 2.7.5RC2


| Test Case | Description | Expected Result | Comments |
|---|---|---|---|
| Installation | | | |
| Fresh install | occ app:enable openidconnect | app gets enabled | ✔️ |
| Fresh install | disable/enable via admin web gui | app gets disabled/enabled | ✔️ |
| Update from 1.0.0 | disable, unpack new tar, enable via admin web gui | app gets enabled | ✔️ occ upgrade is needed. #135 |
| User flow | | | |
| Correct OIDC URL | Set a correct OIDC URL | Connection set to the URL | ✔️ as per INIT.bashrc |
| Enter correct IdP credentials | 1. Set a correct OIDC URL 2. Enter correct credentials | Authorization is requested | ✔️ |
| Authorization | Authorize permissions and session | IdP finishes web browser and redirects to the client | ✔️ |
| Cancel login process | 1. Set a correct OIDC URL 2. In IdP, cancel login process | Back to client | ✔️ Error in OpenIdConnect: Error: access_denied Description: consent denied |
| Logout | 1. Complete login process in an OIDC server 2. Logout in the IdP | Session logged out. Credentials needed again to enter the account | ✔️ Stranded at kopano-url, oc-url would be better |
| Request flow | | | |
| Check openid-configuration request | Enter a URL of the OIDC server | The .well-known/openid-configuration endpoint must be checked to assure availability of OIDC. Response received | ✔️ |
| register endpoint available | In case the server supports Dynamic Client Registration, the register endpoint is requested | Client id and secret id (not mandatory) is retrieved | ✔️ |
| IdP flow | Enter credentials in IdP | The logon endpoint is requested after entering credentials. The authorize endpoint is requested after authorizing | ✔️ /signin/v1/chooseaccount, /signin/v1/identifier, /signin/v1/consent, http://localhost:44155/ |
| IdP flow with dynamic client registration | Enter credentials in IdP | The logon endpoint is requested after entering credentials. The authorize endpoint is requested after authorizing using client id and secret id granted by the register endpoint | |
| Redirection | Authorize session in IdP | Web browser redirects correctly to the client and with session opened | ✔️ |
| Token Renewal | Wait till session time is exceeded | token endpoint is requested with refresh token to get a new token. This must be transparent for the client | ✔️ 01-22 09:10:46:385 [ info sync.httplogger ]: ... "expires_in": 600\n}\n]" / 01-22 09:21:03:624 [ info sync.credentials.http ]: Refreshing token / 01-22 09:21:03:759 [ info sync.httplogger ]: ... Request: POST ... /konnect/v1/token |
| ClientId/SecretId renewal | Wait till clientId/SecretId granted by register endpoint expire | New ClientId/SecretId must be granted to request new tokens | ✔️ renewal seen after 10 minutes. See log example below #132 (comment) |
| Migration | | | |
| Basic -> OIDC | 1. Login in basic auth server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode | Session expires and user must re-authenticate against new OIDC | no session timeout #136 |
| Basic -> OIDC | 1. Login in basic auth server 2. Enable maintenance mode and upgrade to OIDC 3. add 'token_auth_enforced' => true to config.php 4. Disable maintenance mode | Client shows an error and user must re-authenticate against new OIDC | ✔️ Server replied "599" after 30 sec. |
| OAuth2 -> OIDC | 1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode | Token not valid anymore, and user must re-authenticate against new OIDC | 🚧 Unclear expectations: #66 (comment) |
| OAuth2 -> OIDC + OAuth2 | 1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC, keeping OAuth2 enabled 3. Disable maintenance mode | Token is not valid anymore. Must re-authenticate to start using OIDC | 🚧 |

Android

After releasing 2.16, the authentication library will be replaced by a custom implementation. Tests here will be done with that implementation as well.

Currently, Android does not support Dynamic Client Registration.

Openidconnect: 2.0.0RC1
Device: Google Pixel 2
Android version: 11


| Test Case | Description | Expected Result | Comments |
|---|---|---|---|
| User flow | | | |
| Correct OIDC URL | Set a correct OIDC URL | Connection set to the URL | 2.16: ✅ New: ✅ |
| Enter correct IdP credentials | 1. Set a correct OIDC URL 2. Enter correct credentials | Authorization is requested | 2.16: ✅ New: ✅ |
| Authorization | Authorize permissions and session | IdP finishes web browser and redirects to the client | 2.16: ✅ New: ✅ |
| Cancel login process | 1. Set a correct OIDC URL 2. In IdP, cancel login process | Back to client | 2.16: ✅ New: ✅ |
| Logout | 1. Complete login process in an OIDC server 2. Logout in the IdP | Session logged out. Credentials needed again to enter the account | NA |
| Request flow | | | |
| Check openid-configuration request | Enter a URL of the OIDC server | The .well-known/openid-configuration endpoint must be checked to assure availability of OIDC. Response received | 2.16: ✅ New: ✅ |
| register endpoint available | In case the server supports Dynamic Client Registration, the register endpoint is requested | Client id and secret id (not mandatory) is retrieved | NA, Android does not support it yet |
| IdP flow | Enter credentials in IdP | The logon endpoint is requested after entering credentials. The authorize endpoint is requested after authorizing | 2.16: ✅ New: ✅ |
| IdP flow with dynamic client registration | Enter credentials in IdP | The logon endpoint is requested after entering credentials. The authorize endpoint is requested after authorizing using client id and secret id granted by the register endpoint | NA, Android does not support it yet |
| Redirection | Authorize session in IdP | Web browser redirects correctly to the client and with session opened | 2.16: ✅ New: ✅ |
| Renewal | Wait till session time is exceeded | token endpoint is requested with refresh token to get a new token. This must be transparent for the client | 2.16: ✅ New: ✅ |
| ClientId/SecretId renewal | Wait till clientId/SecretId granted by register endpoint expire | New ClientId/SecretId must be granted to request new tokens | NA, Android does not support it yet |
| Migration | | | |
| Basic -> OIDC | 1. Login in basic auth server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode 4. Force re-login | User must re-authenticate against new OIDC | 2.16: ✅ New: ✅ |
| OAuth2 -> OIDC | 1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode | Token not valid anymore, and user must re-authenticate against new OIDC | 2.16: ❌ New: ✅ Crash fixed!! |
| OAuth2 -> OIDC + OAuth2 | 1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC, keeping OAuth2 enabled 3. Disable maintenance mode | Token is not valid anymore. Must re-authenticate to start using OIDC | 2.16: ✅ New: ✅ |

Smoke test: 2.16 ✅ New ✅

iOS

Openidconnect: 2.0.0RC1
Device: iPhoneXR
iOS version: 14.2

Tested with the current stable 11.4.5 and the new 11.5, including Dynamic Client Registration


| Test Case | Description | Expected Result | Comments |
|---|---|---|---|
| User flow | | | |
| Correct OIDC URL | Set a correct OIDC URL | Connection set to the URL | 11.4: ✅ 11.5: ✅ |
| Enter correct IdP credentials | 1. Set a correct OIDC URL 2. Enter correct credentials | Authorization is requested | 11.4: ✅ 11.5: ✅ |
| Authorization | Authorize permissions and session | IdP finishes web browser and redirects to the client | 11.4: ✅ 11.5: ✅ |
| Cancel login process | 1. Set a correct OIDC URL 2. In IdP, cancel login process | Back to client | 11.4: ✅ 11.5: ✅ |
| Logout | 1. Complete login process in an OIDC server 2. Logout in the IdP | Session logged out. Credentials needed again to enter the account | NA |
| Request flow | | | |
| Check openid-configuration request | Enter a URL of the OIDC server | The .well-known/openid-configuration endpoint must be checked to assure availability of OIDC. Response received | 11.4: ✅ 11.5: ✅ |
| register endpoint available | In case the server supports Dynamic Client Registration, the register endpoint is requested | Client id and secret id (not mandatory) is retrieved | 11.4: NA 11.5: ✅ |
| IdP flow | Enter credentials in IdP | The logon endpoint is requested after entering credentials. The authorize endpoint is requested after authorizing | 11.4: ✅ 11.5: ✅ |
| IdP flow with dynamic client registration | Enter credentials in IdP | The logon endpoint is requested after entering credentials. The authorize endpoint is requested after authorizing using client id and secret id granted by the register endpoint | 11.4: NA 11.5: ✅ |
| Redirection | Authorize session in IdP | Web browser redirects correctly to the client and with session opened | 11.4: ✅ 11.5: ✅ |
| Renewal | Wait till session time is exceeded | token endpoint is requested with refresh token to get a new token. This must be transparent for the client | 11.4: (no result) 11.5: ✅ |
| ClientId/SecretId renewal | Wait till clientId/SecretId granted by register endpoint expire | New ClientId/SecretId must be granted to request new tokens | 11.4: NA 11.5: ❌ Link |
| Migration | | | |
| Basic -> OIDC | 1. Login in basic auth server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode 4. Force re-login | User must re-authenticate against new OIDC | NA, not supported. Link |
| OAuth2 -> OIDC | 1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC 3. Disable maintenance mode | Token not valid anymore, and user must re-authenticate against new OIDC | 11.4: ✅ 11.5: ✅ |
| OAuth2 -> OIDC + OAuth2 | 1. Login in OAuth2 server 2. Enable maintenance mode and upgrade to OIDC, keeping OAuth2 enabled 3. Disable maintenance mode | Token is not valid anymore. Must re-authenticate to start using OIDC | 11.4: ❌ 11.5: ❌ Open file list in browser |
Open file list in browser

Smoke test: 11.4 ✅ 11.5 ✅

Desktop and mobile application login with openid

Hi,
my OpenID provider server is Gluu. Everything is set up and working well, but I have a problem logging in with the desktop application and also the mobile application. In #66 the webpage shows an Authorize button to the user, but in my case, after opening and logging in to the webpage, the application just gets stuck, shows a "re-open webpage" button and does nothing.

my .well-known url

and my openidconnect configuration is like this:

'openid-connect' => 
  array (
    'loginButtonName' => 'Dana Holding',
    'provider-url' => 'https://idp.danaholding.com',
    'client-id' => '4640315a-XXX-c2c821500dcf',
    'client-secret' => 'XXXXXXXX',
    // closing quote and comma restored; the value was cut off in the original post
    'post_logout_redirect_uri' => 'https://idp.danaholding.com/oxauth/restv1/end_session?post_logout_redirect_uri=https://cloud.danaholding.com',
    'allowed-user-backends' => 
    array (
      0 => 'LDAP',
    ),
  ),

I also have a problem creating new users. I have added these

'auto-provision' => [
      'enable' => true, 
      'email-claim' => 'email', 
      'display-name-claim' => 'name', 
      'picture-claim' => 'picture', 
    ]

to my config file, but ownCloud shows this error after login for new users: User with <new_user_email_address> is not known.
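Two posts on this page touch the same step: the feature request above quotes the "Required provisioning claim is not defined" error from AutoProvisioningService, and this post quotes "User with <email> is not known" after enabling auto-provision with email-claim and display-name-claim. Both are outcomes of mapping a verified claim set to a local account: look the user up by the configured attribute, and if nothing matches either refuse or provision. The block below is an added example of that mapping and is not the app's AutoProvisioningService; the config keys mirror the ones quoted on this page (mode, search-attribute, auto-provision, email-claim, display-name-claim), while required-claim, UserBackend and the sample users and claims are assumptions made for the illustration.

```python
"""Resolving an OIDC login to a local account: lookup, then auto-provision.

Added example, not the app's AutoProvisioningService. The config keys mirror
those quoted on the page (mode, search-attribute, auto-provision with
email-claim and display-name-claim); 'required-claim', UserBackend and the
sample users and claims are assumptions made for this illustration.
"""


class UserBackend:
    """In-memory stand-in for a user backend such as LDAP or the local database."""

    def __init__(self, users=None):
        self.users = dict(users or {})  # uid -> {"email": ..., "display_name": ...}

    def find(self, attribute, value):
        """Return the single uid whose attribute equals value, or None."""
        if attribute == "sub":  # userid mode: the subject is the account name
            return value if value in self.users else None
        matches = [uid for uid, user in self.users.items() if user.get(attribute) == value]
        if len(matches) > 1:
            # Two accounts sharing an email must never be merged by a login.
            raise ValueError("ambiguous %s lookup for %r" % (attribute, value))
        return matches[0] if matches else None

    def create(self, uid, email, display_name):
        if uid in self.users:
            raise ValueError("uid %r already exists" % uid)
        self.users[uid] = {"email": email, "display_name": display_name}
        return uid


def resolve_user(claims, config, backend):
    """Return the uid for an already verified claim set, or raise ValueError.

    claims must come from a validated ID token or the userinfo endpoint;
    nothing here re-checks signatures.
    """
    mode = config.get("mode", "email")
    attribute = config.get("search-attribute", "sub" if mode == "userid" else "email")
    identifier = claims.get(attribute)
    if identifier is None:
        raise ValueError("claim %r missing from the provider's claims" % attribute)
    uid = backend.find(attribute, identifier)
    if uid is not None:
        return uid
    provisioning = config.get("auto-provision", {})
    if not provisioning.get("enable"):
        raise ValueError("User with %s is not known" % identifier)
    # Gate provisioning on a claim the provider only issues to eligible users
    # ('required-claim' is this example's name for that setting).
    required = provisioning.get("required-claim")
    if required and not claims.get(required):
        raise ValueError("Required provisioning claim is not defined")
    if "sub" not in claims:
        raise ValueError("cannot provision without a stable sub claim")
    email = claims.get(provisioning.get("email-claim", "email"))
    display_name = claims.get(provisioning.get("display-name-claim", "name"), identifier)
    if email is None:
        raise ValueError("cannot provision without an email claim")
    # The new account is keyed by sub: emails can be reassigned, subjects cannot.
    return backend.create(claims["sub"], email, display_name)


if __name__ == "__main__":
    backend = UserBackend({"alice": {"email": "alice@example.net", "display_name": "Alice"}})
    config = {"mode": "email", "search-attribute": "email",
              "auto-provision": {"enable": True, "email-claim": "email",
                                 "display-name-claim": "name", "required-claim": "entitlement"}}
    for claims in ({"sub": "s1", "email": "alice@example.net"},
                   {"sub": "s2", "email": "bob@example.net", "name": "Bob"},
                   {"sub": "s2", "email": "bob@example.net", "name": "Bob", "entitlement": "member"}):
        try:
            print(claims["email"], "->", resolve_user(claims, config, backend))
        except ValueError as exc:
            print(claims["email"], "->", exc)
```

With auto-provision disabled the lookup miss surfaces as "User with ... is not known"; with it enabled but the gate claim absent the login stops at "Required provisioning claim is not defined", and only a claim set carrying the gate claim creates an account, keyed by sub rather than by the email it was searched with.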

Message: Object of class OCA\OpenIdConnect\Application could not be converted to string

my owncloud status:
version | 10.5.0.10
versionstring | 10.5.0
edition | Community

I installed and configured openidconnect 1.0.0 and I got this error after login:

Internal Server Error
The server encountered an internal error and was unable to complete your request.

Please contact the server administrator if this error reappears multiple times and include the technical details below in your report.

More details can be found in the server log.

Technical details
Remote Address: #########
Request ID: #########
Type: Error
Code: 0
Message: Object of class OCA\OpenIdConnect\Application could not be converted to string
File: /var/www/owncloud/lib/private/legacy/app.php
Line: 245

Trace
#0 /var/www/owncloud/lib/private/legacy/app.php(190): OC_App::requireAppFile()
#1 /var/www/owncloud/lib/private/legacy/app.php(124): OC_App::loadApp()
#2 /var/www/owncloud/lib/base.php(886): OC_App::loadApps()
#3 /var/www/owncloud/index.php(54): OC::handleRequest()
#4 {main}

Import user from openid provider

In some cases it is useful to create the user when it does not correspond to any ownCloud user, since it has been authenticated by a trusted provider.

I had this need and made a change to the code, available in the https://github.com/lainosantos/openidconnect repository.

For my use it is enough; if you want to integrate it here, you may need some more robust adjustments and tests.
