A new Client is being created for each login with keycloak

Steps to reproduce

  1. Open desktop/iOS app
  2. Sign in

Expected behaviour

The already created Clients for Desktop and iOS in Keycloak should be used instead of creating a new one.

Actual behaviour

Clients are set up with the correct ID and secret. I’ve even tested importing the examples from the ocis GitHub page, but with each new login a new Client is being created with a name like “ownCloud 5.3.1.14018” for Desktop, and the new clients don’t even have the correct Client ID or secret. The next login creates another “ownCloud 5.3.1.14018”, and so forth… I’m assuming it has to do with “PROXY_OIDC_REWRITE_WELLKNOWN=true” (?), but with it set to false I get “Page not found”.

Server configuration

Operating system: Ubuntu server 22

Web server: 8.0.5

Database:

PHP version:

ownCloud version: 5.0.7 (also tested with 6.4.0)

Updated from an older ownCloud or fresh install: fresh install

Where did you install ownCloud from: official

The content of config/config.php:
Environment:

OCIS_OIDC_ISSUER=https://admin-domain/realms/oCIS
OCIS_OIDC_CLIENT_ID=web
PROXY_OIDC_REWRITE_WELLKNOWN=true
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
PROXY_AUTOPROVISION_ACCOUNTS=true

We are hitting this as well. Any idea how to solve or work around? We’re getting OCHTTPStatusErrorDomain error 500 when trying to connect to oCIS with mobile and desktop apps in addition to the plethora of new Client entities being created in KeyCloak.

No, I haven’t found a proper solution, unfortunately. I believe the problem lies with the ownCloud applications (iOS, desktop, android), since web works just fine. I guess we should open a GitHub issue at this point. I don’t recall having this issue before, or I didn’t notice; do you know if this issue started with an update?

We noticed the additional Clients starting with 6.2.0 a couple of months ago, but the OCHTTPStatusErrorDomain error only appeared recently.

We dug into this more today and found that it is indeed the automatic Client creation that’s blocking access for all ownCloud Desktop and ownCloud Mobile clients. We have a custom token mapper on our clients that’s required for proper assignment of roles in oCIS. Works great in ocis-web and we have this on the clients for ownCloud Desktop and ownCloud iOS/Android… but when someone goes through auth for these clients they always get a new Client spawned in KeyCloak that has none of our configurations. It’s already super messy having thousands of extra Clients being automatically generated, but not having them inherit our setup from the base Clients means they’re unusable.

We found a rather painful workaround where if you know the ID of the automatically spawned Client you can quickly jump in as a KeyCloak admin, manually add the right configs and then quickly go through auth again. Not viable in production, of course, but it proves the issue is with these autogen’d Clients.

Pretty sure this has nothing to do with oCIS itself… this is almost certainly specific to ownCloud Desktop/iOS/Android.

@michaelstingl can you comment at all on what’s going on here?
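For admins dealing with the thousands of spawned Clients described above, here is an added audit script (not ownCloud or Keycloak code, and not from anyone in this thread) that pulls a realm's clients through the Keycloak admin REST API, picks out the ones named like “ownCloud 5.3.1.14018”, and reports which of them lack the protocol mapper carried by the hand-configured base client. The base clientId `owncloud-desktop`, the mapper name `ocis-roles` and the sample client records are constructed assumptions.

```python
import json
import re
import urllib.parse
import urllib.request
from collections import Counter

# The thread reports spawned clients named like "ownCloud 5.3.1.14018" (app name + version).
AUTOGEN_NAME = re.compile(r"^ownCloud \d+(\.\d+)+$")

def is_autogenerated(client: dict) -> bool:
    """True if a Keycloak ClientRepresentation carries an app-spawned display name."""
    return bool(AUTOGEN_NAME.match(client.get("name") or ""))

def mapper_names(client: dict) -> set:
    """Names of the protocol mappers attached to a client."""
    return {m.get("name") for m in client.get("protocolMappers") or []}

def audit_clients(clients: list, base_client_id: str, required_mapper: str) -> dict:
    """Compare app-spawned clients with the hand-configured base client: count them per
    display name and list the spawned ones missing the required mapper (those logins fail)."""
    autogen = [c for c in clients if is_autogenerated(c)]
    base = next((c for c in clients if c.get("clientId") == base_client_id), None)
    return {
        "autogenerated_total": len(autogen),
        "per_name": dict(Counter(c["name"] for c in autogen)),
        "missing_mapper": [c["id"] for c in autogen if required_mapper not in mapper_names(c)],
        "base_has_mapper": base is not None and required_mapper in mapper_names(base),
    }

def fetch_clients(base_url: str, realm: str, username: str, password: str) -> list:
    """Fetch all clients of a realm via the Keycloak admin REST API (admin-cli password grant)."""
    form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    with urllib.request.urlopen(f"{base_url}/realms/master/protocol/openid-connect/token", form) as r:
        token = json.load(r)["access_token"]
    req = urllib.request.Request(f"{base_url}/admin/realms/{realm}/clients",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)

# Constructed sample shaped like the admin API response (abridged); ids and mapper name are made up.
SAMPLE_CLIENTS = [
    {"id": "base-desktop", "clientId": "owncloud-desktop", "name": "ownCloud Desktop",
     "protocolMappers": [{"name": "ocis-roles", "protocolMapper": "oidc-usermodel-attribute-mapper"}]},
    {"id": "spawn-1", "clientId": "f3a9c0de", "name": "ownCloud 5.3.1.14018", "protocolMappers": []},
    {"id": "spawn-2", "clientId": "0b7e55aa", "name": "ownCloud 5.3.1.14018", "protocolMappers": []},
    {"id": "spawn-3", "clientId": "9d2c41ef", "name": "ownCloud 12.2.1",
     "protocolMappers": [{"name": "ocis-roles", "protocolMapper": "oidc-usermodel-attribute-mapper"}]},
]
```

Against a live realm, replace `SAMPLE_CLIENTS` with `fetch_clients("https://admin-domain", "oCIS", user, pw)` and feed the result to `audit_clients`; the `missing_mapper` ids are the Clients an admin would otherwise have to patch by hand as in the workaround above.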