I have a public website where users can register with creds or auth providers; I save their details on my servers in a PostgreSQL database. I want to manage SSO between my website and ocis, both on the same domain. Since I already manage the user session on my website using a session cookie token, I'd like the Infinite Scale IDP service to just redirect to a URL or call an API on my server to get the token and log in the users. What settings or configs do I need to make this work? Is this just a matter of editing the IDP env variables?
Managed to get the OIDC flow going between my website and oCIS. Serving oCIS from https://storage.com after users log in to https://mydomain.com.
Hosting my openid-configuration at https://mydomain.com/.well-known/openid-configuration
{
  "issuer": "https://mydomain.com",
  "authorization_endpoint": "https://mydomain.com/redirect/ocis-login",
  "token_endpoint": "https://mydomain.com/api/v1/auth/ocis-signin",
  "userinfo_endpoint": "https://mydomain.com/api/v1/oidc/userinfo",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "PS256"
  ],
  "jwks_uri": "https://mydomain.com/.well-known/jwks.json",
  "scopes_supported": [
    "openid",
    "email",
    "profile"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "token_endpoint_auth_methods_supported": [
    "none"
  ],
  "claims_supported": [
    "iss",
    "sub",
    "aud",
    "exp",
    "iat",
    "name",
    "family_name",
    "given_name",
    "email",
    "email_verified",
    "roles"
  ]
}
If users go to https://storage.com, they are redirected to https://mydomain.com/redirect/ocis-login, where I then set the code and state and redirect to https://storage.com/oidc-callback.html?&state=${state}&code=${code}. Afterwards, oCIS calls my token endpoint with the code, and I find the logged-in user and return the token with claims:
const createJWT = async (user) => {
  // id_token claims
  const jwtPayload = {
    sub: user.id,
    iss: baseUrl,
    aud: "web",
  };
  ...
};

const createAccessJWT = async (user) => {
  // access_token claims; preferred_username is the claim PROXY_USER_OIDC_CLAIM points at
  const jwtPayload = {
    iss: baseUrl,
    sub: user.id,
    aud: "web",
    scp: "profile email openid",
    name: user.name,
    email: user.email,
    preferred_username: user.profileId,
  };
  ...
};

...
return res.json({
  token_type: "Bearer",
  expires_in: 3600,
  id_token: token,
  access_token: accessToken
});
These are my oCIS yaml and web configs:
services:
  ocis:
    image: owncloud/ocis
    container_name: ocis_runtime
    ports:
      - "9200:9200"
    volumes:
      - "/efs-mount:/var/lib/ocis"
      - "./ocis/ocis-config:/etc/ocis"
      - "./web-config/:/config"
    environment:
      OCIS_INSECURE: "false"
      PROXY_ENABLE_BASIC_AUTH: "false"
      PROXY_HTTP_ADDR: "0.0.0.0:9200"
      WEB_UI_THEME_SERVER: "https://mydomain.com"
      WEB_UI_THEME_PATH: "/ocis/theme/theme.json"
      WEB_UI_CONFIG_FILE: "/config/config.json"
      OCIS_URL: "https://storage.com"
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
      OCIS_OIDC_ISSUER: "https://mydomain.com"
      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_OIDC_SKIP_USER_INFO: "true"
      OCIS_ADMIN_USER_ID: ""
      OCIS_EXCLUDE_RUN_SERVICES: "idp"
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
      GRAPH_USERNAME_MATCH: "none"
{
  "server": "https://storage.com",
  "theme": "https://storage.com/themes/owncloud/theme.json",
  "openIdConnect": {
    "metadata_url": "https://mydomain.com/.well-known/openid-configuration",
    "authority": "https://mydomain.com",
    "client_id": "web",
    "response_type": "code",
    "scope": "openid profile email"
  },
  ...
Using oCIS 4.0.0 with web 8.0.0-alpha.4.
Managed to stop the redirect by adding a userinfo_endpoint and returning an access_token.
Now I get this message on the oCIS website:
Not logged in. This could be because of a routine safety log out, or because your account is either inactive or not yet authorized for use. Please try logging in after a while or seek help from your Administrator.
I see logs saying:
Browser:
[UserManager] signinRedirectCallback: success, signed in subject {user.id}
POST https://storage.com/api/v0/settings/values-list 500 (Internal Server Error)
GET https://storage.com/ocs/v1.php/cloud/user 500 (Internal Server Error)
Server:
ocis_runtime | {"level":"error","service":"idm","bind_dn":"uid=reva,ou=sysusers,o=libregraph-idm","op":"bind","remote_addr":"127.0.0.1:44146","time":"2023-10-30T18:00:55.388217385Z","message":"invalid credentials"}
ocis_runtime | {"level":"error","service":"ocis","error":"error: not found: create container: error: not found: f1bdd61a-da7c-49fc-8203-0558109d1b4f!f1bdd61a-da7c-49fc-8203-0558109d1b4f/settings","time":"2023-10-30T18:00:55.398045148Z","message":"error initializing metadata client"}
ocis_runtime | {"level":"error","service":"ocis","error":"error: not found: create container: error: not found: f1bdd61a-da7c-49fc-8203-0558109d1b4f!f1bdd61a-da7c-49fc-8203-0558109d1b4f/settings","time":"2023-10-30T18:00:55.504548876Z","message":"error initializing metadata client"}
ocis_runtime | {"level":"error","service":"graph","middleware":"requireAdmin","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","userid":"52f799eb-f38b-479d-abd0-15a9ba60ee36","time":"2023-10-30T18:00:55.505188828Z","message":"Failed to get roles for user"}
ocis_runtime | {"level":"error","service":"proxy","error":"401 Unauthorized","time":"2023-10-30T18:00:55.505635713Z","message":"Error creating user"}
ocis_runtime | {"level":"error","service":"proxy","error":"401 Unauthorized","time":"2023-10-30T18:00:55.505652418Z","message":"Autoprovisioning user failed"}
Where do I set the authorization for these calls? I have not touched the IDM creds:
idm:
  service_user_passwords:
    admin_password: BKc3=!M#Bm%9-3@.$fta!HSSqs.asmLK
    idm_password: TeO4VxrTH%fwI3BaW#XTn3LlCEuX4#fE
    reva_password: ve.8%0N%wg%o%hhpRsqbg81J+-1u&OCu
    idp_password: RpX@TiYHe%fB5Wr*-sw!z&pXFPyZxvE^
Finally got it to work by deleting the ocis.yaml and everything in OCIS_BASE_DATA_PATH, then re-running the image.
So you basically implemented your own OIDC IDP? I am not entirely sure if what you did also works with the other ownCloud clients (Android, iOS, desktop). But if you don't need them I am happy that you got things working.
I am still not sure I understood completely what you're trying to achieve, but I think as you're not using the oCIS built-in IDP at all, you can simply disable it by setting OCIS_EXCLUDE_RUN_SERVICES=idp.