Configure OpenID Connect with Google as IdP

Hello, Community.

I need to set Google as the IdP for a fresh ownCloud installation. I have followed the instructions in this documentation: OpenID Connect (OIDC) :: ownCloud Documentation, but it has an example for Kopano Konnect and I can't find any other example that uses Google as IdP.

Expected behaviour

The user can sign in to ownCloud with their Google credentials

Actual behaviour

The user is getting the following error:

Error in OpenIdConnect:The provider authorization_endpoint could not be fetched. Make sure your provider has a well known configuration available.

OpenID configuration inside config.php

As you can see, I have the same parameters that the Kopano Konnect tutorial describes.
I have used this Google project configuration for another SSO and it works just fine, so I'm guessing that the error comes from my OpenID configuration in config.php.

Is there a guide on how to properly set up OpenID with Google as IdP for ownCloud?

Hi there! I am attempting exactly the same thing and I was having the same error as you. The provider-url has to be just https://accounts.google.com. That is because OpenID will then append /.well-known/openid-configuration to it to find extra configuration parameters.

This is how my config.php looks:

<?php
$CONFIG = array (
  'http.cookie.samesite' => 'None',
  'openid-connect' =>
    array (
      'auto-provision' =>
        array (
          'enabled' => false,
        ),
      // Issuer base URL only: the client appends /.well-known/openid-configuration itself
      'provider-url' => 'https://accounts.google.com',
      // Placeholders for the OAuth client credentials from the Google project
      'client-id' => 'secret-id',
      'client-secret' => 'secret',
      'loginButtonName' => 'Google Auth',
      // Match the Google account to the ownCloud user by e-mail address
      'mode' => 'email',
    ),
);

With that I am successfully redirected to the Google auth page, where I can click on my email. However, it throws an error! At some point ownCloud's implementation of OpenID will try to verify the access token as if it were a JWT, but it is not. I could get it to work by changing line 122 in SessionVerifier.php to use IdToken instead of AccessToken:

// Modified check in SessionVerifier.php: verify the ID token (a JWT) instead of
// Google's opaque access token, which has no JWT signature to check
if (!$client->verifyJWTsignature($idToken)) {
  $this->logger->error('Token cannot be verified: ' . $accessToken);
  $this->logout();
  throw new OpenIDConnectClientException('Token cannot be verified.');
}

I don’t want to do that “hack” so I’m trying to find out if there is anything else I can configure. According to Owncloud:

  • use-token-introspection-endpoint - if set to true the token introspection endpoint is used to verify a given access token - only needed if the access token is not a JWT

  • token-introspection-endpoint-client-id & token-introspection-endpoint-client-secret - client id and secret to be used with the token introspection endpoint

and that's where I am at the moment, trying to find out what Google's introspection endpoint is, if it exists…

2 Likes
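As an added example (not code from the thread or from ownCloud), the following Python script models offline the two points the post above works through: provider-url must be the issuer base URL because the client appends /.well-known/openid-configuration itself, and an opaque access token cannot be verified as a JWT, so without an introspection endpoint in the discovery document the client has no verification path left. The discovery document is a constructed, abbreviated sample in the shape Google publishes (endpoint values written from memory; check them against the live document), the tokens are constructed, and the mapping of use-token-introspection-endpoint to a boolean is an assumption for the sake of the example.

```python
"""Offline model of the two OIDC client checks discussed above:
1. provider-url must be the issuer base URL (the client appends the
   well-known path itself), and
2. an opaque access token cannot be verified as a JWT, so introspection
   (or nothing) is the only remaining option."""
import base64
import json

WELL_KNOWN_PATH = "/.well-known/openid-configuration"
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample: an abbreviated discovery document in the shape Google
# serves at https://accounts.google.com/.well-known/openid-configuration.
# It deliberately carries no introspection_endpoint key.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://accounts.google.com",
    "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.googleapis.com/token",
    "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
})


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample tokens: an ID token is a JWT (header.payload.signature);
# a Google access token is an opaque string (the "ya29." prefix is just a label).
SAMPLE_ID_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode()),
    _b64url(json.dumps({"iss": "https://accounts.google.com",
                        "email": "user@example.com"}).encode()),
    _b64url(b"constructed-signature-bytes"),
])
SAMPLE_ACCESS_TOKEN = "ya29.constructed-opaque-access-token"


def discovery_url(provider_url: str) -> str:
    """Build the URL the client fetches from provider-url.

    Raises if provider-url already contains the well-known path: appending
    it again yields a URL that does not exist, and the client then reports
    that the authorization_endpoint could not be fetched."""
    base = provider_url.rstrip("/")
    if base.endswith(WELL_KNOWN_PATH):
        raise ValueError("provider-url must be the issuer base URL, e.g. "
                         "https://accounts.google.com; the client appends "
                         + WELL_KNOWN_PATH + " itself")
    return base + WELL_KNOWN_PATH


def check_discovery(doc_json: str, provider_url: str) -> dict:
    """Parse a discovery document and check the fields the client needs."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError("discovery document lacks: " + ", ".join(missing))
    # The issuer must match the configured provider-url; otherwise a
    # lookalike provider could answer the discovery request.
    if doc["issuer"].rstrip("/") != provider_url.rstrip("/"):
        raise ValueError("issuer %r does not match provider-url %r"
                         % (doc["issuer"], provider_url))
    return doc


def token_kind(token: str) -> str:
    """Return 'jwt' for a JWS-shaped token with a parsable JOSE header,
    'opaque' otherwise (no cryptographic verification is done here)."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError):
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"


def verification_strategy(token: str, discovery: dict,
                          use_introspection: bool) -> str:
    """Which of the client's two verification paths can handle this token."""
    if token_kind(token) == "jwt":
        return "verify-jwt-signature"      # check the signature against jwks_uri
    if use_introspection and "introspection_endpoint" in discovery:
        return "introspection"             # RFC 7662 endpoint from discovery
    return "unverifiable"                  # the dead end reached in the thread


if __name__ == "__main__":
    print(discovery_url("https://accounts.google.com"))
    doc = check_discovery(SAMPLE_DISCOVERY_JSON, "https://accounts.google.com")
    print("authorization_endpoint:", doc["authorization_endpoint"])
    for name, tok in (("id_token", SAMPLE_ID_TOKEN), ("access_token", SAMPLE_ACCESS_TOKEN)):
        print(name, token_kind(tok), verification_strategy(tok, doc, True))
```

Run as a script it prints the well-known URL the client derives, the authorization_endpoint from the sample document, and, for each token, whether it is JWT-shaped and which verification path applies; the opaque access token ends in "unverifiable" because the sample document advertises no introspection endpoint.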

For anyone else coming here looking for information, I got confirmation that Google is not a supported IdP at the time of writing this. I opened an issue in their repo, here.

2 Likes

Bless you @PaulaMariaFdez

Thanks to you I was able to move forward with this problem!
I am also trying to connect to Google as IdP.

This is my configuration:

And I got back this error message:

I may be able to find out what is wrong. Or maybe one of you can? Google has an OAuth 2.0 playground for testing. You may be able to see the sample requests and responses. Here is the documentation on what Google requires for successful authentication.

I am planning to intercept the communication between my ownCloud instance and Google: to do packet sniffing to see what the request and response look like in terms of attributes, their names and values, and compare that to the samples provided in the documentation. We may be able to discover what is wrong, whether it's truly the plugin implementation or we missed something. Because as I remember, the OpenID Connect plugin allows you to specify custom parameters, and I find it hard to believe that Google does not return a valid JWT.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.