Debugging OCIS CORS configuration

Hello, OwnCloudOwners,

I am trying to integrate a new installation of OwnCloud Infinite Scale (Community Edition) with the Janssen Authorization Server, an open-source OIDC provider. The authentication workflow almost succeeds:

  1. OwnCloud redirects to the SSO sign-in page
  2. Authentication Credentials are accepted and the requested OIDC scopes for OwnCloud (profile, mail, etc.) are presented to the user for acceptance
  3. Browser redirects to the OIDC callback page on OwnCloud (https://oc.[my domain].io/oidc-callback)

However, when the landing page on OwnCloud attempts to fetch the authorization token via Javascript (a request to https://[my domain]/jans-auth/restv1/token) , a CORS violation occurs and the browser blocks the request.

https://sso.[my domain].io/jans-auth/restv1/token
Request Method:
Status Code:
401 Unauthorized
Referrer Policy:

It seems that https://sso.[my domain].io/ needs to be added to the CORS configuration for the OwnCloud frontend. I believe I have done this correctly, but it’s still not working.

I’m deploying OCIS using the Helm charts, and the CORS-related configuration values do seem to be making it into the containers…

❯ kubectl get pod frontend-5d7bfd6fdf-mkc5m -o yaml |\

      value: '*,https://sso.[my domain].io,https://oc.[my domain].io,https://[my domain].io'
    image: owncloud/ocis:4.0.1


❯ kubectl exec frontend-5d7bfd6fdf-mkc5m -- sh -c 'echo $OCIS_CORS_ALLOW_ORIGINS'

*,https://sso.[my domain].io,https://oc.[my domain].io,https://[my domain].io

So the config values have made it at least as far as ENV vars inside the containers. But it seems not all the way to the browser? Seems like I’m missing something obvious.

Any help or tips debugging this will be greatly appreciated.

Thanks in advance,

The OIDC server is hosted at: https://sso.[my domain].io
OCIS is hosted at: https://oc.[my domain].io

Steps to reproduce

  1. Establish OIDC provider at https://sso.[my domain].io/
  2. Deploy OCIS from the Helm charts to https://oc.[my domain].io, using the following overrides:
externalDomain: oc.[my domain].io

# HTTP settings for oCIS services.
  #-- CORS settings for oCIS services.
    #-- allow_origins is a list of origins a cross-domain request can be executed from.
    # If the special "*" value is present in the list, all origins will be allowed.
    allow_origins: ["*", "https://sso.[my domain].io", "https://oc.[my domain].io", "https://[my domain].io"]
  basicAuthentication: false
    enabled: true
  1. Attempt to login

Expected behaviour

Browser Javascript requests to https://sso.[my domain].io should be allowed from OwnCloud

Actual behaviour

Browser Javascript requests to https://sso.[my domain].io are blocked by CORS configuration. :frowning:

Server configuration

Operating system: Ubuntu 22.04 LTS

Web server: Whatever is packaged into OCIS Community edition 04.0.1 containers

Database: Whatever is packaged into OCIS Community edition 04.0.1 containers

PHP version: I think it’s none? Isn’t OCIS composed of golang microservices?

ownCloud version: 4.0.1

Updated from an older ownCloud or fresh install: fresh install

Where did you install ownCloud from: [Helm charts][1]

The content of config/config.php: Hopefully all CORS-related config is posted above…

List of activated apps: default set for OCIS 4.0.1

Are you using external storage: No

Are you using encryption: no

Are you using an external user-backend: [Janssen Authorization Server][2]

LDAP configuration (delete this part if not used)

      writeable: true
      uri: ldaps://ldap.h.[my domain]:1636
      certTrusted: true
      insecure: false
      bindDN: cn=Directory Manager
      refintEnabled: false
      passwordModifyExOpEnabled: false
      useServerUUID: true
          id: inum
          idIsOctetString: false
          mail: mail
          displayName: displayName
          userName: uid
          userType: ownCloudUserType
        baseDN: ou=people,o=jans
        scope: sub
        substringFilterType: any
        objectClass: jansPerson
          id: inum
          idIsOctetString: false
          mail: mail
          displayName: displayName
          groupName: inum
          member: member
        baseDN: ou=groups,o=jans        
        createBaseDN: ""
        scope: sub
        objectClass: jansGrp
      using an ldap attribute.
        disableMechanism: attribute
        userEnabledAttribute: ownCloudUserEnabled
        disabledUsersGroupDN: "cn=DisabledUsersGroup,ou=groups,o=libregraph-idm"

Client configuration

Browser: Chrome, Firefox, Safari (all tested - same results)

Operating system: Windows, Mac, Linux (all tested - same results)


Browser log

I’m experiencing exactly the same issue with CORS errors and I also have configured it correctly I believe.

Please share if you find a solution to this.