Desktop Client 403 Forbidden - Web and mobile are working

Steps to reproduce

  1. Start desktop client
  2. Add new account
  3. Insert selfhosted address
  4. Click on open browser to login

Expected behaviour

Login with the provided desktop client link and connect desktop client with my selfhosted instance

Actual behaviour

When I open the link provided by the desktop client I get 403 - Forbidden error

Server configuration

Operating system:
Unraid/Docker

ownCloud infinity scale version:
4.0.2

Updated from an older ownCloud or fresh install:
Fresh install

Where did you install ownCloud from:
From the official docker image ( owncloud/ocis)

Are you using external storage, if yes which one: local/smb/sftp/…
No

Are you using encryption: yes/no
No

Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/…
No

Client configuration

Browser:
Firefox

Operating system:
Linux/Windows

Server configuration

As mentioned above I use the official docker image. In addition I also use Nginx Proxy Manager as a reverse proxy. Here are my env variables for the docker image:

  • OCIS_INSECURE = false
  • PROXY_HTTP_ADDR = 0.0.0.0:9200
  • OCIS_URL = https://“mydomain”.com
  • OCIS_LOG_FILE = /etc/ocis/ocis.log
  • PROXY_TLS = false

The issue as mentioned above is that I can’t login from the link provided by the desktop client. It works with neither the Linux client nor the Windows client. The strange thing is that this is working perfectly with the mobile app. And I also can access my instance over the web.

Do I miss a setting or an env variable? And is this a server issue or more an issue of the desktop client, because mobile app and web are working perfectly?

I hope you guys can help me

Hey,

I’m not sure, but maybe it could help others if you also provided the desktop client versions which are showing these problems?


@tom42 you are right.

I’m using the latest (5.0.0.12278) desktop clients for windows and linux.


How do you generate the link in the 5.0.0 desktop client? File? Folder? Space?

Hi @michaelstingl,

I’m not generating a link, I try to login and connect my account to the desktop client. On the client, I click on “add account”, type in my selfhosted server address and after that there is a button “open browser”. And if I click the button or copy the link to login, I get a 403 - Forbidden on that link address.

Desktop clients query /.well-known/webfinger. There they learn about the IdP.

curl -s "https://ocis.ocis-traefik.latest.owncloud.works/.well-known/webfinger?resource=https%3A%2F%2Focis.ocis-traefik.latest.owncloud.works" | jq
{
  "subject": "https://ocis.ocis-traefik.latest.owncloud.works",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://ocis.ocis-traefik.latest.owncloud.works"
    }
  ]
}

On the IdP, desktop clients respect the information from /.well-known/openid-configuration.

curl -s "https://ocis.ocis-traefik.latest.owncloud.works/.well-known/openid-configuration" | jq
{
  "issuer": "https://ocis.ocis-traefik.latest.owncloud.works",
  "authorization_endpoint": "https://ocis.ocis-traefik.latest.owncloud.works/signin/v1/identifier/_/authorize",
  "token_endpoint": "https://ocis.ocis-traefik.latest.owncloud.works/konnect/v1/token",
  "userinfo_endpoint": "https://ocis.ocis-traefik.latest.owncloud.works/konnect/v1/userinfo",
  "end_session_endpoint": "https://ocis.ocis-traefik.latest.owncloud.works/signin/v1/identifier/_/endsession",
  "check_session_iframe": "https://ocis.ocis-traefik.latest.owncloud.works/konnect/v1/session/check-session.html",
  "jwks_uri": "https://ocis.ocis-traefik.latest.owncloud.works/konnect/v1/jwks.json",
  "scopes_supported": […

Here you can find more information:
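The two-step discovery described above (webfinger first, then the issuer's openid-configuration) can be checked without a desktop client. The following is an added example, not code from this thread or from ownCloud; it works on constructed sample documents (the hostnames cloud.example.com and ocis:9200 are placeholders) and only demonstrates the consistency a client effectively relies on: the issuer advertised by webfinger must equal the `issuer` field of openid-configuration, and every endpoint should be an https URL on that same host. The failing sample is hypothetical; it shows what the checks report when the documents are built around an internal address instead of the public one.

```python
# Added example (not from the thread): walk the discovery chain a desktop
# client follows (webfinger -> OIDC issuer -> openid-configuration) and
# report inconsistencies between the documents. All documents below are
# constructed sample data; nothing is fetched from the network.
import json
from urllib.parse import urlparse

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")


def issuer_from_webfinger(webfinger: dict, resource: str) -> str:
    """Return the OIDC issuer advertised for `resource`, as a client reads it."""
    if webfinger.get("subject") != resource:
        raise ValueError(f"webfinger subject {webfinger.get('subject')!r} != {resource!r}")
    for link in webfinger.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and link.get("href"):
            return link["href"]
    raise ValueError("webfinger response carries no OIDC issuer link")


def check_openid_configuration(config: dict, expected_issuer: str) -> list:
    """Compare the IdP's discovery document against the issuer the client expects.
    Returns human-readable problems; an empty list means the documents agree."""
    problems = []
    if config.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {config.get('issuer')!r} != {expected_issuer!r}")
    public_host = urlparse(expected_issuer).netloc
    for key in REQUIRED_ENDPOINTS:
        url = config.get(key)
        if not url:
            problems.append(f"{key} missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if parsed.netloc != public_host:
            problems.append(f"{key} points at {parsed.netloc!r}, not {public_host!r}")
    return problems


def run_discovery(server_url: str, webfinger_json: str, openid_json: str) -> list:
    """End-to-end: parse both documents and return every detected problem."""
    issuer = issuer_from_webfinger(json.loads(webfinger_json), server_url)
    problems = []
    if urlparse(issuer).scheme != "https":
        problems.append(f"issuer advertised by webfinger is not https: {issuer}")
    problems += check_openid_configuration(json.loads(openid_json), issuer)
    return problems


# Constructed sample data (placeholder host, stands in for OCIS_URL).
PUBLIC = "https://cloud.example.com"
WEBFINGER_OK = json.dumps({"subject": PUBLIC,
                           "links": [{"rel": OIDC_ISSUER_REL, "href": PUBLIC}]})
OPENID_OK = json.dumps({
    "issuer": PUBLIC,
    "authorization_endpoint": f"{PUBLIC}/signin/v1/identifier/_/authorize",
    "token_endpoint": f"{PUBLIC}/konnect/v1/token",
    "userinfo_endpoint": f"{PUBLIC}/konnect/v1/userinfo",
    "jwks_uri": f"{PUBLIC}/konnect/v1/jwks.json",
})
# Hypothetical failure case: a discovery document built around an internal
# upstream address (placeholder) rather than the public one.
INTERNAL = "http://ocis:9200"
OPENID_BAD = json.dumps({
    "issuer": INTERNAL,
    "authorization_endpoint": f"{INTERNAL}/signin/v1/identifier/_/authorize",
    "token_endpoint": f"{INTERNAL}/konnect/v1/token",
    "userinfo_endpoint": f"{INTERNAL}/konnect/v1/userinfo",
    "jwks_uri": f"{INTERNAL}/konnect/v1/jwks.json",
})

if __name__ == "__main__":
    for label, doc in (("consistent", OPENID_OK), ("internal-address", OPENID_BAD)):
        print(label, run_discovery(PUBLIC, WEBFINGER_OK, doc) or "no problems")
```

To use it against a real instance, replace the inline documents with the two curl responses shown above. A non-empty result points at the reverse proxy and OCIS_URL side of the setup rather than at the desktop client, because that is where the documents the client reads are produced.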

@michaelstingl thank you for your answer, but could you please elaborate more on that?
Do I need to add an openid config? And if yes, where do I store it and what do I need to configure in it?

I have a very similar problem. I’m using the binary setup with systemd and the internal idp service because it is a small system. Everything used to work well with direct access to the IP address. But this problem happens after I switch to the domain name. The existing clients work if I do not log out, but authorizing new clients gives me 403 forbidden message.

Here is my .well-known/openid-configuration :

{
  "issuer": "https://<mydomain>",
  "authorization_endpoint": "https://<mydomain>/signin/v1/identifier/_/authorize",
  "token_endpoint": "https://<mydomain>/konnect/v1/token",
  "userinfo_endpoint": "https://<mydomain>/konnect/v1/userinfo",
  "end_session_endpoint": "https://<mydomain>/signin/v1/identifier/_/endsession",
  "check_session_iframe": "https://<mydomain>/konnect/v1/session/check-session.html",
  "jwks_uri": "https://<mydomain>/konnect/v1/jwks.json",
  "scopes_supported": [
    "openid",
    "offline_access",
    "email",
    "LibgreGraph.UUID",
    "LibreGraph.RawSub",
    "profile"
  ],
  "response_types_supported": [
    "id_token token",
    "id_token",
    "code id_token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "PS512",
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384"
  ],
  "userinfo_signing_alg_values_supported": [
    "PS512",
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384"
  ],
  "request_object_signing_alg_values_supported": [
    "ES256",
    "ES384",
    "ES512",
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512",
    "none",
    "EdDSA"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "none"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "PS512",
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384"
  ],
  "claims_parameter_supported": true,
  "claims_supported": [
    "iss",
    "sub",
    "aud",
    "exp",
    "iat",
    "name",
    "family_name",
    "given_name",
    "email",
    "email_verified"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": false
}

With ocis.env:

OCIS_URL=https://<mydomain>
PROXY_HTTP_ADDR=0.0.0.0:9200
PROXY_TRANSPORT_TLS_KEY=<mydatapath>/proxy/<mydomain>.key
PROXY_TRANSPORT_TLS_CERT=<mydatapath>/proxy/<mydomain>.crt

OCIS_INSECURE=false

OCIS_LOG_LEVEL=warn
OCIS_EVENTS_ENABLE_TLS=false

OCIS_CONFIG_DIR=/etc/ocis
OCIS_BASE_DATA_PATH=<mydatapath>

OCIS_ASYNC_UPLOADS=true
STORAGE_USERS_OCIS_ASYNC_UPLOADS=true

I’m also not sure if an external openid provider is needed…

Same error, everything was working well but now I’ve been logged out and can’t log in again with the desktop client.
It was working before by changing the beginning of the authentication link with the local address, but now it’s broken.
How can I fix it?

(Running on Unraid also)

Had to add proxy_set_header Host $host; in nginx manager. Working now.


Hi @raphaelben55,
that’s nice to hear. Where exactly do you put proxy_set_header Host $host; into the nginx proxy manager?
In Advanced -> Custom Nginx Configuration or somewhere else?

Yes, that’s exactly that.


It worked, thank you!
