This isn’t a bug report, more a general question, so I’m not filling in all the information.
When I visit the ownCloud instance in a web browser on my computer I very often find myself signed out, and I have to sign in again. It is only a few extra clicks, but everybody knows that extra clicks are annoying.
I’ve set up the webserver to use Open ID Connect.
The desktop app and mobile app do not have to log in again, and I guess that has to do with their native OAuth2 connection and not the cookie-based approach in a browser.
Does anyone have any input as to why I must login again quite often in a web browser? What can I change in either ownCloud (cookie lifetimes?) or the OIDC provider (token lifetimes?) to mitigate this (without compromising security)?
While the token lifetime is too short (5 minutes by default), the web should either refresh the token or get a new one automatically. You shouldn’t need to log in manually over and over.
As usual, I’d recommend trying to reproduce the issue using the deployment example (the “ocis_full” seems more up-to-date), and then figure out the differences with your own personal deployment.
It might be a browser-related problem. As said, Firefox works for me, but I haven’t tested any other browser. @kobergj do you know if there is a list with the “officially supported” web browsers? I’m not finding it in the documentation.
It’s the same in all browsers for me.
I don’t need to log onto the web very often, so I hadn’t logged on since I posted this (3 days ago). I visited the web now and had to log on again. The mobile app did not have to log on again.
That seems both normal and desirable to need to log in to a browser-based session when visiting on different days. I would be annoyed if I opened my browser and had access without authenticating.
I log out of most of the services on your list. Different strokes, I guess. As long as there is an option to not stay logged in, it doesn’t bother me, not that my preferences carry any significant consideration. I hope you can find a way to use it the way you like.
I’d recommend you check the deployment examples to see if it’s reproducible.
I’m not sure what you’re referring to with this. If you’re using the default setup or the “ocis_full” deployment, you don’t really need to configure anything specific for Open ID Connect in the server. It should work out of the box.
There is also a deployment example with Keycloak if you want to use an external Open ID Connect.
Other than Keycloak, I don’t think there is an “officially supported” Open ID Connect. Authelia is one that popped up sometime in this forum, so you might find some info around.
For the configuration, you can try to adjust the values for IDP_ACCESS_TOKEN_EXPIRATION and IDP_ID_TOKEN_EXPIRATION, both with a default value of 300 (seconds). The tokens should be short-lived; 30 minutes of expiration is common, and it shouldn’t go over 1 hour.
Note that if you’re using an external IDP such as Keycloak, I don’t think those parameters will work. You should be able to configure the token expiration from the IDP.
However, I don’t think this will fix your problem. Somehow you aren’t refreshing the token (which should be automatic), so once the token expires you’ll be kicked out again.
@jvillafanez By “set up the webserver to use Open ID Connect” I mean that I have enabled the “OpenID Connect” app in the admin interface, and I’ve followed the “Prerequisites” in the documentation (provider-url, client-id, client-secret, and loginButtonName). I can’t insert a link to the documentation, but it’s the “Admin documentation” linked in the app description.
The OIDC provider is set up with short id_token and access_token lifetimes (5 minutes and 1 hour, respectively), and the refresh_token has a lifetime of 30 days (15 days sliding).
So I guess that the “OpenID Connect” app doesn’t use refresh tokens?
I thought you were talking about oCIS, not ownCloud 10…
I’m not entirely sure if the web UI is supported as a client of the OpenIDConnect app. I just see server-side code, but I don’t see anything related to the clients.
You could try to use Marketplace, but I’m not sure how well it integrates with ownCloud 10. Support for ownCloud 10 was discontinued though.
OIDC should be properly supported in the app because it’s used for oCIS, and oCIS uses OIDC by default, so there shouldn’t be problems if the setup is correct. However, the setup might be painful to do, and you still need the “regular” web UI for admin stuff (the app is just file access for the most part).
@jvillafanez So you’re saying that the OIDC app that comes preinstalled (also found in the marketplace) in the Docker image (owncloud/server), that puts a “login with OIDC” button on the webUI login, is not supported for login to the webUI?
Apparently links work for me now. This is the documentation I’ve followed:
It takes care of the login against the IDP you’ve configured, but I’d still consider it as part of the server-side code.
However, I don’t see any client code in the app in order to refresh the token before it expires. In practice, you can stay in ownCloud until the token expires (because the web won’t refresh the token).
Most of the time, you don’t have control over the token expiration, and from a user’s perspective you shouldn’t care because no matter when the token expires, it’s expected to be refreshed automatically. This happens in desktop and mobile clients, and it’s expected to happen in any OIDC client; that’s why I think the situation with the web UI is weird.
Basically, you can login with OIDC using the web, but there is no proper client to take care of all the nuisances.
I don’t think there is a nice workaround other than increasing the expiration time in your IDP.
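As an added illustration of the behaviour discussed in this thread (constructed example code, not ownCloud or oCIS code): a stub provider issues tokens with the lifetimes the original poster quoted, and two sessions are compared, one that uses the RFC 6749 refresh grant (as the desktop and mobile clients do) and one that never does (as the web UI is described here). The class names and the 30-day absolute / 15-day sliding refresh-token rule are assumptions.

```python
"""Simulated OIDC token lifecycle (added example, not ownCloud or oCIS code).
Thread lifetimes: access 1 h, refresh 30 d absolute / 15 d sliding. Stub; seconds."""
from dataclasses import dataclass
import secrets

ACCESS_TTL, REFRESH_ABSOLUTE, REFRESH_SLIDING = 3600, 30 * 86400, 15 * 86400

@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    access_exp: int  # absolute time (s); a real JWT carries this as "exp"

class StubProvider:
    """Constructed IDP stub: opaque tokens plus the RFC 6749 section 6 refresh grant."""
    def __init__(self):
        self._refresh = {}  # refresh_token -> (session_start, last_used)

    def _issue(self, now, session_start):
        rt = secrets.token_urlsafe(16)
        self._refresh[rt] = (session_start, now)
        return TokenSet(secrets.token_urlsafe(16), rt, now + ACCESS_TTL)

    def login(self, now):
        return self._issue(now, now)

    def refresh(self, refresh_token, now):
        """Rotate the refresh token; None models an invalid_grant error."""
        entry = self._refresh.pop(refresh_token, None)  # single use
        if entry is None:
            return None
        session_start, last_used = entry
        if now - session_start > REFRESH_ABSOLUTE or now - last_used > REFRESH_SLIDING:
            return None
        return self._issue(now, session_start)

class Session:
    """refreshes=False models a web UI that never uses its refresh token."""
    def __init__(self, provider, now, refreshes):
        self.provider, self.refreshes = provider, refreshes
        self.tokens = provider.login(now)

    def is_signed_in(self, now):
        if now < self.tokens.access_exp:
            return True
        new = self.provider.refresh(self.tokens.refresh_token, now) if self.refreshes else None
        if new is None:
            return False  # expired and nothing refreshed it: back to the login page
        self.tokens = new
        return True
```

Revisiting after three idle days, the non-refreshing session is signed out while the refreshing one silently obtains a new access token; only after the sliding or absolute refresh-token limit passes does the refreshing client also need a new login.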