Did anyone manage to use Authelia as an SSO (OIDC provider) for ownCloud Infinite Scale?
So far I have got it to the point where my OCIS instance redirects to Authelia, gets authenticated, and redirects back to OCIS, but it does not actually log me in.
On OCIS side I have the following env vars set up:
WEB_OIDC_METADATA_URL: "https://authelia.mydomain.com/.well-known/openid-configuration"
WEB_OIDC_AUTHORITY: "https://authelia.mydomain.com"
OCIS_OIDC_ISSUER: "https://authelia.mydomain.com"
WEB_OIDC_CLIENT_ID: "ocis"
OCIS_OIDC_CLIENT_ID: "ocis"
PROXY_OIDC_REWRITE_WELLKNOWN: "true"
In Authelia I have this in the config at the
identity_providers:
  ...
    - id: ocis
      description: ownCloud web client
      public: true
      authorization_policy: one_factor
      scopes:
        - openid
        - email
        - profile
      redirect_uris:
        - https://ocis.mydomain.com/
        - https://ocis.mydomain.com/oidc-callback.html
        - https://ocis.mydomain.com/oidc-silent-redirect.html
      response_types:
        - code
In the logs of Authelia, I can see the request for authentication, and I believe it's successful:
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:58+02:00" level=debug msg="Authorization Request with id '2024b675-5f82-467d-a6f0-1153a048a392' on client with id 'ocis' is being processed" method=GET path=/api/oidc/authorization remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:58+02:00" level=debug msg="Authorization Request with id '2024b675-5f82-467d-a6f0-1153a048a392' on client with id 'ocis' was successfully processed, proceeding to build Authorization Response" method=GET path=/api/oidc/authorization remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:58+02:00" level=trace msg="Authorization Request with id '2024b675-5f82-467d-a6f0-1153a048a392' on client with id 'ocis' creating session for Authorization Response for subject '7fb390be-962c-4c9e-9763-929b6cf1be7e' with username 'myuser' with claims: &{JTI: Issuer:https://authelia.mydomain.com Subject:7fb390be-962c-4c9e-9763-929b6cf1be7e Audience:[ocis] Nonce: ExpiresAt:0001-01-01 00:00:00 +0000 UTC IssuedAt:2023-06-23 16:33:58.194999747 +0200 CEST m=+65.511327822 RequestedAt:2023-06-23 14:33:56.207546906 +0000 UTC AuthTime:2023-06-23 16:33:55 +0200 CEST AccessTokenHash: AuthenticationContextClassReference: AuthenticationMethodsReferences:[pwd] CodeHash: Extra:map[azp:ocis client_id:ocis email:myemail@gmail.com email_verified:true name:My Name preferred_username:myuser]}" method=GET path=/api/oidc/authorization remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:58+02:00" level=trace msg="Replied (status=303)" method=GET path=/api/oidc/authorization remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:59+02:00" level=trace msg="Request hit" method=GET path=/.well-known/openid-configuration remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:59+02:00" level=trace msg="Replied (status=200)" method=GET path=/.well-known/openid-configuration remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:59+02:00" level=trace msg="Request hit" method=POST path=/api/oidc/token remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:59+02:00" level=debug msg="Access Request with id '2024b675-5f82-467d-a6f0-1153a048a392' on client with id 'ocis' is being processed" method=POST path=/api/oidc/token remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:59+02:00" level=trace msg="Access Request with id '2024b675-5f82-467d-a6f0-1153a048a392' on client with id 'ocis' response is being generated for session with type '*model.OpenIDSession'" method=POST path=/api/oidc/token remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:59+02:00" level=debug msg="Access Request with id '2024b675-5f82-467d-a6f0-1153a048a392' on client with id 'ocis' has successfully been processed" method=POST path=/api/oidc/token remote_ip=192.168.0.1
authelia_server.1.6kmn4jfxt0e6@wyse1 | time="2023-06-23T16:33:59+02:00" level=trace msg="Access Request with id '2024b675-5f82-467d-a6f0-1153a048a392' on client with id 'ocis' produced the following claims: map[access_token:authelia_at_9luwIltVkaKqA7F5nlKTQZcN_cAUmdEFayV7BRGffJY.4TWGwpGmwje4SBpLRQLkf3zw7d6799B1Bcx1vPmgtIc expires_in:3600 id_token:eyJhbGciOiJSUzI1NiIsImtpZCI6ImM4NTgzMyIsInR5cCI6IkpXVCJ9....GTPcCLAonjEczTut9EA5OOWmgZTj7kmGlHZJaXZhJfLo4nTiPUZWazSz7DzpBVx0O0ZZRHiJCR7ikP9cF6jRWyY7RnSCPvTdv7umor-qdpqn3T1urvBoVy6snKLB-wVieksrsj_nPQkcG_V8QDyudFvjaBmH8--l4ZvV7vWaBcMvuPjTjurXg4i9nmABH2c9xD4F5y0ab3fSRWeGkfG5j0OOVehdVdcuyBw0X-mqyYJ3EyvLUoODHhTG5DUaDiaYkfN2lVTsR7vkLC8rpFJOnpTrBGWejrkJb1etlJ1Rt821LOJBRi_fixGlVOJ0TZTdoFseU6MxcKY4Mu0BtZVc4g scope:openid profile email token_type:bearer]" method=POST path=/api/oidc/token remote_ip=192.168.0.1
On the OCIS side, nothing is logged about the event.
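The post shows the token endpoint handing back an id_token but the relying party silently not logging the user in. A first thing a practitioner checks in that situation is whether the claims in that id_token are the ones the relying party is configured to accept (OpenID Connect Core 3.1.3.7: `iss` must equal the configured issuer, `aud` must contain the client_id, `exp` must be in the future). The script below is an added diagnostic, not code from the original post, from Authelia or from OCIS. It takes an Authelia `/api/oidc/token` trace line in the shape shown above, pulls out the id_token, decodes its claims and compares them with the `OCIS_OIDC_ISSUER` / `OCIS_OIDC_CLIENT_ID` values from the post. Because the real token payload is not on the page, the sample log line and the token in it are constructed here (the `make_sample_jwt` helper builds them with a placeholder signature). It only inspects claims and does not verify the RS256 signature; for that you would fetch the `jwks_uri` listed in the discovery document.

```python
from __future__ import annotations

import base64
import json
import re
import time

# Relying-party settings, copied from the OCIS environment in the post.
OCIS_OIDC_ISSUER = "https://authelia.mydomain.com"
OCIS_OIDC_CLIENT_ID = "ocis"

# Fixed "current time" for the constructed sample (2023-06-23T14:33:59Z).
NOW = 1687530839


def b64url_decode(segment: str) -> bytes:
    """base64url without padding, as JWT segments are encoded (RFC 7515 s.2)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_jwt(claims: dict) -> str:
    """Build a compact JWS with an RS256 header and a PLACEHOLDER signature.

    Only used to construct demo input; the signature is not valid and
    nothing in this script verifies signatures.
    """
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    header = {"alg": "RS256", "kid": "c85833", "typ": "JWT"}
    return ".".join([enc(header), enc(claims), b64url_encode(b"\x00" * 32)])


# Constructed claims, shaped like the session Authelia logged in the post.
SAMPLE_CLAIMS = {
    "iss": "https://authelia.mydomain.com",
    "sub": "7fb390be-962c-4c9e-9763-929b6cf1be7e",
    "aud": ["ocis"],
    "azp": "ocis",
    "iat": NOW - 1,
    "exp": NOW - 1 + 3600,
    "auth_time": NOW - 4,
    "amr": ["pwd"],
    "email": "myemail@gmail.com",
    "email_verified": True,
    "name": "My Name",
    "preferred_username": "myuser",
}
SAMPLE_JWT = make_sample_jwt(SAMPLE_CLAIMS)

# Constructed log line in the shape of Authelia's /api/oidc/token trace line.
SAMPLE_LOG_LINE = (
    'time="2023-06-23T16:33:59+02:00" level=trace msg="Access Request with id '
    "'2024b675-5f82-467d-a6f0-1153a048a392' on client with id 'ocis' produced "
    "the following claims: map[access_token:authelia_at_REDACTED expires_in:3600 "
    f"id_token:{SAMPLE_JWT} scope:openid profile email token_type:bearer]\" "
    "method=POST path=/api/oidc/token remote_ip=192.168.0.1"
)

_ID_TOKEN_RE = re.compile(r"id_token:([\w-]+\.[\w-]+\.[\w-]+)")


def extract_id_token(log_line: str) -> str:
    """Pull the id_token out of Authelia's 'produced the following claims' line."""
    m = _ID_TOKEN_RE.search(log_line)
    if m is None:
        raise ValueError("no id_token in log line")
    return m.group(1)


def decode_claims(jwt: str) -> tuple[dict, dict]:
    """Split a compact JWS into (header, claims) WITHOUT checking the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_id_token(jwt: str, issuer: str, client_id: str,
                   now: float | None = None, skew: int = 60) -> list[str]:
    """Compare the ID token's claims with the relying party's configuration.

    Returns a list of problems; an empty list means alg/iss/aud/exp/iat line
    up with the OCIS settings (signature still unverified).
    """
    now = time.time() if now is None else now
    header, claims = decode_claims(jwt)
    problems: list[str] = []
    if header.get("alg") != "RS256":
        problems.append(f"alg: expected RS256, got {header.get('alg')!r}")
    if claims.get("iss") != issuer:
        problems.append(f"iss: {claims.get('iss')!r} != configured issuer {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        problems.append(f"aud: {aud!r} does not contain client_id {client_id!r}")
    elif len(aud) > 1 and claims.get("azp") != client_id:
        problems.append(f"azp: several audiences but azp is {claims.get('azp')!r}")
    if "exp" not in claims or claims["exp"] <= now - skew:
        problems.append("exp: token expired or has no exp claim")
    if "iat" in claims and claims["iat"] > now + skew:
        problems.append("iat: token issued in the future (clock skew?)")
    return problems


if __name__ == "__main__":
    token = extract_id_token(SAMPLE_LOG_LINE)
    report = check_id_token(token, OCIS_OIDC_ISSUER, OCIS_OIDC_CLIENT_ID, now=NOW)
    print("\n".join(report) if report else "claims match the OCIS configuration")
```

Paste a real trace line into `SAMPLE_LOG_LINE` (or feed it via `extract_id_token`) and run with the default `now`; an exact string compare on `iss` is deliberate, since a trailing slash or an `http` vs `https` difference between what Authelia puts in the token and what `OCIS_OIDC_ISSUER` says is enough for a strict client to reject the token.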