OCIS + Authelia

So this works for the WEB authentication, however it seems that the desktop client (and therefore I assume the mobile apps too) do not request groups, or any other scope. They are hardcoded for openid offline_access email profile only (lacking groups or any other scope to use for a role provider).
I found a git issue for this: owncloud/ocis/issues/6814
The provided example for Keycloak includes providing scopes that Authelia does not support (Authelia only supports openid, groups, profile, email).
With my limited understanding I am unsure how oCIS gets the roles from Keycloak since it is not requested by the clients, and AFAICT I have setup Authelia to provide the roles (via groups).
I do not understand how roles are assigned or provided, and to be quite frank, I don’t understand the entire example.
But my take away from it seems to be that it leaves me with the following options of:

  • build your own clients (not viable, I’m not in a position to build apps)
  • not use mobile/desktop clients (not ideal)
  • just can’t use PROXY_ROLE_ASSIGNMENT_DRIVER: oidc (also not ideal)

Am I just doing something wrong or is it not feasible at the moment?
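To make concrete why a client that never asks for the groups scope cannot feed a groups-based role driver, here is an added Python model of the scope → claim → role chain. It is not ocis or Authelia code: the claim-per-scope table, the group-to-role mapping and the two authorization request URLs are constructed assumptions; only the scope names and the desktop client's hard-coded scope string come from this thread.

```python
"""Model of the OIDC scope -> claim -> role chain (added illustration).

Not ocis or Authelia code. CLAIMS_BY_SCOPE, GROUP_TO_ROLE and the request
URLs below are constructed assumptions; the scope names come from the thread.
"""
from urllib.parse import parse_qs, urlparse

# Scopes the IdP (Authelia) can grant, as listed in the thread, plus the
# standard refresh-token scope the clients request.
IDP_SUPPORTED = {"openid", "groups", "profile", "email", "offline_access"}

# Assumed: which claims a granted scope makes the IdP put into the token.
CLAIMS_BY_SCOPE = {
    "openid": {"sub"},
    "profile": {"name", "preferred_username"},
    "email": {"email"},
    "groups": {"groups"},
    "offline_access": set(),  # yields a refresh token, no extra claims
}

# Assumed group-to-role mapping a groups-based role driver might apply.
GROUP_TO_ROLE = {"ocis-admins": "admin", "ocis-users": "user"}

# Constructed authorization requests. The desktop client's scope string is
# the hard-coded one from the thread; the web client's adds 'groups'.
DESKTOP_REQUEST = (
    "https://authelia.example.test/api/oidc/authorization?"
    "client_id=desktop&response_type=code&redirect_uri=http://127.0.0.1"
    "&scope=openid+offline_access+email+profile"
)
WEB_REQUEST = (
    "https://authelia.example.test/api/oidc/authorization?"
    "client_id=ownCloud-web&response_type=code"
    "&redirect_uri=https://ocis.example.test/oidc-callback.html"
    "&scope=openid+profile+email+groups"
)


def requested_scopes(authorize_url):
    """Scopes actually requested: the space-separated 'scope' query parameter."""
    query = parse_qs(urlparse(authorize_url).query)
    return set(query.get("scope", [""])[0].split())


def granted_claims(requested, client_allowed):
    """Claims the IdP will emit: a scope must be requested by the client,
    allowed in that client's IdP config, and supported by the IdP at all."""
    granted = requested & client_allowed & IDP_SUPPORTED
    claims = set()
    for scope in granted:
        claims |= CLAIMS_BY_SCOPE.get(scope, set())
    return claims


def assign_role(token_claims, group_to_role=GROUP_TO_ROLE, default="user"):
    """Mimic a groups-based role driver: the first group with a mapping wins;
    a token without a 'groups' claim can only ever get the default role."""
    for group in token_claims.get("groups", []):
        if group in group_to_role:
            return group_to_role[group]
    return default


def role_for_request(authorize_url, client_allowed, user_groups):
    """End to end: the role the proxy derives for a user who is a member of
    `user_groups` at the IdP, given what this client asked for."""
    claims = granted_claims(requested_scopes(authorize_url), client_allowed)
    token = {"sub": "user-1"}
    if "groups" in claims:
        token["groups"] = sorted(user_groups)
    return assign_role(token)


if __name__ == "__main__":
    allowed = {"openid", "groups", "profile", "email", "offline_access"}
    for name, url in (("desktop", DESKTOP_REQUEST), ("web", WEB_REQUEST)):
        print(name, sorted(requested_scopes(url)),
              role_for_request(url, allowed, {"ocis-admins"}))
```

Running it shows the asymmetry the thread describes: with the same user in the same IdP group, the web request yields a groups claim and the mapped role, while the desktop request yields no groups claim at all, so nothing the IdP configuration allows can raise that session above the default role.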


I’ve tried everything to make this work, unfortunately it doesn’t.
The only solution to create an admin and have all 3 clients working (web, desktop, android) was to install ocis without authelia, create the admin user and password same as your authelia user, then add authelia.

After you login with the admin, one can add PROXY_AUTOPROVISION_ACCOUNTS: "true" and future clients can be added in authelia and will be provisioned in ocis (as normal users naturally).

@flashily7804
There was a bug in ocis with the admin user id provisioning. We fixed that in ocis 5.0.3. Can you confirm that?


After pulling the latest oCIS (owncloud/ocis@sha256:bb78d72b006dcbceee216decf3a09eed52f451e1591b5866c0ff614469a69f2b), I found that it could no longer communicate with Authelia. The debugging console disclosed the culprit:

Refused to connect to 'https://authelia-host/.well-known/openid-configuration' because it violates the following Content Security Policy directive: "connect-src 'self'".

This was easy enough to fix at the reverse proxy by removing or rewriting the offending CSP header. Using Caddy v2, one of the following lines would do the job (last option is most precise):

header -Content-Security-Policy # nuke the entire CSP header
header >Content-Security-Policy "connect-src 'self'" "connect-src *" # allow XHR anywhere; preserve other directives
header >Content-Security-Policy "connect-src 'self'" "connect-src 'self' authelia-host" # allow XHR to self and IdP; preserve other directives

… but it bears asking: how would one configure oCIS to customize the CSP header? I see there’s a PROXY_CSP_CONFIG_FILE_LOCATION variable that supposedly specifies a “CSP configuration file,” but what would one write into this CSP configuration file? And, would it be possible to configure this using environment variables alone, without additional files?
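For the connect-src problem above, here is an added Python helper (not ocis, Caddy or nginx code) that rewrites an existing CSP value to admit one extra origin for connect-src while keeping every other directive, so the header does not have to be dropped entirely. The header strings and the authelia-host origin in it are constructed for illustration. It also covers two edge cases a blanket string replacement misses: a policy with no connect-src at all (browsers then fall back to default-src, so that list is the starting point) and a connect-src of 'none'.

```python
"""Add one origin to a CSP connect-src without discarding the rest of the
policy (added illustration, not ocis/Caddy/nginx code; the sample headers
and the authelia-host origin are constructed)."""


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]} in directive order.
    Per CSP, a repeated directive name is ignored after its first occurrence."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        if name not in policy:
            policy[name] = sources
    return policy


def serialize_csp(policy):
    """Inverse of parse_csp; directives without sources keep their bare name."""
    return "; ".join((name + " " + " ".join(sources)).strip()
                     for name, sources in policy.items())


def allow_connect_to(header, origin):
    """Return `header` with `origin` permitted for XHR/fetch.

    - No connect-src present: browsers fall back to default-src, so start
      from a copy of that list (or 'self' if there is no default-src either)
      rather than silently widening or narrowing the existing permission.
    - connect-src 'none': 'none' must be the only source, so it is replaced.
    - Idempotent: an origin already listed is not added twice.
    """
    policy = parse_csp(header)
    sources = policy.get("connect-src")
    if sources is None:
        sources = list(policy.get("default-src", ["'self'"]))
    if sources == ["'none'"]:
        sources = []
    if origin not in sources:
        sources.append(origin)
    policy["connect-src"] = sources
    return serialize_csp(policy)


if __name__ == "__main__":
    # Constructed header values; the first is the one quoted in the thread.
    for csp in ("connect-src 'self'",
                "default-src 'self'; img-src *",
                "connect-src 'none'; frame-ancestors 'none'"):
        print(repr(csp), "->", repr(allow_connect_to(csp, "https://authelia-host")))
```

The point of keeping the rest of the policy is that directives such as frame-ancestors and script-src are what protect the web UI against clickjacking and injected scripts; widening connect-src by one IdP origin is a far smaller concession than removing the header.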

You basically just add the needed directive. Check the default on github: ocis/services/proxy/pkg/config/csp.yaml at master · owncloud/ocis · GitHub

Unfortunately this is not possible at the moment. It would require a lot of new envvars which makes it unmaintainable. That is why we did go for having an external file configuring csp in a clear and concise way.

I revisited this topic after more than a year to see if anything improved on the OCIS or Authelia side.
I made some progress, but still not there yet.
Help me out a bit please.

I run OCIS in docker in a stack with a Nats instance as follows:

version: "3.9"

services:
  nodes:
    image: owncloud/ocis:7.0
    hostname: ocis-{{.Task.Slot}}
    ports:
      - 9200:9200
    networks:
      - bana_global
    entrypoint:
      - /bin/sh
    command: ["-c", "if [ \"$OCIS_REPLICA\" = \"1\" ]; then ocis init || true; fi; ocis server"]
    environment:
      TZ: "Europe/Budapest"
      PUID: "1000"
      PGID: "1000"
      DEMO_USERS: "false"
      OCIS_INSECURE: "true"
      PROXY_TLS: "false"
      PROXY_HTTP_ADDR: 0.0.0.0:9200
      OCIS_URL: "https://ocis.my.domain/"
      OCIS_LOG_LEVEL: debug
      OCIS_LOG_COLOR: "true"
      OCIS_LOG_PRETTY: "true"
      STORAGE_USERS_OCIS_ROOT: /ocisdata
      STORAGE_USERS_ID_CACHE_STORE: "nats-js-kv"
      STORAGE_USERS_ID_CACHE_STORE_NODES: "nats:9233"
      OCIS_REPLICA: "{{.Task.Slot}}"
      OCIS_OIDC_ISSUER: "https://authelia.my.domain"
      WEB_OIDC_CLIENT_ID: ownCloud-web
      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none

    volumes:
      - user-data:/ocisdata
      - ocis-data:/var/lib/ocis
    configs:
      - source: ocis-config
        target: /etc/ocis/ocis.yaml
    deploy:
      mode: replicated
      replicas: 1
      placement:
        max_replicas_per_node: 1

  nats:
    image: nats
    hostname: nats-1
    command: [
      "--jetstream",
      "--store_dir", "/data",
      "--port", "9233",
      "--cluster_name", "NATS",
      "--http_port", "8222",
      "--server_name", "nats-1"
    ]
    volumes:
      - nats_data-1:/data
    networks:
      - bana_global
    deploy:
      mode: replicated
      replicas: 1
      placement:
        max_replicas_per_node: 1

configs:
  ocis-config:
    file: ./ocis.yaml

networks:
  bana_global:
    external: true

volumes:
  user-data:
    driver_opts:
      type: "nfs"
      o: "addr=LOCALIP,rw,hard,nfsvers=4.2"
      device: ":/share/ocisdata"
  ocis-data:
    driver: local
    driver_opts:
      type: ''
      o: bind
      device: /data3/ocis
  nats_data-1:
    driver: local
    driver_opts:
      type: ''
      o: bind
      device: /data3/nats_data-1

User data on NFS 4.2 (not PosixFS yet… I tried really hard though). Ocis data and Nats on CephFS.

My nginx server block is:

server {
    listen 80;
    listen [::]:80;

    server_name ocis.my.domain;
    resolver 127.0.0.11 valid=10s;
    resolver_timeout 5s;

    location / {
        return 301 https://$server_name$request_uri; # redirect to HTTPS; redirecting to http here would loop back into this block
    }
}

server {
    listen 443 ssl proxy_protocol;
    listen [::]:443 ssl proxy_protocol;
    http2 on;
    server_name ocis.my.domain;
    resolver 127.0.0.11 valid=30s;
    resolver_timeout 30s;

    ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
        resolver 127.0.0.11 valid=30s;
        resolver_timeout 30s;
        set $upstream_ocis http://ocis_nodes:9200;
        proxy_pass $upstream_ocis;
        proxy_set_header Host $http_host;
        proxy_hide_header Content-Security-Policy;
    }
}

Notable here that I had to nuke the CSP headers.

I set up Authelia based on

https://helgeklein.com/blog/authelia-lldap-authentication-sso-user-management-password-reset-for-home-networks/
https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/#let%e2%80%99s-encrypt-certificate-via-caddy
https://www.authelia.com/integration/openid-connect/ocis/

Big mistake on the last one. It suggests that you should generate your own client_id and secret and not use the example ones. It took me quite a while to figure out that I specifically have to use those values.

So my current authelia config as follows:

identity_providers:
  oidc:
    lifespans:
      access_token: 30d
      refresh_token: 30d
    jwks:
      - key: {{ secret "/config/secrets/IDENTITY_PROVIDERS_OIDC_JWKS" | mindent 10 "|" | msquote }}
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        - userinfo
    clients:
      - client_id: ownCloud-web
        client_name: 'ownCloud Infinite Scale'
        public: true
        redirect_uris:
          - 'https://ocis.my.domain/'
          - 'https://ocis.my.domain/oidc-callback.html'
          - 'https://ocis.my.domain/oidc-silent-redirect.html'
      - client_id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
        client_name: ownCloud desktop client
        # Well-known secret as plaintext
        client_secret: 'UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh'
        # Well-known secret hashed
        # client_secret: '$pbkdf2-sha512$310000$.z/6sV7qQSx1.5zPetVVCQ$JIEPOTFTSokJjDNVhlMLq7tYnHd/E17wSHW.GYXQA0QjfTPqTosyRr7qSHxSiPmXympfTbGF6FmnnX9on.uQng'
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - http://127.0.0.1
          - http://localhost
        allow_multiple_auth_methods: true
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
      - client_id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
        client_name: ownCloud Android app
        # Well-known secret as plaintext
        client_secret: 'dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD'
        # Well-known secret hashed
        # client_secret: '$pbkdf2-sha512$310000$Grnc1pW0blLl.2B1aEfEvg$JWW3s83SXkgSvoykJ5yD4i11gfrxBOEEGrKXjbyAh.PmVc14FDwSAzxVn7JFXjvO0B0V2RxFsrUT4RZoBK93ug'
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - oc://android.owncloud.com
        allow_multiple_auth_methods: true
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
      - client_id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
        client_name: ownCloud iOS app
        # Well-known secret as plaintext
        client_secret: 'KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx'
        # Well-known secret hashed
        # client_secret: '$pbkdf2-sha512$310000$O1agtCxk9EGgvVLZBJumVQ$4UmQmefvIe5jQx1iJDN5pFIuu6CG.v.59wK7xCk3KU6pGbtxGrO0OYtQ/m/TPzE1xZnxgO12.ujXN20sCr/LkQ'
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - oc://ios.owncloud.com
          - oc.ios://ios.owncloud.com
        allow_multiple_auth_methods: true
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code

Tried both hashed and non hashed secrets.

With this the web-client works and strangely enough the iOS client.

On windows 11 I got the following client with winget:

Package ID:  ownCloud.ownCloudDesktop
Manifest:  https://github.com/microsoft/winget-pkgs/tree/master/manifests/o/ownCloud/ownCloudDesktop
Version 5.3.1.14018

It redirects me to Authelia in a browser, the auth flow goes through, then I get this error:

On Android with version 4.4.1 from the Play Store I get an ‘unknown error’.
Connecting the phone with adb and running adb logcat --uid=$(adb shell pm list package --user 0 -U com.owncloud.android | sed 's/.*uid://')

I get

01-04 18:56:51.526 20475 26842 D (GetInstancesViaWebFingerOperation.kt:76): D: Successful WebFinger request: WebFingerResponse(subject=acct:myuser@ocis.my.domain/, links=[LinkItem(rel=http://webfinger.owncloud/rel/server-instance, href=https://ocis.my.domain/)])
01-04 18:56:51.528 20475 26842 D (AuthenticationViewModel.kt:159): D: Instances retrieved from authenticated webfinger: Success(data=[https://ocis.my.domain/])
01-04 18:56:51.530 20475 26842 D (ClientManager.kt:80): D: Creating new client for path: https://ocis.mydomain/. Old client path: https://ocis.my.domain, requiresNewClient: false
01-04 18:56:51.531 20475 26842 D (OwnCloudClient.java:91): D: #59Creating OwnCloudClient
01-04 18:56:51.534 20475 26842 D (OwnCloudClient.java:129): D: Executing in request with id 6998ffc7-d50a-402b-a4fd-bb5e44a14039
01-04 18:56:51.564 20475 26842 D TrafficStats: tagSocket(120) with statsTag=0xffffffff, statsUid=-1
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64): E: Could not get actuall (or redirected) base URL from base url (/).
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64): at.bitfire.dav4jvm.exception.DavException: Expected 207 Multi-Status, got 200 OK
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at at.bitfire.dav4jvm.DavResource.assertMultiStatus(DavResource.kt:481)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at at.bitfire.dav4jvm.DavResource.processMultiStatus(DavResource.kt:510)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at at.bitfire.dav4jvm.DavOCResource.propfind(DavOCResource.kt:326)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.lib.common.http.methods.webdav.PropfindMethod.onDavExecute(PropfindMethod.kt:52)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.lib.common.http.methods.webdav.DavMethod.onExecute(DavMethod.kt:62)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.lib.common.http.methods.HttpBaseMethod.execute(HttpBaseMethod.kt:75)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.lib.common.OwnCloudClient.saveExecuteHttpMethod(OwnCloudClient.java:138)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.lib.common.OwnCloudClient.executeHttpMethod(OwnCloudClient.java:107)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.lib.resources.files.GetBaseUrlRemoteOperation.run(GetBaseUrlRemoteOperation.kt:52)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.lib.common.operations.RemoteOperation.runOperation(RemoteOperation.java:264)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:229)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.data.authentication.datasources.implementation.OCRemoteAuthenticationDataSource$login$rawBaseUrl$1.invoke(OCRemoteAuthenticationDataSource.kt:51)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.data.authentication.datasources.implementation.OCRemoteAuthenticationDataSource$login$rawBaseUrl$1.invoke(OCRemoteAuthenticationDataSource.kt:51)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.data.RemoteOperationHandlerKt.executeRemoteOperation(RemoteOperationHandler.kt:80)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.data.authentication.datasources.implementation.OCRemoteAuthenticationDataSource.login(OCRemoteAuthenticationDataSource.kt:51)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.data.authentication.datasources.implementation.OCRemoteAuthenticationDataSource.loginOAuth(OCRemoteAuthenticationDataSource.kt:40)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.data.authentication.repository.OCAuthenticationRepository.loginOAuth(OCAuthenticationRepository.kt:67)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.domain.authentication.usecases.LoginOAuthAsyncUseCase.run(LoginOAuthAsyncUseCase.kt:37)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.domain.authentication.usecases.LoginOAuthAsyncUseCase.run(LoginOAuthAsyncUseCase.kt:27)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.domain.BaseUseCaseWithResult.invoke(BaseUseCaseWithResult.kt:30)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at com.owncloud.android.presentation.authentication.AuthenticationViewModel$loginOAuth$1.invokeSuspend(AuthenticationViewModel.kt:169)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
01-04 18:56:51.648 20475 26842 D (GetBaseUrlRemoteOperation.kt:64):     at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120): E: ---------------------------------
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120): Create RemoteOperationResult from exception.
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):  Message: DavException: Expected 207 Multi-Status, got 200 OK
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):  Stacktrace: at.bitfire.dav4jvm.exception.DavException: Expected 207 Multi-Status, got 200 OK
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at at.bitfire.dav4jvm.DavResource.assertMultiStatus(DavResource.kt:481)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at at.bitfire.dav4jvm.DavResource.processMultiStatus(DavResource.kt:510)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at at.bitfire.dav4jvm.DavOCResource.propfind(DavOCResource.kt:326)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.lib.common.http.methods.webdav.PropfindMethod.onDavExecute(PropfindMethod.kt:52)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.lib.common.http.methods.webdav.DavMethod.onExecute(DavMethod.kt:62)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.lib.common.http.methods.HttpBaseMethod.execute(HttpBaseMethod.kt:75)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.lib.common.OwnCloudClient.saveExecuteHttpMethod(OwnCloudClient.java:138)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.lib.common.OwnCloudClient.executeHttpMethod(OwnCloudClient.java:107)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.lib.resources.files.GetBaseUrlRemoteOperation.run(GetBaseUrlRemoteOperation.kt:52)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.lib.common.operations.RemoteOperation.runOperation(RemoteOperation.java:264)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.lib.common.operations.RemoteOperation.execute(RemoteOperation.java:229)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.data.authentication.datasources.implementation.OCRemoteAuthenticationDataSource$login$rawBaseUrl$1.invoke(OCRemoteAuthenticationDataSource.kt:51)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.data.authentication.datasources.implementation.OCRemoteAuthenticationDataSource$login$rawBaseUrl$1.invoke(OCRemoteAuthenticationDataSource.kt:51)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.data.RemoteOperationHandlerKt.executeRemoteOperation(RemoteOperationHandler.kt:80)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.data.authentication.datasources.implementation.OCRemoteAuthenticationDataSource.login(OCRemoteAuthenticationDataSource.kt:51)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.data.authentication.datasources.implementation.OCRemoteAuthenticationDataSource.loginOAuth(OCRemoteAuthenticationDataSource.kt:40)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.data.authentication.repository.OCAuthenticationRepository.loginOAuth(OCAuthenticationRepository.kt:67)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.domain.authentication.usecases.LoginOAuthAsyncUseCase.run(LoginOAuthAsyncUseCase.kt:37)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.domain.authentication.usecases.LoginOAuthAsyncUseCase.run(LoginOAuthAsyncUseCase.kt:27)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.domain.BaseUseCaseWithResult.invoke(BaseUseCaseWithResult.kt:30)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at com.owncloud.android.presentation.authentication.AuthenticationViewModel$loginOAuth$1.invokeSuspend(AuthenticationViewModel.kt:169)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at kotlinx.coroutines.internal.LimitedDispatcher.run(LimitedDispatcher.kt:42)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at kotlinx.coroutines.scheduling.TaskImpl.run(Tasks.kt:95)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at kotlinx.coroutines.scheduling.CoroutineScheduler.runSafely(CoroutineScheduler.kt:570)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.executeTask(CoroutineScheduler.kt:750)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.runWorker(CoroutineScheduler.kt:677)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):      at kotlinx.coroutines.scheduling.CoroutineScheduler$Worker.run(CoroutineScheduler.kt:664)
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120):
01-04 18:56:51.650 20475 26842 D (RemoteOperationResult.java:120): ---------------------------------

What am I still missing? How come some of the clients work and some do not?

I mean I like complicated things, but holy shit, getting this far took me weeks.

I have a working setup with OCIS + Authelia for all 3 clients (web, desktop, android), but using still version 5.0.9

With the version 7, the web client does not redirect to authelia login screen somehow. The android and desktop work though.

I’m using caddy.

Would you mind sharing your solution? Maybe I can learn something that I missed

@flashily7804 Could you help me understand why it is working with 5.0.9 but not with 7.0? Do you have an error message or something that tells us why it isn’t working?

I have been using ocis+authelia+caddy for 2 years, all 3 apps working (web, desktop, android), by following the well known guide here:

There is nothing different in my configs, all I did was follow the instructions there.

I don’t know what changed in v7; when I have time, maybe I will re-test again and capture all logs. As my server is in production, I cannot test these days. Will keep you posted.

  owncloud:
    container_name: owncloud
    hostname: owncloud
    image: owncloud/ocis:5.0.9
    profiles:
      - private
    networks:
      - ownmedia
    entrypoint:
      - /bin/sh
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      OCIS_URL: ${OCIS_URL}
      OCIS_EXCLUDE_RUN_SERVICES: "idp"
      OCIS_ADD_RUN_SERVICES: "notifications"
      OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: "banned-password-list.txt"
      OCIS_LOG_LEVEL: warn
      OCIS_LOG_COLOR: true
      OCIS_LOG_PRETTY: true
      OCIS_INSECURE: "false"
      DEMO_USERS: "false"
      PROXY_TLS: "false"
      OCIS_LOG_TIMEZONE: ${TZ}
      OCIS_SERVICE_ACCOUNT_ID: ${OCIS_SERVICE_ACCOUNT_ID}
      OCIS_SERVICE_ACCOUNT_SECRET: ${OCIS_SERVICE_ACCOUNT_SECRET}
      OCIS_OIDC_ISSUER: ${OCIS_OIDC_ISSUER}
      WEB_OIDC_CLIENT_ID: ${OCIS_WEB_OIDC_CLIENT_ID}

      PROXY_OIDC_REWRITE_WELLKNOWN: true
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none
      PROXY_AUTOPROVISION_ACCOUNTS: true
      PROXY_HTTP_ADDR: ${OCIS_PROXY_HTTP_ADDR}
      PROXY_ENABLE_BASIC_AUTH: "false"
      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_USER_CS3_CLAIM: "username"
      # email server 
      NOTIFICATIONS_SMTP_HOST: ${NOTIFICATIONS_SMTP_HOST}
      NOTIFICATIONS_SMTP_PORT: ${NOTIFICATIONS_SMTP_PORT} 
      NOTIFICATIONS_SMTP_SENDER: ${NOTIFICATIONS_SMTP_SENDER} 
      NOTIFICATIONS_SMTP_USERNAME: ${NOTIFICATIONS_SMTP_USERNAME}
      NOTIFICATIONS_SMTP_PASSWORD: ${NOTIFICATIONS_SMTP_PASSWORD}
      NOTIFICATIONS_SMTP_INSECURE: "false"
      NOTIFICATIONS_SMTP_AUTHENTICATION: login
      NOTIFICATIONS_SMTP_ENCRYPTION: starttls
      NOTIFICATIONS_EMAIL_TEMPLATE_PATH: ${NOTIFICATIONS_EMAIL_TEMPLATE_PATH}
    expose:
      - 9200
    volumes:
      - ${CONFIGDIR}/ownCloud/config:/etc/ocis
      - ${CLOUDDIR}/owncloud:/var/lib/ocis
    restart: unless-stopped

(headers_auth) {
        header {
                Strict-Transport-Security max-age=31536000;
                -Server
        }
}

(cloudflare-tls) {
        tls {$EMAIL} {
                dns cloudflare {$CLOUDFLARE_API_TOKEN}
        }
}

(main) {
        crowdsec

        respond /robots.txt 200 {
                body "User-agent: *
    Disallow: /
    
    User-agent: AdsBot-Google
    Disallow: /

    User-agent: AdsBot-Google-Mobile
    Disallow: /"

                close
        }

        encode zstd gzip

        log {
                output file {$LOG_FILE} {
                        roll_size 24b
                        roll_keep 10
                        roll_keep_for 720h
                }
                format json {
                        time_format wall
                        time_local
                }
                level INFO
        }
}

(restricted-access) {
        forward_auth authelia:9091 {
                uri /api/authz/forward-auth
                copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
        }
}
auth.{$DOMAIN} {
        # This is necessary until Authelia learns prompt handling. It's planned for beta 7 (https://www.authelia.com/roadmap/active/openid-connect/#beta-7)
        uri /api/oidc/authorization replace &prompt=select_account%20consent ""
        reverse_proxy authelia:9091
        import headers_auth
        import cloudflare-tls
        import main
}

identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/config/jwks/rsa.2048.pem" | mindent 10 "|" | msquote }}
    lifespans:
      access_token: 1h
      authorize_code: 1m
      id_token: 1h
      refresh_token: 90m
      custom:
        owncloud:
          access_token: 2d
          authorize_code: 1m
          id_token: 1h
          refresh_token: 3d
          grants:
            authorize_code:
              access_token: 2d
              authorize_code: 1m
              id_token: 1h
              refresh_token: 3d
            implicit:
              access_token: 2d
              authorize_code: 1m
              id_token: 1h
              refresh_token: 3d
            client_credentials:
              access_token: 2d
              authorize_code: 1m
              id_token: 1h
              refresh_token: 3d
            refresh_token:
              access_token: 2d
              authorize_code: 1m
              id_token: 1h
              refresh_token: 3d
            jwt_bearer:
              access_token: 2d
              authorize_code: 1m
              id_token: 1h
              refresh_token: 3d
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
    cors:
      endpoints:
        - authorization
        #- pushed-authorization-request
        - token
        - revocation
        - introspection
        - userinfo
      allowed_origins: "*"
      allowed_origins_from_client_redirect_uris: false
    clients:
      - client_id: ownCloud-web
        client_name: ownCloud web client
        public: true
        authorization_policy: two_factor
        redirect_uris:
          - https://cloud.mydomain.net/
          - https://cloud.mydomain.net/oidc-callback.html
          - https://cloud.mydomain.net/oidc-silent-redirect.html
        lifespan: owncloud
        consent_mode: implicit
      - client_id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
        client_name: owncloud desktop client
        public: false
        client_secret: '$pbkdf2-sha512$_mysecret'
        authorization_policy: two_factor
        redirect_uris:
          - http://127.0.0.1
          - http://localhost
        scopes:
          - openid
          - groups
          - email
          - profile
          - offline_access
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        token_endpoint_auth_method: client_secret_basic
        allow_multiple_auth_methods: true
        lifespan: owncloud
        consent_mode: implicit
      - client_id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
        client_name: owncloud android app
        public: false
        client_secret: '$pbkdf2-sha512$_mysecret'
        authorization_policy: two_factor
        scopes:
          - openid
          - groups
          - email
          - profile
          - offline_access
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        redirect_uris:
          - oc://android.owncloud.com
        token_endpoint_auth_method: client_secret_basic
        allow_multiple_auth_methods: true
        lifespan: owncloud
        consent_mode: implicit