oCIS web OIDC secret?

I’d like to test oCIS with our OIDC IDP but it seems I can’t set the OIDC secret. I can set WEB_OIDC_CLIENT_ID as required by our IDP but a setting like WEB_OIDC_CLIENT_SECRET does not seem to exist. Our IDP does not allow clients with empty or no client secret. Am I out of luck here? Will an optional client secret be supported for OIDC (as is done for OAUTH I believe)?

Alternatively, can I do without external OIDC altogether and just use our LDAP server, after the current problems (see topic “Infinite Scale 2.0.0 problems with external LDAP”; I can’t post links) are fixed? In other words, is there any real benefit to using an external OIDC IDP in addition to an external LDAP server?


Did you ever figure this out? In the same boat.


Same here. Is it not possible to use an OIDC client secret for the web client?

Yes, currently we only support public clients for web. Those don’t require a secret. Does your IDP not support the creation of public clients? Which one are you using?


I am using a local Keycloak installation in my bare metal K8s cluster that requires a secret. Is that not supported?

… reopening this 4 months later: I am also configuring OCIS for an external keycloak instance, following the example at

There is also a (closed) issue about the client secret at OIDC Client Secret · Issue #2445 · owncloud/ocis · GitHub

What’s the situation with OCIS 4.x? Do we have a config to set the secret for OCIS?

That situation hasn’t changed. But the above ticket gives a good reason why we’re using a public client: a client secret for the web frontend is probably not a good idea (or at least doesn’t have any security benefit).

Would you mind sharing why you need to use a confidential client? AFAIK the web app itself has some support for using a client secret. Currently we are not exposing that setting in ocis, because it doesn’t provide any additional security. So before adding support for that we’d like to understand the reasons.

As far as I understand, the reason to omit the “client secret” is the fact that it is not really “secret” as long as the software’s code for client and server is open source. Is that assumption correct?

On the other hand, configuring an application with a client ID and a client secret is the standard process for both OC classic and for any other application I know, if you want to use an external OIDC IDP. As long as there are no hard functional reasons, it should help migration from OC 10 to OCIS if users/admins can follow a similar approach when they configure the new application for OIDC.

Actually, AFAIK it’s recommended to use public clients for applications that have no secure way to keep the secret secret, which is the case for Single Page Web applications like the ocis Web UI.
For applications which require a secret to be set you should for sure be using a different client configuration and, even if it were possible, not share the same client with the WebUI.

That being said, as there seems to be public demand, we might reconsider and expose a setting for the client secret. Would you mind opening a feature request for that on github?