OpenID and Desktop Client - post-auth going to owncloud instead of idp server

I’m unable to get the ownCloud desktop client to authenticate against OpenID - been banging my head against this issue for a couple of days, now. I’ve tried all of the .htaccess and vhost edits for RewriteEngine and AllowOverride All and have the desktop Client ID set up with the proper secret key in the IdP. I put the ownCloud server URL into the desktop client, it opens a web browser, I put in OpenID credentials, the browser goes on to the ownCloud web interface, the desktop client just sits saying “Please switch to your browser to proceed.”

Looking at the desktop client log files, it’s trying to get https://owncloud.xxxx.com/.well-known/openid-configuration instead of going to https://idp.xxxx.com/realms/master/.well-known/openid-configuration. The https://owncloud.xxxx.com/.well-known/openid-configuration URL results in a “page not found” message and a spew of PHP back to the desktop client, so that’s a dead-end for authentication.

I confirmed that localhost is getting passed for authorization:
0-26 13:30:26:052 [ debug sync.credentials.oauth ] [ isUrlValid ]: Checking URL for validity: QUrl(“https://owncloud.xxxx.com/index.php/apps/oauth2/authorize?response_type=code&client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69&redirect_uri=http://localhost:58876&code_challenge=UyqdGmKTXE97kJfPxHysLt1e4dbyHUzjIaeBBcGkJ8I&code_challenge_method=S256&scope=openid offline_access email profile&prompt=select_account consent&state=Xt2tnQ6hvkUvdp-Yu2MDX5jNvdSqU-7IPm4UHs8IsQ8%3D”)

Is there a configuration setting somewhere that’s incorrect on ownCloud or is this an IdP issue?

The ownCloud 10 OIDC app needs to mirror the IdP’s /.well-known/openid-configuration. Please check the docs:
OpenID Connect (OIDC) :: ownCloud Documentation

In your case, the desktop client doesn’t find the /.well-known/openid-configuration, so it falls back to the built-in OAuth 2.0 (/index.php/apps/oauth2/authorize).

Thanks - we missed that bit of the setup. The desktop client no longer receives a 404 not found for https://owncloud.xxxx.com/.well-known/openid-configuration, but we’re still stuck in the same place. Found the following in the desktop client logs… might be evidence of some other config issue?

10-26 15:23:36:268 [ debug sync.credentials.oauth ] [ OCC::OAuth::fetchWellKnown::::()::::operator() ]: .well-known did not return json, the server most probably does not support oidc

Here’s a full desktop client log for an attempt to connect if it’s of use: 20221026_1546_owncloud.log.0 - Google Drive

Just make sure the /.well-known/openid-configuration can be accessed. You can just open with browser or with curl. If it works with browser or with curl, it should work for the desktop client too.

% curl https://ocis.ocis-traefik.released.owncloud.works/.well-known/openid-configuration     
{
  "issuer": "https://ocis.ocis-traefik.released.owncloud.works",
  "authorization_endpoint": "https://ocis.ocis-traefik.released.owncloud.works/signin/v1/identifier/_/authorize",
  "token_endpoint": "https://ocis.ocis-traefik.released.owncloud.works/konnect/v1/token",
  "userinfo_endpoint": "https://ocis.ocis-traefik.released.owncloud.works/konnect/v1/userinfo",
  "end_session_endpoint": "https://ocis.ocis-traefik.released.owncloud.works/signin/v1/identifier/_/endsession",
  "check_session_iframe": "https://ocis.ocis-traefik.released.owncloud.works/konnect/v1/session/check-session.html",
  "jwks_uri": "https://ocis.ocis-traefik.released.owncloud.works/konnect/v1/jwks.json",
  "scopes_supported": [
    "openid",
    "offline_access",
    "LibreGraph.RawSub",
    "profile",
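A local check that mirrors the decision described above (200 with JSON and the core endpoints means OIDC; a 404, an HTML error page or PHP output means the client falls back to the built-in OAuth 2.0 app). This is an added example, not code from the thread or from the ownCloud client; the hostnames and sample responses are constructed, and `fetch_and_classify` is a hypothetical helper for a live server.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Fields a client needs before it can run an OIDC code flow against the server.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def classify_discovery(discovery_url, status, body):
    """Decide, like the desktop client in the thread, whether the
    /.well-known/openid-configuration response is usable OIDC metadata or
    whether a client would fall back to the built-in OAuth2 app."""
    if status != 200:
        return {"mode": "oauth2-fallback", "reason": f"HTTP {status}"}
    try:
        doc = json.loads(body)
    except ValueError:
        # A 200 carrying an HTML error page or PHP notices lands here.
        return {"mode": "oauth2-fallback", "reason": ".well-known did not return json"}
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        return {"mode": "oauth2-fallback", "reason": "missing " + ", ".join(missing)}
    # A mirrored document carries the IdP's issuer, not the ownCloud host; report
    # the mismatch so it is visible (clients enforcing the Discovery issuer rule reject it).
    same_host = urlparse(discovery_url).hostname == urlparse(doc["issuer"]).hostname
    return {"mode": "oidc", "reason": "ok", "issuer": doc["issuer"],
            "issuer_host_matches": same_host,
            "authorization_endpoint": doc["authorization_endpoint"]}

def fetch_and_classify(server_url):
    """Live variant for a real server (needs network); hypothetical helper."""
    url = server_url.rstrip("/") + "/.well-known/openid-configuration"
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=10) as resp:
            return classify_discovery(url, resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:
        return classify_discovery(url, err.code, err.read().decode("utf-8", "replace"))

# Constructed sample responses; hostnames are placeholders, not the thread's.
DISCOVERY_URL = "https://owncloud.example.com/.well-known/openid-configuration"
NOT_FOUND_HTML = "<html><body>Page not found</body></html>"
MIRRORED_JSON = json.dumps({
    "issuer": "https://idp.example.com/realms/master",
    "authorization_endpoint": "https://idp.example.com/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.com/realms/master/protocol/openid-connect/certs",
})
```

Run `fetch_and_classify("https://owncloud.xxxx.com")` against your own server; a `reason` of `.well-known did not return json` matches the log line quoted above.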

After a bit more poking around, we managed to get it to work! Might have just been that apache restart wasn’t done fully before testing again.

When we try and connect to https://owncloud.xxxx.com in the desktop app, we get an untrusted certificate warning. It’s the same *.xxxx.com certificate we’re using for everything on our domain and there’s never been an issue with it for web, SSH, etc. Is there a way to make the client okay with this cert without everyone having to manually trust it?

An online SSL test should show you what’s wrong. Probably a certificate chain issue.

Online SSL tests all come back fine for the cert. Only the Desktop app has issues with the CA.