Owncloud Azure AD integration working partially

Expected behaviour

Login should work via Azure AD integration.

Actual behaviour

Authentication side is working, but during authorization we get an error.

Error in openidconnect: unable to verify jwt claims

Server configuration

Operating system:
Red Hat Enterprise Linux release 8.7 (Ootpa)
Web server:
Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Server built: Mar 28 2023 09:01:53

Database:
mysql
PHP version:
PHP 7.4.30 (cli) (built: Jun 7 2022 08:38:19) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.30, Copyright (c), by Zend Technologies

ownCloud version: (see ownCloud admin page)
ownCloud 10.11.0 (stable)
Updated from an older ownCloud or fresh install:
fresh
Where did you install ownCloud from:
owncloud website

No errors have been found.



**Log entry:**

```
{"reqId":"ZXmciO1F@BujIY9cQVgG3gAAAMI","level":3,"time":"2023-12-13T11:59:04+00:00","remoteAddr":"164.37.18.34","user":"--","app":"OpenID","method":"GET","url":"/index.php/apps/openidconnect/redirect?code=0.AXMAeGgcFhntfEm8JXh4ckYesxUeuVMLxyhEv3iA9Hl7t_MQAQA.AgABAAIAAAAmoFfGtYxvRrNriQdPKIZ-AgDs_wUA9P8U6Lui7Y7GKUXt55OQqyWlgES9h6twKZGsmhaMSLNyC2nzen085jr_xVr1elobWQJ1e5CRGer0pBpDN_TNAopUkGIfGmFZWeFtwNhQ0QZ6CaF0g5CPMIfspUkWrJ65UYZT8RWJwyXV-2CK5y0Yzh1nG6veiT68YNPQCIiRUn28ojLsmqev1xsRN5nxhx29mRIl8Bke_A_ssrY0iGv5BhE5YwWelMsW4HTJx1G6Dxh6xolwDc58JI1-zNEPjF3OyA58btJ0NxfjyqN3fCtvLzId6L9sLFFcCAdfuDHrlJK9wCosTfoWsKPxwFprWuqKPiG7zfpFGE7pu6L8z_RjsfjeBAxYnMwDXyHNLRWJFtbPnHhXONrtsWEEsgjS407ljo6lNGwykkPdquRshznL7bTRQoAiQM8Iv2LofQk5-BXOdbLv8xzf0cNWw0S5-6Vq3WqyA52ASOob7ljCyP5gv79ILXTufV9Mzqm4auWFwLAvi8OSesBsltd1e8ABNRoqtZNdVOuMPuxow-37hkceARglq3kvBZdcV8-RiDL1oSezVNOUT3psZadGB-eOCmSL4nWUAtRPau7VA6Dg6wKt8OjP37oY61XW5fTNxA6FtY_w40J2SFGjk2eNwxmYNRkwcg3gqr8gj6jSEYw2GHl7GH-nv1M1E3MIvS0FSA7id0wxLBMxCF2nCpYp8O4cXdA2n3RMxOsKDgKjauCYQhy8pMdcAORdGnKJ5zfYXmrmRme2tBJMtN65iSyTJGZFE8YWvFHhC9kmoH4SdIlX1QT86gH8KatLxe0cJY55n217CYmf_6u93WnfEUIm_-n3ITHkyMr_zsb9RaWPn1X8HVU&state=9d49544e4670eecad7f892b3e210fe4c&session_state=af77da0d-1a26-4850-8a65-d00794fcea73","message":"Exception: {"Exception":"Jumbojett\\OpenIDConnectClientException","Message":"Unable to verify JWT claims","Code":0,"Trace":"#0 \/var\/www\/owncloud\/apps-external\/openidconnect\/lib\/Client.php(399): Jumbojett\\OpenIDConnectClient->authenticate()\n#1 \/var\/www\/owncloud\/apps-external\/openidconnect\/lib\/Controller\/LoginFlowController.php(134): OCA\\OpenIdConnect\\Client->authenticate()\n#2 \/var\/www\/owncloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(170): OCA\\OpenIdConnect\\Controller\\LoginFlowController->login(*** sensitive parameters replaced ***)\n#3 \/var\/www\/owncloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(89): OC\\AppFramework\\Http\\Dispatcher->executeController()\n#4 \/var\/www\/owncloud\/lib\/private\/AppFramework\/App.php(100): OC\\AppFramework\\Http\\Dispatcher->dispatch()\n#5 \/var\/www\/owncloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php(47): OC\\AppFramework\\App::main()\n#6 \/var\/www\/owncloud\/lib\/private\/Route\/Router.php(344): OC\\AppFramework\\Routing\\RouteActionHandler->__invoke()\n#7 \/var\/www\/owncloud\/lib\/base.php(914): OC\\Route\\Router->match()\n#8 \/var\/www\/owncloud\/index.php(54): OC::handleRequest()\n#9 {main}","File":"\/var\/www\/owncloud\/apps-external\/openidconnect\/vendor\/jumbojett\/openid-connect-php\/src\/OpenIDConnectClient.php","Line":388}"}
```

Hey,

I'm not sure, but I think this version here:

is quite outdated (it was released on 2022-08-23, meaning nearly 1 1/2 years ago), and maybe this problem has already been solved (e.g. by updating a relevant library to a more recent one) in the most recent version 10.13.3 or in some of the many releases in between?

I have also found the following about this message, which talks about not using a trailing / in some URLs; maybe this helps as well:

Seems like the "/" is not present; still not working.

```php
'openid-connect' => [
    'auto-provision' => ['enabled' => false],
    'provider-url' => '/v2.0',
    'client-id' => '',
    'client-secret' => '****',
    'loginButtonName' => 'Azure AD',
    'autoRedirectOnLoginPage' => false,
    'scopes' => [
        'openid',
        'api://*****/owncloud',
        'profile', 'email', 'offline_access',
    ],
    'mode' => 'email',
    'search-attribute' => 'unique_name',
    'use-access-token-payload-for-user-info' => true,
```