Owncloud Azure AD integration working partially

rohanchaini · December 14, 2023, 9:05am

Expected behaviour

Tell us what should happen
Login should work via azure AD integration

Actual behaviour

Tell us what happens instead
Authentication side is working but during authorization we get error.

Error in openidconnect: unable to verify jwt claims

Server configuration

Operating system:
Red Hat Enterprise Linux release 8.7 (Ootpa)
Web server:
Server version: Apache/2.4.37 (Red Hat Enterprise Linux)
Server built: Mar 28 2023 09:01:53

Database:
mysql
PHP version:
PHP 7.4.30 (cli) (built: Jun 7 2022 08:38:19) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
with Zend OPcache v7.4.30, Copyright (c), by Zend Technologies

ownCloud version: (see ownCloud admin page)
[ownCloud ]10.11.0 (stable)
Updated from an older ownCloud or fresh install:
fresh
Where did you install ownCloud from:
owncloud website

No errors have been found.

or

If you have access to your command line run e.g.:
sudo -u www-data php occ config:list system
from within your ownCloud installation folder

ATTENTION: Do not post your config.php file in public as is. Please use one of the above
methods whenever possible. Both, the generated reports from the web-ui and from occ config:list
consistently remove sensitive data. You still may want to review the report before sending.
If done manually then it is critical for your own privacy to dilligently
remove all host names, passwords, usernames, salts and other credentials before posting.
You should assume that attackers find such information and will use them against your systems.


**List of activated apps:**

{“reqId”:“ZXmciO1F@BujIY9cQVgG3gAAAMI”,“level”:3,“time”:“2023-12-13T11:59:04+00:00”,“remoteAddr”:“164.37.18.34”,“user”:“–”,“app”:“OpenID”,“method”:“GET”,“url”:“/index.php/apps/openidconnect/redirect?code=0.AXMAeGgcFhntfEm8JXh4ckYesxUeuVMLxyhEv3iA9Hl7t_MQAQA.AgABAAIAAAAmoFfGtYxvRrNriQdPKIZ-AgDs_wUA9P8U6Lui7Y7GKUXt55OQqyWlgES9h6twKZGsmhaMSLNyC2nzen085jr_xVr1elobWQJ1e5CRGer0pBpDN_TNAopUkGIfGmFZWeFtwNhQ0QZ6CaF0g5CPMIfspUkWrJ65UYZT8RWJwyXV-2CK5y0Yzh1nG6veiT68YNPQCIiRUn28ojLsmqev1xsRN5nxhx29mRIl8Bke_A_ssrY0iGv5BhE5YwWelMsW4HTJx1G6Dxh6xolwDc58JI1-zNEPjF3OyA58btJ0NxfjyqN3fCtvLzId6L9sLFFcCAdfuDHrlJK9wCosTfoWsKPxwFprWuqKPiG7zfpFGE7pu6L8z_RjsfjeBAxYnMwDXyHNLRWJFtbPnHhXONrtsWEEsgjS407ljo6lNGwykkPdquRshznL7bTRQoAiQM8Iv2LofQk5-BXOdbLv8xzf0cNWw0S5-6Vq3WqyA52ASOob7ljCyP5gv79ILXTufV9Mzqm4auWFwLAvi8OSesBsltd1e8ABNRoqtZNdVOuMPuxow-37hkceARglq3kvBZdcV8-RiDL1oSezVNOUT3psZadGB-eOCmSL4nWUAtRPau7VA6Dg6wKt8OjP37oY61XW5fTNxA6FtY_w40J2SFGjk2eNwxmYNRkwcg3gqr8gj6jSEYw2GHl7GH-nv1M1E3MIvS0FSA7id0wxLBMxCF2nCpYp8O4cXdA2n3RMxOsKDgKjauCYQhy8pMdcAORdGnKJ5zfYXmrmRme2tBJMtN65iSyTJGZFE8YWvFHhC9kmoH4SdIlX1QT86gH8KatLxe0cJY55n217CYmf_6u93WnfEUIm_-n3ITHkyMr_zsb9RaWPn1X8HVU&state=9d49544e4670eecad7f892b3e210fe4c&session_state=af77da0d-1a26-4850-8a65-d00794fcea73”,“message”:“Exception: {"Exception":"Jumbojett\\OpenIDConnectClientException","Message":"Unable to verify JWT claims","Code":0,"Trace":"#0 \/var\/www\/owncloud\/apps-external\/openidconnect\/lib\/Client.php(399): Jumbojett\\OpenIDConnectClient->authenticate()\n#1 \/var\/www\/owncloud\/apps-external\/openidconnect\/lib\/Controller\/LoginFlowController.php(134): OCA\\OpenIdConnect\\Client->authenticate()\n#2 \/var\/www\/owncloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(170): OCA\\OpenIdConnect\\Controller\\LoginFlowController->login(*** sensitive parameters replaced ***)\n#3 \/var\/www\/owncloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(89): OC\\AppFramework\\Http\\Dispatcher->executeController()\n#4 \/var\/www\/owncloud\/lib\/private\/AppFramework\/App.php(100): OC\\AppFramework\\Http\\Dispatcher->dispatch()\n#5 \/var\/www\/owncloud\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php(47): OC\\AppFramework\\App::main()\n#6 \/var\/www\/owncloud\/lib\/private\/Route\/Router.php(344): OC\\AppFramework\\Routing\\RouteActionHandler->__invoke()\n#7 \/var\/www\/owncloud\/lib\/base.php(914): OC\\Route\\Router->match()\n#8 \/var\/www\/owncloud\/index.php(54): OC::handleRequest()\n#9 {main}","File":"\/var\/www\/owncloud\/apps-external\/openidconnect\/vendor\/jumbojett\/openid-connect-php\/src\/OpenIDConnectClient.php","Line":388}”}

tom42 · December 14, 2023, 4:26pm

Hey,

i’m not sure but i think this version here:

is quite outdated (it was released on 2022-08-23, means nearly 1 1/2 years ago) and maybe this problem has been already solved (e.g. by updating a relevant library to a more recent one) in the most recent version 10.13.3 or in some of the many releases in between?

tom42 · December 14, 2023, 4:31pm

I also have found the following about this message which is talking to not use a trailing / in some URLs, maybe this helps as well:

github.com/jumbojett/OpenID-Connect-PHP

Unable to verify JWT claims

opened 01:55AM - 09 Feb 16 UTC

cacheuk

I'm using a simple test of: ``` $oidc = new OpenIDConnectClient('https://accoun…ts.google.com/', 'XXX', 'YYY'); $oidc->addScope(array("openid", "email", "profile")); $oidc->authenticate(); ``` but keep getting: ``` PHP message: PHP Fatal error: Uncaught exception 'OpenIDConnectClientException' with message 'Unable to verify JWT claims' in OpenID-Connect-PHP/OpenIDConnectClient.php:228 Stack trace: #0 OpenID-Connect-PHP/client_example.php(33): OpenIDConnectClient->authenticate() #1 {main} thrown in OpenID-Connect-PHP/OpenIDConnectClient.php on line 228 ``` any ideas?

rohanchaini · December 15, 2023, 9:58am

seems like the " / " is not present still not working

‘openid-connect’ => [
‘auto-provision’ => [‘enabled’ => false],
‘provider-url’ => ‘/v2.0’,
‘client-id’ => '’,
‘client-secret’ => ‘****’,
‘loginButtonName’ => ‘Azure AD’,
‘autoRedirectOnLoginPage’ => false,
‘scopes’ => [
‘openid’,
‘api://*****/owncloud’,
‘profile’, ‘email’, ‘offline_access’,
],
‘mode’ => ‘email’,
‘search-attribute’ => ‘unique_name’,
‘use-access-token-payload-for-user-info’ => true,

system · March 14, 2024, 9:59am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.