Support different OIDC issuer for desktop

[xgroleau]

Problem

Both web and desktop clients share one issuer (OC_OIDC_ISSUER) but have different client id and redirect URI.
So the desktop app (which has its own client ID and redirect URI) fails authentication as it uses

Steps to Reproduce

1. In Authentik, create two apps:
   • web (ID: web, issuer https://auth.domain.com/application/o/opencloud/, redirect regex: ^https:\/\/opencloud\.domain\.com\/.*$)
   • desktop (ID: OpenCloudDesktop, issuer https://auth.domain.com/application/o/opencloud-desktop/, redirect regex: ^http:\/\/(127\.0\.0\.1|localhost).*$)
2. Set OC_OIDC_ISSUER to the web URL and OC_OIDC_CLIENT_ID=web.
3. Set OC_OIDC_ISSUER=https://auth.domain.com/application/o/opencloud/.
4. Launch the desktop app → it still uses the web issuer and client ID, and auth fails.
   • uses https://auth.domain.com/application/o/opencloud/ instead of https://auth.domain.com/application/o/opencloud-desktop/ (expected since there is no way to configure that)

Expected

Add support for per-client overrides (e.g. DESKTOP_OIDC_ISSUER and DESKTOP_OIDC_CLIENT_ID) on the serveer so each app can point to its own OIDC endpoint if possible.

Or allow to specify the issuer directly in the desktop app instead of using the default web one.

Environment

Authentik for OIDC, Caddy reverse proxy, OpenCloud (2.0.2), OpenCloud desktop 1.0.0

Workaroud

As for now, we can simply use WEB_OIDC_CLIENT_ID=OpenCloudDesktop and use only one issuer and support both web and desktop redirect URI. This allows both the web client and desktop client uses the same issuer.

This might be more relevant to the opencloud repo instead of desktop depending on the path to solve the issue

[micbar]

Maybe I am getting it wrong, but for me the issuer is auth.domain.com

From my understanding, the issuer is the server who holds the identity of a user.

In OIDC, a user should always be identifiable with subject@issuer .

Why should the issuer change from one application / client to another?

@butonic @rhafer

[rhafer]

Why should the issuer change from one application / client to another?

That seems to be some specialty of Authentik: goauthentik/authentik#7251
I don't think there is any good solution to this yes.

[mrblumi]

It‘s not only Authentik specific- same goes for Kanidm.

[K900]

In addition to this, the desktop app should really pull the client ID to use from the server as well, as according to the RFC, the client ID is issued by the authorization server and doesn't have a specified format: https://www.rfc-editor.org/rfc/rfc6749#section-2.2

Meaning a compliant server may not allow setting the client ID to a known string at all, or not allow OpenCloudDesktop as a valid ID.

[micbar]

In addition to this, the desktop app should really pull the client ID to use from the server as well, as according to the RFC, the client ID is issued by the authorization server and doesn't have a specified format: https://www.rfc-editor.org/rfc/rfc6749#section-2.2

Meaning a compliant server may not allow setting the client ID to a known string at all, or not allow OpenCloudDesktop as a valid ID.

Yes. This is called „dynamic client registration“ and works fine with our clients and providers which allow client registration. (Keycloak for example)

But most of the admins do not want client registration at all. They create specific clients with id and secret to only allow managed devices.

[maxkratz]

Workaroud

As for now, we can simply use WEB_OIDC_CLIENT_ID=OpenCloudDesktop and use only one issuer and support both web and desktop redirect URI. This allows both the web client and desktop client uses the same issuer.

This might be more relevant to the opencloud repo instead of desktop depending on the path to solve the issue

Thank you for providing this workaround, @xgroleau.

Interestingly, the iOS app works correctly with the default setup described in https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/.

[PinkidG]

Workaroud

As for now, we can simply use WEB_OIDC_CLIENT_ID=OpenCloudDesktop and use only one issuer and support both web and desktop redirect URI. This allows both the web client and desktop client uses the same issuer.
This might be more relevant to the opencloud repo instead of desktop depending on the path to solve the issue

Thank you for providing this workaround, @xgroleau.

Interestingly, the iOS app works correctly with the default setup described in https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/external-idp/.

Interesting, for me it didn't because of a client id missmatch.

See opencloud-eu/ios#4

[kaivol]

Workaroud

As for now, we can simply use WEB_OIDC_CLIENT_ID=OpenCloudDesktop and use only one issuer and support both web and desktop redirect URI. This allows both the web client and desktop client uses the same issuer.

This might be more relevant to the opencloud repo instead of desktop depending on the path to solve the issue

This workaround sadly does not work with kanidm, as client IDs are always lowercased in kanidm.

---

Also, I was wondering why different OIDC clients are used for the web app and the native applications at all.
If I didn't miss anything, they only differ in the redirect URIs, and it is no problem to specify multiple redirect URIs for an OIDC client.

Using only a single OIDC client would help to reduce the complexity of setting up OIDC in the identity provider.

[C8opmBM]

Yes, that would be amazing to combine them as one.
I'm using Pocket ID oidc and unfortunately the clientID is automatically generated so cannot be changed.
So at the moment, I can only use one version (either web or desktop or android).

If there are any other solutions, do share.
Thanks.

LE: it seems there is a workaround to edit the client id and secret in pocketID, but somehow the other clients (desktop/android) still don't work.

[mosslocker]

I am using Zitadel as my OIDC provider, and unfortunately they don't allow you to change your client ID, so I'm stuck using only the web UI. It would be great if we could allow an optional feature, where somehow the desktop & mobile apps retrieve unique per-app client ID's from your Opencloud server configuration.

[C8opmBM]

Update, for anyone using pocketID, desktop client also works. See here

[micbar]

@tbsbdr @db-ot

[gcebollero]

I'm unable to make it work even with the workaround. My OIDC is Authentik, the same configuration that xgroleau, but OpenCloud Desktop shows "Invalid credentials" and this error appears on OpenCloud Server logs:

ERR failed to authenticate the request error="failed to verify access token: token has invalid claims: token has invalid issuer" authenticator=oidc client.address=192.168.1.1 line=github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198 network.peer.address= network.peer.port= path=/ocs/v2.php/cloud/user service=proxy user_agent="Mozilla/5.0 (Linux) mirall/2.0.0 (OpenCloud, arch-6.15.2-arch1-1 ClientArchitecture: x86_64 OsArchitecture: x86_64)"

[micbar]

Invalid issuer means your token does not match the issuer configured in the env variables for opencloud.