YDKK
January 5, 2025, 3:04pm
What is the name of the domain?
example.com
What is the issue you’re encountering
Generic OIDC application cannot be used with SPAs (without client_secret)
What are the steps to reproduce the issue?
ownCloud oCIS (the new ownCloud server written in Golang) uses an SPA (Single Page Application) for its frontend. Therefore, it uses the Authorization Code Flow with PKCE without a client_secret in its OIDC authentication protocol.
When I try to set up oCIS as a Generic OIDC application in Cloudflare Access, I encounter two issues:
Because there is no client_secret, the client fails to authenticate with the OIDC token endpoint and receives an invalid_client error.
Because the OIDC token endpoint does not specify CORS headers, the browser fails to fetch the token.
Is there any plan for Cloudflare Access’s OIDC to support these SPAs that do not use a Client Secret?
Example docker compose configuration for oCIS to reproduce:
```yaml
services:
  ocis:
    ports:
      - 8080:9200
    image: owncloud/ocis:7.0.0
    entrypoint:
      - /bin/sh
    command: ["-c", "ocis init || true; ocis server"]
    environment:
      # IDP specific configuration
      PROXY_AUTOPROVISION_ACCOUNTS: "true"
      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
      PROXY_OIDC_REWRITE_WELLKNOWN: "true"
      OCIS_OIDC_ISSUER: https://example.cloudflareaccess.com/cdn-cgi/access/sso/oidc/xxxx
      WEB_OIDC_CLIENT_ID: xxxx
      # general config
      OCIS_URL: http://localhost:8080
      PROXY_TLS: "false"
      PROXY_USER_OIDC_CLAIM: "email"
      PROXY_USER_CS3_CLAIM: "mail"
      OCIS_INSECURE: "true"
      OCIS_ADMIN_USER_ID: "[email protected] "
      OCIS_EXCLUDE_RUN_SERVICES: "idp"
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false"
      GRAPH_USERNAME_MATCH: "none"
    volumes:
      - ocis-config:/etc/ocis
      - ocis-data:/var/lib/ocis

volumes:
  ocis-config:
  ocis-data:
```
Below are some relevant URLs for reference:
opened 10:16AM - 28 Jun 23 UTC
closed 08:53AM - 07 Jul 23 UTC
enhancement
oauth2
**Is your feature request related to a problem? Please describe.**
Owncloud OCIS (a next gen Owncloud Server written in Golang) uses an SPA as a frontend.
Because of that it does auth without a secret (it could otherwise just be copied from the JS frontend) and only uses client id and PKCE.
**Describe the solution you'd like**
- allow CORS to https://id.DOMAIN/oauth2/openid/CLIENT_ID/.well-known/openid-configuration from the configured `oauth2_rs_origin`?
- support /oauth2/token endpoint with only pkce/client_id and no secret
**Additional context**
Here are the steps to "reproduce"/the current info I was able to gather
`id.DOMAIN` is kanidm and `ocis.DOMAIN` is Owncloud OCIS
- start login
- access ocis
- the ocis SPA starts the login process by getting `openid-configuration` from kanidm as a CORS request

- this fails so I added a temporary allow origin header `Access-Control-Allow-Origin: *` in nginx
- now the frontend can get the openid-configuration and redirects to the login in kanidm
- login works and I get redirected back to ocis
- to finish the auth, the frontend tries to get the token which fails:

- the error kanidm prints in the log is:
```
f4858b06-b5ba-4600-8016-ac99307d0901 INFO tide-request [ 164µs | 52.93% / 100.00% ]
f4858b06-b5ba-4600-8016-ac99307d0901 INFO ┝━ i [info]: Request received | event_tag_id: 9 | remote_addr: "[::ffff:10.0.0.101]:49606" | http.host: "id.DOMAIN" | http.method: "POST" | path: "/oauth2/token"
f4858b06-b5ba-4600-8016-ac99307d0901 INFO ┝━ handle_oauth2_token_exchange [ 77.3µs | 47.07% ]
f4858b06-b5ba-4600-8016-ac99307d0901 INFO │ ┕━ i [info]: Invalid oauth2 authentication - no basic auth or missing auth post data | event_tag_id: 9
f4858b06-b5ba-4600-8016-ac99307d0901 WARN ┕━ 🚧 [warn]: Client error --> Response sent | event_tag_id: 5 | status: 401 - Unauthorized
```
- I don't know what I could do now
configuration ocis
```
OCIS_URL="https://ocis.DOMAIN"
OCIS_BASE_DATA_PATH="/opt/ocis/data"
OCIS_CONFIG_DIR="/opt/ocis/config"
OCIS_INSECURE="true"
PROXY_TLS=false
PROXY_HTTP_ADDR=0.0.0.0:9200
STORAGE_USERS_DRIVER="s3ng"
STORAGE_SYSTEM_DRIVER="ocis"
STORAGE_USERS_S3NG_ENDPOINT="https://file.DOMAIN"
STORAGE_USERS_S3NG_REGION="default"
STORAGE_USERS_S3NG_ACCESS_KEY="***REDACTED***"
STORAGE_USERS_S3NG_SECRET_KEY="***REDACTED***"
STORAGE_USERS_S3NG_BUCKET="ocis"
PROXY_AUTOPROVISION_ACCOUNTS="true"
PROXY_ROLE_ASSIGNMENT_DRIVER="oidc"
OCIS_OIDC_ISSUER="https://id.DOMAIN/oauth2/openid/ocis/"
PROXY_OIDC_REWRITE_WELLKNOWN="true"
WEB_OIDC_CLIENT_ID="ocis"
#PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
OCIS_EXCLUDE_RUN_SERVICES="idm,idp"
```
client config kanidm
```
class: oauth2_resource_server
class: oauth2_resource_server_basic
class: object
displayname: OCIS
es256_private_key_der: private_binary
oauth2_rs_basic_secret: hidden
oauth2_rs_name: ocis
oauth2_rs_origin: https://ocis.DOMAIN/
oauth2_rs_scope_map: [email protected] : {"email", "openid", "profile"}
oauth2_rs_token_key: hidden
uuid: c2471b44-b7a9-4b65-9b12-8a36e41358c2
```
**Additional Links**
- [setup guid ocis with authentik](https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/)
- [docker compose ocis deployment with keycloak](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_keycloak)
- [explanation of the used flow](https://github.com/owncloud/ocis/issues/2445#issuecomment-907392492)
- [ocis docs, a bit convoluted](https://doc.owncloud.com/ocis/next/deployment/services/s-list/web.html)
- [conversation start matrix](https://matrix.to/#/!fzbFDgtoaOQXSSxOZc:gitter.im/$SrzW698_jEUdEJfvZ3kDrWEItFTkgH9J5xdPXtmlueg?via=gitter.im&via=matrix.org&via=infosec.exchange)
opened 11:29AM - 27 Aug 21 UTC
closed 06:53PM - 27 Aug 21 UTC
Interaction:Question
## Is your feature request related to a problem? Please describe.
I am currently overlooking something in the docs I guess, but I cannot find a possibility to set a client secret for OIDC.
## Describe the solution you'd like
As I'm using Kubernetes, I would like to be able to provide this secret with a file, or alternatively with an environment variable (for non-K8s user). Additionally, a documentation update would be nice.
## Describe alternatives you've considered
I'm uncertain which flow is used, but I hope it's not the OIDC implicit flow.
## Additional context
OIDC has multiple authentication flows. As I'm currently not able to find a variable in which I can put such a secret, there is the possibility that the authentication flow _is not the Authentication (or Basic) Flow_. If this was the case, what were the reasons that lead to this decision?
Screenshot of the error