
/.well-known/openid-configuration not found

Open horvathcsabalaszlo opened this issue 1 year ago • 7 comments

Hi,

I luckily found the Nextcloud OIDC App, because I was searching for an authentication method for my home web server, and it would be good to authenticate with my existing Nextcloud instance instead of .htaccess/htpasswd. I have a Nextcloud running on the same server, working well, in a subdirectory. The NC version is 29.0.4.

So I installed the OIDC App and tried to get it working with a test client, but I see that /.well-known/openid-configuration does not exist on the NC server (neither in the subdirectory nor in the parent). There was an issue with the resolving of the .well-known/***dav and webfinger etc. addresses, but at least the ***dav (carddav, caldav) ones are resolving as needed now. (I needed to put the .htaccess file with rewrite rules into the DocumentRoot; I used the lines from the Nextcloud documentation for subdirectories, and now they are OK.) So I wonder why the OIDC addresses are not OK, as if it were working, it should provide the webfinger. (The index.php/apps/oidc/ and other endpoints are throwing a "Page not found" Nextcloud UI, or 404.) Besides this, the OIDC app is working in Nextcloud; I could add the test client, but I have no idea what I should do in order to get it working.

Any help will be appreciated :) If further information is needed, let me know what to paste here.

horvathcsabalaszlo avatar Aug 06 '24 18:08 horvathcsabalaszlo

Please fetch the response from index.php/.well-known/webfinger. It should contain {"links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://<your_domain.com>"}]} if the app is working correctly.

Next you should try to access the .well-known/openid-configuration by using either the path index.php/.well-known/openid-configuration or index.php/apps/oidc/openid-configuration. Both endpoints should serve the same response.

Since the openid-configuration endpoint must be served at .well-known/openid-configuration, you have to modify your web server configuration to set a redirect (rewrite path) from .well-known/openid-configuration to one of the above-mentioned paths. If your server uses .htaccess files, you could do this exactly as it is done for webfinger.

H2CK avatar Aug 07 '24 07:08 H2CK

Hi,

Thanks for the information :) (The key was to know what URLs need to redirect to :) )

I checked, and index.php/.well-known/webfinger and .well-known/openid-configuration return only

"Not Found

The requested URL was not found on this server."

With or without the subdirectory.

Seems that there is some problem with the redirection?

The /.well-known/webfinger (without the subdirectory) returns an Error 500.

And /www_nextcloud/apps/oidc/openid-configuration returns: {"message":"CORS requires basic auth"} (www_nextcloud is the subdirectory), while /www_nextcloud/index.php/.well-known/openid-configuration returns the list of endpoints (I think it's OK).

.well-known/openid-configuration is also 404,

I will try to modify the rewrites, as you suggested, and come back with the result :)

Update: the rule below does the trick for openid-configuration, but the webfinger is still not OK.

RewriteRule ^.well-known/openid-configuration /www_nextcloud/index.php/.well-known/openid-configuration [R=301,L]

The /www_nextcloud/public.php?service=webfinger gives an HTTP 302, but returns the location [/www_nextcloud/apps/dashboard/] :D index.php also returns the dashboard.

The /.well-known/webfinger returns the index.php, with the Nextcloud UI, which says "Internal server error". The /www_nextcloud/index.php/.well-known/webfinger works and returns the correct OpenID link: rel | "http://openid.net/specs/connect/1.0/issuer", but the location only contains the /www_nextcloud subdirectory; I don't know if that's OK or not. The rewrite rule for this is now:

RewriteRule ^.well-known/webfinger /www_nextcloud/index.php/.well-known/webfinger [QSA,L]

Finally got it working for webfinger and nodeinfo with this:

RewriteRule ^.well-known/webfinger /www_nextcloud/index.php/.well-known/webfinger [R=301,L]
RewriteRule ^.well-known/nodeinfo /www_nextcloud/index.php/.well-known/nodeinfo [R=301,L]

Will check the OIDC login on the test client in the afternoon... :)

horvathcsabalaszlo avatar Aug 07 '24 08:08 horvathcsabalaszlo

As the .well-known resolving is working now, I have continued to set up the test client. The config (relevant part) can be found below. If I navigate to the test directory, it is displayed without any interaction; I don't get redirected.

I'm not sure about the parameters. Is the Client ID the long encoded string above the secret in the OIDC Connect UI? Is the preferred username needed? And the remote user claim...?

OIDCCryptoPassphrase 7hc0p7Q**************ERUqUH3dhHUg
. . .
LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL https://server/.well-known/openid-configuration
OIDCRedirectURI /test/.oidc-redirect
OIDCClientID mbFSrCwAbML1hdTe***M8XYemZ5oZuG04uON0NappW5xGB10
#OIDCClientID test
OIDCClientSecret ifCKdCYMwbX91lrnHmwMI2gJCj31whzyhtPV
OIDCProviderTokenEndpointAuth client_secret_post
OIDCRemoteUserClaim preferred_username
OIDCScope "openid profile email roles"

Options FollowSymLinks
AllowOverride all
Allow from all
Require all granted
Options +Indexes

<Location /test/.oidc-redirect>
    AuthType openid-connect
    Require valid-user
</Location>

<Directory /test/>
    AuthType openid-connect
    Options +Indexes
    Require valid-user
</Directory>

Thanks for any help :) (Sorry for asking for Apache module config help, but I could not find any information about how to properly configure it for the Nextcloud OIDC App.)

horvathcsabalaszlo avatar Aug 07 '24 19:08 horvathcsabalaszlo

Sorry, but I am not sure if I got the problem on your side correctly, and I am not the expert for the Apache mod_auth_openidc configuration. Are there any logs from the mod_auth_openidc module?

To answer your questions:

  • ClientID: Yes, this is the string you find above the secret.
  • RemoteUserClaim / preferred_username: OIDCRemoteUserClaim preferred_username should be set as it is. This tells mod_auth_openidc that the username can be found in the claim preferred_username contained in the returned JWT.

Why are you having a Location and a Directory directive in your configuration? In the past I only used it with the Location directive. But I assume it should also work with the Directory directive. So, from my point of view you should remove the Location directive.

The documentation of mod_auth_openidc states:

OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content.

It should be a path to your test folder (as you defined it), without a file or directory in the filesystem itself.

H2CK avatar Aug 08 '24 07:08 H2CK

"Are there any logs from the mod_auth_openidc module?" No... Strange, as I tried to configure it, but it generates nothing. Nothing in the Apache access or error logs either.

Thanks for the ClientID and RemoteUserClaim information.

Location and Directory: so there should be a Directory where the content resides, and a Location for the vanity URI, pointing inside the Directory, for the callback endpoint. It does not exist on the filesystem, and it returns the message that it is an OpenID Connect endpoint. So this should be OK, but for some reason it seems that Apache does not call the identity provider and simply serves the content. If I remove the Location directive from the Apache config, it throws a 404 on the .oidc-redirect URL.

Thanks for your help. I may open an issue at the mod_auth_openidc GitHub, as it seems that nobody has published a working config for mod_auth_openidc and the Nextcloud OIDC App, and the docs for other providers are not fully suitable.

horvathcsabalaszlo avatar Aug 08 '24 08:08 horvathcsabalaszlo

...managed to get some error logs:

[Thu Aug 08 12:37:26.177098 2024] [auth_openidc:error] [pid 2250:tid 2250] [client 192.168.1.239:55616] oidc_util_http_call: curl_easy_perform() failed on: https://...server...:5555/.well-known/openid-configuration (SSL certificate problem: unable to get local issuer certificate), referer: http://192.168.1.182/
[Thu Aug 08 12:37:26.177312 2024] [auth_openidc:error] [pid 2250:tid 2250] [client 192.168.1.239:55616] oidc_provider_static_config: could not retrieve metadata from url: https://...server...:5555/.well-known/openid-configuration, referer: http://192.168.1.182/

Somewhat later, I managed to get redirected to http://192.168.1.182/test/.oidc-redirect?state=3yjvmrGfj6D-ivWMSs&code=xyeJmKMF8KClZOl8***HOmqPOVJ8UbiYP2JUd3kvzq8zcPaNKlJv9

The config for this is:

<Directory />
    Options FollowSymLinks
    AllowOverride all
    Allow from all

    Require all granted
    Options +Indexes
</Directory>

<Directory /test>
    AuthType openid-connect
    Options +Indexes
    Require valid-user
</Directory>

<Location /test/something>
    AuthType openid-connect
    Require valid-user
</Location>

But now, if the .oidc-redirect is not defined, it cannot be redirected, and if it is defined, it does not work...

Another thing: what I need is to protect a directory with OpenID login, so anyone accessing the directory needs to be authenticated. If the solution only works for a Location, it may not be suitable for me, as the directory on my server only contains other directories, and applications residing in those.

horvathcsabalaszlo avatar Aug 08 '24 10:08 horvathcsabalaszlo

Finally got it working on the test one, and on the "prod" (LOL, home server) one too. Although there are some strange things.

This is the prod config :

OIDCCryptoPassphrase 7hc0p7QUM3l****************

LoadModule auth_openidc_module modules/mod_auth_openidc.so

OIDCProviderMetadataURL https://serveraddress:5555/.well-known/openid-configuration
OIDCRedirectURI https://serveraddress:9999/apps/somethingwhatdoesnotexists

OIDCClientID 9fEk6Ta***********************
OIDCClientSecret NxZ**********************FJNlhYj1Zq
OIDCProviderTokenEndpointAuth client_secret_post
OIDCSSLValidateServer Off

OIDCRemoteUserClaim preferred_username
OIDCScope "openid profile email roles"
ErrorLog /var/log/apache2/oidcerror.log

DocumentRoot /data/www2/

<Directory "/data/www2">
    AuthType openid-connect
    Options +Indexes
    Require valid-user
    order deny,allow
    allow from all
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    Require all granted
    <RequireAll>
        Require valid-user
    </RequireAll>
</Directory>

<Location /apps>
    AuthType openid-connect
    Require valid-user
</Location>

And I could not figure out what needs to be done for protecting the DocumentRoot, so I had to move the stuff to the "apps" directory, which is the redirection URL, and I get thrown there after the authentication. The authentication itself, when it works, is smooth and works well. Sometimes (mostly when I use the "apps" dir for the first time from a browser or from a computer) I get a Nextcloud "Not found" page, but when I tap "Back to Nextcloud", log in, and return to the "apps" URL, it lets me in. (I only see the URL https://serveraddress:5555/www_nextcloud/index.phpirect_url=/www_nextcloud/apps/oidc/redirect - so it's on the Nextcloud side, and it seems a "?red" is missing from the redirect URL.) In addition, when I click on "apps" and get the bad URL, go back, and click on "apps" again, I get redirected to the right URL, get the login page, authenticate, and get redirected :D

Along with this strange behaviour, thanks for your NC module, and the help to get it working :)

horvathcsabalaszlo avatar Aug 08 '24 19:08 horvathcsabalaszlo
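Added example, written for this thread and not taken from its author or from the oidc app project: the .well-known rewrites for a Nextcloud under /www_nextcloud, and a mod_auth_openidc vhost that protects the whole DocumentRoot while keeping TLS validation of the provider on, in place of the thread's OIDCSSLValidateServer Off. One caveat on the thread's final Directory block: it lists Require all granted next to Require valid-user, and Apache 2.4 combines sibling Require lines with an implicit RequireAny, so Require all granted satisfies authorization by itself and the valid-user lines add no protection there. Host names, paths, the CA bundle location and every REPLACE_WITH_* value are assumptions.

```apache
# Added example (not the thread author's nor the oidc app's own config).
# Fragment 1: .htaccess in the DocumentRoot above /www_nextcloud (needs
# AllowOverride FileInfo). Escaped dots so only a literal ".well-known" matches.
RewriteEngine On
RewriteRule ^\.well-known/webfinger /www_nextcloud/index.php/.well-known/webfinger [R=301,L]
RewriteRule ^\.well-known/nodeinfo /www_nextcloud/index.php/.well-known/nodeinfo [R=301,L]
RewriteRule ^\.well-known/openid-configuration /www_nextcloud/index.php/.well-known/openid-configuration [R=301,L]

# Fragment 2: relying-party vhost. Host names, paths and REPLACE_WITH_* are assumptions.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

<VirtualHost *:443>
    ServerName rp.example.invalid
    DocumentRoot /data/www2

    OIDCProviderMetadataURL https://idp.example.invalid/.well-known/openid-configuration
    OIDCClientID REPLACE_WITH_CLIENT_ID
    OIDCClientSecret REPLACE_WITH_CLIENT_SECRET
    OIDCProviderTokenEndpointAuth client_secret_post
    OIDCScope "openid profile email roles"
    OIDCRemoteUserClaim preferred_username
    # Long random value; it encrypts the session and state cookies.
    OIDCCryptoPassphrase REPLACE_WITH_LONG_RANDOM_STRING

    # Vanity path inside the protected location; no file or directory of that name.
    OIDCRedirectURI https://rp.example.invalid/redirect_uri

    # Weak setting from the thread: the provider's certificate is never checked,
    # so the issuer's identity is taken on trust.
    # OIDCSSLValidateServer Off
    # Corrected: validate, and name the bundle holding the CA that signed the
    # provider's certificate (path assumed).
    OIDCSSLValidateServer On
    OIDCCABundlePath /etc/ssl/certs/ca-certificates.crt

    # One Require per container: "/" covers the DocumentRoot and redirect_uri alike.
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>

    <Directory /data/www2>
        Options FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
```

After reloading, a request for any path under / should redirect to the provider's authorization endpoint, and the oidcerror.log line "unable to get local issuer certificate" from the thread should no longer appear once the bundle path is right.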