
Multiple Client IDs per OIDC Issuer?

Open mrdrogdrog opened this issue 2 years ago • 9 comments

Describe your question

Hello :wave:,

Is it possible to use different OIDC client IDs that work on the same issuer? I am trying to set up a piece of software which consists of multiple different parts:

  • A server, which gets the client id for the web client and the OIDC issuer URL
  • A web client (provided by the server), which uses public client type and redirects back to the URL of the application
  • A desktop client, which uses confidential client type and redirect to 127.0.0.1
  • An app client, which uses confidential client type and redirects to an unknown url

In my first run I've set up the server (and therefore also the web client). I've created an OIDC provider and an application in authentik. Everything works fine so far. If I use the desktop client or the app, then it doesn't work anymore. Both of these force specific client IDs and secrets. Therefore I've created more OIDC providers and applications with the requested client ID and secret, because apparently there is no way to assign multiple providers to one application or multiple client IDs to one issuer. I can get through the login flow with these, but then the server says that the provided JWTs are invalid because the issuer is invalid.

Have I missed anything or am I right and this kind of setup is just not possible with Authentik?

Relevant info

  • OCIS 4.0.0+3c7bae407
  • OwnCloud Desktop Client 5.0.0.12278

Version and Deployment (please complete the following information):

  • Authentik: 2023.8.3
  • Deployment: Docker

mrdrogdrog avatar Oct 21 '23 12:10 mrdrogdrog

I'll add that when you set up Google as an OIDC provider, they require you to generate a client id and secret pair per platform. We have, at the moment, an iOS and Android app, which means we need to configure at least two providers.

Not sure if this question is the same as above.

WoodyWoodsta avatar Dec 19 '23 21:12 WoodyWoodsta

I would also like to see this added. Owncloud requires this for the same reason. One client ID for the web app, and the android, iOS and desktop sync clients all have their own client id/secret baked in.

bbl232 avatar Apr 06 '24 15:04 bbl232

Same issue here, I followed this tutorial to add OIDC on my OCIS instance with Authentik: https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/

  • Owncloud Web Client works great
  • Owncloud Desktop Client gives me an Error 403
  • Owncloud iOS works on reading but not on adding or modifying content
  • And I didn't try Owncloud Android.

Thanks for the help

NeZios avatar Apr 12 '24 14:04 NeZios

Since OwnCloud follows the OIDC spec, one cannot use a .well-known provided at https://auth.example.com/application/o/owncloud/.well-known/openid-configuration which contains the issuer https://auth.example.com (when trying to use a single issuer for multiple providers). Likewise, we cannot use https://auth.example.com as an issuer, because as per the OIDC spec, issuers with discovery functionality MUST expose an openid-configuration at [ISSUER_URL]/.well-known/openid-configuration, which Authentik does not.

I was also unable to use a single issuer, like https://auth.example.com/application/o/owncloud for multiple providers.

I MUST be doing something wrong here, because I cannot imagine hitting a hard limit with Authentik while trying to migrate the first of many applications away from KeyCloak.

codesalatdev avatar Jun 03 '24 13:06 codesalatdev
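The two consistency rules this comment leans on (OIDC Discovery 4.1/4.3: metadata lives at issuer + `/.well-known/openid-configuration` and its `issuer` field must be identical to the URL used to fetch it; OIDC Core 3.1.3.7: a token's `iss` claim must exactly match the issuer the relying party was configured with) are what make a server reject tokens from a second provider as "issuer is invalid". The script below is an added example, not code from this issue or from authentik or oCIS; the discovery documents, issuer URLs (including the `owncloud-desktop` slug) and the token it builds are all constructed inline so it runs offline, and the token's third segment is a placeholder rather than a real signature.

```python
"""Issuer-consistency checks a relying party applies to OIDC Discovery metadata
and to the 'iss' claim of a received token (added example, constructed inputs)."""
import base64
import json
from typing import Dict, List, Optional

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed issuer URLs modelled on the ones discussed in the thread.
GLOBAL_ISSUER = "https://auth.example.com"
WEB_ISSUER = "https://auth.example.com/application/o/owncloud/"
DESKTOP_ISSUER = "https://auth.example.com/application/o/owncloud-desktop/"  # assumed slug


def discovery_url(issuer: str) -> str:
    """OIDC Discovery 4.1: metadata is served at issuer + WELL_KNOWN.
    A trailing slash on the issuer is dropped so no '//' is produced."""
    return issuer.rstrip("/") + WELL_KNOWN


def check_discovery(issuer: str, fetched_from: str, doc: Dict) -> List[str]:
    """Return the problems a relying party should refuse to ignore when it
    configured `issuer` and obtained `doc` from `fetched_from`."""
    problems = []
    expected = discovery_url(issuer)
    if fetched_from != expected:
        problems.append(f"metadata fetched from {fetched_from}, expected {expected}")
    # Discovery 4.3: the 'issuer' in the document must be identical to the
    # issuer URL used to retrieve it (exact string comparison, no normalisation).
    if doc.get("issuer") != issuer:
        problems.append(f"metadata issuer {doc.get('issuer')!r} != configured {issuer!r}")
    return problems


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(claims: Dict) -> str:
    """Build a compact-serialised token for the example. The third segment is a
    placeholder, not a signature; it only exists so the token has JWT shape."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def token_issuer(token: str) -> Optional[str]:
    """Read the 'iss' claim without verifying the signature. A real relying
    party verifies the signature against the provider's JWKS first and only
    then trusts any claim; this helper just isolates the issuer comparison."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError):
        return None
    return claims.get("iss")


def accept_token(token: str, configured_issuer: str) -> bool:
    """OIDC Core 3.1.3.7: 'iss' MUST exactly match the configured issuer.
    This is the check that produces the 'issuer is invalid' rejection in the
    original post when the token came from a second provider."""
    return token_issuer(token) == configured_issuer


if __name__ == "__main__":
    # Global issuer mode: document served under the per-provider path but
    # claiming the bare host as issuer; the relying party cannot reconcile it.
    print(check_discovery(GLOBAL_ISSUER, discovery_url(WEB_ISSUER), {"issuer": GLOBAL_ISSUER}))
    # Per-provider issuer: self-consistent.
    print(check_discovery(WEB_ISSUER, discovery_url(WEB_ISSUER), {"issuer": WEB_ISSUER}))
    # Token minted by the desktop client's provider, checked by a server
    # configured with the web client's issuer.
    desktop_token = make_demo_token({"iss": DESKTOP_ISSUER, "sub": "alice"})
    print(accept_token(desktop_token, WEB_ISSUER))
```

The global-issuer case fails only the "where was it fetched from" rule, which is the gap the comment describes: the document says `https://auth.example.com` but nothing is served at `https://auth.example.com/.well-known/openid-configuration`. The per-provider case is self-consistent, and a token from any other provider under the same host is rejected by the exact-match rule, which is why creating a second provider per client ID does not help a server that was configured with one issuer.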

This is not currently possible, even with policies this cannot be done as the client_id check/lookup happens before any policy is run. The fact that when setting the issuer mode to be global, the discovery endpoints are not available is also on purpose, as authentik wouldn't know which provider to associate the request with (However this might be possible soon with https://github.com/goauthentik/authentik/issues/5440)

BeryJu avatar Jun 04 '24 07:06 BeryJu

I just ran into this myself. I used the 'use same issuer' option, which seemed like it was almost going to work... except that when one specifies the WEB_OIDC_METADATA_URL value for OCIS, the web front-end uses it, but OCIS does not have any way to be told where to look for the well-known configuration.

If Authentik is following the spec by not allowing two providers to have the same issuer, then alternatively perhaps we should file a bug with OCIS that there needs to be a way to configure multiple valid issuers.

bbangert avatar Jul 27 '24 01:07 bbangert

Tbh, I'm confused now 😅 Who is following the spec correctly now? OCIS or authentik?

mrdrogdrog avatar Jul 30 '24 07:07 mrdrogdrog

AFAIK the spec doesn't really specify anything about this; IMO neither ocis nor authentik are "wrong".

Regardless, some of this should be easier to do with #10400

BeryJu avatar Jul 30 '24 11:07 BeryJu

Tbh, I'm confused now 😅 Who is following the spec correctly now? OCIS or authentik?

Both are doing the right thing AFAICT. Setting 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none' for oCIS does not reduce security. See https://github.com/owncloud/ocis/issues/6479#issuecomment-2309819585 for a longer explanation.

butonic avatar Aug 26 '24 10:08 butonic