
PKCE doesn't work after upgrade to NC28.0.2 and user_oidc > 1.3.6

Open isdnfan opened this issue 1 year ago • 3 comments

I have successfully integrated NC 28.0.1 and user_oidc 1.3.5 with the zitadel IdP using PKCE (empty client secret). When I upgraded my dev environment to NC 28.0.2 and the "integrated" user_oidc upgrade to 1.3.6, the integration stopped working.

Reviewing the release notes, I found #740, which introduces a new setting making PKCE optional, so I added the new parameter

use_pkce = true to my config using occ config:app:set --value=true user_oidc use_pkce, but still no luck logging in. The login process fails with this error: [image]

If I use the same IdP with "client authentication" (client_id + client_secret), login is successful.

Please advise how to make PKCE work, especially considering PKCE is the "preferred" variant:

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-16#section-2.1.1

Clients MUST prevent injection (replay) of authorization codes into the authorization response by attackers. Public clients MUST use PKCE [RFC7636] to this end. For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED.

occ config:list user_oidc
{
    "apps": {
        "user_oidc": {
            "allow_multiple_user_backends": "0",
            "enabled": "yes",
            "id4me_enabled": "0",
            "installed_version": "5.0.1",
            "provider-7-jwksCache": "",
            "provider-7-jwksCacheTimestamp": "",
            "provider-8-bearerProvisioning": "0",
            "provider-8-checkBearer": "0",
            "provider-8-extraClaims": "preferred_username",
            "provider-8-groupProvisioning": "1",
            "provider-8-jwksCache": ***SENSITIVE VALUE***,
            "provider-8-mappingAddress": "",
            "provider-8-mappingAvatar": "",
            "provider-8-mappingBiography": "",
            "provider-8-mappingCountry": "",
            "provider-8-mappingDisplayName": "",
            "provider-8-mappingEmail": "",
            "provider-8-mappingFediverse": "",
            "provider-8-mappingGender": "",
            "provider-8-mappingGroups": "x-grants",
            "provider-8-mappingHeadline": "",
            "provider-8-mappingLocality": "",
            "provider-8-mappingOrganisation": "",
            "provider-8-mappingPhonenumber": "",
            "provider-8-mappingPostalcode": "",
            "provider-8-mappingQuota": "",
            "provider-8-mappingRegion": "",
            "provider-8-mappingRole": "",
            "provider-8-mappingStreetaddress": "",
            "provider-8-mappingTwitter": "",
            "provider-8-mappingUid": "preferred_username",
            "provider-8-mappingWebsite": "",
            "provider-8-providerBasedId": "0",
            "provider-8-sendIdTokenHint": "0",
            "provider-8-uniqueUid": "0",
            "types": "authentication",
            "use_pkce": "true"
        }
    }
}

isdnfan avatar Mar 06 '24 20:03 isdnfan
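The check the quoted RFC text asks for, as an added example that is not part of this issue, of user_oidc or of zitadel: a minimal RFC 7636 S256 exchange between a public client (no client_secret, like the configuration above) and a toy authorization server. The `ToyAuthorizationServer` class, the client id `nextcloud` and the three scenarios are assumptions made for illustration; the verifier/challenge derivation itself follows RFC 7636 §4.1–4.2, and the first test value is the RFC's own Appendix B vector.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Added example, not user_oidc or zitadel code: a minimal RFC 7636 (PKCE, S256)
# exchange between a public client and a toy authorization server, showing why
# an injected (stolen) authorization code is useless without the code_verifier.


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 section 4.1: 32 random octets -> 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Stand-in for the IdP (hypothetical): behaves like a server that requires
    PKCE for public clients, i.e. clients registered without a client_secret."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: Optional[str],
                  code_challenge_method: Optional[str]) -> str:
        # A public client that omits the challenge is rejected up front;
        # 'plain' is refused too, because it would send the verifier in clear.
        if code_challenge is None or code_challenge_method != "S256":
            raise ValueError("invalid_request: PKCE S256 is required for public clients")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str]) -> Optional[dict]:
        entry = self._pending.pop(code, None)  # authorization codes are single-use
        if entry is None or code_verifier is None:
            return None
        bound_client, challenge = entry
        if bound_client != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        # Constant-time comparison of the recomputed challenge with the stored one.
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flows() -> dict[str, bool]:
    """Three constructed scenarios: the honest client, an attacker replaying a
    stolen code, and a client that sends neither PKCE nor a secret."""
    idp = ToyAuthorizationServer()
    results: dict[str, bool] = {}

    # 1. Honest public client: the verifier stays in the session, only the
    #    challenge leaves the client; the token exchange succeeds.
    verifier = make_code_verifier()
    code = idp.authorize("nextcloud", s256_challenge(verifier), "S256")
    results["honest_client_succeeds"] = idp.token("nextcloud", code, verifier) is not None

    # 2. Code injection: the attacker obtains a fresh code from a victim's
    #    redirect but never saw the verifier, so the exchange fails.
    victim_verifier = make_code_verifier()
    stolen = idp.authorize("nextcloud", s256_challenge(victim_verifier), "S256")
    results["injected_code_rejected"] = (
        idp.token("nextcloud", stolen, make_code_verifier()) is None
    )

    # 3. No PKCE and no secret: the IdP refuses already at the authorize step.
    try:
        idp.authorize("nextcloud", None, None)
        results["no_pkce_rejected"] = False
    except ValueError:
        results["no_pkce_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in run_flows().items():
        print(f"{name}: {ok}")
```

The point of scenario 3 is the one that matters for this issue: with an empty client secret the client is public, so a request that carries no code_challenge has nothing binding the code to the session, and an IdP configured to require PKCE rejects the login rather than falling back to an unauthenticated code exchange.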

I'm not sure whether the command occ config:app:set --value=true user_oidc use_pkce writes a string value and not a boolean. Unfortunately occ config:app:set doesn't support --type=boolean as occ config:system:set does.

I'm a little surprised, but the config doesn't end up in the config.php (community docker), so I'm unsure how to verify whether the setting was applied in the right way.

isdnfan avatar Mar 06 '24 20:03 isdnfan

Hi, I'm using PKCE and I had to set it as a system setting: occ config:system:set --value=true --type=boolean user_oidc use_pkce This will add the array and enable PKCE.

sebrhex avatar Apr 23 '24 15:04 sebrhex

Thank you! It looks like occ config:system:set does the trick! Just tested, and PKCE seems to work.

But nevertheless it should be enabled by default ->> #807

isdnfan avatar Jun 27 '24 20:06 isdnfan

Closing as this particular discussion seems to be resolved now.

edward-ly avatar Oct 03 '24 17:10 edward-ly