
wrong URL encoding on callback after authenticating against Nextcloud

Open leoniscsem opened this issue 3 years ago • 3 comments

Describe the bug

When authenticating against Nextcloud 22 on nginx, the user does not end up at the intended redirect URL, but on the home page instead. This is independent of the callback URL settings of the plugin (Ajax / alternative URL).

Check the encoding of the redirect URL: redirect_uri=https%3A%2F%2Fwordpress.domain.net%2Fopenid-connect-authorize

Log:

Type: make_authentication_url
Date: 2022-01-07 12:32:27
User: 0
URI : /wp-login.php?redirect_to=https%3A%2F%2Fwordpress.domain.net%2Fwp-admin%2F&reauth=1

string(280) "https://nextcloud.domain.net/apps/oauth2/authorize?response_type=code&scope=ocs.data.id%20openid&client_id=QWZSM5d0QY8QpvPihgvNSwNuPJ71Hp5OcQSjPKyJAUsCPvWESUNc4TwGbYR01GSL&state=fc77fb443c4a1792dc17224dff275283&redirect_uri=https%3A%2F%2Fwordpress.domain.net%2Fopenid-connect-authorize"

To Reproduce

Steps to reproduce the behavior:

  1. Go to /wp-login.php
  2. Click on the OpenID login button
  3. authenticate in Nextcloud
  4. grant access
  5. be redirected to home page of WordPress instance
  6. check users in wp-admin, find no new user created
  7. check logs in plugin overview

Expected behavior

To be redirected to the intended callback URL, with proper encoding.

Isolating the problem (mark completed items with an [x]):

  • [ ] I have deactivated other plugins and confirmed this bug occurs when only this plugin is active.
  • [x] This bug happens with a default WordPress theme active.
  • [x] I can reproduce this bug consistently using the steps above.

WordPress Environment

  • PHP Version: 7.4 / 8.1
  • WordPress Version: 5.8.3
  • Plugin Version: latest release as of yesterday
  • Identity Provider: Nextcloud
  • Relevant Plugin Settings:
      OpenID Scope: ocs.data.id openid
      Login Endpoint URL: <cloud-url>/apps/oauth2/authorize
      Userinfo Endpoint URL: <cloud-url>/ocs/v1.php/cloud/user
      Token Validation Endpoint URL: <cloud-url>/apps/oauth2/api/v1/token
      Identity Key: sub
      Nickname Key: preferred_username
      Identify with User Name: checked
      Enable Refresh Token: checked
      Create user if does not exist: checked
      Redirect login screen session expired: checked
      Alternate Redirect URI: checked

I could also provide the nginx server blocks for both the WordPress and the Nextcloud instances. It's just that neither WordPress nor Nextcloud has issues with it when using the MiniOrange plugin, and when I authenticate other applications against our Nextcloud setup.

leoniscsem, Jan 07 '22 12:01

I will have to do some further testing given it looks like you are using the Alternate Redirect URL feature. I've done many test setups with other IDPs, including Microsoft Azure AD, Google Workspace, Amazon Cognito, Oracle Identity Cloud and Keycloak, and they have shown no problems with the use of the standard redirect URL setup. Have you tried without using the Alternative Redirect URL feature?

timnolte, Jan 07 '22 13:01

Yes, unfortunately it creates the same result in the encoding.

Type: make_authentication_url
Date: 2022-01-10 04:50:31
User: 0
URI : /wp-login.php

string(317) "https://nextcloud.domain.tld/apps/oauth2/authorize?response_type=code&scope=ocs.data.id%20openid&client_id=NanVowIdakdfWEFSu0mDmkgkGehbTQSj957Aps1VpZMrRjZPffaXeCMDcVPGn7PhhPf6&state=9bb83fc5eb807e28142b051908b56405&redirect_uri=https%3A%2F%2Fwordpress.domain.tld%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize"

I unfortunately have no clue where to look. Could it be related to DB encoding?

leoniscsem, Jan 10 '22 04:01

@leoniscsem just to confirm that there is no issue with encoding. In your last message the redirect_uri sent to your NextCloud instance, when urldecoded, is the correct URL. I dropped https%3A%2F%2Fwordpress.domain.tld%2Fwp-admin%2Fadmin-ajax.php%3Faction%3Dopenid-connect-authorize into an online decoder and it returned exactly the correct URL that your NextCloud instance should be returning back to. For clarification, the redirect_uri is not intended to be the final destination for your users; that parameter is the endpoint the plugin uses to perform all of the authentication verification. The place where your user ends up is tracked by the state that is generated.

It seems like there is some other redirect issue going on if your users are being sent back to the home page. Have you ensured that your permalinks and Nginx configuration are set up correctly? It actually seems, especially with the Alternate Redirect URL setting, that the permalink isn't being set up correctly. You may need to visit the permalinks settings screen and click on Save to ensure that permalinks are updated in WordPress.

It does look like there is a NextCloud Docker image available, so I might be able to spend some time setting this up for my own testing and provide guidance on a known working configuration. I have recently done this with Keycloak after a user reported having problems getting Keycloak working with the WordPress site and the plugin. You can find the start of IDP configuration guides in the plugin Wiki here on GitHub.

timnolte, Mar 19 '22 02:03
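The maintainer's two points above, that the percent-encoded redirect_uri decodes to the correct callback and that the user's final destination is carried by the state rather than by redirect_uri, as an added example that is not the plugin's own code: it decodes the authorize URL quoted from the log, checks redirect_uri against the registered callback by exact match, and models the state lookup with an in-memory dict. REGISTERED_REDIRECT_URI, SITE_HOST, HOME_URL and the dict-backed store are assumptions.

```python
from urllib.parse import urlsplit, parse_qs
import secrets

# Authorize URL quoted from the plugin log above (domains and ids are the issue's placeholders).
LOGGED_AUTH_URL = (
    "https://nextcloud.domain.tld/apps/oauth2/authorize?response_type=code"
    "&scope=ocs.data.id%20openid"
    "&client_id=NanVowIdakdfWEFSu0mDmkgkGehbTQSj957Aps1VpZMrRjZPffaXeCMDcVPGn7PhhPf6"
    "&state=9bb83fc5eb807e28142b051908b56405"
    "&redirect_uri=https%3A%2F%2Fwordpress.domain.tld%2Fwp-admin%2Fadmin-ajax.php"
    "%3Faction%3Dopenid-connect-authorize"
)
# Callback URI registered at the IdP (assumed: the decoded value of the log's redirect_uri).
REGISTERED_REDIRECT_URI = ("https://wordpress.domain.tld/wp-admin/admin-ajax.php"
                           "?action=openid-connect-authorize")
SITE_HOST = "wordpress.domain.tld"          # assumed host post-login destinations must be on
HOME_URL = "https://wordpress.domain.tld/"  # assumed fallback destination

def authorize_params(url: str) -> dict:
    """Return the authorize request's query parameters, percent-decoded, one value each."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True, strict_parsing=True)
    return {name: values[0] for name, values in query.items()}

def redirect_uri_is_registered(url: str) -> bool:
    """Exact string match, as the IdP should check it: no prefix or wildcard matching."""
    return authorize_params(url).get("redirect_uri") == REGISTERED_REDIRECT_URI

# Server-side map state -> final destination. The plugin keeps this association itself;
# a plain dict stands in for its storage here (assumption).
_pending_logins: dict = {}

def begin_login(redirect_to: str) -> str:
    """Mint an unguessable state and remember the post-login destination under it.
    redirect_to comes from the login screen's query string, so only same-site https
    destinations are honoured; anything else falls back to the home page."""
    parts = urlsplit(redirect_to)
    if parts.scheme != "https" or parts.netloc != SITE_HOST:
        redirect_to = HOME_URL
    state = secrets.token_hex(16)
    _pending_logins[state] = redirect_to
    return state

def finish_login(callback_params: dict) -> str:
    """Resolve the IdP callback (code + state). The state is single use; an unknown
    or replayed state is rejected instead of silently landing the user somewhere."""
    destination = _pending_logins.pop(callback_params.get("state", ""), None)
    if destination is None:
        raise ValueError("unknown or already-used state")
    return destination
```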