Native client login fails because OpenCloud expects and enforces case-sensitive OIDC client_id
Describe the bug
When integrating OpenCloud with Kanidm as the IdP, I ran into a problem:
- The web client (WEB_OIDC_CLIENT_ID=opencloudweb) works fine with Kanidm, even though Kanidm stores client IDs case-insensitively.
- The native clients (desktop, Android, iOS, Cyberduck) fail to log in because they expect their client_id to match exactly, including casing.
Steps to reproduce
- Create a Kanidm OAuth2 client with ID openclouddesktop.
- Try to log in with the OpenCloud Desktop client (which sends OpenCloudDesktop).
- Login fails with the client_id mismatch error (Error in the OpenCloud Webpage).
Expected behavior
OpenCloud should accept client_id values case-insensitively, since many IdPs store them normalized (usually lowercase).
Actual behavior
Native clients use hardcoded client IDs:
- Desktop → OpenCloudDesktop
- Android → OpenCloudAndroid
- iOS → OpenCloudIOS
- Cyberduck → Cyberduck
Kanidm internally normalizes client IDs to lowercase, so OpenCloudDesktop becomes openclouddesktop. OpenCloud enforces strict case-sensitive matching of client_id. This mismatch causes login to fail, even if all other settings (redirect URIs, scopes, role mappings) are correct. With the same settings, login via Web works.
The Error Message:
Error: Anmeldung fehlgeschlagen Das Publikum des id_token enthält nicht "OpenCloudDesktop".
Setup
Not needed
Additional context
For the web client, admins can configure the client ID freely (WEB_OIDC_CLIENT_ID), so casing isn’t a problem. For the native clients, the client_id is hardcoded in the apps, so admins have no way to adjust casing. This creates unnecessary friction: everything works on the web, but the native apps break unless the IdP supports case-sensitive client IDs.
Suggested fix: Normalize client_id (e.g., lowercase) inside OpenCloud before comparing with the IdP, or make the comparison case-insensitive.
Error: Anmeldung fehlgeschlagen Das Publikum des id_token enthält nicht "OpenCloudDesktop".
@TheOneRing This is a really strange translation. I think it's coming from the desktop app? Can we fix that, or does that come from some 3rd-party lib? I guess it is referring to the aud (Audience) claim 😄
The issue itself is again caused by the hard-coded client ids we're still depending on. The OIDC standard defines the aud claim to be case-sensitive (https://openid.net/specs/openid-connect-core-1_0.html#IDToken), so we can't just normalize it in the client. And just lower-casing all of them might fix the issue with Kanidm but will still not fix the problems with IdPs where you can influence the client id. (Related tickets are https://github.com/opencloud-eu/desktop/issues/217 and https://github.com/opencloud-eu/desktop/issues/246)
Just an idea: maybe it would be possible to provide an endpoint that delivers the needed claims and client IDs for the clients, so we can set them in environment variables.
It's the community translation; you can contribute on Transifex.
Or please provide an option to use an App Password to log in.
Would you mind checking whether setting the aud value via a custom claim, like this:
kanidm system oauth2 update-claim-map openclouddesktop aud OpenCloudDesktop
fixes the problem for you? If it does, I'd appreciate knowing more about your config; if it doesn't, whether you run into #1713.
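As an added illustration, not code from OpenCloud, Kanidm, or anyone in this thread, the following Python performs the relying-party audience check the way the comment above describes it (OIDC Core 3.1.3.7: exact, case-sensitive match of the client_id against the aud claim, with an azp check when there are several audiences), and runs it over two constructed, unsigned token payloads. The first carries the lowercased id an IdP like Kanidm stores; the second carries both spellings, which is the token shape the claim-map command above is meant to produce. Issuer, subject, and all claim values are made up, and signature verification is deliberately left out, so it must already have passed before this check is applied.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-add padding before decoding a JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test token: header and payload with an empty signature part.
    Real ID tokens are signed; this example only exercises the aud check."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(id_token: str) -> dict:
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(b64url_decode(parts[1]))


def audience_accepts_client(claims: dict, client_id: str, trusted_audiences=()) -> bool:
    """True only if aud lists client_id exactly (case-sensitive string compare),
    every other audience is one the client explicitly trusts, and, when aud has
    more than one entry, azp names this client."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False
    if client_id not in audiences:  # "openclouddesktop" does not equal "OpenCloudDesktop"
        return False
    for value in audiences:
        if value != client_id and value not in trusted_audiences:
            return False  # reject tokens minted for audiences this client does not know
    if len(audiences) > 1 and claims.get("azp") != client_id:
        return False
    return True


# Hard-coded desktop client id named in the issue.
CLIENT_ID = "OpenCloudDesktop"

# Constructed: aud as an IdP that lowercases registered client ids would emit it.
TOKEN_LOWERCASED = make_unsigned_token({
    "iss": "https://idp.example.test",
    "sub": "user-1",
    "aud": "openclouddesktop",
})

# Constructed: aud after a claim map adds the exact casing the client expects.
TOKEN_CLAIM_MAPPED = make_unsigned_token({
    "iss": "https://idp.example.test",
    "sub": "user-1",
    "aud": ["openclouddesktop", "OpenCloudDesktop"],
    "azp": "OpenCloudDesktop",
})


def check(token: str, client_id: str = CLIENT_ID, trusted=()) -> bool:
    return audience_accepts_client(decode_payload(token), client_id, trusted)


if __name__ == "__main__":
    print(check(TOKEN_LOWERCASED))                                    # False: casing differs
    print(check(TOKEN_CLAIM_MAPPED, trusted=("openclouddesktop",)))   # True
    print(check(TOKEN_CLAIM_MAPPED))                                  # False: extra audience not trusted
```

The third call shows the caveat that goes with the claim-map route: the lowercased id then appears as a second audience, so the client has to treat it as a trusted value rather than silently ignoring unknown audiences. A case-insensitive compare, as suggested in the issue body, would instead make the first token pass, which widens what the client accepts to any same-letters audience the IdP happens to register.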
Hey, the issue was that the client id in the issuer URI was different. I have set the client id to opencloudios and now it works on the web (set the same client id as the iOS app for web) and for Mountainduck, where you can also set a custom client id. Not ideal, but yeah, it works for me.