oCIS + Keycloak + desktop app: crash and wrong URL when re-authenticating
Hello,
I have followed the guide to install owncloud's ocis with keycloak, and everything works as expected using the web browser.
When using the Desktop app, I can authenticate correctly once, but after a few minutes (around 10 minutes) the app kicks me out and I need to re-authenticate. At this point, the URL for the authentication is wrong, and not pointing to the correct keycloak URL.
Steps to reproduce
- open the Owncloud desktop app (Windows 11)
- add the account for owncloud.mydomain.net and press next
- Authenticate using the provided URL (correct):
https://keycloak.mydomain.net/realms/oCIS/protocol/openid-connect/auth?[.... tokens ...]
- wait a few minutes to be logged out
- Re-authenticate using the provided URL (wrong):
https://owncloud.mydomain.net/index.php/apps/oauth2/authorize?[.... tokens ...]
The only way to get the correct URL again is to forget the account and re-create it.
Additional issues
- The ocis docker container log (attached) shows a go stacktrace just when I request the auth URL.
- The oCIS desktop app HTTP log (attached) shows that it's using the wrong "well-known" URL:
https://owncloud.mydomain.net/.well-known/openid-configuration instead of https://keycloak.mydomain.net/.well-known/openid-configuration.
Setup
I used the docker-compose examples from the Documentation, and imported the oCIS realm in my Keycloak instance.
My environment variables in the ocis docker are:
Variable | Value
-- | --
IDM_ADMIN_PASSWORD | admin
IDM_CREATE_DEMO_USERS | false
OCIS_INSECURE | true
OCIS_LOG_COLOR | false
OCIS_LOG_LEVEL | info
OCIS_OIDC_ISSUER | https://keycloak.mydomain.net/realms/oCIS
OCIS_URL | https://owncloud.mydomain.net
PATH | /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PGID | 1000
PROXY_AUTOPROVISION_ACCOUNTS | true
PROXY_ENABLE_BASIC_AUTH | false
PROXY_OIDC_ISSUER | https://keycloak.mydomain.net/realms/oCIS
PROXY_OIDC_REWRITE_WELLKNOWN | true
PROXY_ROLE_ASSIGNMENT_DRIVER | oidc
PROXY_TLS | false
PROXY_USER_CS3_CLAIM | username
PROXY_USER_OIDC_CLAIM | preferred_username
PUID | 1000
WEB_OIDC_AUTHORITY | https://keycloak.mydomain.net/realms/oCIS
WEB_OIDC_CLIENT_ID | web
WEB_OIDC_METADATA_URL | https://keycloak.mydomain.net/realms/oCIS/.well-known/openid-configuration
Go Stacktrace when authenticating from the Desktop app:
2024/03/26 14:59:59 http: panic serving 192.168.90.254:35814: runtime error: invalid memory address or nil pointer dereference
goroutine 19100 [running]:
net/http.(*conn).serve.func1()
net/http/server.go:1898 +0xbe
panic({0x439f7c0?, 0x6473280?})
runtime/panic.go:770 +0x132
net/http.(*Client).deadline(0x61c385?)
net/http/client.go:193 +0xe
net/http.(*Client).do(0x0, 0xc0087eb7a0)
net/http/client.go:608 +0x1f6
net/http.(*Client).Do(...)
net/http/client.go:590
net/http.(*Client).Get(0x0, {0xc0084145a0?, 0x422ba40?})
net/http/client.go:487 +0x5f
github.com/owncloud/ocis/v2/services/proxy/pkg/staticroutes.(*StaticRouteHandler).oIDCWellKnownRewrite(0xc00141f188, {0x7f6c1bc96560, 0xc002ff8540}, 0x1?)
github.com/owncloud/ocis/v2/services/proxy/pkg/staticroutes/oidc_well-known.go:14 +0x73
net/http.HandlerFunc.ServeHTTP(0xc000fdca50?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc008488270?)
net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc00155c780, {0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb560)
github.com/go-chi/chi/[email protected]/mux.go:459 +0x2e6
net/http.HandlerFunc.ServeHTTP(0xc00b3fe960?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc000bddc40?)
net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc00155c780, {0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb560)
github.com/go-chi/chi/[email protected]/mux.go:73 +0x32f
github.com/go-chi/chi/v5.(*Mux).Mount.func1({0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb560)
github.com/go-chi/chi/[email protected]/mux.go:327 +0x1bb
net/http.HandlerFunc.ServeHTTP(0xc000fdca50?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc00792bf84?)
net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).routeHTTP(0xc00155c720, {0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb560)
github.com/go-chi/chi/[email protected]/mux.go:459 +0x2e6
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0x64775b0?)
net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5.(*Mux).ServeHTTP(0xc00155c720, {0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb440)
github.com/go-chi/chi/[email protected]/mux.go:90 +0x2ee
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.createHome.ServeHTTP({{0x4930460, 0xc00155c720}, {{{0x493da90, 0xc001537440}, 0x1, {0x0, 0x0}, {0xc001addc00, 0x12, 0x1f4}, ...}}, ...}, ...)
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/create_home.go:44 +0x642
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.Policies.func1.1({0x7f6c1bc96560?, 0xc002ff8540?}, 0xea24d5f9b3cb6da0?)
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/policies.go:52 +0x277
net/http.HandlerFunc.ServeHTTP(0x0?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0x0?)
net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.selectorCookie.ServeHTTP({{0x492d278, 0xc0015680a0}, {{{0x493da90, 0xc001537440}, 0x1, {0x0, 0x0}, {0xc001addc00, 0x12, 0x1f4}, ...}}, ...}, ...)
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/selector_cookie.go:36 +0x266
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.accountResolver.ServeHTTP({{0x4930fc0, 0xc000fe3400}, {{{0x493da90, 0xc001537440}, 0x1, {0x0, 0x0}, {0xc001addc00, 0x12, 0x1f4}, ...}}, ...}, ...)
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:89 +0xb68
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.Authentication.func1.1({0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb320)
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/authentication.go:71 +0x3b7
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0x677cac0?)
net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/router.Middleware.func1.1({0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb200)
github.com/owncloud/ocis/v2/services/proxy/pkg/router/router.go:32 +0x23f
net/http.HandlerFunc.ServeHTTP(0xc00b3fe690?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc000bdef01?)
net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.HTTPSRedirect.func1({0x7f6c1bc96560, 0xc002ff8540}, 0xc0087eb200)
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/https_redirect.go:17 +0x136
net/http.HandlerFunc.ServeHTTP(0x6483150?, {0x7f6c1bc96560?, 0xc002ff8540?}, 0xc008488000?)
net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/command.loadMiddlewares.AccessLog.func37.1({0x7f6c1bc96560, 0xc002ff84c0}, 0xc0087eb200)
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/accesslog.go:21 +0x130
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x7f6c1bc96560?, 0xc002ff84c0?}, 0x3fbee00?)
net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5/middleware.RequestID.func1({0x7f6c1bc96560, 0xc002ff84c0}, 0xc0087eafc0)
github.com/go-chi/chi/[email protected]/middleware/request_id.go:76 +0x20e
net/http.HandlerFunc.ServeHTTP(0xc0087eafc0?, {0x7f6c1bc96560?, 0xc002ff84c0?}, 0xc000bdf1d8?)
net/http/server.go:2166 +0x29
github.com/go-chi/chi/v5/middleware.RealIP.func1({0x7f6c1bc96560, 0xc002ff84c0}, 0xc0087eafc0)
github.com/go-chi/chi/[email protected]/middleware/realip.go:36 +0x95
net/http.HandlerFunc.ServeHTTP(0x6483170?, {0x7f6c1bc96560?, 0xc002ff84c0?}, 0x6?)
net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/command.loadMiddlewares.Instrumenter.func36.1({0x494d170, 0xc001e7c5a0}, 0xc0087eafc0)
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/metrics.go:20 +0x17c
net/http.HandlerFunc.ServeHTTP(0xbdf2f0?, {0x494d170?, 0xc001e7c5a0?}, 0x494a310?)
net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/ocis-pkg/middleware.TraceContext.func1({0x494d170, 0xc001e7c5a0}, 0xc0087eaea0)
github.com/owncloud/ocis/v2/ocis-pkg/middleware/tracing.go:19 +0x168
net/http.HandlerFunc.ServeHTTP(0x49527c0?, {0x494d170?, 0xc001e7c5a0?}, 0x494a310?)
net/http/server.go:2166 +0x29
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware.tracer.ServeHTTP({{0x492d278?, 0xc00155a438?}, {0x493e210?, 0xc001525c20?}}, {0x494d170, 0xc001e7c5a0}, 0xc0087ead80)
github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/tracing.go:50 +0x474
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*middleware).serveHTTP(0xc0015509c0, {0x4945f48, 0xc0022edc00}, 0xc0087eab40, {0x492ebc0, 0xc0019a8980})
go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]/handler.go:225 +0x1243
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.NewMiddleware.func1.1({0x4945f48?, 0xc0022edc00?}, 0x4e366f?)
go.opentelemetry.io/contrib/instrumentation/net/http/[email protected]/handler.go:83 +0x35
net/http.HandlerFunc.ServeHTTP(0x473479?, {0x4945f48?, 0xc0022edc00?}, 0xc000bdfb68?)
net/http/server.go:2166 +0x29
net/http.serverHandler.ServeHTTP({0xc00b4ec930?}, {0x4945f48?, 0xc0022edc00?}, 0x6?)
net/http/server.go:3137 +0x8e
net/http.(*conn).serve(0xc001c69cb0, {0x49527c0, 0xc00165dbc0})
net/http/server.go:2039 +0x5e8
created by net/http.(*Server).Serve in goroutine 242
net/http/server.go:3285 +0x4b4
ownCloud Desktop app HTTP log:
24-03-26 15:16:48:383 [ info gui.account.state ]: Invalid credentials for "https://owncloud.mydomain.net"
24-03-26 15:16:48:383 [ info gui.account.state ]: refreshing oauth
24-03-26 15:16:48:383 [ info gui.account.state ]: refreshing oauth failed
24-03-26 15:16:48:383 [ info gui.account.state ]: asking user
24-03-26 15:16:48:383 [ info gui.account.state ]: AccountState state change: OCC::AccountState::Connected -> OCC::AccountState::AskingCredentials
24-03-26 15:16:48:383 [ debug gui.account.settings ] [ OCC::AccountSettings::slotAccountStateChanged ]: showing modal dialog asking user to log in again via OAuth2
24-03-26 15:16:48:435 [ debug sync.credentials.oauth ] [ OCC::AccountBasedOAuth::startAuthentication ]: fetching dynamic registration data
24-03-26 15:16:48:435 [ info sync.credentials.manager ]: get "ownCloud_credentials:owncloud.mydomain.net:f35dd146-7a56-44d1-95ab-d9faa93137e1:http/clientSecret"
24-03-26 15:16:48:435 [ debug sync.credentials.manager ] [ OCC::CredentialJob::start ]: We don't know "http/clientSecret" skipping retrieval from keychain
24-03-26 15:16:48:439 [ debug sync.credentials.oauth ] [ OCC::AccountBasedOAuth::startAuthentication::::operator() ]: fetched dynamic registration data successfully
24-03-26 15:16:48:439 [ debug sync.credentials.oauth ] [ `anonymous-namespace'::logCredentialsJobResult ]: credentials job has finished
24-03-26 15:16:48:439 [ info sync.credentials.oauth ]: Failed to read client id ""
24-03-26 15:16:48:439 [ debug sync.credentials.oauth ] [ OCC::OAuth::startAuthentication ]: starting authentication
24-03-26 15:16:48:439 [ debug sync.credentials.oauth ] [ OCC::AccountBasedOAuth::fetchWellKnown ]: starting CheckServerJob before fetching "/.well-known/openid-configuration"
24-03-26 15:16:48:483 [ info sync.httplogger ]: "847ab280-8a2c-429b-bd31-fafb97fe4ac5: Request: GET https://owncloud.mydomain.net/status.php Header: { OC-Connection-Validator: desktop, User-Agent: Mozilla/5.0 (Windows) mirall/5.2.1.13040 (ownCloud, windows-10.0.22635 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Accept-Language: en_NZ, X-Request-ID: 847ab280-8a2c-429b-bd31-fafb97fe4ac5, Original-Request-ID: 847ab280-8a2c-429b-bd31-fafb97fe4ac5, } Data: []"
24-03-26 15:16:48:681 [ info sync.httplogger ]: "847ab280-8a2c-429b-bd31-fafb97fe4ac5: Response: GET 200 (197ms) https://owncloud.mydomain.net/status.php Header: { Date: Tue, 26 Mar 2024 14:16:48 GMT, Content-Type: application/json, Transfer-Encoding: chunked, Connection: keep-alive, content-security-policy: default-src 'none';, permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=(), referrer-policy: same-origin, strict-transport-security: max-age=63072000; includeSubDomains; preload, vary: Accept-Encoding, Origin, x-content-type-options: nosniff, x-download-options: noopen, x-frame-options: SAMEORIGIN, x-permitted-cross-domain-policies: none, x-request-id: 847ab280-8a2c-429b-bd31-fafb97fe4ac5, x-robots-tag: none,noarchive,nosnippet,notranslate,noimageindex,, x-xss-protection: 1; mode=block, CF-Cache-Status: DYNAMIC, Report-To: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=DKSGN%2BxXxHIFMm2fPf5%2B0dKs3u0fr4hKn4C79CYcVNQWUsY9KRqvLWnPBm8hHhfk5QpNGLfwtVjKhm13KJpRlt9uj2tED%2BVQM7L680xehEE50NtWeZq602lp6%2Bwup8lmR79frTV8Ag%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}, NEL: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}, Server: cloudflare, CF-RAY: 86a7c2b55db92f87-MAD, Content-Encoding: br, alt-svc: h3=\":443\"; ma=86400, } Data: [{\n \"installed\": true,\n \"maintenance\": false,\n \"needsDbUpgrade\": false,\n \"version\": \"10.11.0.0\",\n \"versionstring\": \"10.11.0\",\n \"edition\": \"Community\",\n \"productname\": \"Infinite Scale\",\n \"product\": \"Infinite Scale\",\n \"productversion\": \"5.1.0-prealpha+8f0b536ef\"\n}]"
24-03-26 15:16:48:681 [ info sync.checkserverjob ]: status.php returns: QJsonDocument({"edition":"Community","installed":true,"maintenance":false,"needsDbUpgrade":false,"product":"Infinite Scale","productname":"Infinite Scale","productversion":"5.1.0-prealpha+8f0b536ef","version":"10.11.0.0","versionstring":"10.11.0"}) QNetworkReply::NoError Reply: QNetworkReplyHttpImpl(0x1e1bd842750)
24-03-26 15:16:48:681 [ debug sync.credentials.oauth ] [ OCC::AccountBasedOAuth::fetchWellKnown::::operator() ]: CheckServerJob succeeded, fetching "/.well-known/openid-configuration"
24-03-26 15:16:48:681 [ debug sync.credentials.oauth ] [ OCC::OAuth::fetchWellKnown ]: fetching "/.well-known/openid-configuration"
24-03-26 15:16:48:725 [ info sync.httplogger ]: "fe9ce41f-3b17-46b5-aa62-3f93f3d39c07: Request: GET https://owncloud.mydomain.net/.well-known/openid-configuration Header: { User-Agent: Mozilla/5.0 (Windows) mirall/5.2.1.13040 (ownCloud, windows-10.0.22635 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Accept-Language: en_NZ, X-Request-ID: fe9ce41f-3b17-46b5-aa62-3f93f3d39c07, Original-Request-ID: fe9ce41f-3b17-46b5-aa62-3f93f3d39c07, } Data: []"
24-03-26 15:16:48:826 [ info sync.httplogger ]: "fe9ce41f-3b17-46b5-aa62-3f93f3d39c07: Response: GET 502 (Error: Error transferring https://owncloud.mydomain.net/.well-known/openid-configuration - server replied: Bad Gateway,101ms) https://owncloud.mydomain.net/.well-known/openid-configuration Header: { Date: Tue, 26 Mar 2024 14:16:48 GMT, Content-Type: text/html; charset=UTF-8, Content-Length: 6360, Connection: keep-alive, Report-To: {\"endpoints\":[{\"url\":\"https:\\/\\/a.nel.cloudflare.com\\/report\\/v4?s=YXdXNTsgTw%2BO%2BEdAoBF80NlI9SI%2BuEeyARPPeTQ275MgP1X3tPjC0XP1A79g8FuOcDM2rsmIrol2bVl4rw1tGTULDyO4oeFL6sIu1P5CcejUdEpRoasYRX2oMnvGB5r4oom8w%2BHybg%3D%3D\"}],\"group\":\"cf-nel\",\"max_age\":604800}, NEL: {\"success_fraction\":0,\"report_to\":\"cf-nel\",\"max_age\":604800}, X-Frame-Options: SAMEORIGIN, Referrer-Policy: same-origin, Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, Expires: Thu, 01 Jan 1970 00:00:01 GMT, Server: cloudflare, CF-RAY: 86a7c2b6df9f8675-MAD, alt-svc: h3=\":443\"; ma=86400, } Data: [...Cloudflare "502: Bad gateway" HTML error page omitted...]"
I'm using the latest version of both the Desktop app and the ocis / keycloak containers:
~ $ ocis version
Version: 5.1.0-prealpha+8f0b536ef
Compiled: 2024-03-26 00:00:00 +0000 UTC
thanks!
@TheOneRing Do you have a hunch why this happens?
The URL https://owncloud.mydomain.net/index.php/apps/oauth2/authorize? is from oc10?
@doruchan Is it possible, that this local user has been used against ownCloud10 before?
No, I haven't used owncloud before. Everything has been installed from scratch so it's unlikely. I can try logging in with one of the test accounts that came with the keycloak imported realm tho.
Is this a normal response for the page "owncloud.mydomain.net/status.php"?
{
"installed": true,
"maintenance": false,
"needsDbUpgrade": false,
"version": "10.11.0.0",
"versionstring": "10.11.0",
"edition": "Community",
"productname": "Infinite Scale",
"product": "Infinite Scale",
"productversion": "5.1.0-prealpha+8f0b536ef"
}
version 10.11.0?
The client only uses the .well-known from the system entered during setup.
So https://owncloud.mydomain.net/.well-known/openid-configuration should point to your keycloak server.
Is this a normal response for the page "owncloud.mydomain.net/status.php"?
{ "installed": true, "maintenance": false, "needsDbUpgrade": false, "version": "10.11.0.0", "versionstring": "10.11.0", "edition": "Community", "productname": "Infinite Scale", "product": "Infinite Scale", "productversion": "5.1.0-prealpha+8f0b536ef" }
version 10.11.0?
That is correct. Compatibility for oc10.
The client only uses the .well-known from the system entered during setup. So
https://owncloud.mydomain.net/.well-known/openid-configuration should point to your keycloak server.
But how can an oc10 Oauth2 url come from the ocis well known?
Is there an oc10 running behind the same reverse proxy?
The client only uses the .well-known from the system entered during setup.
By setup you mean the environment variable WEB_OIDC_METADATA_URL? It's set to the keycloak's well-known, and I also have the PROXY_OIDC_REWRITE_WELLKNOWN set to true. Do I miss anything else?
Is there an oc10 running behind the same reverse proxy?
No :/ Only keycloak, owncloud (ocis) and traefik.
Could it be manually configured?
@doruchan
Has the issue been resolved after recreating the account?
No unfortunately - I have backed up my config folder and reconfigured my ocis from scratch with ocis init, but I can already see that this page returns a 404:
https://owncloud.mydomain.net/.well-known/openid-configuration
when in the testing server with keycloak I can see that this works: https://ocis.ocis-keycloak.released.owncloud.works/.well-known/openid-configuration
So there's something wrong in my configuration. I haven't set anything manually, just using the environment variables from my docker-compose to drive the configuration.
There is a config var in our example deployment to rewrite the well known.
Oh, interesting, I'm trying the example from the "latest" deployment and it doesn't work: https://ocis.ocis-keycloak.latest.owncloud.works/.well-known/openid-configuration
Bad Gateway
So maybe it's something to do with the latest version?
Oh, interesting, I'm trying the example from the "latest" deployment and it doesn't work: https://ocis.ocis-keycloak.latest.owncloud.works/.well-known/openid-configuration
Bad Gateway
So maybe it's something to do with the latest version?
So I locked the 5.0.0 version instead of "latest", and I can now see this page working correctly:
https://owncloud.mydomain.net/.well-known/openid-configuration
It's definitely an issue with the latest.
cheers
Latest is working fine now.
@TheOneRing I also saw that URL https://owncloud.mydomain.net/index.php/apps/oauth2/authorize? in another ticket.
It was a new central post https://central.owncloud.org/t/ocis-5-x-and-keycloak-25-auto-relogin-fails-after-restart-of-the-desktop-client/49527
How on earth could something like this happen with a Desktop Client connected to ocis? That is an old oc10 URL.
@dragotin @DeepDiver1975 Please check this out. This doesn't make any sense.
Hm, I guess the client is just using index.php/apps/oauth2/authorize as a fallback when it can't read the .well-known endpoint. See:
https://github.com/owncloud/client/blob/af2cdbbea907c5e8bbda21c0e573a490a7c3ba3a/src/libsync/creds/oauth.cpp#L463C4-L466C1
So something might be wrong with the PROXY_OIDC_REWRITE_WELLKNOWN setting (or its implementation). It seems to work on the demo instances though.
@rhafer yes you're right, thank you for looking it up. That something went wrong can also be seen in the client log in the top post.
24-03-26 15:16:48:725 [ info sync.httplogger ]: "fe9ce41f-3b17-46b5-aa62-3f93f3d39c07: Request: GET https://owncloud.mydomain.net/.well-known/openid-configuration Header: { User-Agent: Mozilla/5.0 (Windows) mirall/5.2.1.13040 (ownCloud, windows-10.0.22635 ClientArchitecture: x86_64 OsArchitecture: x86_64), Accept: */*, Accept-Language: en_NZ, X-Request-ID: fe9ce41f-3b17-46b5-aa62-3f93f3d39c07, Original-Request-ID: fe9ce41f-3b17-46b5-aa62-3f93f3d39c07, } Data: []"
24-03-26 15:16:48:826 [ info sync.httplogger ]: "fe9ce41f-3b17-46b5-aa62-3f93f3d39c07: Response: GET 502 (Error: Error transferring https://owncloud.mydomain.net/.well-known/openid-configuration - server replied: Bad Gateway,101ms) https://owncloud.mydomain.net/.well-known/openid-configuration Header: { Date: Tue, 26 Mar 2024 14:16:48 GMT, Content-Type: text/html; charset=UTF-8, Content-Length: 6360, Connection: keep-alive, Report-To: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=..."}],"group":"cf-nel","max_age":604800}, NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}, X-Frame-Options: SAMEORIGIN, Referrer-Policy: same-origin, Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0, Expires: Thu, 01 Jan 1970 00:00:01 GMT, Server: cloudflare, CF-RAY: 86a7c2b6df9f8675-MAD, alt-svc: h3=":443"; ma=86400, } Data: [Cloudflare "502: Bad gateway" HTML error page for owncloud.mydomain.net (Ray ID 86a7c2b6df9f8675, 2024-03-26 14:16:48 UTC; Browser: Working, Cloudflare: Working, Host owncloud.mydomain.net: Error); HTML body omitted]"
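The following script is an added example, not code from the ocis or desktop client projects. It reproduces the diagnosis from this comment offline and can also be run against a live deployment: it validates what `.well-known/openid-configuration` on the ocis URL returns against OCIS_OIDC_ISSUER, and shows that a 502 or non-JSON answer sends the client straight to the oc10-style fallback URL rhafer pointed to. The discovery document and 502 body are constructed samples; the hostnames, the `fetch_discovery` helper and the list of required keys are assumptions.

```python
"""Check OIDC discovery on the ocis URL the desktop client was set up with.

Added example, not part of ocis or the desktop client. Sample responses are
constructed; hostnames mirror the thread but are placeholders.
"""
import json
import sys
import urllib.error
import urllib.request

WELL_KNOWN = "/.well-known/openid-configuration"
# oc10-style endpoint the client falls back to when discovery fails
# (see the oauth.cpp reference in the thread).
OC10_FALLBACK = "/index.php/apps/oauth2/authorize"
# Keys the client needs for the authorization-code flow (assumption).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint")


def parse_discovery(status, body):
    """Return the discovery document, or None if the response is unusable."""
    if status != 200:
        return None
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None  # e.g. an HTML error page from the reverse proxy
    return doc if isinstance(doc, dict) and doc else None


def validate_discovery(status, body, expected_issuer):
    """Return (ok, reason) for a GET <ocis-url>/.well-known/openid-configuration."""
    doc = parse_discovery(status, body)
    if doc is None:
        return False, f"HTTP {status} or non-JSON/empty body: discovery not reachable"
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        return False, "missing keys: " + ", ".join(missing)
    issuer = expected_issuer.rstrip("/")
    if doc["issuer"].rstrip("/") != issuer:
        return False, f"issuer {doc['issuer']} does not match OCIS_OIDC_ISSUER {issuer}"
    if not doc["authorization_endpoint"].startswith(issuer):
        return False, "authorization_endpoint is not under the expected issuer"
    return True, "ok"


def resolve_authorize_url(server_url, status, body):
    """Where the client will send the user: discovered endpoint or oc10 fallback."""
    doc = parse_discovery(status, body)
    if doc and doc.get("authorization_endpoint"):
        return doc["authorization_endpoint"]
    return server_url.rstrip("/") + OC10_FALLBACK


def fetch_discovery(server_url, timeout=10):
    """Live check against a real deployment (needs network; not used by the samples)."""
    req = urllib.request.Request(server_url.rstrip("/") + WELL_KNOWN,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed samples: a healthy rewrite of Keycloak's document, and a
# Cloudflare-style 502 page like the one in the client log above.
ISSUER = "https://keycloak.mydomain.net/realms/oCIS"
GOOD_BODY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
})
BAD_GATEWAY_BODY = "<!DOCTYPE html><html><head><title>502: Bad gateway</title></head></html>"

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "https://owncloud.mydomain.net"
    issuer = sys.argv[2] if len(sys.argv) > 2 else ISSUER
    status, body = fetch_discovery(server)
    ok, reason = validate_discovery(status, body, issuer)
    print("discovery:", reason)
    print("client would authorize at:", resolve_authorize_url(server, status, body))
```

Run it as `python check_discovery.py https://owncloud.mydomain.net https://keycloak.mydomain.net/realms/oCIS`; a healthy rewrite prints the Keycloak authorization endpoint, while a 502 from the proxy prints the index.php/apps/oauth2/authorize URL from the top post.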
another logfile from client
ownCloud.log (attached)
I am using two sync accounts, one for OC 10, the other for OCIS, with separate local directories. Both are connected to a keycloak IDP and use the same user in the realm. The re-login of an already created OCIS account after the restart of the client fails completely. It's only possible to create a new OCIS account in the client and login one time then.
for reference, here is the well-known json from my IDP, https://login.netzwissen.de/realms/netzwissen/.well-known/openid-configuration
[new-request.json](https://github.com/user-attachments/files/15935612/new-request.json)
The issue seems to be that the .well-known endpoint on the ocis domain was not reachable or returned an empty data set.
ok, is that an OCIS bug or desktop app bug? Or mis-config on my side? I see no config settings for the .well-known endpoint, except the boolean for the rewrite ... My *.env:
# basic setup for reverse proxy
OCIS_URL=https://ocis.netzwissen.de
PROXY_HTTP_ADDR=0.0.0.0:9200
PROXY_TLS=false
OCIS_INSECURE=false
OCIS_CONFIG_DIR=/etc/ocis
OCIS_BASE_DATA_PATH=/mnt/data/ocis
OCIS_LOG_LEVEL=debug
OCIS_LOG_FILE=/var/log/ocis/ocis.log
# idp setup keycloak
OCIS_EXCLUDE_RUN_SERVICES=idp
OCIS_OIDC_ISSUER=https://login.netzwissen.de/realms/netzwissen
WEB_OIDC_CLIENT_ID=ocis-web
PROXY_AUTOPROVISION_ACCOUNTS=true
PROXY_OIDC_REWRITE_WELLKNOWN=true
can we do anything else to help solving this issue? Anything for testing? I could activate a second OCIS instance at ocisd.netzwissen.de for testing ...
I need to understand your setup better.
I know, that these things do not happen with https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_keycloak
The challenge is, that it is not that easy to "show me your keycloak" configuration.
- Each client is configurable on its own, which increases the complexity (see our client json examples)
- You are doing autoprovisioning
- oCIS reads OIDC claims from the user during login and creates the user in the internal LDAP. You need to be sure that the user can always be mapped from OIDC to the internal user.
- you need to make sure that the desktop client has offline_access in the scopes to obtain a refresh token. The refresh token is needed after the restart of your desktop
These are the configs on ocis master and 6.0.0 Rolling to control the auto provisioning mapping.
| Name | Type | Default | Description |
|---|---|---|---|
| PROXY_AUTOPROVISION_ACCOUNTS | bool | false | Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this, a write-enabled libregraph user backend needs to be set up and running. |
| PROXY_AUTOPROVISION_CLAIM_USERNAME | string | preferred_username | The name of the OIDC claim that holds the username. |
| PROXY_AUTOPROVISION_CLAIM_EMAIL | string | | The name of the OIDC claim that holds the email. |
| PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME | string | name | The name of the OIDC claim that holds the display name. |
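As an added example (not ocis code), the script below checks an IdP token response against the two points in this comment: the claims named by PROXY_AUTOPROVISION_CLAIM_* must be present so ocis can map the login to an internal user, and the granted scope must contain offline_access with a refresh_token in the response, otherwise the client has nothing to re-login with after a restart. The token response and its ID token are constructed samples; the ID token is unsigned (alg "none") only to build the sample, the email claim default is an assumption, and a real check must verify the token signature against the IdP's JWKS before trusting any claim.

```python
"""Sanity-check an IdP token response for ocis auto-provisioning and re-login.

Added example, not ocis code. The ID token built here is unsigned (alg "none")
purely to construct a sample; never accept such a token in production.
"""
import base64
import json

# Defaults from the PROXY_AUTOPROVISION_CLAIM_* table; "email" is an assumption.
DEFAULT_CLAIM_MAPPING = {
    "username": "preferred_username",
    "email": "email",
    "displayname": "name",
}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def read_claims_unverified(id_token):
    """Payload of a compact JWS; the signature is deliberately NOT checked (diagnostic only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def map_user(claims, mapping=None):
    """Apply the auto-provisioning mapping; return (user_attrs, missing_claims)."""
    mapping = mapping or DEFAULT_CLAIM_MAPPING
    user, missing = {}, []
    for attr, claim in mapping.items():
        value = claims.get(claim)
        if value:
            user[attr] = value
        else:
            missing.append(claim)
    return user, missing


def refresh_problems(token_response):
    """Reasons a re-login after a client restart would fail, if any."""
    problems = []
    if "offline_access" not in token_response.get("scope", "").split():
        problems.append("offline_access not in granted scope")
    if not token_response.get("refresh_token"):
        problems.append("no refresh_token in token response")
    return problems


def diagnose(token_response, mapping=None):
    """Combine the claim mapping and refresh-token checks into one report."""
    claims = read_claims_unverified(token_response["id_token"])
    user, missing = map_user(claims, mapping)
    return {"user": user, "missing_claims": missing,
            "refresh_problems": refresh_problems(token_response)}


def make_unsigned_id_token(claims):
    """Construct an alg=none token for the samples below (never accept these)."""
    return _b64url_encode({"alg": "none", "typ": "JWT"}) + "." + _b64url_encode(claims) + "."


# Constructed sample: what a correctly configured Keycloak client returns.
SAMPLE_CLAIMS = {
    "iss": "https://login.example.net/realms/example",
    "sub": "constructed-subject-id",
    "preferred_username": "alice",
    "email": "alice@example.net",
    "name": "Alice Example",
}
GOOD_RESPONSE = {
    "token_type": "Bearer",
    "scope": "openid profile email offline_access",
    "access_token": "constructed-access-token",
    "refresh_token": "constructed-refresh-token",
    "id_token": make_unsigned_id_token(SAMPLE_CLAIMS),
}
# Same login without offline_access: no refresh token, so re-login fails.
NO_OFFLINE_RESPONSE = dict(GOOD_RESPONSE, scope="openid profile email")
del NO_OFFLINE_RESPONSE["refresh_token"]

if __name__ == "__main__":
    for name, resp in (("good", GOOD_RESPONSE), ("no offline_access", NO_OFFLINE_RESPONSE)):
        print(name, json.dumps(diagnose(resp), indent=2))
```

To use it on a real deployment, feed `diagnose()` the JSON the client receives from Keycloak's token endpoint (the new-request.json attached above is the kind of capture to start from) and pass a mapping that matches your PROXY_AUTOPROVISION_CLAIM_* settings.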
Hi @micbar , thanks for the insights, I will check my own config, and try to modify if necessary. My idea behind the auto provision feature: I wanted that users already existing on the IDP and the old OC10 can seamlessly login into the OCIS instance. And then -in a second step- just move (or copy) their sync data to the new OCIS sync directory on their device.
"offline_access" is a good point. I updated to keycloak 25 just recently and played with the persistent user sessions https://www.keycloak.org/2024/06/keycloak-2500-released Maybe I have a mistake in the configuration there ...
I changed the client scope in keycloak 25. In the default configuration, the offline_access scope is optional, now it is "default". Hope that helps ...
unfortunately no change. The first OIDC login of the desktop sync client is successful, but the re-login still fails. I am a bit lost ...