[BUG] Unable to authenticate using OpenID Connect

[zSafe1]

Unable to authenticate using OpenID Connect (Authelia)

Steps to reproduce

1. Enter a custom domain
2. Click Continue
3. A safari window opens and closes again

Client

iOS version: 16.5

ownCloud app version: 12

Device model: iPhone 13

Server configuration

Setup: nginx-proxy-manager - Authelia - OwnCloud Infinity Scale

Web server: nginx proxy manager with Authelia (OpenID Connect)

ownCloud version: Docker Latest (DIGEST: a98a962d4ab8)

Webinterface:

Logging in via the web interface works without any issues. (I must note that authentication was only possible after adding the "allowed_origins:" parameter to authelia (perhaps only an issue when using nginx proxy manager).

Mac Desktop App:

When I log in via the Mac desktop app, I am redirected to the following page in Safari after successfully logging in: https://127.0.0.1:60527/?code=authelia_ac_*************&scope=openid+offline_access+email+profile&state=*********. Only when I change https to http in the URL does the Mac desktop app open and the login works.

iOS App:

After I add the domain (https://ocis.example-domain.at), the app informs me that the ssl certificate is fine. Whenever I click on Continue, a safari window opens and closes again.

CONFIG

Nginx-Proxy-Manager

Custom Nginx Configuration for Authelia:

location / {
   include /snippets/proxy.conf;
   if ($args ~* (.*)(&prompt=select_account%20consent)(.*)) {
   set $args $1$3;
   rewrite ^(.*)$ $1;
   }
   proxy_pass $forward_scheme://$server:$port;
}

Authelia

configuration.yml:

[...]
identity_providers:
  oidc:
    access_token_lifespan: 1w
    authorize_code_lifespan: 1m
    id_token_lifespan: 10h
    refresh_token_lifespan: 1M
    enable_client_debug_messages: true
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        - userinfo
      allowed_origins:
        - https://example-domain.at
        - https://ocis.example-domain.at
        - https://auth.example-domain.at
      allowed_origins_from_client_redirect_uris: true
    clients:
      - id: NZFZ8otaaNcO01Ezworq8suOKl72yJnaxACCDpoj
        description: ownCloud web client
        public: true
        consent_mode: implicit
        redirect_uris:
          - https://ocis.example-domain.at/
          - https://ocis.example-domain.at/oidc-callback.html
          - https://ocis.example-domain.at/oidc-silent-redirect.html
      - id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
        description: ownCloud desktop client
        secret: 'UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh'
        consent_mode: implicit
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - http://127.0.0.1
        grant_types:
          - refresh_token
          - authorization_code
        userinfo_signing_algorithm: none
      - id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
        description: ownCloud Android app
        secret: 'dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD'
        consent_mode: implicit
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - oc://android.owncloud.com
      - id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
        description: ownCloud iOS app
        secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
        consent_mode: implicit
        scopes:
          - openid
          - profile
          - email
          - offline_access
          - groups
        redirect_uris:
          - oc://ios.owncloud.com
          - oc.ios://ios.owncloud.com
        userinfo_signing_algorithm: none

OwnCloud Infinity Scale

container-vars.env:

DEMO_USERS=false                                  # do not create demo users
PROXY_TLS=false                                   # use the HTTP server instead of the HTTPS server.
OCIS_INSECURE=true                                # generate self-signed certificates
OCIS_URL=https://ocis.example-domain.at                 # replace with your domain
PROXY_HTTP_ADDR=0.0.0.0:9200                      # listen on all available interfaces

OCIS_LOG_LEVEL=info
OCIS_LOG_COLOR=true
OCIS_LOG_PRETTY=true

OCIS_OIDC_ISSUER=https://auth.example-domain.at
WEB_OIDC_CLIENT_ID=NZFZ8otaaNcO01Ezworq8suOKl72yJnaxACCDpoj
PROXY_OIDC_REWRITE_WELLKNOWN=true

PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none

Logs

ownCloud iOS App log

2023-06-13 23:16:27.004000+0200 ownCloud[54277:5010774] [info] | [LogIntro] Starting logging to /Users/user/Library/GroupContainersAlias/group.com.owncloud.ios-app/logs/com.owncloud.ios-app.log [OCLogFileWriter.m:104|FULL]
2023-06-13 23:16:27.004000+0200 ownCloud[54277:5010774] [info] | [LogIntro] Host: com.owncloud.ios-app 12.0 (267) #v12.0-appstore.2 - milestone/12.0@5730d91f; SDK: 12.0 (267) #57d2c06; OS: iPadOS 16.5; Device: iPad (iPad8,6); Localizations: [de]; Class Setttings: action.allowed: default: `( )` -> computed: `( )`\naction.create-document-mode: reg-default: `create-and-open` -> computed: `create-and-open`\naction.disallowed: default: `( )` -> computed: `( )`\nhttp.user-agent: default: `ownCloudApp/{{app.version}} ({{app.part}}/{{app.build}}; {{os.name}}/{{os.version}}; {{device.model}})` -> computed: `ownCloudApp/{{app.version}} ({{app.part}}/{{app.build}}; {{os.name}}/{{os.version}}; {{device.model}})`\ncore.thumbnail-available-for-mime-type-prefixes: default: `(     "*" )` -> computed: `(     "*" )`\ncore.cookie-support-enabled: default: `1` -> computed: `1`\nauthentication.browser-session-class: default: `operating-system` -> computed: `operating-system`\nauthentication.browser-session-prefers-ephermal: default: `0` -> computed: `0`\nlog.format: default: `text` -> computed: `text`\nlog.single-lined: default: `0` -> computed: `0`\nlog.privacy-mask: default: `0` -> computed: `0`\nlog.colored: default: `0` -> computed: `0`\nlog.level: default: `4` -> user-prefs: `0` -> computed: `0`\nlog.maximum-message-size: default: `0` -> computed: `0`\nlog.replace-newline: default: `1` -> computed: `1`\nlog.enabled-components: default: `(     "writer.stderr",     "writer.file" )` -> computed: `(     "writer.stderr",     "writer.file" )`\nlog.blank-filtered-messages: default: `0` -> computed: `0`\nlog.synchronous: default: `0` -> computed: `0`\nbranding.enable-review-prompt: reg-default: `0` -> computed: `0`\nbranding.url-privacy: reg-default: `https://owncloud.org/privacy-policy/` -> computed: `https://owncloud.org/privacy-policy/`\nbranding.send-feedback-address: reg-default: `ios-app@owncloud.com` -> computed: `ios-app@owncloud.com`\nbranding.can-add-account: reg-default: `1` -> computed: `1`\nbranding.url-help: reg-default: `https://owncloud.com/docs-guides/` -> computed: `https://owncloud.com/docs-guides/`\nbranding.can-edit-account: reg-default: `1` -> computed: `1`\nbranding.url-documentation: reg-default: `https://doc.owncloud.com/ios-app/latest/` -> computed: `https://doc.owncloud.com/ios-app/latest/`\nbranding.url-terms-of-use: reg-default: `https://raw.githubusercontent.com/owncloud/ios-app/master/LICENSE` -> computed: `https://raw.githubusercontent.com/owncloud/ios-app/master/LICENSE`\nextensions.disallowed: default: `( )` -> computed: `( )`\nconnection.force-background-url-sessions: default: `0` -> computed: `0`\nconnection.minimum-server-version: default: `10.0` -> computed: `10.0`\nconnection.allow-cellular: default: `1` -> computed: `1`\nconnection.preferred-authentication-methods: default: `(     "com.owncloud.openid-connect",     "com.owncloud.oauth2",     "com.owncloud.basicauth" )` -> computed: `(     "com.owncloud.openid-connect",     "com.owncloud.oauth2",     "com.owncloud.basicauth" )`\nconnection.allow-background-url-sessions: default: `1` -> computed: `1`\nconnection.plain-http-policy: default: `warn` -> computed: `warn`\nconnection.always-request-private-link: default: `0` -> computed: `0`\nconnection.transparent-temporary-redirect: default: `0` -> computed: `0`\n; Log options: level=Debug, destinations=["writer.stderr", "writer.file"], options=["option.log-requests-and-responses"], maskPrivateData=false [OCLogFileWriter.m:105|FULL]
2023-06-13 23:16:27.004000+0200 ownCloud[54277:5010774] [dbug] | [IPNC] Posting notification 'org.owncloud.log_records_remote_change' (ignoreSelf=1) [OCIPNotificationCenter.m:228|FULL]
2023-06-13 23:16:27.006000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Received notification 'org.owncloud.log_records_remote_change' [OCIPNotificationCenter.m:169|FULL]
2023-06-13 23:16:28.680000+0200 ownCloud[54277.4975929] [dbug] | [Keychain, Read] No item found for FBCC3C1F-D7E2-4834-BBC9-70744E451E70:authenticationData [OCKeychain.m:97|FULL]
2023-06-13 23:16:28.675000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Adding observer=<OCBookmark: 0x14a168680, uuid: FBCC3C1F-D7E2-4834-BBC9-70744E451E70, databaseVersion: 2, userInfo: {\n    "bookmark-creation" =     {\n        "app-build-number" = 267;\n        "app-version" = "12.0";\n        "creation-date" = "2023-06-13 21:16:28 +0000";\n        "log-intro" = "Host: com.owncloud.ios-app 12.0 (267) #v12.0-appstore.2 - milestone/12.0@5730d91f; SDK: 12.0 (267) #57d2c06; OS: iPadOS 16.5; Device: iPad (iPad8,6); Localizations: [de]; Class Setttings: action.allowed: default: `( )` -> computed: `( )`\naction.create-document-mode: reg-default: `create-and-open` -> computed: `create-and-open`\naction.disallowed: default: `( )` -> computed: `( )`\nhttp.user-agent: default: `ownCloudApp/{{app.version}} ({{app.part}}/{{app.build}}; {{os.name}}/{{os.version}}; {{device.model}})` -> computed: `ownCloudApp/{{app.version}} ({{app.part}}/{{app.build}}; {{os.name}}/{{os.version}}; {{device.model}})`\ncore.thumbnail-available-for-mime-type-prefixes: default: `(     \"*\" )` -> computed: `(     \"*\" )`\ncore.cookie-support-enabled: default: `1` -> computed: `1`\nauthentication.browser-session-class: default: `operating-system` -> computed: `operating-system`\nauthentication.browser-session-prefers-ephermal: default: `0` -> computed: `0`\nlog.format: default: `text` -> computed: `text`\nlog.single-lined: default: `0` -> computed: `0`\nlog.privacy-mask: default: `0` -> computed: `0`\nlog.colored: default: `0` -> computed: `0`\nlog.level: default: `4` -> user-prefs: `0` -> computed: `0`\nlog.maximum-message-size: default: `0` -> computed: `0`\nlog.replace-newline: default: `1` -> computed: `1`\nlog.enabled-components: default: `(     \"writer.stderr\",     \"writer.file\" )` -> computed: `(     \"writer.stderr\",     \"writer.file\" )`\nlog.blank-filtered-messages: default: `0` -> computed: `0`\nlog.synchronous: default: `0` -> computed: `0`\nbranding.enable-review-prompt: reg-default: `0` -> computed: `0`\nbranding.url-privacy: reg-default: `https://owncloud.org/privacy-policy/` -> computed: `https://owncloud.org/privacy-policy/`\nbranding.send-feedback-address: reg-default: `ios-app@owncloud.com` -> computed: `ios-app@owncloud.com`\nbranding.can-add-account: reg-default: `1` -> computed: `1`\nbranding.url-help: reg-default: `https://owncloud.com/docs-guides/` -> computed: `https://owncloud.com/docs-guides/`\nbranding.can-edit-account: reg-default: `1` -> computed: `1`\nbranding.url-documentation: reg-default: `https://doc.owncloud.com/ios-app/latest/` -> computed: `https://doc.owncloud.com/ios-app/latest/`\nbranding.url-terms-of-use: reg-default: `https://raw.githubusercontent.com/owncloud/ios-app/master/LICENSE` -> computed: `https://raw.githubusercontent.com/owncloud/ios-app/master/LICENSE`\nextensions.disallowed: default: `( )` -> computed: `( )`\nconnection.force-background-url-sessions: default: `0` -> computed: `0`\nconnection.minimum-server-version: default: `10.0` -> computed: `10.0`\nconnection.allow-cellular: default: `1` -> computed: `1`\nconnection.preferred-authentication-methods: default: `(     \"com.owncloud.openid-connect\",     \"com.owncloud.oauth2\",     \"com.owncloud.basicauth\" )` -> computed: `(     \"com.owncloud.openid-connect\",     \"com.owncloud.oauth2\",     \"com.owncloud.basicauth\" )`\nconnection.allow-background-url-sessions: default: `1` -> computed: `1`\nconnection.plain-http-policy: default: `warn` -> computed: `warn`\nconnection.always-request-private-link: default: `0` -> computed: `0`\nconnection.transparent-temporary-redirect: default: `0` -> computed: `0`\n; Log options: level=Debug, destinations=[\"writer.stderr\", \"writer.file\"], options=[\"option.log-requests-and-responses\"], maskPrivateData=false";\n        "sdk-commit" = 57d2c06;\n        "sdk-version" = "12.0 (267) #57d2c06";\n    };\n}> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:99|FULL]
2023-06-13 23:16:28.681000+0200 ownCloud[54277.4975929] [dbug] | [Keychain, Read] No item found for FBCC3C1F-D7E2-4834-BBC9-70744E451E70:authenticationData [OCKeychain.m:97|FULL]
2023-06-13 23:16:28.685000+0200 ownCloud[54277.4975929] [info] | [OS] -canOpenURL: failed for URL: "org-appextension-feature-password-management://" - error: "Der Vorgang konnte nicht abgeschlossen werden. (OSStatus-Fehler -10814.)" [NSLog:0|FULL]
2023-06-13 23:16:30.525000+0200 ownCloud[54277:5009514] [dbug] | [CONN] Retrieved ephermal pipeline <OCHTTPPipeline: 0x14c1eb600> with error=(null) [OCConnection.m:488|FULL]
2023-06-13 23:16:30.525000+0200 ownCloud[54277:5009514] [dbug] | [CONN] Retrieved local pipeline <OCHTTPPipeline: 0x14802d140> with error=(null) [OCConnection.m:493|FULL]
2023-06-13 23:16:30.525000+0200 ownCloud[54277:5009514] [dbug] | [CONN] Retrieved longlived pipeline <OCHTTPPipeline: 0x14819c560> with error=(null) [OCConnection.m:500|FULL]
2023-06-13 23:16:30.526000+0200 ownCloud[54277.4975929] [dbug] | [APP] Created cookie storage Optional(<OCHTTPCookieStorage: 0x148422050>) [BookmarkViewController.swift:88|FULL]
2023-06-13 23:16:30.534000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] -> GET https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/ [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Request, GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14, HTSum] [OCHTTPPipeline.m:1182|FULL]
2023-06-13 23:16:30.534000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Request, …] Sending request:\n# REQUEST ---------------------------------------------------------\nURL:         https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGET /.well-known/webfinger HTTP/1.1\nHost: ocis.example-domain.at\n[Redirect Policy: handle locally]\nOriginal-Request-ID: 27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE\nX-Request-ID: 27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE\nUser-Agent: ownCloudApp/12.0 (App/267; iPadOS/16.5; iPad)\n----------------------------------------------------------------- [… GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14] [OCHTTPPipeline.m:1183|FULL]
2023-06-13 23:16:30.578000+0200 ownCloud[54277:5010933] [dbug] | [HTTP, Local, …] Task [taskIdentifier=<14>, xRequestID=27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, method=GET, url=https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/] didFinishCollectingMetrics: { total: [2023-06-13 21:16:30 +0000 - 2023-06-13 21:16:30 +0000, 0.04 sec], startedAfter: 0.00, redirects: 0, transactions: [1: fetchStart: 0.00, request: 0.03..0.03 (0.00), cloud: 0.03..0.04 (0.01), response: 0.04..0.04 (0.00)] } [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Metrics, GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14] [OCHTTPPipeline.m:2047|FULL]
2023-06-13 23:16:30.579000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] <- 200 OK (GET https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/) [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Response, GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14, HTSum] [OCHTTPPipeline.m:1305|FULL]
2023-06-13 23:16:30.579000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Response, …] Received response:\n# RESPONSE --------------------------------------------------------\nMethod:      GET\nURL:         https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/\nRequest-ID:  27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n200 NO ERROR\nContent-Type: application/json; charset=utf-8\nLast-Modified: Tue, 13 Jun 2023 21:16:30 GMT\ncontent-security-policy: frame-ancestors 'none'\nServer: openresty\nx--version: 016af6916\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\nCache-Control: no-cache, no-store, max-age=0, must-revalidate, value\nDate: Tue, 13 Jun 2023 21:16:30 GMT\nContent-Length: 137\nx-content-type-options: nosniff\nx-frame-options: DENY\nVary: Origin\n\n{"subject":"https://ocis.example-domain.at/","links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://auth.example-domain.at"}]}\n\n----------------------------------------------------------------- [… GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14] [OCHTTPPipeline.m:1306|FULL]
2023-06-13 23:16:30.594000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] -> GET https://auth.example-domain.at/.well-known/openid-configuration [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Request, GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15, HTSum] [OCHTTPPipeline.m:1182|FULL]
2023-06-13 23:16:30.594000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Request, …] Sending request:\n# REQUEST ---------------------------------------------------------\nURL:         https://auth.example-domain.at/.well-known/openid-configuration\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGET /.well-known/openid-configuration HTTP/1.1\nHost: auth.example-domain.at\n[Redirect Policy: handle locally]\nUser-Agent: ownCloudApp/12.0 (App/267; iPadOS/16.5; iPad)\nX-Request-ID: 174FAF45-1286-42F5-B493-07C4809A368B\nOriginal-Request-ID: 174FAF45-1286-42F5-B493-07C4809A368B\nReferer: https://ocis.example-domain.at/\n----------------------------------------------------------------- [… GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15] [OCHTTPPipeline.m:1183|FULL]
2023-06-13 23:16:30.603000+0200 ownCloud[54277:5010933] [dbug] | [HTTP, Local, …] Task [taskIdentifier=<15>, xRequestID=174FAF45-1286-42F5-B493-07C4809A368B, method=GET, url=https://auth.example-domain.at/.well-known/openid-configuration] didFinishCollectingMetrics: { total: [2023-06-13 21:16:30 +0000 - 2023-06-13 21:16:30 +0000, 0.01 sec], startedAfter: 0.00, redirects: 0, transactions: [1: fetchStart: 0.00, request: 0.00..0.00 (0.00), cloud: 0.00..0.01 (0.01), response: 0.01..0.01 (0.00)] } [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Metrics, GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15] [OCHTTPPipeline.m:2047|FULL]
2023-06-13 23:16:30.604000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] <- 200 OK (GET https://auth.example-domain.at/.well-known/openid-configuration) [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Response, GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15, HTSum] [OCHTTPPipeline.m:1305|FULL]
2023-06-13 23:16:30.604000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Response, …] Received response:\n# RESPONSE --------------------------------------------------------\nMethod:      GET\nURL:         https://auth.example-domain.at/.well-known/openid-configuration\nRequest-ID:  174FAF45-1286-42F5-B493-07C4809A368B\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n200 NO ERROR\nContent-Type: application/json; charset=utf-8\nPragma: no-cache\ncontent-security-policy: default-src 'none';\nx-xss-protection: 1; mode=block\nServer: openresty\nreferrer-policy: strict-origin-when-cross-origin\npermissions-policy: interest-cohort=()\nDate: Tue, 13 Jun 2023 21:16:30 GMT\nCache-Control: no-store\nContent-Length: 1453\nx-content-type-options: nosniff\nx-frame-options: SAMEORIGIN\nVary: Accept-Encoding\n\n{"issuer":"https://auth.example-domain.at","jwks_uri":"https://auth.example-domain.at/jwks.json","authorization_endpoint":"https://auth.example-domain.at/api/oidc/authorization","token_endpoint":"https://auth.example-domain.at/api/oidc/token","subject_types_supported":["public"],"response_types_supported":["code","token","id_token","code token","code id_token","token id_token","code token id_token","none"],"response_modes_supported":["form_post","query","fragment"],"scopes_supported":["offline_access","openid","profile","groups","email"],"claims_supported":["amr","aud","azp","client_id","exp","iat","iss","jti","rat","sub","auth_time","nonce","email","email_verified","alt_emails","groups","preferred_username","name"],"introspection_endpoint":"https://auth.example-domain.at/api/oidc/introspection","revocation_endpoint":"https://auth.example-domain.at/api/oidc/revocation","code_challenge_methods_supported":["S256"],"require_pushed_authorization_requests":false,"userinfo_endpoint":"https://auth.example-domain.at/api/oidc/userinfo","id_token_signing_alg_values_supported":["RS256"],"userinfo_signing_alg_values_supported":["none","RS256"],"request_object_signing_alg_values_supported":["none","RS256"],"request_uri_parameter_supported":false,"require_request_uri_registration":false,"claims_parameter_supported":false,"frontchannel_logout_supported":false,"frontchannel_logout_session_supported":false,"backchannel_logout_supported":false,"backchannel_logout_session_supported":false}\n----------------------------------------------------------------- [… GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15] [OCHTTPPipeline.m:1306|FULL]
2023-06-13 23:16:32.676000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Adding observer=<OCAuthenticationMethodOpenIDConnect: 0x14a70e670> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:99|FULL]
2023-06-13 23:16:32.676000+0200 ownCloud[54277:5010774] [dbug] | [CONN] Retrieved ephermal pipeline <OCHTTPPipeline: 0x14c1eb600> with error=(null) [OCConnection.m:488|FULL]
2023-06-13 23:16:32.676000+0200 ownCloud[54277:5010774] [dbug] | [CONN] Retrieved local pipeline <OCHTTPPipeline: 0x14802d140> with error=(null) [OCConnection.m:493|FULL]
2023-06-13 23:16:32.676000+0200 ownCloud[54277:5010774] [dbug] | [CONN] Retrieved longlived pipeline <OCHTTPPipeline: 0x14819c560> with error=(null) [OCConnection.m:500|FULL]
2023-06-13 23:16:32.678000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Adding observer=<OCAuthenticationMethodOpenIDConnect: 0x148428230> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:99|FULL]
2023-06-13 23:16:32.678000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Removing observer=<OCAuthenticationMethodOpenIDConnect: 0x14a70e670> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:125|FULL]
2023-06-13 23:16:32.679000+0200 ownCloud[54277:4975984] [WARN] | [HTTP, Local, …] Attempt to attach a handler (<OCConnection: 0x14a75a100>) for partition FBCC3C1F-D7E2-4834-BBC9-70744E451E70 for which one is already attached (<OCConnection: 0x14a15eb50>). Detaching previous one. [… PipelineID:default, Instance:0x14802d140] [OCHTTPPipeline.m:1587|FULL]
2023-06-13 23:16:32.680000+0200 ownCloud[54277:4975984] [WARN] | [HTTP, Local, …] Attempt to attach a handler (<OCConnection: 0x14a75a100>) for partition FBCC3C1F-D7E2-4834-BBC9-70744E451E70 for which one is already attached (<OCConnection: 0x14a15eb50>). Detaching previous one. [… PipelineID:ephermal, Instance:0x14c1eb600] [OCHTTPPipeline.m:1587|FULL]
2023-06-13 23:16:32.680000+0200 ownCloud[54277:4975984] [WARN] | [HTTP, Background, …] Attempt to attach a handler (<OCConnection: 0x14a75a100>) for partition FBCC3C1F-D7E2-4834-BBC9-70744E451E70 for which one is already attached (<OCConnection: 0x14a15eb50>). Detaching previous one. [… PipelineID:background, Instance:0x14819c560, URLSessionID:background;com.owncloud.ios-app] [OCHTTPPipeline.m:1587|FULL]
2023-06-13 23:16:32.682000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] -> GET https://auth.example-domain.at/.well-known/openid-configuration [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Request, GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16, HTSum] [OCHTTPPipeline.m:1182|FULL]
2023-06-13 23:16:32.682000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Request, …] Sending request:\n# REQUEST ---------------------------------------------------------\nURL:         https://auth.example-domain.at/.well-known/openid-configuration\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGET /.well-known/openid-configuration HTTP/1.1\nHost: auth.example-domain.at\n[Redirect Policy: handle locally]\nUser-Agent: ownCloudApp/12.0 (App/267; iPadOS/16.5; iPad)\nX-Request-ID: 5BE31C67-EDAD-4EEF-B599-53DEA22AE790\nOriginal-Request-ID: 5BE31C67-EDAD-4EEF-B599-53DEA22AE790\nReferer: https://ocis.example-domain.at/\n----------------------------------------------------------------- [… GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16] [OCHTTPPipeline.m:1183|FULL]
2023-06-13 23:16:32.700000+0200 ownCloud[54277:5009514] [dbug] | [HTTP, Local, …] Task [taskIdentifier=<16>, xRequestID=5BE31C67-EDAD-4EEF-B599-53DEA22AE790, method=GET, url=https://auth.example-domain.at/.well-known/openid-configuration] didFinishCollectingMetrics: { total: [2023-06-13 21:16:32 +0000 - 2023-06-13 21:16:32 +0000, 0.02 sec], startedAfter: 0.00, redirects: 0, transactions: [1: fetchStart: 0.00, request: 0.00..0.00 (0.00), cloud: 0.00..0.02 (0.02), response: 0.02..0.02 (0.00)] } [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Metrics, GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16] [OCHTTPPipeline.m:2047|FULL]
2023-06-13 23:16:32.701000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] <- 200 OK (GET https://auth.example-domain.at/.well-known/openid-configuration) [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Response, GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16, HTSum] [OCHTTPPipeline.m:1305|FULL]
2023-06-13 23:16:32.701000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Response, …] Received response:\n# RESPONSE --------------------------------------------------------\nMethod:      GET\nURL:         https://auth.example-domain.at/.well-known/openid-configuration\nRequest-ID:  5BE31C67-EDAD-4EEF-B599-53DEA22AE790\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n200 NO ERROR\nContent-Type: application/json; charset=utf-8\nPragma: no-cache\ncontent-security-policy: default-src 'none';\nx-xss-protection: 1; mode=block\nServer: openresty\nreferrer-policy: strict-origin-when-cross-origin\npermissions-policy: interest-cohort=()\nDate: Tue, 13 Jun 2023 21:16:32 GMT\nCache-Control: no-store\nContent-Length: 1453\nx-content-type-options: nosniff\nx-frame-options: SAMEORIGIN\nVary: Accept-Encoding\n\n{"issuer":"https://auth.example-domain.at","jwks_uri":"https://auth.example-domain.at/jwks.json","authorization_endpoint":"https://auth.example-domain.at/api/oidc/authorization","token_endpoint":"https://auth.example-domain.at/api/oidc/token","subject_types_supported":["public"],"response_types_supported":["code","token","id_token","code token","code id_token","token id_token","code token id_token","none"],"response_modes_supported":["form_post","query","fragment"],"scopes_supported":["offline_access","openid","profile","groups","email"],"claims_supported":["amr","aud","azp","client_id","exp","iat","iss","jti","rat","sub","auth_time","nonce","email","email_verified","alt_emails","groups","preferred_username","name"],"introspection_endpoint":"https://auth.example-domain.at/api/oidc/introspection","revocation_endpoint":"https://auth.example-domain.at/api/oidc/revocation","code_challenge_methods_supported":["S256"],"require_pushed_authorization_requests":false,"userinfo_endpoint":"https://auth.example-domain.at/api/oidc/userinfo","id_token_signing_alg_values_supported":["RS256"],"userinfo_signing_alg_values_supported":["none","RS256"],"request_object_signing_alg_values_supported":["none","RS256"],"request_uri_parameter_supported":false,"require_request_uri_registration":false,"claims_parameter_supported":false,"frontchannel_logout_supported":false,"frontchannel_logout_session_supported":false,"backchannel_logout_supported":false,"backchannel_logout_session_supported":false}\n----------------------------------------------------------------- [… GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16] [OCHTTPPipeline.m:1306|FULL]
2023-06-13 23:16:32.702000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Starting auth session with URL https://auth.example-domain.at/api/oidc/authorization?prompt=select_account%20consent&response_type=code&code_challenge_method=S256&code_challenge=RaKLK0_mwdt449NWu5Tgd-z-6sWZp_z0RKd9RRJDgjg&scope=openid%20offline_access%20email%20profile&redirect_uri=oc://ios.owncloud.com&client_id=mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1 [OCAuthenticationMethodOAuth2.m:464|FULL]
2023-06-13 23:16:32.726000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Started (1) auth session <ASWebAuthenticationSession: 0x13ee22dd0> [OCAuthenticationMethodOAuth2.m:470|FULL]
2023-06-13 23:16:36.583000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Received UIApplicationWillResignActiveNotification notification: flush auth secret [OCAuthenticationMethod.m:154|FULL]
2023-06-13 23:16:36.584000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Scheduling tasks in state background, location id: OCExtensionLocationIdentifier(_rawValue: appDidBecomeBackgrounded) [ScheduledTaskManager.swift:234|FULL]
2023-06-13 23:16:36.584000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Task extension match: OCExtensionIdentifier(_rawValue: com.owncloud.action.instant_media_upload) [ScheduledTaskManager.swift:242|FULL]
2023-06-13 23:16:36.584000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Scheduled 1 tasks [ScheduledTaskManager.swift:267|FULL]
2023-06-13 23:16:36.587000+0200 ownCloud[54277:5010933] [dbug] | [APP, INSTANT_MEDIA_UPLOAD] Task started [InstantMediaUploadTaskExtension.swift:38|FULL]
2023-06-13 23:16:36.587000+0200 ownCloud[54277:5010933] [dbug] | [APP, INSTANT_MEDIA_UPLOAD] Task finished [InstantMediaUploadTaskExtension.swift:71|FULL]
2023-06-13 23:16:36.587000+0200 ownCloud[54277:5010933] [dbug] | [APP, TASK_MANAGER] All tasks executed [ScheduledTaskManager.swift:289|FULL]
2023-06-13 23:16:36.599000+0200 ownCloud[54277.4975929] [dbug] | [BGMAN] Process moved to the background [OCBackgroundManager.m:125|FULL]
2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Auth session returned with callbackURL=oc://ios.owncloud.com?error=invalid_state&error_description=The+state+is+missing+or+does+not+have+enough+characters+and+is+therefore+considered+too+weak.+Request+parameter+%27state%27+must+be+at+least+be+8+characters+long+to+ensure+sufficient+entropy.&state=, error=(null) [OCAuthenticationMethodOAuth2.m:402|FULL]
2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Auth session concluded with error=Error Domain=OCError Code=3 "Authorization failed. (error 3)" (-[OCAuthenticationMethodOAuth2 generateBookmarkAuthenticationDataWithConnection:options:completionHandler:]_block_invoke [OCAuthenticationMethodOAuth2.m:436]) UserInfo={NSDebugDescription=-[OCAuthenticationMethodOAuth2 generateBookmarkAuthenticationDataWithConnection:options:completionHandler:]_block_invoke [OCAuthenticationMethodOAuth2.m:436], OCErrorDate=2023-06-13 21:16:36 +0000} [OCAuthenticationMethodOAuth2.m:453|FULL]
2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | [CONN, DEALLOC] connection deallocated [OCConnection.m:478|FULL]
2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Removing observer=<OCAuthenticationMethodOpenIDConnect: 0x148428230> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:125|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Scheduling tasks in state foreground, location id: OCExtensionLocationIdentifier(_rawValue: appDidComeToForeground) [ScheduledTaskManager.swift:234|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Task extension match: OCExtensionIdentifier(_rawValue: com.owncloud.action.instant_media_upload) [ScheduledTaskManager.swift:242|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Task extension match: OCExtensionIdentifier(_rawValue: com.owncloud.action.pending_media_upload) [ScheduledTaskManager.swift:242|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Scheduled 2 tasks [ScheduledTaskManager.swift:267|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277:5009243] [dbug] | [APP, REMAINING_MEDIA_UPLOAD] Preparing... [PendingMediaUploadTaskExtension.swift:31|FULL]
2023-06-13 23:16:36.969000+0200 ownCloud[54277:5009243] [dbug] | [APP, REMAINING_MEDIA_UPLOAD] No bookmark selected... [PendingMediaUploadTaskExtension.swift:35|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277:5010774] [dbug] | [APP, INSTANT_MEDIA_UPLOAD] Task started [InstantMediaUploadTaskExtension.swift:38|FULL]
2023-06-13 23:16:36.969000+0200 ownCloud[54277:5010774] [dbug] | [APP, INSTANT_MEDIA_UPLOAD] Task finished [InstantMediaUploadTaskExtension.swift:71|FULL]
2023-06-13 23:16:36.969000+0200 ownCloud[54277:5010774] [dbug] | [APP, TASK_MANAGER] All tasks executed [ScheduledTaskManager.swift:289|FULL]
2023-06-13 23:16:36.977000+0200 ownCloud[54277.4975929] [dbug] | [BGMAN] Process moved to the foreground [OCBackgroundManager.m:125|FULL]

[webzit]

1. state parameter is missing.

2. Authelia requires the state parameter by default per best security practice.

authelia/authelia#5566 (comment)

[michaelstingl]

2023-06-13 23:16:32.702000+0200 ownCloud[54277.4975929] [dbug] | 
[AUTH, Openid-Connect] Starting auth session with URL https://auth.example-domain.at/api/oidc/authorization?prompt=select_account%20consent&
response_type=code&
code_challenge_method=S256&
code_challenge=RaKLK0_mwdt449NWu5Tgd-z-6sWZp_z0RKd9RRJDgjg&
scope=openid%20offline_access%20email%20profile&
redirect_uri=oc://ios.owncloud.com&
client_id=mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1 [OCAuthenticationMethodOAuth2.m:464|FULL]

2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | 
[AUTH, Openid-Connect] Auth session returned with callbackURL=oc://ios.owncloud.com?error=invalid_state&
error_description=The+state+is+missing+or+does+not+have+enough+characters+and+is+therefore+considered+too+weak.+Request+parameter+%27state%27+must+be+at+least+be+8+characters+long+to+ensure+sufficient+entropy.&
state=, error=(null) [OCAuthenticationMethodOAuth2.m:402|FULL]

2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | 
[AUTH, Openid-Connect] Auth session concluded with error=Error Domain=OCError Code=3 "Authorization failed. (error 3)" (-[OCAuthenticationMethodOAuth2 generateBookmarkAuthenticationDataWithConnection:options:completionHandler:]_block_invoke [OCAuthenticationMethodOAuth2.m:436]) UserInfo={NSDebugDescription=-[OCAuthenticationMethodOAuth2 generateBookmarkAuthenticationDataWithConnection:options:completionHandler:]_block_invoke [OCAuthenticationMethodOAuth2.m:436], OCErrorDate=2023-06-13 21:16:36 +0000} [OCAuthenticationMethodOAuth2.m:453|FULL]

From:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-00#section-4.1.1.3

"state": OPTIONAL. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.

From @IljaN :

There is indeed a "security best practices" draft RFC which mandates a state parameter: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-protecting-redirect-based-f

[TheOneRing]

Here is how we generate the state in the desktop.
https://github.com/owncloud/client/blob/bc7eff287d93961eaef2cca8ca1d3964cb678bf5/src/libsync/creds/oauth.cpp#L260-L260

[michaelstingl]

Here is how we generate the state in the desktop.
https://github.com/owncloud/client/blob/bc7eff287d93961eaef2cca8ca1d3964cb678bf5/src/libsync/creds/oauth.cpp#L260-L260

@felix-schwarz @hosy add OIDC state for 12.1 ? (could be available in the public TestFlight very soon)

[felix-schwarz]

The iOS client already supports PKCE, which strikes me as a stronger mechanism than a state parameter.

The RFC on OAuth 2.0 best practices also recommends PKCE over state.

However, I have no objections to also add state. It should be a fairly straightforward change.

[michaelstingl]

It was also added to the Android app:

• include state parameter in oidc call to prevent CSRF android#3465
• add the state parameter to the oidc authentication request android#3466

[james-d-elliott]

While it's true that PKCE prevents most of the same attacks that and more than the nonce or state parameters, the state parameter also may prevent spoofing of a server error response, provided the relying party verifies it. PKCE can not prevent this specific type of spoofing in the current specification as it's not required to include the code_challenge in these responses (which would effectively achieve the same goal), and don't think there is any guidance on verifying it at this stage so practically zero implementation.

This gives the state parameter a unique place in the security measures implementers choose. It should also be noted we only require it by default.

[felix-schwarz]

Version 12.0.2 will support the state parameter.

[webzit]

Just to confirm: Authelia + Nginx Proxy Manager works fine with TestFlight build 269 (12.0.2)

Thank you - great work!

For others who use the same setup, I had to slightly change the config for authelia in nginx proxy manager

location / {
    include /snippets/proxy.conf;
        if ($args ~* (.*)(prompt=select_account%20consent&)(.*)) {
            set $args $1$3;
            rewrite ^(.*)$ $1;
        }
   proxy_pass $forward_scheme://$server:$port;
}