FR: Add support for CAS Apereo #294

Open
wixaw opened this issue Jun 12, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

wixaw commented Jun 12, 2023

Hello
ownCloud does not retrieve user attributes from the OIDC server, although this information is present in the token (see log).
We use CAS Apereo for OpenID Connect.
For information, on our GitLab instance we get all the attributes.

ownCloud config:

'openid-connect' =>
array (
  'provider-url' => 'https://sso.domain.fr/cas/oidc',
  'client-id' => 'oidc-cloudtest',
  'client-secret' => 'xxxx',
  'loginButtonName' => 'Login via Domain Connect',
  'auto-provision' =>
  array (
    'enabled' => true,
    'email-claim' => 'email',
    'update' =>
    array (
      'enabled' => true,
    ),
  ),
  'mode' => 'userid',
  'search-attribute' => 'sub',
),

ownCloud log:

{
  "reqId": "ZIblbqHnwAuBz@dXDiATQAAASg8",
  "level": 0,
  "time": "2023-06-12T11:29:18+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?redirect_url=%252Fsettings%252Fpersonal",
  "message": "Entering LoginFlowController::login"
}
{
  "reqId": "ZIblbqHnwAuBz@dXDiATQAAASg8",
  "level": 0,
  "time": "2023-06-12T11:29:18+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?redirect_url=%252Fsettings%252Fpersonal",
  "message": "Before openid->authenticate"
}
{
  "reqId": "ZIblbwLOUWd2nsxuuZq9dQAAFQA",
  "level": 0,
  "time": "2023-06-12T11:29:19+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "admin",
  "app": "OC\\User\\Session::validateToken",
  "method": "GET",
  "url": "\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json",
  "message": "token xxxxxxxxxx with token id 3945134 found, validating"
}
{
  "reqId": "ZIblbwLOUWd2nsxuuZq9dQAAFQA",
  "level": 0,
  "time": "2023-06-12T11:29:19+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "admin",
  "app": "OC\\Authentication\\Token\\DefaultTokenProvider::updateTokenActivity",
  "method": "GET",
  "url": "\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json",
  "message": "updating activity of token 3945134 to 1686562159"
}
{
  "reqId": "ZIblbwLOUWd2nsxuuZq9dQAAFQA",
  "level": 0,
  "time": "2023-06-12T11:29:19+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "admin",
  "app": "OC\\User\\Session::validateToken",
  "method": "GET",
  "url": "\/ocs\/v2.php\/apps\/notifications\/api\/v1\/notifications?format=json",
  "message": "token xxxxxxxxxx with token id 3945134 found, validating"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "Entering LoginFlowController::login"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "Before openid->authenticate"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "PHP",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "Undefined offset: 1 at \/local\/owncloud.1060prod\/apps\/openidconnect\/vendor\/jumbojett\/openid-connect-php\/src\/OpenIDConnectClient.php#1319"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "LoginFlowController::login : Token info: {\n    \"access_token\": \"AT-3-FX-xxxxxxxxxx\",\n    \"refresh_token\": \"RT-3-xxxxxxxxxx--Glsf4aaPvyKB\",\n    \"id_token\": \"{"alg":"RS256","typ":"JWT","kid":"cas-iAMmVNys"}{
    "jti": "TGT-xxxxxxx-sso.domain.fr",
    "sid": "0e98d7d19931xxxxxae4845c4944",
    "iss": "https://sso.domain.fr/cas/oidc",
    "aud": "oidc-cloudtest",
    "exp": 1686590963,
    "iat": 1686562163,
    "nbf": 1686561863,
    "sub": "dupon",
    "amr": [
      "LdapAuthenticationHandler"
    ],
    "client_id": "oidc-cloudtest",
    "auth_time": 1686562161,
    "state": "xxxxxxxxxx",
    "nonce": "xxxxxxxx",
    "at_hash": "xxxxg",
    "email": "[email protected]",
    "family_name": "dupon",
    "given_name": "Annie",
    "name": "dupon Annie",
    "preferred_username": "dupon"
  }
xxxxx\",\n    \"access_token_payload\": null\n}"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OpenID",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "User info: {\"sub\":\"dupon\",\"service\":\"https:\\\/\\\/cloud.domain.fr\\\/apps\\\/openidconnect\\\/redirect\",\"auth_time\":1686562161,\"attributes\":{\"name\":\"dupon Joe\",\"given_name\":\"Joe\",\"family_name\":\"dupon\",\"email\":\"[email protected]\"},\"id\":\"dupon\",\"client_id\":\"oidc-cloudtest\"}"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "PHP",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "Undefined property: stdClass::$email at \/local\/owncloud.1060prod\/apps\/openidconnect\/lib\/Client.php#265"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OC\\Authentication\\Token\\DefaultTokenProvider::generateToken",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "generating token xxxxxxxxxx, uid dupon, loginName dupon, pwd empty, name Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/114.0.0.0 Safari\/537.36, type temporary"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "core",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "OC\\Authentication\\LoginPolicies\\GroupLoginPolicy policy registered"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQQAASw8",
  "level": 1,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "--",
  "app": "OC\\User\\Session::loginInOwnCloud",
  "method": "GET",
  "url": "\/apps\/openidconnect\/redirect?code=OC-3-iJkRO-xxxxxxxxxx-Cu8Kd&state=xxxxxxxxxx&nonce=xxxxxxxxxx",
  "message": "login dupon using \"OCA\\OpenIdConnect\\OpenIdConnectAuthModule\" login type"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQgAATA8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "dupon",
  "app": "PHP",
  "method": "GET",
  "url": "\/settings\/personal",
  "message": "Undefined offset: 1 at \/local\/owncloud.1060prod\/apps\/openidconnect\/vendor\/jumbojett\/openid-connect-php\/src\/OpenIDConnectClient.php#1319"
}
{
  "reqId": "ZIblc6HnwAuBz@dXDiATQgAATA8",
  "level": 0,
  "time": "2023-06-12T11:29:23+02:00",
  "remoteAddr": "ip.ip.ip..28",
  "user": "dupon",
  "app": "no app in context",
  "method": "GET",
  "url": "\/settings\/personal",
  "message": "Introspection info: {\"token\":\"AT-3-FX-xxxxxxxxxx\",\"active\":true,\"sub\":\"dupon\",\"scope\":\"email openid profile\",\"iat\":1686562163,\"exp\":1686590963,\"realmName\":\"LdapAuthenticationHandler\",\"uniqueSecurityName\":\"dupon\",\"tokenType\":\"Bearer\",\"aud\":\"https:\\\/\\\/cloud.domain.fr\\\/apps\\\/openidconnect\\\/redirect\",\"iss\":\"https:\\\/\\\/sso.domain.fr\\\/cas\\\/oidc\",\"client_id\":\"oidc-cloudtest\",\"grant_type\":\"authorization_code\"}"
}

OIDC server log:

cas      | 2023-06-12 09:16:48,868 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
cas      | =============================================================
cas      | WHO: dupon
cas      | WHAT: {grant_type=authorization_code, service=https://cloud.domain.fr/apps/openidconnect/redirect, response_type=none, scopes=[email, openid, profile], client_id=oidc-cloudtest, token=OC-2-********9o7RYaSVBPux6Mr1A9mm}
cas      | ACTION: OAUTH2_ACCESS_TOKEN_REQUEST_CREATED
cas      | APPLICATION: CAS
cas      | WHEN: Mon Jun 12 09:16:48 UTC 2023
cas      | CLIENT IP ADDRESS: ip.ip.ip..44
cas      | SERVER IP ADDRESS: 10.10.1.3
cas      | =============================================================
cas      |
cas      | >
cas      | 2023-06-12 09:16:48,878 WARN [org.apereo.cas.oidc.token.OidcIdTokenGeneratorService] - <Individual claims requested by OpenID scopes are forced to be included in the ID token. This is a violation of the OpenID Connect specification and a workaround via dedicated CAS configuration. Claims should be requested from the userinfo/profile endpoints in exchange for an access token.>
cas      | 2023-06-12 09:16:48,882 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
cas      | =============================================================
cas      | WHO: dupon
cas      | WHAT: {access_token=AT-2-********VDdTEZwfdFOyqB-HvakR, refresh_token=RT-2-********suD-P6Ic7QMcx4kMYNjv, scope=email openid profile, id_token=********..., token_type=Bearer, expires_in=28800}
cas      | ACTION: OAUTH2_ACCESS_TOKEN_RESPONSE_CREATED
cas      | APPLICATION: CAS
cas      | WHEN: Mon Jun 12 09:16:48 UTC 2023
cas      | CLIENT IP ADDRESS: ip.ip.ip..44
cas      | SERVER IP ADDRESS: 10.10.1.3
cas      | =============================================================
cas      |
cas      | >
cas      | 2023-06-12 09:16:48,954 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
cas      | =============================================================
cas      | WHO: dupon
cas      | WHAT: {service=https://cloud.domain.fr/apps/openidconnect/redirect, attributes={name=[dupon Joe], given_name=[Joe], family_name=[dupon], email=[[email protected]]}, id=dupon, scopes=[email, openid, profile], client_id=oidc-cloudtest}
cas      | ACTION: OAUTH2_USER_PROFILE_CREATED
cas      | APPLICATION: CAS
cas      | WHEN: Mon Jun 12 09:16:48 UTC 2023
cas      | CLIENT IP ADDRESS: ip.ip.ip..44
cas      | SERVER IP ADDRESS: 10.10.1.3
cas      | =============================================================
cas      |
cas      | >
cas      | 2023-06-12 09:16:49,763 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
cas      | =============================================================
cas      | WHO: audit:unknown
cas      | WHAT: {result=Service Access Granted, service=https://cloud.domain.fr/apps/openidconnect/redirect, requiredAttributes={}}
cas      | ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
cas      | APPLICATION: CAS
cas      | WHEN: Mon Jun 12 09:16:49 UTC 2023
cas      | CLIENT IP ADDRESS: ip.ip.ip..44
cas      | SERVER IP ADDRESS: 10.10.1.3
cas      | =============================================================
cas      |
cas      | >

Thank you in advance.
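The two documents in the log above differ in shape: the ID token carries email, name, given_name and family_name as top-level claims (the CAS server warns that it was configured to force them into the ID token), while the userinfo response nests the same values under an "attributes" object and has no top-level email, which is what the PHP notice "Undefined property: stdClass::$email" at Client.php#265 points at. The following is an added example, not code from ownCloud's openidconnect app or from Apereo CAS, of claim resolution that tolerates that nesting, written in Python for illustration. The sample inputs are constructed from the redacted values in the log, and the function names are the editor's own.

```python
"""Added example: resolve OIDC profile claims when the userinfo response
nests them CAS-style under "attributes".  Not ownCloud or CAS code."""

# Constructed sample inputs, shaped like the two documents in the ownCloud
# log above (redacted values kept as they appear in the post).  In a real
# client the ID token is a signed JWT whose signature, iss, aud, exp and
# nonce are verified first; only the verified payload is used here.
ID_TOKEN_CLAIMS = {
    "iss": "https://sso.domain.fr/cas/oidc",
    "aud": "oidc-cloudtest",
    "sub": "dupon",
    "email": "[email protected]",
    "family_name": "dupon",
    "given_name": "Annie",
    "name": "dupon Annie",
    "preferred_username": "dupon",
}

CAS_USERINFO = {
    "sub": "dupon",
    "service": "https://cloud.domain.fr/apps/openidconnect/redirect",
    "auth_time": 1686562161,
    "attributes": {
        "name": "dupon Joe",
        "given_name": "Joe",
        "family_name": "dupon",
        "email": "[email protected]",
    },
    "id": "dupon",
    "client_id": "oidc-cloudtest",
}

# Claims the ownCloud config above expects ('email-claim' => 'email' plus
# the usual profile claims).
PROFILE_CLAIMS = ("email", "name", "given_name", "family_name", "preferred_username")


def flatten_cas_userinfo(userinfo: dict) -> dict:
    """Promote CAS's nested "attributes" map to the top level.

    Top-level keys win, so a spec-conforming IdP that already returns flat
    claims is unaffected.  CAS can emit multi-valued attributes as lists
    (the audit log shows email=[...]); a one-element list is unwrapped and
    a longer list is left for the caller to pick from (assumption).
    """
    flat = {}
    for key, value in (userinfo.get("attributes") or {}).items():
        if isinstance(value, list) and len(value) == 1:
            value = value[0]
        flat[key] = value
    flat.update({k: v for k, v in userinfo.items() if k != "attributes"})
    return flat


def resolve_claims(id_token_claims: dict, userinfo: dict,
                   wanted=PROFILE_CLAIMS) -> dict:
    """Return the wanted claims, preferring userinfo over the ID token.

    The userinfo "sub" MUST match the ID token "sub" (OpenID Connect Core
    1.0 section 5.3.2) before any of its data is trusted; otherwise the
    profile could belong to a different account and is discarded.
    """
    if "sub" not in id_token_claims:
        raise ValueError("ID token has no sub claim")
    flat = flatten_cas_userinfo(userinfo)
    if flat.get("sub") != id_token_claims["sub"]:
        raise ValueError("userinfo sub does not match ID token sub")
    resolved = {}
    for claim in wanted:
        if claim in flat:
            resolved[claim] = flat[claim]
        elif claim in id_token_claims:
            resolved[claim] = id_token_claims[claim]
    return resolved


if __name__ == "__main__":
    # Without flattening, "email" is absent at the top level of the
    # userinfo document, which is what the Undefined property notice shows.
    print("top-level email in raw userinfo:", "email" in CAS_USERINFO)
    print(resolve_claims(ID_TOKEN_CLAIMS, CAS_USERINFO))
```

The sub check is the security-relevant part: flattening a nested map is easy, but merging profile data from a second endpoint is only safe once both documents are known to describe the same subject. Preferring userinfo over the ID token is a design choice of this example; where the two disagree on more than sub, as the redacted log does for given_name, logging the discrepancy is worthwhile.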

DeepDiver1975 (Member) commented:

We use CAS Apereo for OpenID Connect

This is not a supported IdP as of now - https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/oidc.html#supported-identity-providers

@DeepDiver1975 DeepDiver1975 changed the title Don't get name and mail attributes FR: Add support for CAS Apereo Jun 12, 2023
@DeepDiver1975 DeepDiver1975 added the enhancement New feature or request label Jun 12, 2023
wixaw (Author) commented Jun 13, 2023

Ok, do you have an availability date?

DeepDiver1975 (Member) commented:

Ok, do you have an availability date?

No - this is exclusively customer-demand driven, due to the effort of setting up and maintaining test environments over the whole product life cycle. Sorry.
