openidconnect 2.2.0 and Duo SSO/code_challenge_methods_supported

[andrewyager]

We've been testing the OIDC 2.2.0 rc1

I have observed the following regression; namely that in the new RC, the following error is thrown in the OwnCloud interface.

The provider code_challenge_methods_supported could not be fetched.

I do note that the Duo OIDC support is still "beta" and we have observed instances of them not fully implementing the OICD specification; however this does work under 2.1.1 and does not work under 2.2.0.

[DeepDiver1975]

Anything in addition in the ownCloud log ?
Thx

[andrewyager]

Nothing that seems overly useful. Am running with everything logging enabled at present.

{"reqId":"iBsjORLFrtg275dsTK6w","level":0,"time":"2022-08-05T07:16:13+00:00","remoteAddr":"x.x.x.x","user":"--","app":"OpenID","method":"GET","url":"\/apps\/openidconnect\/redirect","message":"Entering LoginFlowController::login"}
{"reqId":"iBsjORLFrtg275dsTK6w","level":0,"time":"2022-08-05T07:16:13+00:00","remoteAddr":"x.x.x.x","user":"--","app":"OpenID","method":"GET","url":"\/apps\/openidconnect\/redirect","message":"Before openid->authenticate"}
{"reqId":"iBsjORLFrtg275dsTK6w","level":3,"time":"2022-08-05T07:16:14+00:00","remoteAddr":"x.x.x.x","user":"--","app":"OpenID","method":"GET","url":"\/apps\/openidconnect\/redirect","message":"Exception: {\"Exception\":\"Jumbojett\\\\OpenIDConnectClientException\",\"Message\":\"The provider code_challenge_methods_supported could not be fetched. Make sure your provider has a well known configuration available.\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/vendor\\\/jumbojett\\\/openid-connect-php\\\/src\\\/OpenIDConnectClient.php(503): Jumbojett\\\\OpenIDConnectClient->getWellKnownConfigValue()\\n#1 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/vendor\\\/jumbojett\\\/openid-connect-php\\\/src\\\/OpenIDConnectClient.php(686): Jumbojett\\\\OpenIDConnectClient->getProviderConfigValue()\\n#2 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/vendor\\\/jumbojett\\\/openid-connect-php\\\/src\\\/OpenIDConnectClient.php(428): Jumbojett\\\\OpenIDConnectClient->requestAuthorization()\\n#3 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Client.php(381): Jumbojett\\\\OpenIDConnectClient->authenticate()\\n#4 \\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/lib\\\/Controller\\\/LoginFlowController.php(133): OCA\\\\OpenIdConnect\\\\Client->authenticate()\\n#5 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(170): OCA\\\\OpenIdConnect\\\\Controller\\\\LoginFlowController->login(*** sensitive parameters replaced ***)\\n#6 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(89): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController()\\n#7 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(100): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch()\\n#8 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/AppFramework\\\/Routing\\\/RouteActionHandler.php(47): OC\\\\AppFramework\\\\App::main()\\n#9 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Route\\\/Router.php(344): OC\\\\AppFramework\\\\Routing\\\\RouteActionHandler->__invoke()\\n#10 \\\/var\\\/www\\\/owncloud\\\/lib\\\/base.php(928): OC\\\\Route\\\\Router->match()\\n#11 \\\/var\\\/www\\\/owncloud\\\/index.php(54): OC::handleRequest()\\n#12 {main}\",\"File\":\"\\\/var\\\/www\\\/owncloud\\\/apps\\\/openidconnect\\\/vendor\\\/jumbojett\\\/openid-connect-php\\\/src\\\/OpenIDConnectClient.php\",\"Line\":544}"}

[DeepDiver1975]

That is helpful. Thx

Any chance you can share the url of your IDP? Thx

[andrewyager]

Sure - https://sso-5078d358.sso.duosecurity.com/oidc/DIY305725PR9C3NFKP6A is the base URL; with discovery at https://sso-5078d358.sso.duosecurity.com/oidc/DIY305725PR9C3NFKP6A/.well-known/openid-configuration

[DeepDiver1975]

Looks like the 3rd party library change is causing this - will fix that. Thanks a lot! 👍

[DeepDiver1975]

Previously used library uses
https://github.com/JuliusPC/OpenID-Connect-PHP/blob/9269c42644fb4285a0a55141cc7272bb19d76932/src/Client.php#L1718

Fix come up with a fix for this ....

[DeepDiver1975]

jumbojett/OpenID-Connect-PHP#317

[DeepDiver1975]

@andrewyager if I understand the wellknown configuration correctly - duo is not supporting PKCE? Is that true? THX

[DeepDiver1975]

https://github.com/owncloud/openidconnect/releases/tag/v2.2.0-rc.2
@andrewyager

[andrewyager]

Confirmed working now! This does not yet work for app access; but this is a limitation of Duo not yet supporting an offline_access claim which they are in the progress of delivering support for.

[andrewyager]

@andrewyager if I understand the wellknown configuration correctly - duo is not supporting PKCE? Is that true? THX

I've asked Duo about this.

[hodyroff]

Looks like PKCE is supported by DUO in the meantime: https://duo.com/blog/duo-single-sign-on-support-for-openid-connect-apps-now-generally-available

[mmattel]

Q: shall we add the PKCE (Proof Key for Code Exchange) support requirement in our documentation ?

[DeepDiver1975]

PKCE is not a hard requirement. Nothing to document from my pov

[mmattel]

I dont get it. Not a hard requirement, but did not work without... ?

[DeepDiver1975]

but did not work without... ?

nobody said this ...