
Use webfinger for OIDC parameter discovery#847

Open
kaivol wants to merge 3 commits into opencloud-eu:main from kaivol:use-webfinger-for-oidc-parameter-discovery

Conversation

@kaivol

@kaivol kaivol commented Mar 17, 2026

Closes #811.

Client side implementation of the changes described in https://github.com/opencloud-eu/opencloud/blob/main/docs/adr/0003-oidc-client-config-discovery.md.

Based on #776.

@kaivol kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from b345a3c to 063efde Compare April 7, 2026 10:21
@kaivol kaivol marked this pull request as ready for review April 7, 2026 10:22
@kulmann kulmann requested a review from dragotin April 28, 2026 07:15
@RichardFevrier

RichardFevrier commented Apr 28, 2026

Did this PR work for you @kulmann?

Just tried it without success on my side, while both web + iOS are working perfectly.

I have tested the webfinger with:

```shell
# URL quoted so the shell does not treat '&' as a background operator
curl -L 'cloud.mydomain.com/.well-known/webfinger?resource=https://cloud.opencloud.test&rel=http://openid.net/specs/connect/1.0/issuer&platform=desktop' | jq
  % Total    % Received % Xferd  Average Speed  Time    Time    Time   Current
                                 Dload  Upload  Total   Spent   Left   Speed
  0      0   0      0   0      0      0      0                              0
100    305 100    305   0      0   2324      0                              0
{
  "subject": "https://cloud.opencloud.test",
  "properties": {
    "http://opencloud.eu/ns/oidc/client_id": "OpenCloudDesktop",
    "http://opencloud.eu/ns/oidc/scopes": [
      "openid",
      "profile",
      "email",
      "groups",
      "offline_access"
    ]
  },
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://auth.mydomain.com"
    }
  ]
}
```

Which returns groups, which is mandatory on my setup since Authelia groups bind to OpenCloud roles.

But when the Authelia page appears I can see that groups are not part of the request.

Edit: debugged it further:

```
26-04-28 13:38:21:512 [ debug sync.credentials.oauth ]  [ OCC::OAuth::openBrowser ]:    opening browser
26-04-28 13:38:21:512 [ debug sync.credentials.oauth ]  [ isUrlValid ]: Checking URL for validity: QUrl("https://auth.mydomain.com/api/oidc/authorization?response_type=code&client_id=OpenCloudDesktop&redirect_uri=http://127.0.0.1:32979&code_challenge=Kgkj2cHF9MwXPDyTkZETDhc4Pv07hAXBxgSV8DfBhCI&code_challenge_method=S256&scope=openid offline_access email profile&prompt=consent select_account&state=c5bNXSEMgYIazaZ3aMqJjz3mI7SfpbP00YlzmVl-Q2w%3D")
[2] Sandbox: CanCreateUserNamespace() clone() failure: EPERM
```

You can see that the scopes (scope=openid offline_access email profile) don't contain groups.
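An added example, not code from the PR or from either commenter (the desktop client itself is C++/Qt): it performs the discovery step in Python and runs the check the report above calls for, parsing the JRD into issuer, client_id and scopes and then diffing the scopes in the authorization URL that was actually sent against the advertised ones. The sample JRD and URL are constructed from the curl output and debug log above; rejecting a non-https issuer link is this example's own assumption.

```python
import json
from urllib.parse import urlparse, parse_qs

ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
CLIENT_ID_PROP = "http://opencloud.eu/ns/oidc/client_id"
SCOPES_PROP = "http://opencloud.eu/ns/oidc/scopes"

# Constructed sample JRD, shaped like the curl output in the comment above.
SAMPLE_JRD = json.dumps({
    "subject": "https://cloud.opencloud.test",
    "properties": {
        CLIENT_ID_PROP: "OpenCloudDesktop",
        SCOPES_PROP: ["openid", "profile", "email", "groups", "offline_access"],
    },
    "links": [{"rel": ISSUER_REL, "href": "https://auth.mydomain.com"}],
})

# Constructed authorization URL mirroring the debug log (scope lacks "groups").
SAMPLE_AUTH_URL = ("https://auth.mydomain.com/api/oidc/authorization?response_type=code"
                   "&client_id=OpenCloudDesktop&redirect_uri=http://127.0.0.1:32979"
                   "&scope=openid offline_access email profile&prompt=consent select_account")

def parse_webfinger(body: str) -> dict:
    """Extract issuer, client_id and scopes from a WebFinger JRD; reject malformed documents."""
    doc = json.loads(body)
    issuer = next((l.get("href") for l in doc.get("links", []) if l.get("rel") == ISSUER_REL), None)
    # Assumption of this example: the issuer must be an https URL.
    if not isinstance(issuer, str) or not issuer.startswith("https://"):
        raise ValueError("JRD has no https issuer link")
    props = doc.get("properties", {})
    client_id = props.get(CLIENT_ID_PROP)
    scopes = props.get(SCOPES_PROP)
    if not isinstance(client_id, str) or not client_id:
        raise ValueError("JRD has no client_id property")
    if not isinstance(scopes, list) or not all(isinstance(s, str) and s for s in scopes):
        raise ValueError("JRD scopes property must be a list of strings")
    return {"issuer": issuer, "client_id": client_id, "scopes": scopes}

def check_auth_request(auth_url: str, discovered: dict) -> list:
    """Compare the authorization request actually sent against the discovered parameters."""
    q = parse_qs(urlparse(auth_url).query)
    findings = []
    if q.get("client_id", [None])[0] != discovered["client_id"]:
        findings.append("client_id differs from WebFinger client_id")
    requested = set(q.get("scope", [""])[0].split())  # scope is a space-separated list
    for missing in sorted(set(discovered["scopes"]) - requested):
        findings.append(f"scope '{missing}' advertised by WebFinger but not requested")
    return findings

if __name__ == "__main__":
    print(check_auth_request(SAMPLE_AUTH_URL, parse_webfinger(SAMPLE_JRD)))
```

Run against the constructed log URL it reports only the missing `groups` scope; an empty list means the client requested everything WebFinger advertised.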

@kaivol kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from 063efde to 01406ed Compare April 29, 2026 19:03
@kaivol
Author

kaivol commented Apr 29, 2026

@RichardFevrier thanks for testing the PR!
I made some changes, so it should work now.

I also bumped the C++ standard version to 23, I hope this is fine.

@RichardFevrier

Thanks for your work @kaivol I'll test that tomorrow! 🤩
