H2CK/oidc

Trying to connect Apache Guacamole to NextCloud OIDC - Support Implicit Flow

Closed this issue · 18 comments

Hi, I am trying to connect Apache Guacamole to Nextcloud OIDC/OpenID.
Maybe I can get some help here, because I get an error. (p.s. I do not have much knowledge about the OpenID protocol)
Here is some configuration information:

Guacamole OpenID configuration (documentation -> https://guacamole.apache.org/doc/gug/openid-auth.html):

openid-authorization-endpoint: https://<NextCloud_FQDN>/index.php/apps/oidc/authorize
openid-jwks-endpoint: https://<NextCloud_FQDN>/index.php/apps/oidc/jwks
openid-issuer: https://<NextCloud_FQDN>
openid-client-id: <secret_key>
openid-redirect-uri: https://<Guacamole_FQDN>/guacamole/#/
openid-username-claim-type: preferred_username
openid-scope: openid profile email groups

Nextcloud OpenID configuration (Security -> OpenID Connect clients):

Name: guacamole
Redirection URI: https://<Guacamole_FQDN>/guacamole/#/
Client Identifier: <secret_key>
Secret -- NONE --
Signing Algorithm RS256
Type public
Limited to Groups
Only users in one of the following groups are allowed to use the client.
admin

When I try to use OpenID in Guacamole I get the following error:
https://<Guacamole_FQDN>/guacamole/#/?error=unsupported_response_type&state=

Maybe you will see what I did wrong here and can provide some insights and help.
Thanks in advance

Kr,

Matthijs

Is this maybe because OIDC uses response type "code" and guacamole is using "id_token" ?

H2CK commented

You are totally right, Guacamole is using the Implicit Flow of OpenID Connect. This app currently only supports the Code Flow.
Therefore you receive the error.

I will investigate in the next days if the Implicit Flow could be implemented easily.

Thanks for the info, let me know if/when I can help with testing

H2CK commented

Starting version 0.4.0 Implicit Flow is supported. But it has to be explicitly activated per client in the settings.
Please try if that solves the problem with Guacamole.

How do you mean "explicitly activated per client"? I do not see an option for that in NextCloud under Administration Settings -> Security -> OpenID Connect Clients?

Another finding is that TOTP is not working anymore in Nextcloud login when OIDC 0.4.0 is installed, but maybe I am doing something wrong here.

H2CK commented

Yes you have to change the flow from Code Authorization Flow to Code & Implicit Authorization Flow.

Hint: why the Implicit Flow is not activated by default: Implicit Flow is less secure than the Code Flow and is meanwhile considered deprecated.

About 2-factor authentication, I will check.

H2CK commented

I have now executed several checks concerning the additional 2FA (TOTP) with version 0.4.0. During all the tests the login process was possible even with activated TOTP 2FA. So I am not able to reproduce any problems with TOTP.

Please give some more hints how you produced errors during the login with 2FA. Which version of Nextcloud and which version of TOTP app are you using? Is there an error that is shown?

Yes you have to change the flow from Code Authorization Flow to Code & Implicit Authorization Flow.

Hint: why the Implicit Flow is not activated by default: Implicit Flow is less secure than the Code Flow and is meanwhile considered deprecated.

About 2-factor authentication, I will check.

But where? I do not see the option to change that under Administration Settings -> Security -> OpenID Connect Clients?

I am using NextCloud 25.0.3

This time I rolled back my VM snapshot to before the 0.4.0 update, and I updated OIDC version 0.3.0 to version 0.4.0 through the web interface instead of using "git clone".

I received the following error:

An error occurred during the request. Unable to proceed.
Database error when running migration 0008Date20230204190000 for app oidc Migration step 'OCA\OIDCIdentityProvider\Migration\Version0008Date20230204190000' is unknown✖

(I do not use MediaWiki suggested in an earlier and closed issue)

p.s.

I have the TOTP issue only in Firefox (on a Chromebook); in Chrome it works fine with 0.4.0.
In Firefox the TOTP window does not show, instead it returns (loops) to the login window again. In 0.3.0 I do not have that issue in Firefox.
I use the "Two-Factor TOTP Provider" app version 7.0.0 (TOTP activated with NextCloud version 25.0.3).

I also did a small test to see what happens:

I uninstalled and completely removed/deleted the OIDC app from NextCloud.
After that I deleted the following tables from the NextCloud MySQL database:

oc_oidc_access_tokens
oc_oidc_clients
oc_oidc_group_map
oc_oidc_redirect_uris

After that I installed the OIDC app version 0.4.0 again in NextCloud.
This time the OIDC app installed without an error message.
But the tables were not created again in the NextCloud database.
So I got an error as soon as I navigated to Administration Settings -> Security.
I do not know if this is the expected behaviour or not. I expect the tables to be removed when I delete/remove the app, and created again when I reinstall the app.

For now I rolled back to my VM snapshot again, running 0.3.0. Please let me know if I can test again or if you need additional information

*EDIT

Using the following SQL commands I can successfully remove oidc including all the database entries (after I disabled and removed/deleted the app from Nextcloud):

DELETE FROM oc_appconfig WHERE appid = "oidc";
DELETE FROM oc_migrations WHERE app = "oidc";
DROP TABLE oc_oidc_access_tokens;
DROP TABLE oc_oidc_clients;
DROP TABLE oc_oidc_group_map;
DROP TABLE oc_oidc_redirect_uris;

After that I can successfully reinstall the oidc app version 0.4.0 and all the tables get recreated, but still I do not see an option under Administration Settings -> Security -> OpenID Connect Clients to change the client setting to Implicit Flow.

Rolled back to my VM snapshot again, running 0.3.0.

H2CK commented

First of all, about your update problem with the missing migration step:
I am not sure how you did the installation. But it seems that you did not successfully install 0.4.0, since a file for the migration steps is missing. It seems that you have only updated the info.xml file.
I have meanwhile seen several installations of 0.4.0 without this problem.

H2CK commented

I have the TOTP issue only in Firefox (on a Chromebook); in Chrome it works fine with 0.4.0. In Firefox the TOTP window does not show, instead it returns (loops) to the login window again. In 0.3.0 I do not have that issue in Firefox. I use the "Two-Factor TOTP Provider" app version 7.0.0 (TOTP activated with NextCloud version 25.0.3).

That is somehow weird, since the code which is performing the login was not changed by introducing the Implicit Flow.
I never have tested it myself with Firefox (only with Chrome and Safari). I will test it in the next days.

H2CK commented

I can confirm that the settings are not available in some installations. I will have a look on that.

Maybe a fresh install of 0.4.0 is without problems, and there is an issue with an upgrade from 0.3.0 to 0.4.0, because I see an error with the upgrade from 0.3.0 (that's why I did the test of completely removing 0.3.0 including the database tables). I rolled back the VM snapshot to 0.3.0. Let me know if I can test again, or provide more information.

H2CK commented

Up to now I have not seen any problems when updating from 0.3.x to 0.4.x. Not even for new installations. So I can not reproduce your described error during an upgrade. Based on your error description I assume that some files were missing or were not up-to-date during the upgrade process. Maybe that was a temporary problem.

The creation of the database tables for apps is based on Nextcloud core functionality.
The modification of the database schema is based on Nextcloud migrations (see also: https://docs.nextcloud.com/server/latest/developer_manual/basics/storage/migrations.html). This app also uses these migrations. Nextcloud stores which migrations have already been executed and does not execute them again if they have been executed successfully. Nextcloud does not check whether a table that should have been created within a migration step is missing.
So if you want to reinstall the database tables (after e.g. deletion of the tables) you have to delete the migrations and the oidc app version from the database on your own (as you did successfully), since this is not done by Nextcloud when you uninstall an app.
There are also no migrations for app uninstall in Nextcloud to delete the application's tables. So even an uninstall will not delete the tables from the database.

With this core functionality approach there is nothing the app could change to create/delete tables in the Nextcloud database.

With version 0.4.2 you should be able to see the flow selection in settings section. With this version you should be able to activate and use the implicit flow.

I tried testing with 0.4.2; unfortunately, Guacamole serves a standard error page after some sort of timeout (25 seconds), with no error or warning entries to be found in the Tomcat/Catalina log files.

I think it is a Guacamole/Tomcat issue.

I got some logging from Tomcat/Guacamole:

2:17.121 [http-nio-8080-exec-9] INFO o.a.g.a.o.t.TokenValidationService - Rejected invalid OpenID token: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.UnresolvableKeyException: Unable to find a suitable verification key for JWS w/ header {"typ":"JWT","alg":"RS256","kid":""} due to an unexpected exception (java.net.SocketTimeoutException: Read timed out) while obtaining or using keys from JWKS endpoint at https://<FQDN/index.php/apps/oidc/jwks)

It's a network infrastructure (firewall/proxy) issue, the Guacamole server cannot connect back to Nextcloud.

Good news, it's working. I solved the network infra issue (wrong configuration setting in the reverse proxy). Guacamole can connect back to the NextCloud server and the OIDC OpenID SSO is working great :-) Thanks for the support and information. Let me know when I can help test new functions/versions of OIDC.
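Two checks that illustrate the errors seen in this thread, as an added example that is not code from the oidc app, Guacamole or anyone in the issue: first, the provider-side check that produces `unsupported_response_type` when a client asks for the Implicit Flow (`id_token`) but only `code` is enabled; second, the JWKS key lookup Guacamole performs after fetching the JWKS document, for a token header with an empty `kid` as in the log above. The JWKS document and the token are constructed for the example and carry dummy key material; the JWKS endpoint itself still has to be reachable from the Guacamole server, which was the real fix here.

```python
import base64
import json

# Constructed JWKS document modelled on the thread (RS256 key with an empty kid).
# The "n"/"e"/"x"/"y" values are placeholders, not real key material.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "", "n": "AQAB", "e": "AQAB"},
    {"kty": "EC", "use": "sig", "alg": "ES256", "kid": "ec-1", "crv": "P-256", "x": "AA", "y": "AA"},
]}


def check_response_type(client_response_type, provider_response_types):
    """Provider-side check of the authorization request's response_type.
    Returns None when the requested flow is enabled for the client, otherwise
    the OAuth error name the provider redirects back to the client with."""
    if client_response_type in provider_response_types:
        return None
    return "unsupported_response_type"


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jws_header(token):
    """Decode the protected header (first dot-separated segment) of a JWS."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def select_verification_key(token, jwks):
    """Pick the JWK that can verify the token's signature.
    Rule used here: kty/alg/use must fit the header's alg, and the kid must
    match only when the header actually carries a non-empty kid (an empty kid
    means the issuer did not identify the key, so kid is not used as a filter).
    Exactly one candidate must remain; otherwise the token is rejected."""
    hdr = jws_header(token)
    kty = "RSA" if hdr["alg"].startswith("RS") else "EC"
    kid = hdr.get("kid") or ""
    candidates = [k for k in jwks["keys"]
                  if k.get("kty") == kty
                  and k.get("use", "sig") == "sig"
                  and k.get("alg", hdr["alg"]) == hdr["alg"]
                  and (not kid or k.get("kid") == kid)]
    return candidates[0] if len(candidates) == 1 else None


def make_token(header):
    # Constructed unsigned token "header.payload.signature"; payload and
    # signature are dummies because only the header is inspected here.
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{h}.e30.sig"
```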