owncloud/openidconnect

`auto-provision` does not create database account when enabled.

Closed this issue · 5 comments

Like the title says. I have an OIDC provider (Keycloak) and OwnCloud configured, but when I log in via OIDC the account does not get created in OwnCloud.

docker-compose exec owncloud occ config:app:get  openidconnect openid-connect
{
  "provider-url": "https://keycloak.example.com/auth/realms/test_pod_v2",
  "client-id": "owncloud",
  "client-secret": "9be9dc47-38a2-4c92-ab32-063501225515",
  "loginButtonName": "My SSO",
  "search-attribute": "preferred_username",
  "auto-provision": {
    "enabled": true
  }
}

The OwnCloud login page, after the redirect from Keycloak, just displayed the text "User with dummyuser is not known."


occ confirms no user is created.

docker-compose exec owncloud occ user:list
  - admin: admin

Keycloak config for the OwnCloud client.

{
  "id": "37fb4a33-9670-4e63-bb30-55dfa1aa8558",
  "clientId": "owncloud",
  "rootUrl": "https://owncloud.example.com",
  "adminUrl": "https://owncloud.example.com",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "**********",
  "redirectUris": [
    "https://owncloud.example.com/*"
  ],
  "webOrigins": [
    "https://owncloud.example.com"
  ],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": false,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "id.token.as.detached.signature": "false",
    "saml.assertion.signature": "false",
    "saml.force.post.binding": "false",
    "saml.multivalued.roles": "false",
    "saml.encrypt": "false",
    "oauth2.device.authorization.grant.enabled": "false",
    "backchannel.logout.revoke.offline.tokens": "false",
    "saml.server.signature": "false",
    "saml.server.signature.keyinfo.ext": "false",
    "use.refresh.tokens": "true",
    "exclude.session.state.from.auth.response": "false",
    "oidc.ciba.grant.enabled": "false",
    "saml.artifact.binding": "false",
    "backchannel.logout.session.required": "true",
    "client_credentials.use_refresh_token": "false",
    "saml_force_name_id_format": "false",
    "require.pushed.authorization.requests": "false",
    "saml.client.signature": "false",
    "tls.client.certificate.bound.access.tokens": "false",
    "saml.authnstatement": "false",
    "display.on.consent.screen": "false",
    "saml.onetimeuse.condition": "false"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "defaultClientScopes": [
    "web-origins",
    "profile",
    "roles",
    "email"
  ],
  "optionalClientScopes": [
    "address",
    "phone",
    "offline_access",
    "microprofile-jwt"
  ]
}

No error logs for either app.

Please set the mode to userid (email is default but no email attribute is provided) - https://github.com/owncloud/openidconnect#all-configuration-values-explained

@DeepDiver1975 Thanks for the reply. That definitely changes something; however, the user is still not created in the DB.


After some debugging, it just appears that the enabled() check returns false at lib/Service/UserLookupService.php#L92.

# Accessing the config in `UserLookupService::enabled` returns empty here.
$this->getOpenIdConfiguration()['auto-provision']

But occ config:app:get shows this ...

docker-compose exec owncloud occ config:app:get  openidconnect openid-connect
{
  "provider-url": "https://keycloak.example.com/auth/realms/test_pod_v2",
  "client-id": "owncloud",
  "client-secret": "9be9dc47-38a2-4c92-ab32-063501225515",
  "loginButtonName": "My SSO",
  "search-attribute": "preferred_username",
  "mode": "userid",
  "auto-provision": {
    "enabled": true
  }
}

(I haven't written PHP in about 7 years; sorry if I'm using the wrong terms.)

I was able to solve the problem by editing the config.php with the exact settings used with occ & deleting the settings in the database.

I encountered the exact same issue.
When setting the "auto-provision" property in the database, it is not taken into account by the AutoProvisioningService.
I fixed this by refactoring the getOpenIdConfiguration method to resemble the getOpenIdConfig method in Client.php.
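The two comments above describe the same root cause from two sides: settings written with `occ config:app:set` land in the database as a JSON string under app `openidconnect`, key `openid-connect`, while the lookup used by the auto-provisioning check only consulted config.php. The following PHP is an added illustration written for this page, not code from owncloud/openidconnect: `FakeConfig` is a hypothetical in-memory stand-in for ownCloud's config service (its `getSystemValue` / `getAppValue` methods model config.php and the app-config table), the two `getOpenIdConfiguration*` functions are hypothetical reconstructions of the config.php-only path and a merged path, and the precedence (config.php overrides the database value) is an assumption, not the project's documented behaviour. The sample settings are constructed from the ones posted in this thread with the secret replaced.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration for the thread above, not project code.
 * FakeConfig is a hypothetical stand-in: "system" models config.php,
 * "app" models the app-config table written by `occ config:app:set`.
 */
final class FakeConfig
{
    /** @var array<string,mixed> values that would live in config.php */
    private array $system;
    /** @var array<string,array<string,string>> [app][key] => raw string value */
    private array $app;

    public function __construct(array $system, array $app)
    {
        $this->system = $system;
        $this->app = $app;
    }

    public function getSystemValue(string $key, $default = null)
    {
        return $this->system[$key] ?? $default;
    }

    public function getAppValue(string $appName, string $key, $default = null)
    {
        return $this->app[$appName][$key] ?? $default;
    }
}

/** Models the behaviour reported above: only config.php is consulted. */
function getOpenIdConfigurationSystemOnly(FakeConfig $config): array
{
    $value = $config->getSystemValue('openid-connect', null);
    return \is_array($value) ? $value : [];
}

/**
 * Merged lookup: the DB value is stored as a JSON string (which is what
 * `occ config:app:get openidconnect openid-connect` prints) and is decoded,
 * then config.php values are layered on top. The layering order is an
 * assumption made for this example.
 */
function getOpenIdConfigurationMerged(FakeConfig $config): array
{
    $fromDb = [];
    $raw = $config->getAppValue('openidconnect', 'openid-connect', null);
    if (\is_string($raw) && $raw !== '') {
        $decoded = \json_decode($raw, true);
        if (\is_array($decoded)) {
            $fromDb = $decoded;
        }
    }
    $fromSystem = $config->getSystemValue('openid-connect', null);
    if (!\is_array($fromSystem)) {
        $fromSystem = [];
    }
    return \array_replace_recursive($fromDb, $fromSystem);
}

/** The check that decides whether an unknown OIDC subject gets an account. */
function autoProvisionEnabled(array $openIdConfig): bool
{
    return (bool)($openIdConfig['auto-provision']['enabled'] ?? false);
}

/** Never dump the client secret into logs or issue trackers; mask it first. */
function redacted(array $openIdConfig): array
{
    if (isset($openIdConfig['client-secret'])) {
        $openIdConfig['client-secret'] = '***';
    }
    return $openIdConfig;
}

// Constructed sample matching the issue: settings only in the DB, nothing in config.php.
$dbJson = \json_encode([
    'provider-url'     => 'https://keycloak.example.com/auth/realms/test_pod_v2',
    'client-id'        => 'owncloud',
    'client-secret'    => 'REPLACE-ME',
    'search-attribute' => 'preferred_username',
    'mode'             => 'userid',
    'auto-provision'   => ['enabled' => true],
]);
$config = new FakeConfig([], ['openidconnect' => ['openid-connect' => $dbJson]]);

var_dump(autoProvisionEnabled(getOpenIdConfigurationSystemOnly($config)));
var_dump(autoProvisionEnabled(getOpenIdConfigurationMerged($config)));
echo \json_encode(redacted(getOpenIdConfigurationMerged($config)), JSON_PRETTY_PRINT), "\n";
```

Run with `php example.php`. With the settings present only in the DB, the config.php-only path reports auto-provisioning as disabled even though `occ config:app:get` shows `"enabled": true`, which is the symptom in this thread; the merged path reports it as enabled. The workaround described earlier (putting the same settings into config.php and deleting the DB entry) works because it moves the data onto the one path the old lookup actually read.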