
ownCloud - missing state parameter #5566

Closed
webzit opened this issue Jun 15, 2023 · 5 comments

Labels
area/openid-connect: OpenID Connect 1.0 / OAuth 2.0 related features/bugs
priority/4/normal: Normal priority items
type/invalid: Issues/etc that are not valid or reported correctly

Comments

@webzit

webzit commented Jun 15, 2023

Version

v4.37.5

Deployment Method

Docker

Reverse Proxy

NGINX Proxy Manager

Reverse Proxy Version

2.1.0

Description

Login using the iOS app (ownCloud Infinite Scale) fails with Authelia because of a missing state parameter.

ownCloud Infinite Scale version: Docker Latest (DIGEST: a98a962d4ab8)

Reproduction

The error occurs only when using the iOS app of oCIS. Nevertheless, there also seems to be a redirect issue, as can be seen when using the Mac desktop app of oCIS.

Web interface

Logging in via the web interface works without any issues. (I must note that authentication was only possible after adding the "allowed_origins:" parameter to Authelia; perhaps this is only an issue when using NGINX Proxy Manager.)

Mac Desktop App

When I log in via the Mac desktop app, I am redirected to the following page in Safari after successfully logging in: https://127.0.0.1:60527/?code=authelia_ac_*************&scope=openid+offline_access+email+profile&state=*********. Only when I change https to http in the URL does the Mac desktop app open and the login works.

iOS App

After I add the domain (https://ocis.example-domain.at/), the app informs me that the SSL certificate is fine. Whenever I click on Continue, a Safari window opens and closes again.

Expectations

No response

Configuration (Authelia)

[...]
identity_providers:
  oidc:
    access_token_lifespan: 1w
    authorize_code_lifespan: 1m
    id_token_lifespan: 10h
    refresh_token_lifespan: 1M
    enable_client_debug_messages: true
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        - userinfo
      allowed_origins:
        - https://example-domain.at
        - https://ocis.example-domain.at
        - https://auth.example-domain.at
      allowed_origins_from_client_redirect_uris: true
    clients:
      - id: NZFZ8otaaNcO01Ezworq8suOKl72yJnaxACCDpoj
        description: ownCloud web client
        public: true
        consent_mode: implicit
        redirect_uris:
          - https://ocis.example-domain.at/
          - https://ocis.example-domain.at/oidc-callback.html
          - https://ocis.example-domain.at/oidc-silent-redirect.html
      - id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
        description: ownCloud desktop client
        secret: 'UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh'
        consent_mode: implicit
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - http://127.0.0.1
        grant_types:
          - refresh_token
          - authorization_code
        userinfo_signing_algorithm: none
      - id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
        description: ownCloud Android app
        secret: 'dInFYGV33xKzhbRmpqQltYNdfLdJIfJ9L5ISoKhNoT9qZftpdWSP71VrpGR9pmoD'
        consent_mode: implicit
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - oc://android.owncloud.com
      - id: mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1
        description: ownCloud iOS app
        secret: KFeFWWEZO9TkisIQzR3fo7hfiMXlOpaqP8CFuTbSHzV1TUuGECglPxpiVKJfOXIx
        consent_mode: implicit
        scopes:
          - openid
          - profile
          - email
          - offline_access
          - groups
        redirect_uris:
          - oc://ios.owncloud.com
          - oc.ios://ios.owncloud.com
        userinfo_signing_algorithm: none

Logs (Authelia)

time="2023-06-15T13:39:01+02:00" level=error msg="Authorization Request failed with error: The state is missing or does not have enough characters and is therefore considered too weak. Request parameter 'state' must be at least be 8 characters long to ensure sufficient entropy." method=GET path=/api/oidc/authorization remote_ip=192.168.0.112 stack="github.com/authelia/authelia/v4/internal/handlers/handler_oidc_authorization.go:32           OpenIDConnectAuthorization\ngithub.com/authelia/authelia/v4/internal/middlewares/http_to_authelia_handler_adaptor.go:113 NewHTTPToAutheliaHandlerAdaptor.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/bridge.go:54                            (*BridgeBuilder).Build.func1.1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:35                           SecurityHeadersNoStore.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:25                           SecurityHeadersCSPNone.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/headers.go:16                           SecurityHeaders.func1\ngithub.com/authelia/authelia/v4/internal/middlewares/cors.go:216                             (*CORSPolicy).Middleware.func1\ngithub.com/fasthttp/router@v1.4.14/router.go:414                                             (*Router).Handler\ngithub.com/valyala/fasthttp@v1.43.0/http.go:154                                              (*Response).StatusCode\ngithub.com/valyala/fasthttp@v1.43.0/server.go:2338                                           (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:224                                        (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.43.0/workerpool.go:196                                        (*workerPool).getCh.func1\nruntime/asm_amd64.s:1594                                                                     goexit"

Logs (Proxy / Application)

2023-06-13 23:16:27.004000+0200 ownCloud[54277:5010774] [info] | [LogIntro] Starting logging to /Users/user/Library/GroupContainersAlias/group.com.owncloud.ios-app/logs/com.owncloud.ios-app.log [OCLogFileWriter.m:104|FULL]
2023-06-13 23:16:27.004000+0200 ownCloud[54277:5010774] [info] | [LogIntro] Host: com.owncloud.ios-app 12.0 (267) #v12.0-appstore.2 - milestone/12.0@5730d91f; SDK: 12.0 (267) #57d2c06; OS: iPadOS 16.5; Device: iPad (iPad8,6); Localizations: [de]; Class Setttings: action.allowed: default: `( )` -> computed: `( )`\naction.create-document-mode: reg-default: `create-and-open` -> computed: `create-and-open`\naction.disallowed: default: `( )` -> computed: `( )`\nhttp.user-agent: default: `ownCloudApp/{{app.version}} ({{app.part}}/{{app.build}}; {{os.name}}/{{os.version}}; {{device.model}})` -> computed: `ownCloudApp/{{app.version}} ({{app.part}}/{{app.build}}; {{os.name}}/{{os.version}}; {{device.model}})`\ncore.thumbnail-available-for-mime-type-prefixes: default: `(     "*" )` -> computed: `(     "*" )`\ncore.cookie-support-enabled: default: `1` -> computed: `1`\nauthentication.browser-session-class: default: `operating-system` -> computed: `operating-system`\nauthentication.browser-session-prefers-ephermal: default: `0` -> computed: `0`\nlog.format: default: `text` -> computed: `text`\nlog.single-lined: default: `0` -> computed: `0`\nlog.privacy-mask: default: `0` -> computed: `0`\nlog.colored: default: `0` -> computed: `0`\nlog.level: default: `4` -> user-prefs: `0` -> computed: `0`\nlog.maximum-message-size: default: `0` -> computed: `0`\nlog.replace-newline: default: `1` -> computed: `1`\nlog.enabled-components: default: `(     "writer.stderr",     "writer.file" )` -> computed: `(     "writer.stderr",     "writer.file" )`\nlog.blank-filtered-messages: default: `0` -> computed: `0`\nlog.synchronous: default: `0` -> computed: `0`\nbranding.enable-review-prompt: reg-default: `0` -> computed: `0`\nbranding.url-privacy: reg-default: `https://owncloud.org/privacy-policy/` -> computed: `https://owncloud.org/privacy-policy/`\nbranding.send-feedback-address: reg-default: `ios-app@owncloud.com` -> computed: `ios-app@owncloud.com`\nbranding.can-add-account: reg-default: `1` -> computed: `1`\nbranding.url-help: reg-default: `https://owncloud.com/docs-guides/` -> computed: `https://owncloud.com/docs-guides/`\nbranding.can-edit-account: reg-default: `1` -> computed: `1`\nbranding.url-documentation: reg-default: `https://doc.owncloud.com/ios-app/latest/` -> computed: `https://doc.owncloud.com/ios-app/latest/`\nbranding.url-terms-of-use: reg-default: `https://raw.githubusercontent.com/owncloud/ios-app/master/LICENSE` -> computed: `https://raw.githubusercontent.com/owncloud/ios-app/master/LICENSE`\nextensions.disallowed: default: `( )` -> computed: `( )`\nconnection.force-background-url-sessions: default: `0` -> computed: `0`\nconnection.minimum-server-version: default: `10.0` -> computed: `10.0`\nconnection.allow-cellular: default: `1` -> computed: `1`\nconnection.preferred-authentication-methods: default: `(     "com.owncloud.openid-connect",     "com.owncloud.oauth2",     "com.owncloud.basicauth" )` -> computed: `(     "com.owncloud.openid-connect",     "com.owncloud.oauth2",     "com.owncloud.basicauth" )`\nconnection.allow-background-url-sessions: default: `1` -> computed: `1`\nconnection.plain-http-policy: default: `warn` -> computed: `warn`\nconnection.always-request-private-link: default: `0` -> computed: `0`\nconnection.transparent-temporary-redirect: default: `0` -> computed: `0`\n; Log options: level=Debug, destinations=["writer.stderr", "writer.file"], options=["option.log-requests-and-responses"], maskPrivateData=false [OCLogFileWriter.m:105|FULL]
2023-06-13 23:16:27.004000+0200 ownCloud[54277:5010774] [dbug] | [IPNC] Posting notification 'org.owncloud.log_records_remote_change' (ignoreSelf=1) [OCIPNotificationCenter.m:228|FULL]
2023-06-13 23:16:27.006000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Received notification 'org.owncloud.log_records_remote_change' [OCIPNotificationCenter.m:169|FULL]
2023-06-13 23:16:28.680000+0200 ownCloud[54277.4975929] [dbug] | [Keychain, Read] No item found for FBCC3C1F-D7E2-4834-BBC9-70744E451E70:authenticationData [OCKeychain.m:97|FULL]
2023-06-13 23:16:28.675000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Adding observer=<OCBookmark: 0x14a168680, uuid: FBCC3C1F-D7E2-4834-BBC9-70744E451E70, databaseVersion: 2, userInfo: {\n    "bookmark-creation" =     {\n        "app-build-number" = 267;\n        "app-version" = "12.0";\n        "creation-date" = "2023-06-13 21:16:28 +0000";\n        "log-intro" = "Host: com.owncloud.ios-app 12.0 (267) #v12.0-appstore.2 - milestone/12.0@5730d91f; SDK: 12.0 (267) #57d2c06; OS: iPadOS 16.5; Device: iPad (iPad8,6); Localizations: [de]; Class Setttings: action.allowed: default: `( )` -> computed: `( )`\naction.create-document-mode: reg-default: `create-and-open` -> computed: `create-and-open`\naction.disallowed: default: `( )` -> computed: `( )`\nhttp.user-agent: default: `ownCloudApp/{{app.version}} ({{app.part}}/{{app.build}}; {{os.name}}/{{os.version}}; {{device.model}})` -> computed: `ownCloudApp/{{app.version}} ({{app.part}}/{{app.build}}; {{os.name}}/{{os.version}}; {{device.model}})`\ncore.thumbnail-available-for-mime-type-prefixes: default: `(     \"*\" )` -> computed: `(     \"*\" )`\ncore.cookie-support-enabled: default: `1` -> computed: `1`\nauthentication.browser-session-class: default: `operating-system` -> computed: `operating-system`\nauthentication.browser-session-prefers-ephermal: default: `0` -> computed: `0`\nlog.format: default: `text` -> computed: `text`\nlog.single-lined: default: `0` -> computed: `0`\nlog.privacy-mask: default: `0` -> computed: `0`\nlog.colored: default: `0` -> computed: `0`\nlog.level: default: `4` -> user-prefs: `0` -> computed: `0`\nlog.maximum-message-size: default: `0` -> computed: `0`\nlog.replace-newline: default: `1` -> computed: `1`\nlog.enabled-components: default: `(     \"writer.stderr\",     \"writer.file\" )` -> computed: `(     \"writer.stderr\",     \"writer.file\" )`\nlog.blank-filtered-messages: default: `0` -> computed: `0`\nlog.synchronous: default: `0` -> computed: `0`\nbranding.enable-review-prompt: reg-default: `0` -> computed: `0`\nbranding.url-privacy: reg-default: `https://owncloud.org/privacy-policy/` -> computed: `https://owncloud.org/privacy-policy/`\nbranding.send-feedback-address: reg-default: `ios-app@owncloud.com` -> computed: `ios-app@owncloud.com`\nbranding.can-add-account: reg-default: `1` -> computed: `1`\nbranding.url-help: reg-default: `https://owncloud.com/docs-guides/` -> computed: `https://owncloud.com/docs-guides/`\nbranding.can-edit-account: reg-default: `1` -> computed: `1`\nbranding.url-documentation: reg-default: `https://doc.owncloud.com/ios-app/latest/` -> computed: `https://doc.owncloud.com/ios-app/latest/`\nbranding.url-terms-of-use: reg-default: `https://raw.githubusercontent.com/owncloud/ios-app/master/LICENSE` -> computed: `https://raw.githubusercontent.com/owncloud/ios-app/master/LICENSE`\nextensions.disallowed: default: `( )` -> computed: `( )`\nconnection.force-background-url-sessions: default: `0` -> computed: `0`\nconnection.minimum-server-version: default: `10.0` -> computed: `10.0`\nconnection.allow-cellular: default: `1` -> computed: `1`\nconnection.preferred-authentication-methods: default: `(     \"com.owncloud.openid-connect\",     \"com.owncloud.oauth2\",     \"com.owncloud.basicauth\" )` -> computed: `(     \"com.owncloud.openid-connect\",     \"com.owncloud.oauth2\",     \"com.owncloud.basicauth\" )`\nconnection.allow-background-url-sessions: default: `1` -> computed: `1`\nconnection.plain-http-policy: default: `warn` -> computed: `warn`\nconnection.always-request-private-link: default: `0` -> computed: `0`\nconnection.transparent-temporary-redirect: default: `0` -> computed: `0`\n; Log options: level=Debug, destinations=[\"writer.stderr\", \"writer.file\"], options=[\"option.log-requests-and-responses\"], maskPrivateData=false";\n        "sdk-commit" = 57d2c06;\n        "sdk-version" = "12.0 (267) #57d2c06";\n    };\n}> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:99|FULL]
2023-06-13 23:16:28.681000+0200 ownCloud[54277.4975929] [dbug] | [Keychain, Read] No item found for FBCC3C1F-D7E2-4834-BBC9-70744E451E70:authenticationData [OCKeychain.m:97|FULL]
2023-06-13 23:16:28.685000+0200 ownCloud[54277.4975929] [info] | [OS] -canOpenURL: failed for URL: "org-appextension-feature-password-management://" - error: "Der Vorgang konnte nicht abgeschlossen werden. (OSStatus-Fehler -10814.)" [NSLog:0|FULL]
2023-06-13 23:16:30.525000+0200 ownCloud[54277:5009514] [dbug] | [CONN] Retrieved ephermal pipeline <OCHTTPPipeline: 0x14c1eb600> with error=(null) [OCConnection.m:488|FULL]
2023-06-13 23:16:30.525000+0200 ownCloud[54277:5009514] [dbug] | [CONN] Retrieved local pipeline <OCHTTPPipeline: 0x14802d140> with error=(null) [OCConnection.m:493|FULL]
2023-06-13 23:16:30.525000+0200 ownCloud[54277:5009514] [dbug] | [CONN] Retrieved longlived pipeline <OCHTTPPipeline: 0x14819c560> with error=(null) [OCConnection.m:500|FULL]
2023-06-13 23:16:30.526000+0200 ownCloud[54277.4975929] [dbug] | [APP] Created cookie storage Optional(<OCHTTPCookieStorage: 0x148422050>) [BookmarkViewController.swift:88|FULL]
2023-06-13 23:16:30.534000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] -> GET https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/ [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Request, GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14, HTSum] [OCHTTPPipeline.m:1182|FULL]
2023-06-13 23:16:30.534000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Request, …] Sending request:\n# REQUEST ---------------------------------------------------------\nURL:         https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGET /.well-known/webfinger HTTP/1.1\nHost: ocis.example-domain.at\n[Redirect Policy: handle locally]\nOriginal-Request-ID: 27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE\nX-Request-ID: 27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE\nUser-Agent: ownCloudApp/12.0 (App/267; iPadOS/16.5; iPad)\n----------------------------------------------------------------- [… GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14] [OCHTTPPipeline.m:1183|FULL]
2023-06-13 23:16:30.578000+0200 ownCloud[54277:5010933] [dbug] | [HTTP, Local, …] Task [taskIdentifier=<14>, xRequestID=27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, method=GET, url=https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/] didFinishCollectingMetrics: { total: [2023-06-13 21:16:30 +0000 - 2023-06-13 21:16:30 +0000, 0.04 sec], startedAfter: 0.00, redirects: 0, transactions: [1: fetchStart: 0.00, request: 0.03..0.03 (0.00), cloud: 0.03..0.04 (0.01), response: 0.04..0.04 (0.00)] } [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Metrics, GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14] [OCHTTPPipeline.m:2047|FULL]
2023-06-13 23:16:30.579000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] <- 200 OK (GET https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/) [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Response, GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14, HTSum] [OCHTTPPipeline.m:1305|FULL]
2023-06-13 23:16:30.579000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Response, …] Received response:\n# RESPONSE --------------------------------------------------------\nMethod:      GET\nURL:         https://ocis.example-domain.at/.well-known/webfinger?resource=https://ocis.example-domain.at/\nRequest-ID:  27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n200 NO ERROR\nContent-Type: application/json; charset=utf-8\nLast-Modified: Tue, 13 Jun 2023 21:16:30 GMT\ncontent-security-policy: frame-ancestors 'none'\nServer: openresty\nx--version: 016af6916\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\nCache-Control: no-cache, no-store, max-age=0, must-revalidate, value\nDate: Tue, 13 Jun 2023 21:16:30 GMT\nContent-Length: 137\nx-content-type-options: nosniff\nx-frame-options: DENY\nVary: Origin\n\n{"subject":"https://ocis.example-domain.at/","links":[{"rel":"http://openid.net/specs/connect/1.0/issuer","href":"https://auth.example-domain.at"}]}\n\n----------------------------------------------------------------- [… GET, RequestID:27E9B91B-4CC9-4237-BF3F-A9F5F0DFCDAE, URLSessionTaskID:14] [OCHTTPPipeline.m:1306|FULL]
2023-06-13 23:16:30.594000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] -> GET https://auth.example-domain.at/.well-known/openid-configuration [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Request, GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15, HTSum] [OCHTTPPipeline.m:1182|FULL]
2023-06-13 23:16:30.594000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Request, …] Sending request:\n# REQUEST ---------------------------------------------------------\nURL:         https://auth.example-domain.at/.well-known/openid-configuration\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGET /.well-known/openid-configuration HTTP/1.1\nHost: auth.example-domain.at\n[Redirect Policy: handle locally]\nUser-Agent: ownCloudApp/12.0 (App/267; iPadOS/16.5; iPad)\nX-Request-ID: 174FAF45-1286-42F5-B493-07C4809A368B\nOriginal-Request-ID: 174FAF45-1286-42F5-B493-07C4809A368B\nReferer: https://ocis.example-domain.at/\n----------------------------------------------------------------- [… GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15] [OCHTTPPipeline.m:1183|FULL]
2023-06-13 23:16:30.603000+0200 ownCloud[54277:5010933] [dbug] | [HTTP, Local, …] Task [taskIdentifier=<15>, xRequestID=174FAF45-1286-42F5-B493-07C4809A368B, method=GET, url=https://auth.example-domain.at/.well-known/openid-configuration] didFinishCollectingMetrics: { total: [2023-06-13 21:16:30 +0000 - 2023-06-13 21:16:30 +0000, 0.01 sec], startedAfter: 0.00, redirects: 0, transactions: [1: fetchStart: 0.00, request: 0.00..0.00 (0.00), cloud: 0.00..0.01 (0.01), response: 0.01..0.01 (0.00)] } [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Metrics, GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15] [OCHTTPPipeline.m:2047|FULL]
2023-06-13 23:16:30.604000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] <- 200 OK (GET https://auth.example-domain.at/.well-known/openid-configuration) [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Response, GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15, HTSum] [OCHTTPPipeline.m:1305|FULL]
2023-06-13 23:16:30.604000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Response, …] Received response:\n# RESPONSE --------------------------------------------------------\nMethod:      GET\nURL:         https://auth.example-domain.at/.well-known/openid-configuration\nRequest-ID:  174FAF45-1286-42F5-B493-07C4809A368B\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n200 NO ERROR\nContent-Type: application/json; charset=utf-8\nPragma: no-cache\ncontent-security-policy: default-src 'none';\nx-xss-protection: 1; mode=block\nServer: openresty\nreferrer-policy: strict-origin-when-cross-origin\npermissions-policy: interest-cohort=()\nDate: Tue, 13 Jun 2023 21:16:30 GMT\nCache-Control: no-store\nContent-Length: 1453\nx-content-type-options: nosniff\nx-frame-options: SAMEORIGIN\nVary: Accept-Encoding\n\n{"issuer":"https://auth.example-domain.at","jwks_uri":"https://auth.example-domain.at/jwks.json","authorization_endpoint":"https://auth.example-domain.at/api/oidc/authorization","token_endpoint":"https://auth.example-domain.at/api/oidc/token","subject_types_supported":["public"],"response_types_supported":["code","token","id_token","code token","code id_token","token id_token","code token id_token","none"],"response_modes_supported":["form_post","query","fragment"],"scopes_supported":["offline_access","openid","profile","groups","email"],"claims_supported":["amr","aud","azp","client_id","exp","iat","iss","jti","rat","sub","auth_time","nonce","email","email_verified","alt_emails","groups","preferred_username","name"],"introspection_endpoint":"https://auth.example-domain.at/api/oidc/introspection","revocation_endpoint":"https://auth.example-domain.at/api/oidc/revocation","code_challenge_methods_supported":["S256"],"require_pushed_authorization_requests":false,"userinfo_endpoint":"https://auth.example-domain.at/api/oidc/userinfo","id_token_signing_alg_values_supported":["RS256"],"userinfo_signing_alg_values_supported":["none","RS256"],"request_object_signing_alg_values_supported":["none","RS256"],"request_uri_parameter_supported":false,"require_request_uri_registration":false,"claims_parameter_supported":false,"frontchannel_logout_supported":false,"frontchannel_logout_session_supported":false,"backchannel_logout_supported":false,"backchannel_logout_session_supported":false}\n----------------------------------------------------------------- [… GET, RequestID:174FAF45-1286-42F5-B493-07C4809A368B, URLSessionTaskID:15] [OCHTTPPipeline.m:1306|FULL]
2023-06-13 23:16:32.676000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Adding observer=<OCAuthenticationMethodOpenIDConnect: 0x14a70e670> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:99|FULL]
2023-06-13 23:16:32.676000+0200 ownCloud[54277:5010774] [dbug] | [CONN] Retrieved ephermal pipeline <OCHTTPPipeline: 0x14c1eb600> with error=(null) [OCConnection.m:488|FULL]
2023-06-13 23:16:32.676000+0200 ownCloud[54277:5010774] [dbug] | [CONN] Retrieved local pipeline <OCHTTPPipeline: 0x14802d140> with error=(null) [OCConnection.m:493|FULL]
2023-06-13 23:16:32.676000+0200 ownCloud[54277:5010774] [dbug] | [CONN] Retrieved longlived pipeline <OCHTTPPipeline: 0x14819c560> with error=(null) [OCConnection.m:500|FULL]
2023-06-13 23:16:32.678000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Adding observer=<OCAuthenticationMethodOpenIDConnect: 0x148428230> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:99|FULL]
2023-06-13 23:16:32.678000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Removing observer=<OCAuthenticationMethodOpenIDConnect: 0x14a70e670> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:125|FULL]
2023-06-13 23:16:32.679000+0200 ownCloud[54277:4975984] [WARN] | [HTTP, Local, …] Attempt to attach a handler (<OCConnection: 0x14a75a100>) for partition FBCC3C1F-D7E2-4834-BBC9-70744E451E70 for which one is already attached (<OCConnection: 0x14a15eb50>). Detaching previous one. [… PipelineID:default, Instance:0x14802d140] [OCHTTPPipeline.m:1587|FULL]
2023-06-13 23:16:32.680000+0200 ownCloud[54277:4975984] [WARN] | [HTTP, Local, …] Attempt to attach a handler (<OCConnection: 0x14a75a100>) for partition FBCC3C1F-D7E2-4834-BBC9-70744E451E70 for which one is already attached (<OCConnection: 0x14a15eb50>). Detaching previous one. [… PipelineID:ephermal, Instance:0x14c1eb600] [OCHTTPPipeline.m:1587|FULL]
2023-06-13 23:16:32.680000+0200 ownCloud[54277:4975984] [WARN] | [HTTP, Background, …] Attempt to attach a handler (<OCConnection: 0x14a75a100>) for partition FBCC3C1F-D7E2-4834-BBC9-70744E451E70 for which one is already attached (<OCConnection: 0x14a15eb50>). Detaching previous one. [… PipelineID:background, Instance:0x14819c560, URLSessionID:background;com.owncloud.ios-app] [OCHTTPPipeline.m:1587|FULL]
2023-06-13 23:16:32.682000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] -> GET https://auth.example-domain.at/.well-known/openid-configuration [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Request, GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16, HTSum] [OCHTTPPipeline.m:1182|FULL]
2023-06-13 23:16:32.682000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Request, …] Sending request:\n# REQUEST ---------------------------------------------------------\nURL:         https://auth.example-domain.at/.well-known/openid-configuration\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGET /.well-known/openid-configuration HTTP/1.1\nHost: auth.example-domain.at\n[Redirect Policy: handle locally]\nUser-Agent: ownCloudApp/12.0 (App/267; iPadOS/16.5; iPad)\nX-Request-ID: 5BE31C67-EDAD-4EEF-B599-53DEA22AE790\nOriginal-Request-ID: 5BE31C67-EDAD-4EEF-B599-53DEA22AE790\nReferer: https://ocis.example-domain.at/\n----------------------------------------------------------------- [… GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16] [OCHTTPPipeline.m:1183|FULL]
2023-06-13 23:16:32.700000+0200 ownCloud[54277:5009514] [dbug] | [HTTP, Local, …] Task [taskIdentifier=<16>, xRequestID=5BE31C67-EDAD-4EEF-B599-53DEA22AE790, method=GET, url=https://auth.example-domain.at/.well-known/openid-configuration] didFinishCollectingMetrics: { total: [2023-06-13 21:16:32 +0000 - 2023-06-13 21:16:32 +0000, 0.02 sec], startedAfter: 0.00, redirects: 0, transactions: [1: fetchStart: 0.00, request: 0.00..0.00 (0.00), cloud: 0.00..0.02 (0.02), response: 0.02..0.02 (0.00)] } [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Metrics, GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16] [OCHTTPPipeline.m:2047|FULL]
2023-06-13 23:16:32.701000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Local, …] <- 200 OK (GET https://auth.example-domain.at/.well-known/openid-configuration) [… PipelineID:ephermal, Instance:0x14c1eb600, HTTP, Response, GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16, HTSum] [OCHTTPPipeline.m:1305|FULL]
2023-06-13 23:16:32.701000+0200 ownCloud[54277:4975984] [dbug] | [HTTP, Response, …] Received response:\n# RESPONSE --------------------------------------------------------\nMethod:      GET\nURL:         https://auth.example-domain.at/.well-known/openid-configuration\nRequest-ID:  5BE31C67-EDAD-4EEF-B599-53DEA22AE790\nError:       -\nReq Signals: (null)\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n200 NO ERROR\nContent-Type: application/json; charset=utf-8\nPragma: no-cache\ncontent-security-policy: default-src 'none';\nx-xss-protection: 1; mode=block\nServer: openresty\nreferrer-policy: strict-origin-when-cross-origin\npermissions-policy: interest-cohort=()\nDate: Tue, 13 Jun 2023 21:16:32 GMT\nCache-Control: no-store\nContent-Length: 1453\nx-content-type-options: nosniff\nx-frame-options: SAMEORIGIN\nVary: Accept-Encoding\n\n{"issuer":"https://auth.example-domain.at","jwks_uri":"https://auth.example-domain.at/jwks.json","authorization_endpoint":"https://auth.example-domain.at/api/oidc/authorization","token_endpoint":"https://auth.example-domain.at/api/oidc/token","subject_types_supported":["public"],"response_types_supported":["code","token","id_token","code token","code id_token","token id_token","code token id_token","none"],"response_modes_supported":["form_post","query","fragment"],"scopes_supported":["offline_access","openid","profile","groups","email"],"claims_supported":["amr","aud","azp","client_id","exp","iat","iss","jti","rat","sub","auth_time","nonce","email","email_verified","alt_emails","groups","preferred_username","name"],"introspection_endpoint":"https://auth.example-domain.at/api/oidc/introspection","revocation_endpoint":"https://auth.example-domain.at/api/oidc/revocation","code_challenge_methods_supported":["S256"],"require_pushed_authorization_requests":false,"userinfo_endpoint":"https://auth.example-domain.at/api/oidc/userinfo","id_token_signing_alg_values_supported":["RS256"],"userinfo_signing_alg_values_supported":["none","RS256"],"request_object_signing_alg_values_supported":["none","RS256"],"request_uri_parameter_supported":false,"require_request_uri_registration":false,"claims_parameter_supported":false,"frontchannel_logout_supported":false,"frontchannel_logout_session_supported":false,"backchannel_logout_supported":false,"backchannel_logout_session_supported":false}\n----------------------------------------------------------------- [… GET, RequestID:5BE31C67-EDAD-4EEF-B599-53DEA22AE790, URLSessionTaskID:16] [OCHTTPPipeline.m:1306|FULL]
2023-06-13 23:16:32.702000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Starting auth session with URL https://auth.example-domain.at/api/oidc/authorization?prompt=select_account%20consent&response_type=code&code_challenge_method=S256&code_challenge=RaKLK0_mwdt449NWu5Tgd-z-6sWZp_z0RKd9RRJDgjg&scope=openid%20offline_access%20email%20profile&redirect_uri=oc://ios.owncloud.com&client_id=mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1 [OCAuthenticationMethodOAuth2.m:464|FULL]
2023-06-13 23:16:32.726000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Started (1) auth session <ASWebAuthenticationSession: 0x13ee22dd0> [OCAuthenticationMethodOAuth2.m:470|FULL]
2023-06-13 23:16:36.583000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Received UIApplicationWillResignActiveNotification notification: flush auth secret [OCAuthenticationMethod.m:154|FULL]
2023-06-13 23:16:36.584000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Scheduling tasks in state background, location id: OCExtensionLocationIdentifier(_rawValue: appDidBecomeBackgrounded) [ScheduledTaskManager.swift:234|FULL]
2023-06-13 23:16:36.584000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Task extension match: OCExtensionIdentifier(_rawValue: com.owncloud.action.instant_media_upload) [ScheduledTaskManager.swift:242|FULL]
2023-06-13 23:16:36.584000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Scheduled 1 tasks [ScheduledTaskManager.swift:267|FULL]
2023-06-13 23:16:36.587000+0200 ownCloud[54277:5010933] [dbug] | [APP, INSTANT_MEDIA_UPLOAD] Task started [InstantMediaUploadTaskExtension.swift:38|FULL]
2023-06-13 23:16:36.587000+0200 ownCloud[54277:5010933] [dbug] | [APP, INSTANT_MEDIA_UPLOAD] Task finished [InstantMediaUploadTaskExtension.swift:71|FULL]
2023-06-13 23:16:36.587000+0200 ownCloud[54277:5010933] [dbug] | [APP, TASK_MANAGER] All tasks executed [ScheduledTaskManager.swift:289|FULL]
2023-06-13 23:16:36.599000+0200 ownCloud[54277.4975929] [dbug] | [BGMAN] Process moved to the background [OCBackgroundManager.m:125|FULL]
2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Auth session returned with callbackURL=oc://ios.owncloud.com?error=invalid_state&error_description=The+state+is+missing+or+does+not+have+enough+characters+and+is+therefore+considered+too+weak.+Request+parameter+%27state%27+must+be+at+least+be+8+characters+long+to+ensure+sufficient+entropy.&state=, error=(null) [OCAuthenticationMethodOAuth2.m:402|FULL]
2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | [AUTH, Openid-Connect] Auth session concluded with error=Error Domain=OCError Code=3 "Authorization failed. (error 3)" (-[OCAuthenticationMethodOAuth2 generateBookmarkAuthenticationDataWithConnection:options:completionHandler:]_block_invoke [OCAuthenticationMethodOAuth2.m:436]) UserInfo={NSDebugDescription=-[OCAuthenticationMethodOAuth2 generateBookmarkAuthenticationDataWithConnection:options:completionHandler:]_block_invoke [OCAuthenticationMethodOAuth2.m:436], OCErrorDate=2023-06-13 21:16:36 +0000} [OCAuthenticationMethodOAuth2.m:453|FULL]
2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | [CONN, DEALLOC] connection deallocated [OCConnection.m:478|FULL]
2023-06-13 23:16:36.960000+0200 ownCloud[54277.4975929] [dbug] | [IPNC] Removing observer=<OCAuthenticationMethodOpenIDConnect: 0x148428230> for 'com.owncloud.bookmark.auth-update' [OCIPNotificationCenter.m:125|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Scheduling tasks in state foreground, location id: OCExtensionLocationIdentifier(_rawValue: appDidComeToForeground) [ScheduledTaskManager.swift:234|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Task extension match: OCExtensionIdentifier(_rawValue: com.owncloud.action.instant_media_upload) [ScheduledTaskManager.swift:242|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Task extension match: OCExtensionIdentifier(_rawValue: com.owncloud.action.pending_media_upload) [ScheduledTaskManager.swift:242|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277.4975929] [dbug] | [APP, TASK_MANAGER] Scheduled 2 tasks [ScheduledTaskManager.swift:267|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277:5009243] [dbug] | [APP, REMAINING_MEDIA_UPLOAD] Preparing... [PendingMediaUploadTaskExtension.swift:31|FULL]
2023-06-13 23:16:36.969000+0200 ownCloud[54277:5009243] [dbug] | [APP, REMAINING_MEDIA_UPLOAD] No bookmark selected... [PendingMediaUploadTaskExtension.swift:35|FULL]
2023-06-13 23:16:36.968000+0200 ownCloud[54277:5010774] [dbug] | [APP, INSTANT_MEDIA_UPLOAD] Task started [InstantMediaUploadTaskExtension.swift:38|FULL]
2023-06-13 23:16:36.969000+0200 ownCloud[54277:5010774] [dbug] | [APP, INSTANT_MEDIA_UPLOAD] Task finished [InstantMediaUploadTaskExtension.swift:71|FULL]
2023-06-13 23:16:36.969000+0200 ownCloud[54277:5010774] [dbug] | [APP, TASK_MANAGER] All tasks executed [ScheduledTaskManager.swift:289|FULL]
2023-06-13 23:16:36.977000+0200 ownCloud[54277.4975929] [dbug] | [BGMAN] Process moved to the foreground [OCBackgroundManager.m:125|FULL]

Documentation

OwnCloud Infinity Scale - container-vars.env:

DEMO_USERS=false                                  # do not create demo users
PROXY_TLS=false                                   # use the HTTP server instead of the HTTPS server.
OCIS_INSECURE=true                                # generate self-signed certificates
OCIS_URL=https://ocis.example-domain.at                 # replace with your domain
PROXY_HTTP_ADDR=0.0.0.0:9200                      # listen on all available interfaces

OCIS_LOG_LEVEL=info
OCIS_LOG_COLOR=true
OCIS_LOG_PRETTY=true

OCIS_OIDC_ISSUER=https://auth.example-domain.at
WEB_OIDC_CLIENT_ID=NZFZ8otaaNcO01Ezworq8suOKl72yJnaxACCDpoj
PROXY_OIDC_REWRITE_WELLKNOWN=true

PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none

Pre-Submission Checklist

  • I agree to follow the Code of Conduct

  • This is a bug report and not a support request

  • I have read the security policy and this bug report is not a security issue or security related issue

  • I have either included the complete configuration file or I am sure it's unrelated to the configuration

  • I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the Troubleshooting Sanitization reference guide

  • I have checked for related proxy or application logs and included them if available

  • I have checked for related issues and checked the documentation

@webzit webzit added priority/4/normal Normal priority items status/needs-triage Issues which have not expressly been classified by a team member yet type/bug/unconfirmed Unconfirmed Bugs labels Jun 15, 2023
@james-d-elliott
Member

  1. This is an intentional security feature, not a bug. We require the state parameter by default per best security practice.
  2. You didn't complete the issue template.

@james-d-elliott james-d-elliott closed this as not planned Won't fix, can't repro, duplicate, stale Jun 15, 2023
@james-d-elliott james-d-elliott added type/invalid Issues/etc that are not valid or reported correctly type/bug/third-party Bugs with third party software, not with Authelia itself. and removed type/bug/unconfirmed Unconfirmed Bugs status/needs-triage Issues which have not expressly been classified by a team member yet labels Jun 15, 2023
@michaelstingl
https://127.0.0.1:60527/?code=authelia_ac_*************&scope=openid+offline_access+email+profile&state=*********. Only when I change https to http in the URL does the Mac desktop app open and the login works.

Not an authelia or ownCloud problem. Your reverse proxy shouldn't rewrite the OIDC redirect_uri

@james-d-elliott james-d-elliott removed the type/bug/third-party Bugs with third party software, not with Authelia itself. label Jun 16, 2023
@james-d-elliott
Member

Thanks for the input. Should I take that as confirmation that ownCloud includes the state parameter by default and uses a reasonable length to ensure entropy? Do you happen to know the length by default?

@webzit
Author

webzit commented Jun 16, 2023

Thank you, James.

With reference to your answer here: owncloud/ios-app#1219 (comment)

While it's true that PKCE prevents most of the same attacks as, and more than, the nonce or state parameters, the state parameter may also prevent spoofing of a server error response, provided the relying party verifies it. PKCE cannot prevent this specific type of spoofing in the current specification, as it's not required to include the code_challenge in these responses (which would effectively achieve the same goal), and I don't think there is any guidance on verifying it at this stage, so there is practically zero implementation.

This gives the state parameter a unique place in the security measures implementers choose. It should also be noted we only require it by default.

Even after setting minimum_parameter_entropy to -1 to disable the requirement for the state parameter, this does not seem to be honored. (Bug?)
When trying to authenticate, I still get the missing state parameter error. The message errFmtOIDCProviderInsecureParameterEntropy ("Configuration: openid connect provider: SECURITY ISSUE - minimum parameter entropy is configured to an unsafe value, it should be above 8 but it's configured to -1") and not "errFmtOIDCProviderInsecureDisabledParameterEntropy" appears in the logs.

[...]
identity_providers:
  oidc:
    minimum_parameter_entropy: -1
    access_token_lifespan: 1w
    authorize_code_lifespan: 1m
    id_token_lifespan: 10h
    refresh_token_lifespan: 1M
    enable_client_debug_messages: true
[...]

https://127.0.0.1:60527/?code=authelia_ac_*************&scope=openid+offline_access+email+profile&state=*********. Only when I change https to http in the URL does the Mac desktop app open and the login works.

Not an authelia or ownCloud problem. Your reverse proxy shouldn't rewrite the OIDC redirect_uri

Thank you. After commenting out the line "proxy_redirect http:// $scheme://;" in the proxy.conf snippet (https://www.authelia.com/integration/proxies/nginx/#proxyconf) authentication using the Mac Desktop client works fine.
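The quoted explanation above makes a point that is easy to miss: the state value only protects the relying party if the client generates it with enough entropy, binds it to the pending login, and checks it on every callback, including error callbacks such as the `error=invalid_state` one in the iOS log. The following Go program is an added illustration written for this thread, not code from Authelia or the ownCloud apps; the `oc://ios.owncloud.com` redirect URI is taken from the log, while the 8-character minimum is an assumption matching the provider's error text and the `StateStore` type and its methods are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sync"
)

// minStateLength is the shortest state this client will accept on a callback.
// Assumption for the example: it matches the "at least 8 characters" minimum
// the provider reported in the log above.
const minStateLength = 8

// StateStore remembers the state values this client has issued and not yet
// consumed, so a callback can be tied to a login the client actually started.
type StateStore struct {
	mu     sync.Mutex
	issued map[string]struct{}
}

func NewStateStore() *StateStore {
	return &StateStore{issued: map[string]struct{}{}}
}

// NewState generates a random, URL-safe state (32 bytes, 43 characters once
// encoded) and records it as outstanding.
func (s *StateStore) NewState() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	st := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	s.issued[st] = struct{}{}
	s.mu.Unlock()
	return st, nil
}

// CallbackResult is what the client learns from a callback that passed the
// state check: either an authorization code or the provider's error code.
type CallbackResult struct {
	Code      string
	ErrorCode string
}

var (
	ErrMissingState = errors.New("callback: state parameter missing or too short")
	ErrUnknownState = errors.New("callback: state was not issued by this client (possible spoofed response)")
)

// HandleCallback validates the state before trusting any other parameter.
// Error responses are checked exactly like success responses, which is what
// lets the state parameter catch a spoofed error. A state is consumed on first
// use so a captured callback cannot be replayed.
func (s *StateStore) HandleCallback(rawURL string) (CallbackResult, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return CallbackResult{}, err
	}
	q := u.Query()
	st := q.Get("state")
	if len(st) < minStateLength {
		return CallbackResult{}, ErrMissingState
	}
	s.mu.Lock()
	_, ok := s.issued[st]
	if ok {
		delete(s.issued, st)
	}
	s.mu.Unlock()
	if !ok {
		return CallbackResult{}, ErrUnknownState
	}
	if e := q.Get("error"); e != "" {
		return CallbackResult{ErrorCode: e}, nil
	}
	return CallbackResult{Code: q.Get("code")}, nil
}

func main() {
	s := NewStateStore()
	st, _ := s.NewState()
	// Constructed callback in the shape of the one from the log, with a real state.
	res, err := s.HandleCallback("oc://ios.owncloud.com?code=authelia_ac_example&state=" + st)
	fmt.Printf("result=%+v err=%v\n", res, err)
}
```

The order of checks is the point: a callback with an empty or unknown state is rejected before the client looks at `code` or `error`, so neither a forged error nor a replayed success can influence the login.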

@webzit
Author

webzit commented Jun 16, 2023

switch {
case config.MinimumParameterEntropy == -1:
	val.PushWarning(fmt.Errorf(errFmtOIDCProviderInsecureDisabledParameterEntropy))
case config.MinimumParameterEntropy <= 0:
	config.MinimumParameterEntropy = fosite.MinParameterEntropy
case config.MinimumParameterEntropy < fosite.MinParameterEntropy:
	val.PushWarning(fmt.Errorf(errFmtOIDCProviderInsecureParameterEntropy, fosite.MinParameterEntropy, config.MinimumParameterEntropy))
}

It seems as if the third case is executed before the first case. I am unfortunately not versed enough in Go to create a PR here.
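A Go `switch` with no tag evaluates its cases top to bottom and takes the first one that is true, so the question of which warning a given `minimum_parameter_entropy` value produces can be checked directly. The program below is an added model of the quoted switch and of the request-time check the setting governs; it is not Authelia's code. It assumes `fosite.MinParameterEntropy` is 8 (matching the "at least 8 characters" minimum in the error response earlier in this issue), that `-1` means the state length is not checked at all, and it uses shortened warning texts and hypothetical names (`ProviderConfig`, `NormalizeMinimumParameterEntropy`, `CheckStateEntropy`).

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in for fosite.MinParameterEntropy. Assumption: 8, which matches the
// provider's "must be at least 8 characters long" error text above.
const fositeMinParameterEntropy = 8

// Shortened forms of the two warnings discussed in the thread (not the exact
// Authelia strings).
const (
	warnDisabledParameterEntropy = "openid connect provider: minimum parameter entropy disabled, state parameter is optional"
	warnInsecureParameterEntropy = "openid connect provider: SECURITY ISSUE - minimum parameter entropy is configured to an unsafe value, it should be above %d but it's configured to %d"
)

// ProviderConfig holds the one setting this example is about.
type ProviderConfig struct {
	MinimumParameterEntropy int
}

// NormalizeMinimumParameterEntropy applies the quoted switch in the same case
// order and returns the warning it raised, if any. The first true case wins:
// -1 is matched by the first case and never reaches the third.
func NormalizeMinimumParameterEntropy(config *ProviderConfig) (warning string) {
	switch {
	case config.MinimumParameterEntropy == -1:
		warning = warnDisabledParameterEntropy
	case config.MinimumParameterEntropy <= 0:
		config.MinimumParameterEntropy = fositeMinParameterEntropy
	case config.MinimumParameterEntropy < fositeMinParameterEntropy:
		warning = fmt.Sprintf(warnInsecureParameterEntropy, fositeMinParameterEntropy, config.MinimumParameterEntropy)
	}
	return warning
}

var ErrStateTooWeak = errors.New("invalid_state: the state is missing or does not have enough characters")

// CheckStateEntropy is the request-time check the setting controls
// (assumption for the example): -1 accepts any state, including an empty one,
// while any other value requires at least that many characters.
func CheckStateEntropy(config ProviderConfig, state string) error {
	if config.MinimumParameterEntropy == -1 {
		return nil
	}
	if len(state) < config.MinimumParameterEntropy {
		return ErrStateTooWeak
	}
	return nil
}

func main() {
	// Walk the interesting configured values and show the branch each one takes
	// and whether an empty state (as in the iOS log) would be accepted.
	for _, v := range []int{-1, 0, 4, 8} {
		cfg := ProviderConfig{MinimumParameterEntropy: v}
		w := NormalizeMinimumParameterEntropy(&cfg)
		fmt.Printf("configured=%d effective=%d warning=%q empty_state_err=%v\n",
			v, cfg.MinimumParameterEntropy, w, CheckStateEntropy(cfg, ""))
	}
}
```

Running it shows that, with the switch as quoted, `-1` yields the "disabled" warning and accepts an empty state, `0` is silently raised to 8, and a value such as `4` is the one that produces the "SECURITY ISSUE" warning while still enforcing the configured minimum. If the deployed provider logs the "SECURITY ISSUE" text for `-1`, the value reaching this switch is not what the file says, which is worth confirming from the effective configuration before changing anything else.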

@james-d-elliott james-d-elliott added the area/openid-connect OpenID Connect 1.0 / OAuth 2.0 related features/bugs label Aug 19, 2023