Description
Steps to reproduce
- Setup Authentik as IdP for opencloud (OIDC)
- Create provider & application for mobile (and other) applications
- Try to login using Authentik inside the app.
Expected behavior
I'm using my Authentik instance to authenticate with the opencloud. It works great when using the web version. It detects the OIDC connection, and asks me to login. I'd expect the authentication to also work using the mobile app.
Actual behavior
What actually happens is that, because for Authentik every application needs a dedicated provider (i.e. client), the mobile provider is using a different issuer path/URL than the web application. The server however only promotes the endpoints for the web application, which is mismatching the endpoint for the mobile application. (application/o/opencloud/.well-known/openid-configuration vs. application/o/opencloud-mobile/.well-known/openid-configuration)
Client
iOS version: 18.5 (beta)
OpenCloud app version: 1.0.1 (Testflight)
Device model: iPhone 16 Pro
Server configuration
Latest opencloudeu/opencloud-rolling docker image
Logs
OpenCloud App log
HTTP/1.1
Host: my.auth.com
Content-Length: 253
User-Agent: OpenCloudApp/1.0.1 (App/1; iOS/18.5; iPhone)
X-Request-ID: 6E51CAFE-23A9-4ADB-B990-1D7823B8B8E9
Original-Request-ID: 6E51CAFE-23A9-4ADB-B990-1D7823B8B8E9
Authorization: Basic [redacted:1]
Content-Type: application/x-www-form-urlencoded
Accept-Language: en

client_id=OpenCloudIOS&scope=openid%20offline_access%20email%20profile&refresh_token=aToken&client_secret=&grant_type=refresh_token
, response: 400 BAD REQUEST
Content-Type: application/json
x-authentik-id: 3da77788fa3848838f5ea87b2c639bb2
Pragma: no-cache
x-powered-by: authentik
Content-Encoding: gzip
Server: nginx
referrer-policy: same-origin
Cache-Control: no-store
Date: Tue, 22 Apr 2025 07:31:44 GMT
Content-Length: 176
Strict-Transport-Security: max-age=63072000
x-content-type-options: nosniff
Vary: Accept-Encoding, Cookie
x-frame-options: DENY

{"error": "invalid_grant", "error_description": "The provided authorization grant or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client"}
, metrics: (null), finished: 0>, dbError=(null) [OCHTTPPipelineBackend.m:483|FULL]
Tell us what could be improved:
From what I understand, part of the issue is the hardcoded client_id, which is OpenCloudIOS. That is different from the web version. I could configure the web version with WEB_OIDC_CLIENT_ID to the same client_id, but that's not really a solution for all the different clients that exist (e.g. Android app, Desktop). Making the client_id configurable in the app would be another idea, but I'm almost certain that is not a good practice, as all clients would use the same client_id then.
Ideally, the client app should not look for the web configuration and instead follow its own, but I'm not sure if/how that would be possible. I'm also not sure what part PROXY_OIDC_REWRITE_WELLKNOWN plays here, since https://my.opencloud.com/.well-known/webfinger?resource=https://my.opencloud.com/ advertises only one auth endpoint & that's the wrong endpoint for all clients (only web works). So maybe the issue is with the server component of opencloud, but wanted to bring this up here as well.
There are some related issues that can be found for OCIS and/or Authentik; however, the common feedback is that it needs to be properly implemented by the client applications:
- Better OIDC Support (Authentik, multiple issuer) for multiple client ids owncloud/product#354
- Multiple Client IDs per OIDC Issuer? goauthentik/authentik#7251
Any insights or thoughts are much appreciated 🙏
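The mismatch described under "Actual behavior" and in the webfinger paragraph above can be checked offline with the following script. It is an added example written for this page, not code from the OpenCloud app, the OpenCloud server or Authentik: it takes a WebFinger document, resolves the single OIDC issuer it advertises, runs OpenID Connect discovery against it (including the spec-mandated check that the returned issuer equals the one queried), and reports whether the provider behind that issuer is the one a given client_id was registered with. The hostnames, paths, client ids, discovery documents and the provider-to-client table are constructed sample data modelled on the report; the fetch function is an in-memory stand-in for an HTTP GET.

```python
"""Added diagnostic example, not part of the original issue or of any OpenCloud
or Authentik code. All URLs, client ids and JSON documents are constructed
sample data, not captured responses."""
import json
from typing import Callable, Dict

# Link relation that WebFinger uses to point at an OpenID Provider issuer.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed: the one document the server hands to every client asking
# /.well-known/webfinger?resource=https://my.opencloud.com/
WEBFINGER_RESPONSE = json.dumps({
    "subject": "https://my.opencloud.com/",
    "links": [{"rel": OIDC_ISSUER_REL,
               "href": "https://my.auth.com/application/o/opencloud/"}],
})

# Constructed: one discovery document per provider; the issuer differs per
# provider while the token/authorize endpoints are shared.
DISCOVERY_DOCS: Dict[str, dict] = {
    "https://my.auth.com/application/o/opencloud/": {
        "issuer": "https://my.auth.com/application/o/opencloud/",
        "authorization_endpoint": "https://my.auth.com/application/o/authorize/",
        "token_endpoint": "https://my.auth.com/application/o/token/",
    },
    "https://my.auth.com/application/o/opencloud-mobile/": {
        "issuer": "https://my.auth.com/application/o/opencloud-mobile/",
        "authorization_endpoint": "https://my.auth.com/application/o/authorize/",
        "token_endpoint": "https://my.auth.com/application/o/token/",
    },
}

# Constructed: which client_id was registered on which provider (hypothetical
# web client id "web"; "OpenCloudIOS" is the id seen in the app log above).
PROVIDER_CLIENTS: Dict[str, str] = {
    "https://my.auth.com/application/o/opencloud/": "web",
    "https://my.auth.com/application/o/opencloud-mobile/": "OpenCloudIOS",
}


def discovery_url(issuer: str) -> str:
    """Build the OpenID Connect discovery URL for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fake_fetch(url: str) -> dict:
    """Stand-in for HTTP GET that serves the constructed discovery documents."""
    for issuer, doc in DISCOVERY_DOCS.items():
        if url == discovery_url(issuer):
            return doc
    raise KeyError(f"no constructed document for {url}")


def advertised_issuer(webfinger_json: str) -> str:
    """Return the single issuer a WebFinger document advertises; refuse
    documents that advertise none or several, since a client cannot pick."""
    doc = json.loads(webfinger_json)
    issuers = [link["href"] for link in doc.get("links", [])
               if link.get("rel") == OIDC_ISSUER_REL]
    if len(issuers) != 1:
        raise ValueError(f"expected exactly one OIDC issuer link, got {issuers}")
    return issuers[0]


def discover(issuer: str, fetch: Callable[[str], dict]) -> dict:
    """Run discovery and enforce the OpenID Connect Discovery rule that the
    returned 'issuer' must equal the issuer URL that was queried."""
    doc = fetch(discovery_url(issuer))
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: queried {issuer}, got {doc.get('issuer')}")
    return doc


def check_client(client_id: str, webfinger_json: str,
                 fetch: Callable[[str], dict] = fake_fetch,
                 provider_clients: Dict[str, str] = PROVIDER_CLIENTS) -> dict:
    """Report whether the issuer WebFinger sends this client to is the
    provider its client_id is actually registered with."""
    issuer = advertised_issuer(webfinger_json)
    doc = discover(issuer, fetch)
    registered = provider_clients.get(issuer)
    return {
        "client_id": client_id,
        "advertised_issuer": issuer,
        "registered_client": registered,
        "token_endpoint": doc["token_endpoint"],
        "match": registered == client_id,
    }


if __name__ == "__main__":
    for cid in ("web", "OpenCloudIOS"):
        print(json.dumps(check_client(cid, WEBFINGER_RESPONSE), indent=2))
```

Run it as-is and the web client matches while OpenCloudIOS is sent to the opencloud provider that was registered for a different client, which is the situation in which a token request for that client id can only be refused. To use it against a real deployment, replace fake_fetch with a function that performs an HTTPS GET and parses the JSON, and fill PROVIDER_CLIENTS from the provider configuration in the IdP.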