[QA] Configured attribute preferred_username is not known #248

Closed
jnweiger opened this issue Aug 6, 2022 · 4 comments · Fixed by #250

@jnweiger
Contributor

jnweiger commented Aug 6, 2022

Seen with 2.2.0-rc.2 on core 10.9.1

  • Setup with kopano IDP via https://github.com/owncloud/QA/blob/master/tools/hetzner-deploy/deploy_openidconnect_test.sh
  • The OIDC section in config.php is according to https://doc.owncloud.com/server/10.10/admin_manual/configuration/user/oidc/kopano-setup.html#example-config-php
    'openid-connect' =>
    array (
      'provider-url' => 'https://konnect-oidc-210-20220806.jw-qa.owncloud.works',
      'client-id' => 'ownCloud',
      'client-secret' => 'XXXXXXXXXX',
      'loginButtonName' => 'Kopano',
      'autoRedirectOnLoginPage' => false,
      'redirect-url' => 'https://oc1091-oidc-210-20220806.jw-qa.owncloud.works/index.php/apps/openidconnect/redirect',
      'mode' => 'userid',
      'search-attribute' => 'preferred_username',
    ),
    
  • Log in user aaliyah_abernathy with the Alternative Logins - Kopano button.
  • After clicking 'Allow' on the Kopano consent page, an error is shown:
    [image]
  • The documentation suggests changing several fields 'if necessary' and gives an insufficient hint '(see identity provider configuration)' without a link.
    • When editing the search-attribute to say name or email, etc. instead, the error message changes accordingly. All attributes that I tried are reported as 'is not known'.
    • Changing 'mode' to 'email' (as hinted at in the comment) has no effect on the error message.
    • Adding a line 'scopes' => [ 'openid', 'profile', 'email', 'offline_access' ], /* seen in azure setup */ also has no effect.

The docker-compose logs have this:


@jnweiger
Contributor Author

jnweiger commented Aug 6, 2022

Same setup with released openidconnect-2.1.0 works fine.

@DeepDiver1975
Member

I have an idea. Definitely a regression. 😱

@jnweiger
Contributor Author

Reproducible in https://oc1091-oidc-220rc2-20220913.jw-qa.owncloud.works/
@DeepDiver1975 you have credentials. Enjoy.

@jnweiger
Contributor Author

jnweiger commented Sep 16, 2022

Confirmed fixed in openidconnect 2.2.0-rc.3
Login via kopano idp now works again with both core 10.9.1 and 10.11.0
