Add WebDAV access using OIDC bearer token #99
Conversation
Exactly what I was looking for. Any news? Or are there any alternatives available?
Sorry I've not had enough time to review this (huge) PR. Overall it looks good to go, though I'm not really familiar with how WebDAV works (and how many moving parts there are in the Nextcloud implementation etc.). If you could fix the conflict then I could test locally and merge.
```php
// The enclosing try block opens above the lines shown in the diff view; the
// initialisation keeps the return value defined if query() throws.
$storagesService = null;
try {
    $storagesService = class_exists('\OCA\Files_External\Service\GlobalStoragesService') ?
        $container->query(\OCA\Files_External\Service\GlobalStoragesService::class) : null;
} catch (Exception $e) {}
return $storagesService;
```
I'm assuming returning null here is fine
Yes it is. Like before, the parameter storagesService in the constructor of a class would then be null as well.
@sirkrypt0 Does this also enable bearer authentication for CardDAV / CalDAV to access the contacts and calendars?
Yes it does :)
I fixed the conflicts and added the newest changes from master :)
That's awesome :-) It finally enables integrating Nextcloud as a contact/calendar resource service in a single sign-on setup! I tried this today and could in the end get it working, but some notes from my experience:

No advertisement of Bearer authentication to clients
Nextcloud does not advertise bearer authentication in the WWW-Authenticate header. It mentions bearer authentication in the response body only, but this is normally not interpreted by HTTP clients. If Bearer authentication is not advertised, it is likely that the client will not attempt it. It is required to advertise the scheme per RFC 6750.

Audience Mapper configuration unclear
It may be clear to someone who knows what they are doing here (which I was not), but my understanding of your instructions on configuring the client audience mapper was that I should include the nextcloud client (in my case: roundcube). This didn't work. I found that I have to actually add nextcloud here, not the DAV client application. I think it would be clearer if you wrote instead.
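As an added illustration of the RFC 6750 point above (example code written for this note, not code from nextcloud-oidc-login or Nextcloud), the following Python shows both halves of the exchange: a server that answers every 401 with a Bearer challenge in WWW-Authenticate, and a client that only retries with a token once it has seen that challenge. The realm label, the token validator and the handler names are assumptions.

```python
import re

REALM = "Nextcloud"  # assumed realm label; RFC 6750 only needs the scheme name

# Matches each auth-scheme that starts a challenge: at the beginning of the
# header value or after a comma, followed by whitespace or the end, and not an
# auth-param such as realm="..." (which is followed by '='). Commas inside
# quoted parameter values are not handled; enough for the challenges seen here.
_SCHEME_RE = re.compile(r'(?:^|,)\s*([A-Za-z][\w.~+/-]*)(?=\s*(?:,|$)|\s+(?![=\s]))')


def advertised_schemes(www_authenticate):
    """Lower-cased scheme names advertised in a WWW-Authenticate header value."""
    return [m.group(1).lower() for m in _SCHEME_RE.finditer(www_authenticate or "")]


def client_should_try_bearer(status, headers):
    """What a well-behaved DAV client does: send a Bearer token only after a 401
    whose WWW-Authenticate header lists the Bearer scheme (RFC 6750 section 3)."""
    if status != 401:
        return False
    return "bearer" in advertised_schemes(headers.get("WWW-Authenticate", ""))


def dav_handler(headers, verify_token):
    """Server side, returning (status, headers, body). Before the fix a bare 401
    went out; here every 401 carries a Bearer challenge so clients know to retry."""
    scheme, _, credentials = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}, "Unauthorized"
    if not verify_token(credentials.strip()):
        # RFC 6750 section 3.1: a rejected token is reported as error="invalid_token"
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}", error="invalid_token"'}, "Unauthorized"
    # stand-in for the real WebDAV multistatus body
    return 207, {"Content-Type": "application/xml; charset=utf-8"}, '<d:multistatus xmlns:d="DAV:"/>'


def client_flow(token, verify_token):
    """Unauthenticated probe, then a Bearer retry only if the server advertised it.
    Returns the final status code."""
    status, hdrs, _ = dav_handler({}, verify_token)
    if not client_should_try_bearer(status, hdrs):
        return status  # the client gives up, which is what happened before the fix
    status, _, _ = dav_handler({"Authorization": f"Bearer {token}"}, verify_token)
    return status


if __name__ == "__main__":
    is_valid = lambda t: t == "constructed-good-token"  # constructed stand-in for real validation
    print(client_flow("constructed-good-token", is_valid))
    print(client_flow("expired", is_valid))
```

The parser deliberately looks only at scheme names: a client that sees `Basic realm="Nextcloud"` alone has no standards-based reason to try a token, which is exactly the behaviour described in the note.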
Previously, we only returned a 401 response code without setting the WWW-Authenticate header accordingly to Bearer. As some clients won't attempt Bearer authentication in that case, we explicitly advertise Bearer authentication now.
Hey, thanks for your detailed notes. I now removed the part that caused the
I really want to use WebDAV to connect my Kodi to Nextcloud and it's a shame I cannot use OIDC. I like the idea here but I do have a few comments/requests.
Anyhow, hope some of this is possible.
Hey @mcesnik ,
The Bash script is for demonstration purposes only. It shows how the interaction with Nextcloud with the OIDC plugin enabled works. It uses the Keycloak Direct Grant to receive an access token from Keycloak and presents that token to Nextcloud. It could very well perform any other flow such as the auth code flow to obtain an access token.
Nextcloud natively supports Basic Authentication using username and password (see here). Hence, you don't need this plugin for that if the users' credentials are stored in Nextcloud. If you want to send your credentials to Nextcloud, which then exchanges those for an access token, this would generally be possible using the
The auth code flow generally requires user interaction by requesting a certain URL of the provider, which then redirects back to our application (see here). This is what already happens in this plugin (even without the changes presented in this MR). Once you enable this plugin in your Nextcloud instance, a new button will pop up on the login screen that lets users sign in. I hope that helps. This MR adds the possibility to access WebDAV by providing a previously obtained access token (e.g. by using the Thus, if Kodi is able to obtain an access token for a user, e.g. using the auth code flow, it can present that token to Nextcloud in the
@sirkrypt0 so my problem is I don't use the native username/password and Kodi is built on the premise of supplying them. I understand the script is an example but is the assumption that, when I call the I was kind of hoping there would be a way to take the whole request when
Finally I found time to try this - and yes, it works :-) I hope this can be merged soon, I think it's a huge step forward for this app and a differentiating factor from the other OIDC apps. Thanks for your great work!
This would be very helpful for me as well. Any news on that?
That's a feature the Nextcloud community has requested for a long time; this PR is actually the first one to implement it. Hope it will be merged soon too.
Sorry for the delay. Merged, thanks!
Hi. I run Nextcloud 22.1.1 with nextcloud-oidc-login v2.1.0. I installed a functional Roundcube 1.5beta with rcmcarddav 4.2.0, and I try to plug rcmcarddav into Nextcloud. The OIDC server is canaille (not Keycloak). The OIDC login works correctly both in Roundcube and Nextcloud. However, it seems that rcmcarddav does not succeed in authenticating against Nextcloud and I get a 401 error in the logs. This looks somewhat similar to the issue you had @mstilkerich and it seems you had a solution related to the Can you please provide more generic documentation? Is it a carddav, Nextcloud or nextcloud-oidc-login configuration error? Thank you for your help.
carddav.log
carddav_http.log
nextcloud config.php
```php
'oidc_login_provider_url' => 'https://auth.mydomain.tld',
'oidc_login_client_id' => 'xxxxx',
'oidc_login_client_secret' => 'yyyyyy',
'oidc_login_auto_redirect' => true,
'oidc_login_logout_url' => 'https://auth.mydomain.tld/logout',
'oidc_login_hide_password_form' => true,
'oidc_login_attributes' =>
array (
  'id' => 'sub',
  'name' => 'name',
  'mail' => 'email',
  'quota' => 'ownCloudQuota',
  'home' => 'homeDirectory',
  'ldap_uid' => 'uid',
  'groups' => 'groups',
),
'oidc_login_default_group' => '',
'oidc_login_use_external_storage' => false,
'oidc_login_scope' => 'profile email groups',
'oidc_login_proxy_ldap' => false,
'oidc_login_disable_registration' => false,
'oidc_login_redir_fallback' => false,
'oidc_login_tls_verify' => true,
'oidc_login_default_quota' => '10737418240',
'oidc_create_groups' => false,
'oidc_login_webdav_enabled' => true,
'oidc_login_public_key_caching_time' => 86400,
'oidc_login_min_time_between_jwks_requests' => 10,
'oidc_login_well_known_caching_time' => 86400,
```
carddav config.inc.php
```php
$prefs['_GLOBAL']['fixed'] = false;
$prefs['_GLOBAL']['hide_preferences'] = false;
$prefs['_GLOBAL']['pwstore_scheme'] = 'plain';
$prefs['_GLOBAL']['loglevel'] = \Psr\Log\LogLevel::DEBUG;
$prefs['_GLOBAL']['loglevel_http'] = \Psr\Log\LogLevel::DEBUG;
$prefs['Personnel'] = [
    'name' => 'Personnel',
    'url' => 'https://cloud.mydomain.tld/remote.php/dav/addressbooks/users/%l/contacts/',
    'username' => '',
    'password' => '%b',
    'active' => true,
    'readonly' => false,
    'refresh_time' => '02:00:00',
    'fixed' => [],
    'require_always' => ['email'],
    'hide' => false,
];
```
Hello, (From the error message you get from Nextcloud, you can see that rcmcarddav supplied a bearer token for authentication, but it was subsequently rejected, so I believe chances are the above is in fact the issue you are facing).
Thank you for the details. Is the I tuned my setup so the Now I face a new problem: I have set additional logs into the code, just here:
The token endpoint of my identity server returns an By setting a debug log in rcmcarddav, I can see that the Maybe it is more related to rcmcarddav and Roundcube and we should continue the discussion somewhere else?
This PR adds the ability to allow WebDAV access using an OIDC bearer token. This can be useful when using rclone WebDAV with OIDC to synchronize a users files from Nextcloud.
To avoid too much load on the OIDC provider, this PR also adds caching of the JWKs as well as the discovered OIDC configuration for a configurable amount of time.
I suggest reviewing this PR by going through the commits. I tried to make each commit a logical unit of change to aid in the review.
Testing
You can use the following script to test this functionality. To pass the token's audience check in OpenIDConnectClient.php, you will need to configure an audience mapper in Keycloak to ensure that your client is included in the aud property of the JWT. A hardcoded audience mapper is sufficient here. Basically follow these steps:
1. Under Client Scopes, create a new client scope named nextcloud.
2. Under Mappers, create a new mapper of type Audience and ensure that Included Client Audience contains your Nextcloud client ID. Click Save.
3. Go to Client > your-nextcloud-client > Client Scopes and add the new nextcloud scope.
If everything worked as expected, you should get a long XML response that looks something like this: