Hi everyone! We’re trying to use OwnCloud SSO via ...
# ory-network
g
Hi everyone! We’re trying to use OwnCloud SSO via OpenID Connect with Ory Network. The first step that the OwnCloud UI is doing is to retrieve the `.well-known/openid-configuration` endpoint. This fails due to CORS constraints. We’ve tried to enable CORS in the Ory Console under “OAUTH2 > Configuration” but there is no UI functionality to do so. Therefore, we’ve
- downloaded the config via `ory get project --format json $PROJECT_ID > $CFG_FILE`,
- edited the JSON config value `serve.public.cors.enabled`, and
- updated the config via `ory update oauth2-config --format json $PROJECT_ID --file $CFG_FILE`
Ory Console still shows CORS being disabled and doing a simple `curl` to the `.well-known/openid-configuration` does not show any `Access-Control-Allow-Origin` headers. Could you help?
We’ve come across this thread https://ory-community.slack.com/archives/C02MR4DEEGH/p1677242449844509?thread_ts=1674065982.729289&cid=C02MR4DEEGH, but the answers are older than 90 days and therefore we can’t read them anymore.
h
Have you tried setting the custom domain cors?
g
Yes, it’s activated.
You can check yourself:
```
curl -v https://auth.project-holi.org/.well-known/openid-configuration
```
h
What did you configure for that endpoint?
Sorry let me rephrase, I mean what’s your cors setting
g
Ah, it seems to work when I add the new domain for OwnCloud. This setting only had the other domains listed. I was assuming to see the `Access-Control-Allow-Origin` headers just with the `curl` command above but it seems those headers depend on the concrete query sent to Ory.
Nice. Thanks again @high-optician-2097 😉
h
Perfect, glad this worked!
g
@high-optician-2097 We’re having a follow-up problem that doesn’t make sense to me (yet), maybe you immediately know an answer. Login now works, we’re presented with login and consent screen for e.g. email, are being redirected to OwnCloud as it should be. Then, OwnCloud fails to validate the token that was previously retrieved from the `/oauth2/token` endpoint. Checking the token, it does in fact seem like it has an invalid signature. Any idea?
h
not sure, I don’t know owncloud unfortunately. the signature is valid if it was issued by ory, but maybe you have the wrong format (opaque vs jwt?)
g
Theoretically speaking, if I use the `id_token` from the response and paste it into jwt.io, it should show me that the signature is valid, right?
Not sure what you mean by opaque vs jwt, though
Oh, I just see OwnCloud tells me `failed to verify access token: token contains an invalid number of segments`.
Ah, I see. No, the token we receive definitely is (or claims to be) a JWT token. I can decode it:
```
$ jq -R 'split(".") | .[0],.[1] | @base64d | fromjson' <<< $TOKEN
{
  "alg": "RS256",
  "kid": "eb5753b3-fc18-4142-a734-c5584be8bac3",
  "typ": "JWT"
}
{
  ... (sensible data)
}
```
h
hm, strange
g
We just found out that OwnCloud uses the `access_token` from the response, NOT the `id_token`. It fails parsing it as a JWT token, because, in fact, it is no JWT token but a string starting with `ory_at_2ChNVZud….`.
Fixed that issue, changed hydra strategy to `jwt`: https://www.ory.sh/docs/hydra/guides/jwt
@high-optician-2097 We have found a follow-up problem for which we don’t know a solution yet. OwnCloud now successfully receives a JWT `access_token`. It now fails the validation due to the `iss` field being set to `flamboyant-hopper-h35q…` (the project slug) while OwnCloud is expecting the custom domain (`auth.project-holi.org`). The problem is: we can only use `auth.project-holi.org` because only for the custom domain CORS works. Using the project slug-based domain, CORS stops working and therefore the whole SSO process doesn’t even start. Is there a way to e.g. have the custom domain in the `iss` field of the token? Couldn’t find anything in the documentation.
Alternatively, also having CORS on the project slug domain could solve the issue equally.
h
🙈
i will check if you can override it
yeah looks like you can
`ory patch oauth2-config --replace '/urls/self/issuer="https://yourcname"'`
i think
g
Works! Awesome! Thanks! Have a nice weekend 🙂