Problem
Linux Desktop client (3.0.3) gets stuck in a webfinger discovery loop
when using OpenCloud 6.1.0 with Authentik as external IdP, even after
applying the workaround from #246 (consolidated single Authentik
provider for all client types).
Setup
- OpenCloud 6.1.0 (Server)
- Authentik with Same Identifier Mode (single global issuer
https://auth.example.com/)
- Single Authentik provider "OpenCloudDesktop" with consolidated
redirect URIs:
- Configuration via OC_OIDC_CLIENT_ID=OpenCloudDesktop (global fallback,
no per-platform WEBFINGER_*_OIDC_CLIENT_ID set)
- Web client and Android client work correctly with this setup
- Linux Desktop client (3.0.3 git build, also tested AppImage) does
NOT work
Symptoms
Login dialog flickers. Can't click "open browser" and/or "copy URL".
Root Cause Analysis
Desktop log shows repeated WebFingerInstanceLookupJob calls with:
"skipping invalid link 'https://auth.example.com/' with
rel 'http://openid.net/specs/connect/1.0/issuer'"
Server-side webfinger response (unauthenticated) returns only the OIDC
issuer rel, not the server-instance rel:
{
  "subject": "acct:any@cloud.example.com",
  "links": [{
    "rel": "http://openid.net/specs/connect/1.0/issuer",
    "href": "https://auth.example.com/"
  }]
}
The desktop client appears to require the
'http://webfinger.opencloud/rel/server-instance' link before
authentication, but per OpenCloud server design this link is only
provided for authenticated requests (security feature documented as
"Authentication is necessary to prevent leaking information about
existing users").
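To make the two-phase behaviour concrete, here is an added example (not the OpenCloud desktop client's code) of how a client can act on the webfinger response above without looping: an unauthenticated lookup that carries only the OIDC issuer rel is treated as "authenticate first, then look up again", and a second lookup that still lacks the server-instance rel is treated as a terminal error rather than a reason to retry. The two rel values come from the issue; the authenticated response body and the fetch/authenticate callbacks are constructed assumptions for the simulation.

```python
import json
from typing import Callable, List, Tuple

# rel values exactly as they appear in the issue's webfinger response and log lines
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
SERVER_INSTANCE_REL = "http://webfinger.opencloud/rel/server-instance"

# Constructed sample: the unauthenticated response quoted in the issue.
UNAUTHENTICATED_RESPONSE = json.dumps({
    "subject": "acct:any@cloud.example.com",
    "links": [
        {"rel": OIDC_ISSUER_REL, "href": "https://auth.example.com/"},
    ],
})

# Constructed sample (assumption): the shape of a response once the request carries a
# valid token, i.e. the issuer link plus the server-instance link the client needs.
AUTHENTICATED_RESPONSE = json.dumps({
    "subject": "acct:alice@cloud.example.com",
    "links": [
        {"rel": OIDC_ISSUER_REL, "href": "https://auth.example.com/"},
        {"rel": SERVER_INSTANCE_REL, "href": "https://cloud.example.com/"},
    ],
})


def hrefs_for_rel(doc: dict, rel: str) -> List[str]:
    """Return every https href whose link carries the requested rel; ignore the rest."""
    out = []
    for link in doc.get("links", []):
        if link.get("rel") != rel:
            continue
        href = link.get("href", "")
        if href.startswith("https://"):
            out.append(href)
    return out


def next_discovery_step(body: str, authenticated: bool) -> Tuple[str, str]:
    """Decide what the client should do after one webfinger round trip.

    Returns (action, value):
      ("authenticate", issuer)   unauthenticated lookup; issuer known, instance not yet disclosed
      ("connect", instance_url)  server-instance link present; discovery is finished
      ("error", reason)          nothing usable; stop instead of retrying
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return ("error", "webfinger body is not valid JSON")

    instances = hrefs_for_rel(doc, SERVER_INSTANCE_REL)
    if instances:
        return ("connect", instances[0])

    if authenticated:
        # The token was sent and accepted, yet no instance was disclosed.
        # Repeating the same request cannot change that, so stop here.
        return ("error", "authenticated lookup returned no server-instance link")

    issuers = hrefs_for_rel(doc, OIDC_ISSUER_REL)
    if len(issuers) != 1:
        return ("error", "expected exactly one OIDC issuer link, got %d" % len(issuers))
    # An issuer-only answer is the expected pre-login state: log in, then look up again.
    return ("authenticate", issuers[0])


def discover(fetch: Callable[[bool], str],
             authenticate: Callable[[str], None]) -> Tuple[str, str]:
    """Run the two-phase flow with a hard bound so a server that never discloses the
    instance cannot keep the client in a lookup loop.

    fetch(authenticated) returns a webfinger body; authenticate(issuer) performs login.
    """
    authenticated = False
    for _ in range(2):  # at most one unauthenticated and one authenticated lookup
        action, value = next_discovery_step(fetch(authenticated), authenticated)
        if action != "authenticate":
            return (action, value)
        authenticate(value)
        authenticated = True
    return ("error", "discovery did not converge after the authenticated lookup")


if __name__ == "__main__":
    # Simulated server (assumption): discloses the instance only to authenticated requests.
    def fake_fetch(authenticated: bool) -> str:
        return AUTHENTICATED_RESPONSE if authenticated else UNAUTHENTICATED_RESPONSE

    print(discover(fake_fetch, lambda issuer: print("login at", issuer)))
```

The bound of two round trips is the important part: the server withholding the server-instance link from anonymous callers is intended behaviour, so the client has to treat "issuer only" as an instruction to authenticate, and an authenticated answer without the link as a configuration error worth surfacing in the UI instead of something to poll for.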
Logs / Configuration
oc-version.txt
oc-issue.log
oc-webfinger-response.json
Related
https://github.com/opencloud-eu/opencloud/blob/main/docs/adr/0003-oidc-client-config-discovery.md
EDIT:
Same with the Windows Client