Replies: 12 comments
-
Hello, from my understanding of the OAUTH2 and OIDC specs:
From the keycloak setup described by the nextcloud-oidc-login, the ID token will not contain the nextcloud client ID in the intended audience, but the access token will. For your reference, I have added samples of an access token and an ID token below. So to my understanding, it is correct to use the access token to authenticate with the resource server, not the ID token. You should add the nextcloud client ID to the intended audience of the access token, not the ID token. Access Token{
"acr" : "1",
"allowed-origins" : [
"https://forge.mike2k.de"
],
"aud" : [
"owncloud",
"nextcloud",
"account"
],
"auth_time" : 1633095894,
"azp" : "roundcube",
"email" : "[email protected]",
"email_verified" : false,
"exp" : 1633096195,
"family_name" : "Bar",
"given_name" : "Foo",
"iat" : 1633095895,
"iss" : "http://localhost:8080/auth/realms/forge",
"jti" : "64eb4d9e-8b90-425e-9cf6-bcaa95d55135",
"name" : "Foo Bar",
"preferred_username" : "foo",
"realm_access" : {
"roles" : [
"default-roles-forge",
"offline_access",
"uma_authorization"
]
},
"resource_access" : {
"account" : {
"roles" : [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope" : "openid owncloud nextcloud email profile",
"session_state" : "d6b47813-b6ac-4aa3-9841-2f3ba5fa8c04",
"sub" : "61a81d0e-e273-4153-8bc9-29424bc70006",
"typ" : "Bearer"
} ID Token "acr" : "1",
"at_hash" : "xyz",
"aud" : "roundcube",
"auth_time" : 1633097065,
"azp" : "roundcube",
"email" : "[email protected]",
"email_verified" : false,
"exp" : 1633097365,
"family_name" : "Bar",
"given_name" : "Foo",
"iat" : 1633097065,
"iss" : "http://localhost:8080/auth/realms/forge",
"jti" : "1f21761f-3f27-4d6a-8aaa-e5d85d6db1b2",
"name" : "Foo Bar",
"preferred_username" : "foo",
"session_state" : "9571afec-4659-45d2-97b9-bfd1a7f8d269",
"sub" : "61a81d0e-e273-4153-8bc9-29424bc70006",
"typ" : "ID"
} |
Beta Was this translation helpful? Give feedback.
-
Concerning the second part of your question: Yes, keycloak provides a JWT also for the access token (see above). In case of an opaque access token like in your case, the resource server would have to check with the userinfo introspection endpoint to acquire the needed information on the token, particularly the scope / audience in this case. |
Beta Was this translation helpful? Give feedback.
-
I think this is the source of the misunderstanding. The So I think the safe behavior would be to expect access token NOT being JWT, as it is not required by the specifications, and other identity provider does not necessarily generate JWT access tokens. As nextcloud-oidc-login expects a JWT to authenticate users, I think rcmcarddav should just try to authenticate with the
👍
This is my understanding too. ID token can be used for three purposes:
Ok with that. But as I said earlier, token payloads and claims (including
Ok, but nextcloud is both a client and a resource service, ain't it? A client because it has its own client ID and authenticate users against the server, and a resource service because it knows about users addressbooks, and can be requested by others clients for those information.
Ok, but as I just said, this should not make a difference here. So what would you think of trying both |
Beta Was this translation helpful? Give feedback.
-
I understand that OAUTH2 does not define any semantics concerning the token. I posted the keycloak tokens as a confirmation to your assumption that keycloak provides an access token as a JWS, and to show details on the aud claims contained in id token and access token. However, with an opaque access token, the resource server has to perform validation of the token by talking to the auth server (here: OIDC provider), either by some proprietary mechanism or using the token introspection endpoint (RFC7662). In case of a JWT, the resource server has the additional option to perform local validation by verification of the JWT signature and content. Concerning the WebDAV API, the role of nextcloud is that of a resource server. In other constellations, particularly when logging into the nextcloud Web UI, nextcloud would indeed take the role of a client, but not when serving as CardDAV service to a roundcube client. The original supported use case of the nextcloud-oidc-login app was the latter - in that case, it is valid for the app to assume retrieving an ID token in JWT format. However, with the WebDAV API and its role as a resource server, I think it is wrong to expect the access token to be in JWT format. So IMO the solution would be in the nextcloud-oidc-login app - in case it detects that the provided token is not a valid JWT, it should fall back to querying the token introspection endpoint to retrieve information on the user and verify the validity of the provided token. The used library I'm a bit uneasy concerning the use of the id token for authentication with the CardDAV service just because it works, because I'm not sure about the security implications. The spec says the access token is meant as a means of authorization evidence with the resource servers. Googling for that topics yields answers from "don't use the ID token for auth" to "I think it's okay if the resource server and the client belong to the same realm of trust / are operated by the same party". Concrete concerns I found are related to confidentiality of personal data within the ID token that the resource server might not be authorized to see. Therefore, I would rather not forward the ID token, unless I understand it is a sane thing to do, ideally from official documentation / specs. Making a configuration option for the end user would shift responsibility, but it also complicates configuration - I guess many end users won't know the difference between the two types of tokens. Also with keycloak, the ID token would not work as the target audience check would fail on the resource server side. |
Beta Was this translation helpful? Give feedback.
-
I submitted a patch to nextcloud-oidc-login that allows WebDAV authentication with regular access tokens. For the debugging I tried to use the |
Beta Was this translation helpful? Give feedback.
-
Hello, yes, as long as you are logged into roundcube via oauth, rcmcarddav can use the access token. It has no other way to authenticate with the Carddav server. If you turn on http debug logging, you can observe the requests in the carddav_http.log |
Beta Was this translation helpful? Give feedback.
-
When I submitted the preference panel form, in carddav_http.log I can see this kind of messages. |
Beta Was this translation helpful? Give feedback.
-
There is no need for a configuration option, it is supposed to work. You should get an error message if it does not. In the logs, can you check that the request leading to the "No Authorization header found" response is not followed by the same request again, this time with the proper Authorization header? It is normal that there will be a 401 first, to negotiate the supported Auth schemes with the server. But in the next request, rcmcarddav should try with the propere authentication. |
Beta Was this translation helpful? Give feedback.
-
I guess this issue can be closed then? If there is something left, please reopen. |
Beta Was this translation helpful? Give feedback.
-
Hi. However now I find my identity server receive a lot of requests, and among others, on the introspection endpoint. Using the roundcube/roundcubemail#8214 has been fixed in roundcube 1.5.2 so the
Is the upstream answer reassuring to you?
I suggest keeping the current behavior by default, but let advanced users configure this. The I am still interested in providing a patch. What do you think? |
Beta Was this translation helpful? Give feedback.
-
Hi, My stance on thisMy understanding (from reading the OAUTH2/OIDC spec) is that what OIDC adds on top of OAUTH2 is primarily concerned with providing identity information to the client. This profile information contains extended user information (email address, phone number, address) that is not normally needed by the backend servers and therefore should not be passed. On the other hand, we have an access token from OAUTH2, which is meant to enable the client to access the granted subset of the user's resources and the resource servers on behalf of the user. Which resources and backend services the access token provides access to can be restricted based on aud and scope claims in the access token. I see that it is possible to put all claims (e.g. aud/scope) needed for a token to be accepted as an access token by a resource server into the ID token, and therefore use it as an access token. But still I believe this is not the way the tokens are meant to be used. At least, we disclose more information than needed on the personal data of the user to the resource servers. So I think the proper solution to achieve what you want (avoid token introspection by the resource servers) is to use JWT also for the access token. I understand that your ID server implementation appear to not allow that, but IMO this is what should be addressed, using the ID token to gain access to resources seems like a workaround. Personally, I wonder why the decision was made to use something else than a JWT for the access token representation when you have all the infrastructure / code needed for it already in place for issuing ID tokens. Anyway, in keycloak it is possible to define very precisely the claims contained in an access token issues to a client. Using a JWT for the access token is not moving away from the OAUTH2 specs, since they make no definition of the access token representation. But the JWT specs (RFC 7519) could be used here for the representation of the access token, so I would not see this as the ecosystem adapting to a famous implementation. Thoughts on your setupWhy are you so focused on rcmcarddav concerning the request load? Depending on the configured refresh time (you can define this as an admin in the config), there should only be occasional communication to the CardDAV server from roundcube. I would expect a lot more communication between roundcube and the IMAP server, and there also roundcube will use the access token and not the id token for authentication. Thoughts on an option in rcmcarddavWhile it is now possible for rcmcarddav to access to ID token, it is not as simple as using the access token. Roundcube keeps the access token in the session, so rcmcarddav can access it whenever needed. The ID token is not kept in the session but only provided to the plugin when the token is acquired from the ID server. So rcmcarddav would have to take care of storing the token somewhere itself. Apart from that, I am frankly reluctant to add new configuration options to the code base, which I am trying to move to a state where pretty much all of the features are also tested. This would be a feature requiring a special test setup in the test environment. So all in all, it would be a lot of work for what I believe is a workaround for the inability of your ID server to use JWT for the access token, which is what you should have if you want to use localized token validation. |
Beta Was this translation helpful? Give feedback.
-
The recent RFC9068 seems to go in your direction, as it defines JWT access tokens. |
Beta Was this translation helpful? Give feedback.
-
Hi. We can see in the following piece of code that rcmcarddav uses the
access_token
provided by identity servers to authenticate users against the carddav server:rcmcarddav/src/Config.php
Lines 149 to 153 in 512bcb6
However some carddav server authentications services, like nextcloud-oidc-login need a JWT so it can check the
aud
claim that would be expected to find inid_token
. Given what you say here I suppose Keycloak set a JWT in theaccess_token
token endpoint response, so your setup works well (Do you confirm?). However canaille set a regular token inaccess_token
(and not a JWT), thus rcmcarddav gives nextcloud a token it cannot read. This seems to be the regular way to do, as the OIDC specification shows.I suggest detecting the presence of
id_token
in$_SESSION['oauth_token']
and if present, use it instead ofaccess_token
.Currently roundcube is not ready for this, but I have opened a discussion there: roundcube/roundcubemail#8214
I volunteer to provide a patch if it is OK with you.
Beta Was this translation helpful? Give feedback.
All reactions