Login not possible via OIDC when using LE cert for key signing

Nextcloud version (eg, 20.0.5): 27.0.0
Operating system and version (eg, Ubuntu 20.04): NixOS 23.05
Apache or nginx version (eg, Apache 2.4.25): nginx 1.24.0
PHP version (eg, 7.4): 8.2.7

The issue you are facing:

We are currently using OIDC auth on the Nextcloud instance, with user_oidc and authentik - https://goauthentik.io/
In authentik, we have a self-signed RSA cert and an LE elliptic curve cert.
The algo used for the RSA cert is RS256, and for the EC cert ES256.
When using the RSA key, login is working fine.
However, when using the EC key, we are faced with the following error:

No supported algorithms found in JWK Set

We checked the Firebase JWT source, and both algos are in there.
Furthermore, when we set the following settings for the user_oidc plugin:

'userinfo_bearer_validation' => false,
'selfencoded_bearer_validation' => false,

to disable validation, we see a different error:

"kid" invalid, unable to lookup correct key

Any idea what the problem could be?

Thanks,
derchris
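The two messages in the post come from the step where the identity provider's JWK Set is turned into a table of verification keys and the token's "kid" header is looked up in it. The following is an added, simplified model of that step in Python; it is not code from user_oidc or from the Firebase php-jwt library, and the supported-algorithm list, the kty/crv-to-alg inference table, the JWK Set and the token headers are all assumptions or constructed sample data for this illustration. It shows how a key whose algorithm is not on the supported list is dropped silently, so that a token signed with it can no longer be matched by kid, and how an empty result produces the "No supported algorithms" error instead.

```python
"""Added example (not from the original post, user_oidc or php-jwt):
a minimal model of how a JWK Set becomes a kid -> key table and how the
two errors quoted in the post can arise from that step. All keys, kids
and tokens below are constructed sample data, not real credentials."""
import base64
import json

# Assumption for this example: the JWS algorithms the verifier accepts.
# The real app/library has its own list; compare against what you inspect.
DEFAULT_SUPPORTED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384"}

# Assumed mapping used to infer an algorithm when a JWK carries no "alg".
_INFERRED_ALG = {
    ("RSA", None): "RS256",
    ("EC", "P-256"): "ES256",
    ("EC", "P-384"): "ES384",
}


def effective_alg(jwk):
    """Return the algorithm a JWK advertises, or an inferred one (or None)."""
    if "alg" in jwk:
        return jwk["alg"]
    return _INFERRED_ALG.get((jwk.get("kty"), jwk.get("crv")))


def parse_jwk_set(jwks, supported_algs=DEFAULT_SUPPORTED_ALGS):
    """Keep only keys whose algorithm is supported and index them by kid.

    Raises ValueError('No supported algorithms found in JWK Set') when
    nothing usable is left, the first error quoted in the post."""
    keys = {}
    for jwk in jwks.get("keys", []):
        alg = effective_alg(jwk)
        if alg is None or alg not in supported_algs:
            continue  # dropped silently: this is how an EC key can vanish
        if "kid" not in jwk:
            continue
        keys[jwk["kid"]] = {"alg": alg, "kty": jwk["kty"], "jwk": jwk}
    if not keys:
        raise ValueError("No supported algorithms found in JWK Set")
    return keys


def b64url_decode(segment):
    """Decode base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def select_key(keys, token):
    """Look up the verification key named by the token header's kid.

    Raises ValueError('"kid" invalid, unable to lookup correct key') when
    the kid is not in the table, the second error quoted in the post."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    kid = header.get("kid")
    if kid not in keys:
        raise ValueError('"kid" invalid, unable to lookup correct key')
    if header.get("alg") != keys[kid]["alg"]:
        raise ValueError("token alg does not match key alg")
    return keys[kid]


def diagnose(jwks, token, supported_algs=DEFAULT_SUPPORTED_ALGS):
    """Run both steps and report which error, if any, a token would hit."""
    try:
        keys = parse_jwk_set(jwks, supported_algs)
        select_key(keys, token)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample JWK Set: one RSA key and one P-256 EC key (dummy values).
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "rsa-selfsigned", "alg": "RS256", "use": "sig",
         "n": "AQAB", "e": "AQAB"},
        {"kty": "EC", "kid": "le-ec", "alg": "ES256", "crv": "P-256",
         "use": "sig", "x": "AA", "y": "AA"},
    ]
}


def make_token(header):
    """Build a compact JWS-shaped string with the given header (sample only;
    the payload is an empty object and the signature is a placeholder)."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return h + ".e30.sig"


RSA_TOKEN = make_token({"alg": "RS256", "kid": "rsa-selfsigned", "typ": "JWT"})
EC_TOKEN = make_token({"alg": "ES256", "kid": "le-ec", "typ": "JWT"})

if __name__ == "__main__":
    print(diagnose(SAMPLE_JWKS, RSA_TOKEN))
    print(diagnose(SAMPLE_JWKS, EC_TOKEN))
    # A verifier that only knows RSA algorithms drops the EC key, so an
    # ES256 token can no longer be matched by kid:
    print(diagnose(SAMPLE_JWKS, EC_TOKEN, {"RS256"}))
    # A set containing only the EC key under the same restriction:
    print(diagnose({"keys": SAMPLE_JWKS["keys"][1:]}, EC_TOKEN, {"RS256"}))
```

When debugging a setup like the one in the post, fetch the provider's JWKS URL and check each key's "kty", "crv", "alg" and "kid" against the token header; if the EC key is present in the set but the app still reports one of these errors, the filtering happens on the app or library side rather than at the provider.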

I found this bug report on the bug tracker:


Looking at the JWT plugin, both are supported:

When I install the current version of OIDC, it comes with a new version of JWT that supports ES256. The app for me is called “OIDC Identity Provider” and is installed under apps/oidc.
Here you see the changelog of JWT version and what was added recently: apps/oidc/vendor/firebase/CHANGELOG.md

If it is not the library, then somewhere in the app it is blocked or filtered. But in such cases, you need to check with the already linked bug report. They know best why it is not working, whether it can be easily added, or whether there might be other problems.