User_oidc and django-oidc-provider do not work together


Nextcloud version: 28.0.3 (docker image)
Operating system and version: Debian 12
Apache or nginx version: Apache 2.4.57
PHP version: 8.2.16

The issue you are facing:
After successful authentication to the Django-based IdP, Nextcloud displays the error “Access Forbidden, Failed to contact the OIDC provider token endpoint”

The error message seems to be reasonable because user_oidc sends a GET request instead of a POST to the identity provider’s token endpoint and receives HTTP status 405, which finally causes the error I mentioned above.

As I don’t believe I’m the first person worldwide trying this kind of integration I think I must be wrong somewhere and am looking for some hints.

Is this the first time you’ve seen this error? : Y

Steps to replicate it:

  1. Install required components
  2. Configure OIDC client
  3. Start authentication process

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

This module has its own configuration outside of the config.php (I think)

Thank you in advance.

hi @dleonarski welcome to the forum :handshake:

I hit the same issue with the Zitadel IdP after upgrading to 28.0.2 and user_oidc app 1.3.6 and created the following GitHub issue: PKCE doesn't work after upgrade to NC28.0.2 and user_oidc 1.3.6 · Issue #806 · nextcloud/user_oidc · GitHub. If I’m not wrong, the root cause is that PKCE is disabled by default now and as a workaround you can fall back to a client secret (confidential client?). It would be great if you add your observations to this issue.

Hi, WWE.

Thank you for your activity here. I will undoubtedly pursue this topic further.
Unfortunately, it’s getting late in “Europe/Warsaw” so I will return here ASAP.

BTW, I think PKCE is disabled on IDP site and client is marked as confidential already but looks like I have to do my homework.

BTW 2, user_oidc=5.0.1

Regards, Dariusz

My fault: .well-known/openid-configuration/ contained links in the form “http://” causing redirection to “https://…” and forcing GET method instead of POST.

Fortunately, I’m a step further and still fighting.

Will let you know.
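The root cause above (a discovery document that advertises `http://` endpoints while the server redirects to `https://`, and the redirect turning the token POST into a GET) is easy to check before wiring up a client. The following is an added example, not code from the thread, from user_oidc or from django-oidc-provider: a small validator for an OIDC `.well-known/openid-configuration` document that flags endpoints whose scheme or host does not match the issuer, plus a helper modelling how common HTTP clients change the request method on each redirect status. The hostname `idp.example.test` and the sample document are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Constructed sample discovery document (placeholder host, not from the thread).
# It reproduces the misconfiguration described in the post: the issuer is https
# but the endpoints the client will call are advertised as plain http.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/openid",
    "authorization_endpoint": "http://idp.example.test/openid/authorize/",
    "token_endpoint": "http://idp.example.test/openid/token/",
    "userinfo_endpoint": "http://idp.example.test/openid/userinfo/",
    "jwks_uri": "https://idp.example.test/openid/jwks/",
})

# Endpoint keys a relying party such as user_oidc typically uses.
ENDPOINT_KEYS = (
    "authorization_endpoint",
    "token_endpoint",
    "userinfo_endpoint",
    "jwks_uri",
    "end_session_endpoint",
)


def method_after_redirect(method, status):
    """Method most HTTP clients use on the follow-up request after a redirect.

    301/302/303 cause clients (curl, requests, PHP's curl binding with default
    options) to re-issue a POST as a GET; 307/308 preserve the original method.
    """
    if status == 303 or (status in (301, 302) and method == "POST"):
        return "GET"
    return method


def check_discovery(doc_text):
    """Return a list of findings for a discovery document; empty means clean."""
    doc = json.loads(doc_text)
    issuer = urlparse(doc.get("issuer", ""))
    findings = []
    if issuer.scheme != "https":
        findings.append("issuer is not https")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:  # optional endpoint, skip
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            # A 301/302 to https would change the token POST to GET -> 405 at the IdP.
            findings.append(
                f"{key} uses {parsed.scheme}://; a redirect to https turns "
                f"POST into {method_after_redirect('POST', 302)}"
            )
        if parsed.netloc != issuer.netloc:
            findings.append(
                f"{key} host {parsed.netloc!r} differs from issuer host {issuer.netloc!r}"
            )
    return findings


def fetch_discovery(issuer_url, timeout=10):
    """Fetch the live discovery document for an issuer (network access required)."""
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for finding in check_discovery(SAMPLE_DISCOVERY) or ["discovery document looks clean"]:
        print(finding)
```

Run it against the real issuer with `check_discovery(fetch_discovery("https://your-idp/openid"))`; for django-oidc-provider the usual fix for `http://` links in the document is making sure the application sees the original scheme behind the TLS-terminating proxy, so that the generated endpoint URLs match the issuer.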

WOW :crazy_face: looks like somebody had sleepless nights… bringing the version from 1.3.6 to 5.0.1 within days!!!

but yes, in fact my version now is 5.0.1… and I have to upgrade my production system as well… look, there is no way to use PKCE so far, but it works well using a client secret