Use webfinger for OIDC parameter discovery by kaivol · Pull Request #847 · opencloud-eu/desktop

kaivol · 2026-03-17T22:06:47Z

Closes #811.

Client side implementation of the changes described in https://github.com/opencloud-eu/opencloud/blob/main/docs/adr/0003-oidc-client-config-discovery.md.

Based on #776.

RichardFevrier · 2026-04-28T11:20:27Z

Did this PR worked for you @kulmann ?

Just tried it without success on my side, when both web + iOS are working perfectly.

I have tested the webfinger with:

curl -L cloud.mydomain.com/.well-known/webfinger?resource=https://cloud.opencloud.test&rel=http://openid.net/specs/connect/1.0/issuer&platform=desktop | jq
  % Total    % Received % Xferd  Average Speed  Time    Time    Time   Current
                                 Dload  Upload  Total   Spent   Left   Speed
  0      0   0      0   0      0      0      0                              0
100    305 100    305   0      0   2324      0                              0
{
  "subject": "https://cloud.opencloud.test",
  "properties": {
    "http://opencloud.eu/ns/oidc/client_id": "OpenCloudDesktop",
    "http://opencloud.eu/ns/oidc/scopes": [
      "openid",
      "profile",
      "email",
      "groups",
      "offline_access"
    ]
  },
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://auth.mydomain.com"
    }
  ]
}

Which returns groups that is mandatory on my setup since Authelia groups binds to OpenCloud roles.

But when the Authelia page appears I can see that groups are not part of the request.

Edit:
debugged it further:

26-04-28 13:38:21:512 [ debug sync.credentials.oauth ]  [ OCC::OAuth::openBrowser ]:    opening browser
26-04-28 13:38:21:512 [ debug sync.credentials.oauth ]  [ isUrlValid ]: Checking URL for validity: QUrl("https://auth.mydomain.com/api/oidc/authorization?response_type=code&client_id=OpenCloudDesktop&redirect_uri=http://127.0.0.1:32979&code_challenge=Kgkj2cHF9MwXPDyTkZETDhc4Pv07hAXBxgSV8DfBhCI&code_challenge_method=S256&scope=openid offline_access email profile&prompt=consent select_account&state=c5bNXSEMgYIazaZ3aMqJjz3mI7SfpbP00YlzmVl-Q2w%3D")
[2] Sandbox: CanCreateUserNamespace() clone() failure: EPERM

You can see that scopes (scope=openid offline_access email profile) doesn't contain groups.

kaivol · 2026-04-29T19:16:09Z

@RichardFevrier thanks for testing the PR!
I made some changes, so it should work now.

~~I also bumped the C++ standard version to 23, i hope this is fine.~~

RichardFevrier · 2026-04-29T22:32:14Z

Thanks for your work @kaivol I'll test that tomorrow! 🤩

guruz · 2026-05-07T05:47:13Z

@RichardFevrier Have you tested this PR? :)

guruz · 2026-05-07T07:16:46Z

@kaivol FYI CI ^ says this:

/Users/runner/work/desktop/desktop/src/libsync/creds/oauth.cpp:622:35: error: no member named 'join_with' in namespace 'std::__1::ranges::views'
  622 |                     | std::views::join_with(QStringLiteral(" "))
      |                       ~~~~~~~~~~~~^

Might be related to

I also bumped the C++ standard version to 23, i hope this is fine.

I can't say anything to this topic specifically, if it's easier to keep a lower C++ standard or check if all our platforms would support 23.
CC @TheOneRing

kaivol · 2026-05-07T19:21:15Z

@guruz Thanks for bringing that up.
I got rid of the join_with call and implemented the logic in a good ol' loop: diff

guruz · 2026-05-08T15:44:54Z

@kaivol one more failure :) ^

@TheOneRing FYI, i can't seem to be able to ask macos and windows to re-run if linux already failed ^

kaivol · 2026-05-08T17:54:18Z

I'm a little confused, the CI error seems to be in the OpenVFS plugin, not at all related to my changes 😕
A quick look at the CI overview shows that builds are failing for some time already.

guruz · 2026-05-09T08:42:32Z

@kaivol You're right, sorry!
Could you re-base on current main branch, it should be green now for Linux.
https://github.com/opencloud-eu/desktop/commits/main/

guruz · 2026-05-09T11:28:24Z

^ OAuth test fails

kaivol · 2026-05-09T18:23:05Z

Okay, I adjusted the OAuth test and added a response for the .well-known/webfinger request.

Let me know if you agree with the changes.

Override openIdConnectScopes() in OpenCloudTheme to include the "groups" scope alongside the default openid/offline_access/email/profile set. IDPs that scope-gate their group claim (Authelia, Keycloak and Authentik in default config) only emit it when the corresponding scope is requested in the authorization request. Without it, server-side role mapping via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=groups fails with "no roles in user claims" and login dies on the post-OAuth user-info step with "Failed to get user info from server". Stopgap until opencloud-eu#847 (webfinger-based OIDC parameter discovery) lands upstream. Refs opencloud-eu#217. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

guruz · 2026-06-06T09:20:13Z

I can confirm this PR works, I'm logged in a test server with a different client_id and additional scopes.

I'll post my review comments later, it's only small stuff I think.

Thank you for the PR @kaivol

By the way I see this in log:

26-06-06 11:18:37:232 [ warning sync.credentials.manager ]:	set "OpenCloud_credentials:(REMOVED).opencloud.rocks:f6fc19c6-aad5-43ba-a244-191f75967795:http/oauthtoken" has not yet finished. duration(0h, 3min, 45s, 491ms)

guruz · 2026-06-08T07:27:56Z

Here in code before, it differs in error signal emission if it's about refresh token or not:
https://github.com/kaivol/opencloud-desktop/blob/b7e471209a0ede21fb12b59bd22aba26bfbad19e/src/libsync/creds/oauth.cpp#L646

While your new code does not:
https://github.com/kaivol/opencloud-desktop/blob/b7e471209a0ede21fb12b59bd22aba26bfbad19e/src/libsync/creds/oauth.cpp#L556
(and following emissions)

Maybe you could just always emit both in your added code (would need to be checked and tested if really only one is connected)?
Q_EMIT result(Error);
Q_EMIT refreshError(Error);
Or of course check if (_isRefreshingToken) and only emit one of them.

kaivol · 2026-06-08T21:44:06Z

I took a look at the current OAuth::fetchWellKnown function and now I'm a little confused about the emitted signals:

On network error, we emit result(Error) (or refreshError(...) if _isRefreshingToken)
If the JSON value is illegal we emit fetchWellKnownFinished()
On any other JSON related issue we emit both result(Error) and fetchWellKnownFinished()

Also, the _wellKnownFinished variable is set to true before a signal is emitted.

Could you please clarify the meaning of _wellKnownFinished and the different signals, in particular which signals should be emitted under which conditions?

guruz · 2026-06-09T09:56:31Z

I was more talking about the lack of refreshError being emitted.

This is about the refresh token:
https://github.com/kaivol/opencloud-desktop/blob/b7e471209a0ede21fb12b59bd22aba26bfbad19e/src/libsync/creds/httpcredentials.cpp#L264

Signal refreshError (but not error) is connected a few lines above:
https://github.com/kaivol/opencloud-desktop/blob/b7e471209a0ede21fb12b59bd22aba26bfbad19e/src/libsync/creds/httpcredentials.cpp#L246

So _oAuthJob->refreshAuthentication(_refreshToken) is called.
Which then here https://github.com/kaivol/opencloud-desktop/blob/b7e471209a0ede21fb12b59bd22aba26bfbad19e/src/libsync/creds/oauth.cpp calls fetchWellKnown() (from restored()) ..
Which (...) then sends a webfinger request https://github.com/kaivol/opencloud-desktop/blob/b7e471209a0ede21fb12b59bd22aba26bfbad19e/src/libsync/creds/oauth.cpp#L552
When then here
https://github.com/kaivol/opencloud-desktop/blob/b7e471209a0ede21fb12b59bd22aba26bfbad19e/src/libsync/creds/oauth.cpp#L556 and https://github.com/kaivol/opencloud-desktop/blob/b7e471209a0ede21fb12b59bd22aba26bfbad19e/src/libsync/creds/oauth.cpp#L563 and https://github.com/kaivol/opencloud-desktop/blob/b7e471209a0ede21fb12b59bd22aba26bfbad19e/src/libsync/creds/oauth.cpp#L573 (... etc following)
doesn't emit refreshError but just error.
So it gets stuck here (in error case) while refreshing token.

On network error, we emit result(Error) (or refreshError(...) if _isRefreshingToken)

No you're not for the webfinger stuff, see my links ^
Only the code for the later req.setUrl(oidcWellKnownUrl); does (partly, hmmm)

Could you please clarify the meaning of _wellKnownFinished and the different signals, in particular which signals should be emitted under which conditions?

I cannot, I'm not versed with this code :) I was only wondering about the error vs refreshError.

guruz · 2026-06-15T13:56:27Z

@kaivol Do you need any help? Do you want me to do the commit on top of your changes?

Other than that, I think your PR could be merged...

(if @TheOneRing @dragotin don't disagree)

guruz · 2026-06-15T17:56:51Z

@kaivol I did it here: c4c9e91

If you agree with the code, do you want to cherry-pick it into your PR here?

Otherwise I can also add it as new PR if necessary.

For opencloud-eu#847

kaivol · 2026-06-18T20:55:30Z

+                        Q_EMIT refreshError(QNetworkReply::NoError, QStringLiteral("Could not parse OIDC discovery response: %1").arg(err.errorString()));
+                    } else {
+                        Q_EMIT result(Error);
+                    }


Should there be a return after emitting the error signal?

Probably yes, although there was not in original code!? https://github.com/opencloud-eu/desktop/pull/847/changes/BASE..52d360a904a9ee83fd8daec331a7b0e9ece1330a#diff-030afc7423b8921f965c6ffa0af5f7312a2e7aa06e1046628ddbde8e6394ac50L599

Maybe check what happens in fetchWellKnownFinished slot what would happen in this path if it is called in that case?

kaivol · 2026-06-18T21:00:39Z

@@ -689,7 +713,11 @@ void OAuth::fetchWellKnown()
                    qCDebug(lcOauth) << u"failed to parse .well-known reply as JSON, server might not support OIDC";


While we're at it: Is it correct, that this particular JSON error is handled differently than all other JSON errors?

Legacy code, might be from long time ago from servers before OIDC? Would need to git blame and git deep to find out this one...
Could still happen with a mis configured server or proxy?

But now I see what you mean, there is no error emission there either... weird. Should probably also emit error adn return?!

kaivol · 2026-06-18T21:20:59Z

@guruz Thanks for the detailed explanation!
I’ve been pretty busy the last few days, so it took me a while to fully understand everything.

I cherry-picked your commit, and also added two comments you might want to take a look at.

….well-known/openid-configuration`

…oud#2072)

For opencloud-eu#847

kaivol · 2026-06-20T20:49:44Z

I did some more changes to the error handling, trying to keep your comments in mind.
Let me know if you agree.

kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from b345a3c to 063efde Compare April 7, 2026 10:21

kaivol marked this pull request as ready for review April 7, 2026 10:22

budimanjojo mentioned this pull request Apr 14, 2026

Use webfinger for OIDC parameter discovery #811

Open

kulmann requested a review from dragotin April 28, 2026 07:15

kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from 063efde to 01406ed Compare April 29, 2026 19:03

guruz requested review from TheOneRing and guruz May 7, 2026 05:59

kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from 01406ed to 5e7ecb7 Compare May 7, 2026 19:07

kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from 5e7ecb7 to e259baa Compare May 8, 2026 17:27

kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from e259baa to dbeb743 Compare May 9, 2026 08:51

kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from a83044a to b7e4712 Compare May 9, 2026 18:22

KaroUniform mentioned this pull request May 26, 2026

fix(theme): request 'groups' OIDC scope in OpenCloud theme KaroUniform/desktop#1

Merged

4 tasks

This comment was marked as off-topic.

Sign in to view

guruz added the Type:Feature label Jun 7, 2026

kaivol pushed a commit to kaivol/opencloud-desktop that referenced this pull request Jun 18, 2026

Webfinger: Also emit refreshError

52d360a

For opencloud-eu#847

kaivol commented Jun 18, 2026

View reviewed changes

kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from 79380d7 to fb59aba Compare June 20, 2026 13:56

kaivol and others added 6 commits June 20, 2026 16:00

remove unnecessary webfinger query

de9e7c3

query WebFinger for the current OIDC issuer everytime we fetch the `/…

07584c7

….well-known/openid-configuration`

discover OIDC parameters from WebFinger (based on opencloud-eu/opencl…

9e0259c

…oud#2072)

add response to .well-known/webfinger in testoauth so that tests pass

584d723

Webfinger: Also emit refreshError

8cd3cfc

For opencloud-eu#847

simplify error handling in OAuth::fetchWellKnown

b625d9f

kaivol force-pushed the use-webfinger-for-oidc-parameter-discovery branch from fb59aba to b625d9f Compare June 20, 2026 14:00

		@@ -689,7 +713,11 @@ void OAuth::fetchWellKnown()
		qCDebug(lcOauth) << u"failed to parse .well-known reply as JSON, server might not support OIDC";

Conversation

kaivol commented Mar 17, 2026

Uh oh!

RichardFevrier commented Apr 28, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kaivol commented Apr 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

RichardFevrier commented Apr 29, 2026

Uh oh!

guruz commented May 7, 2026

Uh oh!

guruz commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kaivol commented May 7, 2026

Uh oh!

guruz commented May 8, 2026

Uh oh!

kaivol commented May 8, 2026

Uh oh!

guruz commented May 9, 2026

Uh oh!

guruz commented May 9, 2026

Uh oh!

kaivol commented May 9, 2026

Uh oh!

guruz commented Jun 6, 2026

Uh oh!

This comment was marked as off-topic.

guruz commented Jun 8, 2026

Uh oh!

kaivol commented Jun 8, 2026

Uh oh!

guruz commented Jun 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

guruz commented Jun 15, 2026

Uh oh!

guruz commented Jun 15, 2026

Uh oh!

kaivol Jun 18, 2026

Choose a reason for hiding this comment

Uh oh!

guruz Jun 19, 2026

Choose a reason for hiding this comment

Uh oh!

kaivol Jun 18, 2026

Choose a reason for hiding this comment

Uh oh!

guruz Jun 19, 2026

Choose a reason for hiding this comment

Uh oh!

guruz Jun 19, 2026

Choose a reason for hiding this comment

Uh oh!

kaivol commented Jun 18, 2026

Uh oh!

kaivol commented Jun 20, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

RichardFevrier commented Apr 28, 2026 •

edited

Loading

kaivol commented Apr 29, 2026 •

edited

Loading

guruz commented May 7, 2026 •

edited

Loading

guruz commented Jun 9, 2026 •

edited

Loading