• WP OAuth Server version: 4.2.3
    Client: OpenID Connect Nextcloud app

    When attempting to use OpenID Connect with WPOAuth Server, the client throws an error: Undefined array key “id_token”.

    That would likely go away if I could enable “Allow OpenID Connect”, but I can’t, because the checkbox is disabled.

    Is this a Pro feature?

  • Plugin Author Justin Greer

    (@justingreerbbi)

    Hi,

    Sorry for the issues. Please allow me some time to look into the code and see what the possibilities could be that are causing the issue.

    Can you share with me the platform if any that you are using OpenID Connect with?

    Thanks

    Thread Starter ccsmithwp

    (@ccsmithwp)

    Hi Justin,

    This is a lot more information than you asked for, but you can just ignore what you don’t need:

    I’m running WP OAuth Server – CE (4.2.3), with WordPress 6.1.1 and PHP Version 8.0.22 on Ubuntu 20.04.4. OAuth Server is the only active plugin.

    I am attempting to connect to the OAuth Server using OpenID Connect, an add-on app for Nextcloud 24.0.7.

    ---

    On the OAuth Server side, I have created a client. On the Create/Edit Client screen, there are four checkboxes on the left side. Only the top checkbox, “Authorization Code” is enabled; the others are unchecked and disabled.

    The client has an ID and Secret, and the Redirect URI is set to “https://mycloud.example.ca/index.php/apps/user_oidc/code”.

    Still on the OAuth Server side, on the General Settings screen, the OAuth Server has been enabled and the other checkboxes are unchecked. On the Advanced Configuration screen, “Use JSON Web Tokens (JWT)” can be on or off with no difference.

    But under “OpenID Connect 1.0a (Global)”, I cannot enable “Allow OpenID Connect” nor can I change the “ID Token Lifetime”.

    ---

    On the Nextcloud (client) side, I have created a “Registered Provider” and added the Client ID and Client Secret from the OAuth Server. For the “Discovery endpoint”, I used “https://mywordpress.example.com/wptest/.well-known/openid-configuration/”. There are a few other configurable settings, but none really pertain to this discussion.

    When I attempt to log in to mycloud.example.ca, I do get the option to log in using mywordpress.example.com and it takes me to a new WordPress login screen. I enter my credentials, click “Log in” and am shown a Nextcloud “Internal Server Error” screen.

    Checking the Nextcloud error log, I see:

    Error: Undefined array key “id_token” at /usr/local/www/nextcloud-20.0.4/apps/user_oidc/lib/Controller/LoginController.php#373

    ---

    Note that .well-known/openid-configuration/ does include the line

    jwks_uri “https://mywordpress.example.com/wptest/.well-known/keys/”

    and .well-known/keys/ does include the following line:

    kid “1669071542”

    ---

    So, would being able to enable “Allow OpenID Connect” on the OAuth Server’s Advanced Configuration screen make any difference, or is there something else going on?

    Plugin Author Justin Greer

    (@justingreerbbi)

    After some verification, the CE version does support OpenID out of the box. The option for the global check is to force OpenID for normal OAuth 2.0 requests.

    I am not familiar with Nextcloud or the OpenID setup that they use.

    Looking at the error, it is looking for an array index of “id_token” and it is not seeing it. They should be checking for the variable gracefully and displaying an error message.

    One thing I can think of is to make sure the scope for the client in WP OAuth Server is “openid”. This may help but not 100% confident since I can’t really test and debug for myself.

    Is there a way to return the response from WP OAuth Server where the error is happening? This will help track down what is being presented so we can compare it to what is expected.

    Thread Starter ccsmithwp

    (@ccsmithwp)

    Justin,

    I’ve been working away at this for the past couple of weeks with limited success. At this point, unless you have some brilliant insight based on the information below, I’ve decided to abandon the project and take a whole different path.

    In addition to your plugin, I have also tried the “miniOrange OAuth / OpenID Connect Server”, which is also a WordPress plugin. Results were similar (although not identical).

    I also installed Keycloak, a standalone OpenID Connect and SAML identity provider. With Keycloak, I was able to log in to my Nextcloud server. This tells me that the Nextcloud OpenID Connect client (which is a Nextcloud extension/plugin/app) is operating “properly”.

    I have tried many different settings in your plugin, in the miniOrange plugin, and in the connect client in Nextcloud. Results are the same in all cases.

    As for the error that occurs when I use your plugin, it happens after I submit the WordPress login form which redirects to the Nextcloud client (step 7, below). I have included the step-by-step data flow below (which, again, is probably much more than you need, or may not be at all what you were asking for…).

    As I said above, I’m ready to move on to other projects, but if you can come up with other tests that you think I should attempt, I’m quite willing to do that.

    LOGIN ATTEMPT from Nextcloud (service provider) to WP OAuth Server (IdP):
    (apologies if the spacing gets botched…)

    1. CLIENT (Nextcloud) LOGIN HTML
    
        Login with mywordpress
    
    
    -----
    
    2. REQUEST
    GET https://mycloud.example.ca/index.php/apps/user_oidc/login/7
    
    RESPONSE
    Status: 303 See Other
    Location: https://mywordpress.example.com/wptest/oauth/authorize/?
                client_id=L3aWkauc1hQrjsg42RoDFd35Q1hX9hgM2dhyCsSJ&
                response_type=code&
                scope=openid+basic&
                redirect_uri=https://mycloud.example.ca/index.php/apps/user_oidc/code&
                claims={"id_token":{"email":null,"name":null,"quota":null},
                        "userinfo":{"email":null,"name":null,"quota":null}}&
                state=FQFCA9XW9G4IBEAMQCWORPM8MNXNR5H8&
                nonce=0GVYVPX3NMZ0RZRGLGUKGJ5AEYQYPJZ7
    
    -----
    
    3. REQUEST
    GET https://mywordpress.example.com/wptest/oauth/authorize/?...
    
    RESPONSE
    Status: 302 Found
    Location: https://mywordpress.example.com/wptest/wp-login.php?
                redirect_to=https://mywordpress.example.com/wptest/oauth/authorize?client_id=L3aWkauc1hQrjsg42RoDFd35Q1hX9hgM2dhyCsSJ&
                response_type=code&
                scope=openid+basic&
                redirect_uri=https://mycloud.example.ca/index.php/apps/user_oidc/code&
                claims={\"id_token\":{\"email\":null,\"name\":null,\"quota\":null},
                        \"userinfo\":{\"email\":null,\"name\":null,\"quota\":null}}&
                state=FQFCA9XW9G4IBEAMQCWORPM8MNXNR5H8&
                nonce=0GVYVPX3NMZ0RZRGLGUKGJ5AEYQYPJZ7
    
    -----
    
    4. REQUEST
    GET https://mywordpress.example.com/wptest/wp-login.php?...
    
    RESPONSE
    Status: 200 OK
    
    -----
    
    5. SERVER (WordPress - WP OAuth Server) LOGIN HTML
    <form name="loginform" id="loginform" action="https://mywordpress.example.com/wptest/wp-login.php" method="post">
                    <input  type="text" name="log" id="user_login" >
                    <input  type="password" name="pwd" id="user_pass">
                    <input  type="submit" value="Log In">
                    <input  type="hidden" name="redirect_to" value=(as shown in step 3)>
    </form>
    
    -----
    
    6. REQUEST
    POST https://mywordpress.example.com/wptest/wp-login.php
    
    RESPONSE
    Status: 302 Found
    Location: https://mywordpress.example.com/wptest/oauth/authorize/?
                client_id=L3aWkauc1hQrjsg42RoDFd35Q1hX9hgM2dhyCsSJ&
                response_type=code&
                scope=openid basic&
                redirect_uri=https://mycloud.example.ca/index.php/apps/user_oidc/code&
                claims=id_token:email:null,name:null,quota:null,userinfo:email:null,name:null,quota:null&
                state=FQFCA9XW9G4IBEAMQCWORPM8MNXNR5H8&
                nonce=0GVYVPX3NMZ0RZRGLGUKGJ5AEYQYPJZ7
    
    -----
    
    7. REQUEST
    GET https://mywordpress.example.com/wptest/oauth/authorize/?...
    
    RESPONSE
    Status: 302 Found
    Location: https://mycloud.example.ca/index.php/apps/user_oidc/code?
                code=904dan41tfumw3kso1lq9gniwqyehpwchim5xdgw&
                state=FQFCA9XW9G4IBEAMQCWORPM8MNXNR5H8&
                iframe=break
    
    -----
    
    9. REQUEST
    GET https://mycloud.example.ca/index.php/apps/user_oidc/code?
            code=904dan41tfumw3kso1lq9gniwqyehpwchim5xdgw&
            state=FQFCA9XW9G4IBEAMQCWORPM8MNXNR5H8&
            iframe=break
    
    RESPONSE
    Status: 500 Internal Server Error
    
    -----
    
    10. CLIENT (Nextcloud) LOG FILE
    [PHP] Error: Error: Undefined array key "id_token" at /path/to/nextcloud/apps/user_oidc/lib/Controller/LoginController.php#373 at <<closure>>
    GET /index.php/apps/user_oidc/code?code=g5s7on38xlbszgq7i144njkkpw90gogtuen293wj&state=AFGHIPAKG7WHETWX0368BFS1BWMPMSFL&iframe=break
    from 123.45.67.89 at 2022-12-06T20:05:06+00:00

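What a client should do with the token-endpoint reply at step 9, as an added example in Python (not code from WP OAuth Server, Nextcloud or user_oidc): check the reply defensively and report a missing id_token, as Justin suggests, instead of failing with an undefined-key error, and when an id_token is present, validate its basic claims against the flow's own values. The issuer, client_id, nonce and kid are taken from the trace above; the two replies are constructed samples, the sample token carries a placeholder signature, and signature verification against jwks_uri is left out.

```python
import base64
import json

# Values from the thread's captured flow (steps 2 and 3); NOW is a fixed clock.
ISSUER = "https://mywordpress.example.com/wptest"
CLIENT_ID = "L3aWkauc1hQrjsg42RoDFd35Q1hX9hgM2dhyCsSJ"
NONCE = "0GVYVPX3NMZ0RZRGLGUKGJ5AEYQYPJZ7"
NOW = 1670356000

def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_token_response(resp, issuer, client_id, nonce, now):
    """Validate a token-endpoint JSON body for the OIDC code flow.
    Returns (ok, problems). Signature checking against jwks_uri is left out."""
    if "error" in resp:
        return False, ["server error: %s" % resp["error"]]
    problems = [] if "access_token" in resp else ["access_token missing"]
    id_token = resp.get("id_token")
    if id_token is None:  # the case behind 'Undefined array key "id_token"'
        return False, problems + ["id_token missing: plain OAuth 2.0 reply, not OIDC (is scope 'openid' granted?)"]
    try:
        header, claims, _signature = id_token.split(".")  # compact JWS has 3 segments
        header, claims = b64url_json(header), b64url_json(claims)
    except ValueError:
        return False, problems + ["id_token is not a three-segment base64url JWS"]
    if header.get("alg", "none") == "none" or "kid" not in header:
        problems.append("header needs a real alg and a kid to find in jwks_uri")
    aud = claims.get("aud", [])
    if claims.get("iss") != issuer:
        problems.append("iss %r is not %r" % (claims.get("iss"), issuer))
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud does not include our client_id")
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch (replay or wrong session)")
    if claims.get("exp", 0) <= now:
        problems.append("id_token expired")
    return not problems, problems

def make_sample_id_token(claims, kid="1669071542"):
    """Demo JWT: kid mirrors the thread's keys document, signature is a placeholder."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return "%s.%s.sig-placeholder" % (enc({"alg": "RS256", "kid": kid}), enc(claims))

# Constructed sample replies (not captured from the thread).
PLAIN_OAUTH_REPLY = {"access_token": "at-1", "token_type": "Bearer", "expires_in": 3600}
OIDC_REPLY = dict(PLAIN_OAUTH_REPLY, id_token=make_sample_id_token(
    {"iss": ISSUER, "sub": "42", "aud": CLIENT_ID, "nonce": NONCE, "iat": NOW, "exp": NOW + 3600}))
```

Running the check on PLAIN_OAUTH_REPLY reproduces the thread's failure mode as a readable finding rather than a crash; a reply that does carry an id_token is then checked for iss, aud, nonce and exp.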
  • The topic ‘Cannot enable “Allow OpenID Connect”’ is closed to new replies.