panic / 502 Bad Gateway in authenticated webfinger

[kulmann]

Describe the bug

An authenticated request to .well-known/webfinger where the webfinger service runs as part of ocis (I did not test standalone) causes a panic in the Oidc middleware.

Steps to reproduce

Steps to reproduce the behavior:

1. Start e.g. oCIS single binary or keycloak deployment example (= webfinger service running alongside ocis)
2. Obtain an access token
3. Use the access token to make an authenticated request to .well-known/webfinger?resource=<issuerUrl>

Expected behavior

Webfinger service behaves as documented in https://owncloud.dev/services/webfinger/ - i.e. gives a response including the ocis instances the user has access to.

Actual behavior

Request terminates with a 502 Bad Gateway.

Setup

Single binary or keycloak deployment example

Initial findings

Running ocis with a debugger I found out that there is a panic happening in the oidc middleware:
http: panic serving 127.0.0.1:48434: runtime error: invalid memory address or nil pointer dereference

Set a breakpoint here:

ocis/ocis-pkg/middleware/oidc.go

Line 41 in 0862ff6

return goidc.NewProvider(

and step into NewProvider. The doRequest call will run into a CertificateVerificationError for an ocis with self signed certificate. Unfortunately I don't know how to make use of OCIS_INSECURE=true here....

The error then gets swallowed into nirvana here:

ocis/ocis-pkg/middleware/oidc.go

Line 59 in 0862ff6

return

Finally running into a nil dereference here:

ocis/ocis-pkg/middleware/oidc.go

Line 67 in 0862ff6

userInfo, err := provider.UserInfo(

when calling provider.UserInfo.

[dragonchaser]

It seems like, when using an internal IDP querying the oidc .well-knows an error gets thrown, resulting in an empty in

ocis/ocis-pkg/middleware/oidc.go

Line 57 in 0862ff6

provider, err = providerFunc()

.