Authelia 4.38.9 and OCIS 6.1.0 (any version really) - fails - "Could not get user roles"

[mwinters-stuff]

Describe the bug

Authelia 4.38.9 Configured with the following:

                        - client_id: owncloud-ocis-web
                          client_name: ownCloud web client
                          public: true
                          scopes:
                            - openid
                            - groups
                            - profile
                            - email
                            - offline_access
                          redirect_uris:
                            - https://test.someplace.org.nz/
                            - https://test.someplace.org.nz/oidc-callback.html
                            - https://test.someplace.org.nz/oidc-silent-redirect.html
                        - client_id: xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69
                          client_name: ownCloud desktop client
                          # Well-known secret hashed
                          client_secret: $pbkdf2-sha512$310000$.z/6sV7qQSx1.5zPetVVCQ$JIEPOTFTSokJjDNVhlMLq7tYnHd/E17wSHW.GYXQA0QjfTPqTosyRr7qSHxSiPmXympfTbGF6FmnnX9on.uQng
                          scopes:
                            - openid
                            - groups
                            - profile
                            - email
                            - offline_access
                          redirect_uris:
                            - http://127.0.0.1
                            - http://localhost
                          allow_multiple_auth_methods: true
                          grant_types:
                            - refresh_token
                            - authorization_code
                          response_types:
                            - code
                        - client_id: e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD
                          client_name: ownCloud Android app
                          # Well-known secret hashed
                          client_secret: $pbkdf2-sha512$310000$Grnc1pW0blLl.2B1aEfEvg$JWW3s83SXkgSvoykJ5yD4i11gfrxBOEEGrKXjbyAh.PmVc14FDwSAzxVn7JFXjvO0B0V2RxFsrUT4RZoBK93ug
                          scopes:
                            - openid
                            - groups
                            - profile
                            - email
                            - offline_access
                          redirect_uris:
                            - oc://android.owncloud.com
                          allow_multiple_auth_methods: true
                          grant_types:
                            - refresh_token
                            - authorization_code
                          response_types:
                            - code

OICS, configured via Kubernetes, using a docker container I had to create for 6.1:

deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
    annotations:
        owncoud-ocis: https://github.com/owncloud/ocis
    labels:
        app: owncloud-ocis-test
    name: owncloud-ocis-test
    namespace: web-apps
spec:
    replicas: 1
    selector:
        matchLabels:
            app: owncloud-ocis-test
    strategy:
        type: Recreate
    template:
        metadata:
            annotations:
                owncoud-ocis: https://github.com/owncloud/ocis
            labels:
                app: owncloud-ocis-test
        spec:
            containers:
                - name: owncloud-ocis
                  image: ghcr.io/mwinters-stuff/ocis:6.1.0
                  ports:
                    - containerPort: 9200
                  resources:
                    limits:
                        cpu: "2"
                        memory: 1Gi
                    requests:
                        cpu: "1"
                        memory: 500Mi
                  env:
                    - name: OCIS_SERVICE_ACCOUNT_ID
                      value: d7d39653-585e-46e6-8564-52cee1a1e0d9
                    - name: OCIS_SERVICE_ACCOUNT_SECRET
                      value: A&tEKT$vYbNtGADmj0SK7A$s$Sm4A@kd
                    - name: OCIS_URL
                      value: https://test.someplace.org.nz
                    - name: PROXY_HTTP_ADDR
                      value: 0.0.0.0:9200
                    - name: PROXY_TLS
                      value: "false"
                    - name: OCIS_INSECURE
                      value: "true"
                    - name: OCIS_LOG_LEVEL
                      value: debug
                    - name: OCIS_CONFIG_DIR
                      value: /ocis-config
                    - name: OCIS_BASE_DATA_PATH
                      value: /ocis-data
                    # - name: OCIS_RUN_SERVICES
                    #   value: app-registry,app-provider,audit,auth-basic,auth-machine,frontend,gateway,graph,groups,idp,idm,nats,notifications,ocdav,ocs,proxy,search,settings,sharing,storage-system,storage-publiclink,storage-shares,storage-users,store,thumbnails,users,web,webdav
                    - name: OCIS_OIDC_ISSUER
                      value: https://auth.someplace.org.nz
                    - name: WEB_OIDC_CLIENT_ID
                      value: owncloud-ocis-web
                    - name: PROXY_OIDC_REWRITE_WELLKNOWN
                      value: "true"
                    - name: PROXY_AUTOPROVISION_ACCOUNTS
                      value: "true"
                    - name: PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD
                      value: none
                    - name: PROXY_ROLE_ASSIGNMENT_DRIVER
                      value: oidc
                    - name: OCIS_ADMIN_USER_ID
                      value: bob
                    - name: PROXY_CSP_CONFIG_FILE_LOCATION
                      value: /etc/ocis/csp.yaml
                    - name: GRAPH_LDAP_SERVER_WRITE_ENABLED
                      value: "true"
                    - name: PROXY_AUTOPROVISION_CLAIM_GROUPS
                      value: groups

                    # - name: PROXY_USER_OIDC_CLAIM
                    #   value: preferred_username
                    # - name: PROXY_USER_CS3_CLAIM
                    #   value: username
                    - name: OCIS_EXCLUDE_RUN_SERVICES
                      value: idp
   
                  volumeMounts:
                    - mountPath: /ocis-config
                      name: ocis-config
                    - mountPath: /ocis-data
                      name: ocis-data
                    - mountPath: /etc/ocis/
                      name: ocis-config-map
            restartPolicy: Always
            volumes:
                - name: ocis-data
                  persistentVolumeClaim:
                    claimName: nfs-ocis-data-test-web-apps-pvc
                - name: ocis-config
                  persistentVolumeClaim:
                    claimName: nfs-ocis-config-test-web-apps-pvc
                - name: ocis-config-map
                  configMap:
                    name: ocis-config

config.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: ocis-config
  namespace: web-apps
data:
  csp.yaml: |-
    directives:
      child-src:
        - '''self'''
      connect-src:
        - '''self'''
        # In contrary to bash and docker the default is given after the | character
        - 'https://auth.someplace.org.nz/'
      default-src:
        - '''none'''
      font-src:
        - '''self'''
      frame-ancestors:
        - '''none'''
      frame-src:
        - '''self'''
        - 'blob:'
        - 'https://embed.diagrams.net/'
      img-src:
        - '''self'''
        - 'data:'
        - 'blob:'
      manifest-src:
        - '''self'''
      media-src:
        - '''self'''
      object-src:
        - '''self'''
        - 'blob:'
      script-src:
        - '''self'''
        - '''unsafe-inline'''
      style-src:
        - '''self'''
        - '''unsafe-inline'''

result

1. Browser app returns to "Access Denied"
2. Log for oics,

{"level":"debug","service":"proxy","role":"user-light","id":"38071a68-456a-4553-846a-fa67bf5596cc","time":"2024-07-15T02:58:42Z","line":"/ocis/services/proxy/pkg/userroles/oidcroles.go:217","message":"Got Role"}
{"level":"debug","service":"proxy","role":"admin","id":"71881883-1768-46bd-a24d-a356a2afdf7f","time":"2024-07-15T02:58:42Z","line":"/ocis/services/proxy/pkg/userroles/oidcroles.go:217","message":"Got Role"}
{"level":"debug","service":"proxy","role":"spaceadmin","id":"2aadd357-682c-406b-8874-293091995fdd","time":"2024-07-15T02:58:42Z","line":"/ocis/services/proxy/pkg/userroles/oidcroles.go:217","message":"Got Role"}
{"level":"debug","service":"proxy","role":"user","id":"d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11","time":"2024-07-15T02:58:42Z","line":"/ocis/services/proxy/pkg/userroles/oidcroles.go:217","message":"Got Role"}
{"level":"debug","service":"proxy","roleMap":{"admin":"71881883-1768-46bd-a24d-a356a2afdf7f","spaceadmin":"2aadd357-682c-406b-8874-293091995fdd","user":"d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11","user-light":"38071a68-456a-4553-846a-fa67bf5596cc"},"time":"2024-07-15T02:58:42Z","line":"/ocis/services/proxy/pkg/userroles/oidcroles.go:220","message":"Role Name to role ID map"}
{"level":"error","service":"proxy","request-id":"d467af1f-b2dd-4591-ada7-f55bcff20fbe","userid":"09baece4-9daf-47ac-856e-e90c26566e59","error":"no roles in user claims","time":"2024-07-15T02:58:42Z","line":"/ocis/services/proxy/pkg/userroles/oidcroles.go:84","message":"Error mapping role names to role ids"}
{"level":"error","service":"proxy","error":"no roles in user claims","time":"2024-07-15T02:58:42Z","line":"/ocis/services/proxy/pkg/middleware/account_resolver.go:170","message":"Could not get user roles"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"d467af1f-b2dd-4591-ada7-f55bcff20fbe","traceid":"2d217643f2aab8c248aed2d0b2d690be","remote-addr":"192.168.1.121","method":"GET","status":500,"path":"/ocs/v1.php/cloud/capabilities","duration":897.077399,"bytes":0,"time":"2024-07-15T02:58:42Z","line":"/ocis/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"debug","service":"gateway","pkg":"rgrpc","traceid":"fbe248e6663859386bdcaf99d0d6a02e","method":"/cs3.gateway.v1beta1.GatewayAPI/AddAppProvider","time":"2024-07-15T02:58:46Z","line":"/ocis/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/auth.go:122","message":"skipping auth"}
{"level":"debug","service":"app-registry","pkg":"rgrpc","traceid":"fbe248e6663859386bdcaf99d0d6a02e","method":"/cs3.app.registry.v1beta1.RegistryAPI/AddAppProvider","time":"2024-07-15T02:58:46Z","line":"/ocis/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/auth.go:122","message":"skipping auth"}

Expected behavior

I expect to be able to login.

Actual behavior

I can not login.

Setup

Please describe how you started the server and provide a list of relevant environment variables or configuration files.

Additional context

I am currently using keycloak, but only having 1 service on keycloak and everything else under authelia and reading what is now available I should be able to use authelia to authenticate.

[micbar]

@mwinters-stuff
Thanks for your report.

This is interesting because for me it is not clear what your expectations are.

1. Are you using authelia as the source of your users?
2. If yes, do you want to manage the roles in authelia?
3. If yes, then we have a problem.

Authelia has currently no "roles" claim. Some people from our team tried to use the "groups" claim (@kulmann and @TheOneRing ) After creating a new role mapping config https://owncloud.dev/services/proxy/#automatic-role-assignments it starts working for the Web Client. On the desktop client, we debugged that authelia has currently no way to assign default scopes to a client. So the "groups" claim is always empty when the desktop client tries to login. That needs to be clarified with upstream authelia a) if this is possible b) or on the roadmap?

Possible solution

Manage the role assignment in the oCIS Admin UI.

To do that, you need to set PROXY_ROLE_ASSIGNMENT_DRIVER=default.

[mwinters-stuff]

Ok, yes using Authelia as the user source, and using the comment from the 6.1.0 release

Enhancement - Autoprovision group memberships: #9458

When PROXY_AUTOPROVISION_ACCOUNTS is enabled it is now possible to automatically
maintain the group memberships of users via a configurable OIDC claim

Then I was under the assumption that the OIDC groups would work for the roles, this appears to be limited in some manner by authelia still.

I will see if the role assignment using OCIS is possible.

[mwinters-stuff]

Ok fantastic, I can log-in with Authelia.. thats a big change from before...

Now, though I am not able to become the admin user - even though OCIS_ADMIN_USER_ID=mathew and my username is "mathew'
I have re-enabled idp but no admin user? Any tips? Would like to be able to create Spaces.

[micbar]

You do not need the idp service.

the admin user can be defined with the variable you use but you need to use the uuid from the ocis user. That can be seen in the browser network tab when the webUI fetches information from graph/user

[mwinters-stuff]

Excellent, got it working!
Thanks. I will try to create a "working" example somewhere.

[mwinters-stuff]

Re-Opened.
Have got to trying the web client and android client, both fail to login. The URL becomes.

http://127.0.0.1:41385/?error=invalid_request&error_description=The+request+is+missing+a+required+parameter%2C+includes+an+invalid+parameter+value%2C+includes+a+parameter+more+than+once%2C+or+is+otherwise+malformed.+Used+unknown+value+%27%5Bselect_account+consent%5D%27+for+prompt+parameter&iss=https%3A%2F%2Fauth.example.org.nz&state=yrFE6W--X-HEHd4FIb1YPSKjrDGJ_dGdR-ZdL6lk1m0%3D

Which decoded by the browser, has the parameters

error: invalid_request
error_description: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Used unknown value '[select_account consent]' for prompt parameter
iss: https://auth.example.org.nz
state: yrFE6W--X-HEHd4FIb1YPSKjrDGJ_dGdR-ZdL6lk1m0=

Any more ideas? Thanks.

[rhafer]

Hm, the owncloud client does currently always sents prompt=select_account consent query parameter with the authorization request. Authelia does not have support for the select_account value and therefor rejects the request.

AFAIK the ownclient client master already has some support for evaluationg the prompt_values_supported setting returned by the authelia IDP (owncloud/client#11729). But I don't know, when that will be baked into a release.

It might be possible to add some clever rewriting rules to the traefik proxy to remove the prompt parameter from the request as a workaround.