
[FEATURE REQUEST] OIDC Dynamic Client Registration support #865

Closed · 3 tasks done
felix-schwarz opened this issue Jan 8, 2021 · 6 comments

Comments

@felix-schwarz
Contributor

felix-schwarz commented Jan 8, 2021

Background

This issue tracks support for OIDC Dynamic Client Registration, which is provided via the SDK (in commit owncloud/ios-sdk@85e09cb) and already available in milestone/11.5 (#779).

Spec

Testing

OIDC Dynamic Client Registration is available on ocis.owncloud.works. You should see log messages tagged with ClientRegistration when creating a bookmark with that target.

Tested successfully:

  • Create a new bookmark
  • Use Diagnostics to remove the authentication data, then open the bookmark to restore it
  • Use Diagnostics to replace the tokens with random UUIDs, then open the bookmark to restore it

PR

#779

Related

@felix-schwarz felix-schwarz added this to the 11.5.0-Current milestone Jan 8, 2021
@jesmrec
Contributor

jesmrec commented Jan 27, 2021

Not working properly after expiry of client id / secret id

Request to konnect/v1/token returns 401 because of an unknown client id

"error": "access_denied",
"error_description": "unknown client_id: dyn.eyJhbGciOiJQUzI...

Logs caught in iOS app:

ownCloud_21_Jan_2021_at_17_45_31.log.txt

iPhoneXR v14.2
app commit 54d9abca

@felix-schwarz
Contributor Author

felix-schwarz commented Jan 29, 2021

Thanks for the log! What seems to have happened is that the client_id/client_secret was refreshed, then used with the refresh_token that was originally registered with the previous client_id/client_secret pair.

I've now made changes so that the token refresh request will:

  • use the client_id/client_secret pair used for the request that returned the refresh_token in the Authorization header of the token refresh request
  • use the latest valid/refreshed client_id/client_secret as parameters in the token refresh request's POST body

Please check if the issue is solved in the updated milestone/11.5.

@jesmrec
Contributor

jesmrec commented Feb 1, 2021

Last check with commit 7a7e8254 did not solve the problem. Token endpoint answered with

{ "error": "access_denied", "error_description": "unknown client_id: dyn.eyJhbGciOiJ... }

Something similar is happening in the desktop client (owncloud/client#8402) and in Android. All teams will need some alignment.

New logs:

ownCloud_1_Feb_2021_at_13_59_37.log.txt

@jesmrec
Contributor

jesmrec commented Feb 2, 2021

These logs were caught against ocis.owncloud.works, with same result as the ones above:

ownCloud_2_Feb_2021_at_09_22_59.log.txt

@felix-schwarz
Contributor Author

Thanks! So here's what I learnt:

  • when sending the refresh_token together with the client_id/client_secret with which it was retrieved, before the client_id has expired: all is fine.

  • when sending the refresh_token together with the client_id/client_secret with which it was retrieved, but after the client_id has expired:

    {
      "error": "access_denied",
      "error_description": "unknown client_id: dyn.eyJhbGciOiJQ…"
    }

  • when sending the refresh_token together with a freshly issued client_id/client_secret at the time of sending the refresh request to the token endpoint:

    {
      "error": "invalid_grant",
      "error_description": "client_id mismatch"
    }

The id_token sent alongside the original access_token looked like an escape hatch at first, but looking at the internals of that JWT, it also expires after 1 hour:

{
  "aud": "dyn.eyJhbGciOiJQUzI1NiIsImtpZCI6Imtvbm5lY3RkX3ByaXZhdGUiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjE2MTEyNTExNDksImlhdCI6MTYxMTI0NzU0OSwic3ViIjoiTHBfT3c1cjFLZnB2a0poQ2NrWEdCeXk1N0hoaW4zbXJfanVaVHBwOUxHUlhBQ1NRN1FUa2VBbElwc18yVHF4UWMyalNDYjJFeE9TbkpxYUVqdk5PcFEiLCJuYW1lIjoib3duQ2xvdWQvaU9TIDExLjUiLCJncmFudF90eXBlcyI6WyJhdXRob3JpemF0aW9uX2NvZGUiXSwiYXBwbGljYXRpb25fdHlwZSI6Im5hdGl2ZSIsInJlZGlyZWN0X3VyaXMiOlsib2M6Ly9pb3Mub3duY2xvdWQuY29tIl0sImlkX3Rva2VuX3NpZ25lZF9yZXNwb25zZV9hbGciOiJSUzI1NiIsInRva2VuX2VuZHBvaW50X2F1dGhfbWV0aG9kIjoiY2xpZW50X3NlY3JldF9iYXNpYyJ9.vrVtDt4XdLkQ7j_h_OPlKsNn7EJsplvsqKOiK7YMbfcEMTUew8eNqkthfLzzD3BOJhkcUsMEJVWO8IWbxtEcZfgAZdvkLOtzS4F0Ku3B1KXGwogcHz3MxjJVZnOVtYeNjbZQTAm-iSdiUzgq6faTQ1BEQImAuH57L8ctmaiqIMqMPm0n7uCu0UDdRjpi-qFHOvau0TrcGyMW8zK_iwIGCXKfpakwlbrnBPvInGWSHtl8Iim-UKWoOAkVh3rDkZrtM8JLuq4bGps89Lzfft6XDSkIE83HmWV5fIxl8tRPCQcaUd4bwQITmwRoXcPRWqfFKLPFVExUJIJehbEHflINsw",
  "exp": 1611251163,
  "iat": 1611247563,
  "iss": "https://ocis.owncloud.works/",
  "sub": "XtSi_miyWSB-pkvGnxPoC5A4flih0UCLgvU7cLwjmjCKX7FYn2HWk6rRCEuy2G5qAy_yMQc_FK9aNFhUMrX2pQ@konnect",
  "at_hash": "yoFapjaziVILSjfmsQTYog",
  "sid": "pMSeThLUTNxZA2pxWCqDZjoqvuskdt7iBWoVL0RdRiE="
}

So from my side, it seems impossible to fix this issue. At this point it certainly looks like it will need changes on the server side to use dynamic client ID together with a refresh_token.
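As an added example (not the SDK's or this issue's own code) that covers both the refresh-request layout from the Jan 29 comment and the error cases listed above: it builds the refresh request with the original client_id/client_secret pair in the Authorization header and the latest pair in the POST body, reads the exp claim out of a constructed "dyn." client_id to tell when re-registration is due, and maps the two token endpoint errors to the client's next step. The sample client_id, the token endpoint URL and the helper names are assumptions.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_dyn_client_id(iat: int, lifetime: int = 3600) -> str:
    """Constructed sample shaped like the 'dyn.' client_ids in this issue: a JWT
    whose payload carries exp/iat an hour apart. Placeholder signature: test input only."""
    header = {"alg": "PS256", "kid": "konnectd_private", "typ": "JWT"}
    payload = {"exp": iat + lifetime, "iat": iat, "name": "ownCloud/iOS 11.5",
               "grant_types": ["authorization_code"],
               "token_endpoint_auth_method": "client_secret_basic"}
    parts = [_b64url(json.dumps(header).encode()),
             _b64url(json.dumps(payload).encode()), _b64url(b"placeholder-sig")]
    return "dyn." + ".".join(parts)

def dyn_client_expiry(client_id: str):
    """Read the exp claim of a 'dyn.' client_id. Inspection only, no signature
    check: the server stays the authority on whether the registration is valid."""
    if not client_id.startswith("dyn."):
        return None
    parts = client_id[4:].split(".")
    if len(parts) != 3:
        return None
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("exp")

def client_needs_reregistration(client_id: str, now: int) -> bool:
    exp = dyn_client_expiry(client_id)
    return exp is not None and now >= exp

def build_refresh_request(token_endpoint, refresh_token, original, latest):
    """Refresh request as the SDK change in this thread describes: the pair that
    obtained the refresh_token goes in the Authorization header, the latest pair in the body."""
    basic = base64.b64encode(f"{original[0]}:{original[1]}".encode()).decode()
    return {"url": token_endpoint,
            "headers": {"Authorization": "Basic " + basic,
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": {"grant_type": "refresh_token", "refresh_token": refresh_token,
                     "client_id": latest[0], "client_secret": latest[1]}}

def classify_token_error(response: dict) -> str:
    """Map the token endpoint errors seen in this issue to the client's next step."""
    err, desc = response.get("error"), response.get("error_description", "")
    if err == "access_denied" and desc.startswith("unknown client_id"):
        return "client_id expired: re-register, then re-authenticate the user"
    if err == "invalid_grant" and "client_id mismatch" in desc:
        return "refresh_token bound to another client_id: re-authenticate the user"
    return "other error: re-authenticate the user"
```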

@felix-schwarz
Contributor Author

Per owncloud/openidconnect#142 the iOS client sticks to the standards and the need for reauthentication by the user is a consequence of the expiry of the client_id.

The solution likely will be client_ids that don't expire, which I just added support for in milestone/11.5 via the SDK.

4 participants