OpenID Authenticator with Nextcloud (Issuer not matched)

Hello Forum,
I am trying to use Nextcloud as an OpenID provider for XWiki. XWiki requests the “.well-known/openid-configuration” from Nextcloud and tries to authenticate against Nextcloud with the returned endpoints. But the following error occurs:

xwiki-mysql-tomcat-web  | Caused by: com.nimbusds.oauth2.sdk.GeneralException: The returned issuer doesn't match the expected: https://nextcloud.my-domain.eu
xwiki-mysql-tomcat-web  |       at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1996)
xwiki-mysql-tomcat-web  |       at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1934)

In the xwiki.properties I have configured the following provider:

oidc.provider=https://nextcloud.my-domain.eu/index.php

Where can I configure the issuer that XWiki is expecting in the response?

Kind Regards.
ixtrader

What the OpenID Connect SDK library is calling the “issuer” is what is configured as oidc.provider, and apparently what you indicated does not seem to match what’s returned by the provider itself (https://nextcloud.my-domain.eu/index.php vs https://nextcloud.my-domain.eu).

Have you tried with oidc.provider=https://nextcloud.my-domain.eu ?

Good point. When I use https://nextcloud.my-domain.eu I am getting a 301 redirect error, with the redirect address https://nextcloud.my-domain.eu/index.php

Caused by: java.io.IOException: Couldn't download OpenID Provider metadata from https://nextcloud.my-domain.eu/.well-known/openid-configuration: Status code 301
xwiki-mysql-tomcat-web  |       at com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata.resolve(OIDCProviderMetadata.java:1988)

OK, so you get the redirect for https://nextcloud.my-domain.eu/.well-known/openid-configuration, which is the standard endpoint to get the configuration of an OIDC provider whose issuer is “https://nextcloud.my-domain.eu”.

I did not check the specification to see if a redirect at this location is supposed to be followed, but the library we are using certainly does not seem to think so, and I tend to trust it.

The provider/issuer configuration helper is not mandatory (but it can be required for some aspects, depending on what the provider sends), so you could try commenting it out and setting the various endpoints yourself (you should find them in https://nextcloud.my-domain.eu/index.php I guess).
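The issuer check and the non-followed redirect described in this reply, as an added Python example that is not part of this thread nor of XWiki's, Nimbus's or Nextcloud's code; the fetch function is a constructed stand-in for the provider behaviour reported above, and the error strings are my own:

```python
import json

WELL_KNOWN = "/.well-known/openid-configuration"
HOST = "https://nextcloud.my-domain.eu"

# Constructed model of the provider behaviour reported in the thread
# (an assumption, not Nextcloud's code): metadata is served under
# /index.php and the bare-host well-known URL answers with a 301.
META = json.dumps({
    "issuer": HOST,
    "authorization_endpoint": HOST + "/index.php/apps/oidc/authorize",
    "token_endpoint": HOST + "/index.php/apps/oidc/token",
})


def nextcloud_fetch(url):
    """Return (status, body) for a URL; no network is used."""
    if url == HOST + "/index.php" + WELL_KNOWN:
        return 200, META
    if url == HOST + WELL_KNOWN:
        return 301, ""  # would carry Location: .../index.php/.well-known/...
    return 404, ""


def resolve_metadata(issuer, fetch):
    """Discovery as an OIDC client does it: GET issuer + WELL_KNOWN,
    never follow redirects, and require the document's 'issuer' to
    equal the configured value byte for byte (that equality is what
    binds the endpoints and the tokens to the configured provider)."""
    url = issuer.rstrip("/") + WELL_KNOWN
    status, body = fetch(url)
    if status != 200:
        raise IOError(f"Couldn't download OpenID Provider metadata from {url}: "
                      f"Status code {status}")
    meta = json.loads(body)
    if meta.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: document says {meta.get('issuer')!r}, "
                         f"configured {issuer!r}")
    return meta


def check_issuer(issuer, fetch=nextcloud_fetch):
    """Return 'ok' or the error text for one oidc.provider setting."""
    try:
        resolve_metadata(issuer, fetch)
        return "ok"
    except (IOError, ValueError) as exc:
        return str(exc)
```

Running check_issuer on the two values tried in this thread reproduces both failures; it only returns "ok" when the provider serves the document at the configured issuer's well-known URL with a matching issuer claim.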

Hello tmortagne,
thank you very much! You are a magician! This was a great tip!
Solving this problem took me about 16 hours.

By deactivating the

# oidc.provider=https://nextcloud.my-domain.eu

setting and using the dedicated settings:
oidc.endpoint.authorization=https://nextcloud.my-domain.eu/index.php/apps/oidc/authorize
oidc.endpoint.token=https://nextcloud.my-domain.eu/index.php/apps/oidc/token
oidc.endpoint.logout=https://nextcloud.my-domain.eu/index.php/apps/oidc/logout
oidc.endpoint.userinfo=https://nextcloud.my-domain.eu/index.php/apps/oidc/userinfo?format=json

the authentication is working like a charm.

Kind regards
iX