Claims query parameter with Google authentication breaks login
I have configured OIDC provider through configuration with Google.
Discovery endpoint: https://accounts.google.com/.well-known/openid-configuration
Scope: openid email profile
User ID mapping: email
When logging in, the user gets redirected to the authentication endpoint https://accounts.google.com/o/oauth2/v2/auth?client_id=... and the query parameter `claims` is appended:
claims: {"id_token":{"email":{"essential":true},"name":null,"quota":null,"groups":null},"userinfo":{"email":{"essential":true},"name":null,"quota":null,"groups":null}}
which results in an error page on Google login:
Invalid parameter value for claims: Invalid claims: claims must have a single object value "id_token" [Learn more about this error](https://developers.google.com/identity/protocols/oauth2)
If you are a developer of ... , see [error details](https://accounts.google.com/).
Error 400: invalid_request
If the claims parameter is removed, then authentication goes through. Should there be an option to avoid passing the claims parameter?
Thanks for reporting this. Could you try to delete lines 263->268, 273 and 281 of apps/user_oidc/lib/Controller/LoginController.php?
https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L263-L268 https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L273 https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L281
Google's response says it would work with just having the id_token attribute in the claim GET param.
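To make the difference between the two requests concrete, here is an added example (not code from the nextcloud/user_oidc app) that assembles an OIDC authorization request with an optional `claims` parameter and runs a local pre-flight check modelled on the error text Google returned above. The endpoint, scope and default claims object are taken from the report; the function names, the placeholder client id and redirect URI, and the acceptance rule ("only a top-level `id_token` member") are assumptions for illustration, derived from the error message rather than from Google's actual validation code.

```python
"""Build an OpenID Connect authorization request with an optional
`claims` parameter and check it against the constraint Google reported
in this thread (added example, not part of nextcloud/user_oidc).
"""
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoint and scope quoted in the issue report.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
DEFAULT_SCOPE = "openid email profile"

# Claim names the app asks for according to the report; None means a
# voluntary claim, {"essential": True} means the RP requires it.
REQUESTED_CLAIMS = {
    "email": {"essential": True},
    "name": None,
    "quota": None,
    "groups": None,
}


def build_claims(requested=REQUESTED_CLAIMS, include_userinfo=True):
    """Return the OIDC `claims` request object.

    With include_userinfo=True this reproduces the object the app sends
    (id_token + userinfo), which Google rejects. With False only the
    id_token member is present, which the thread reports as working.
    """
    claims = {"id_token": dict(requested)}
    if include_userinfo:
        claims["userinfo"] = dict(requested)
    return claims


def build_auth_url(client_id, redirect_uri, state=None, nonce=None,
                   scope=DEFAULT_SCOPE, claims=None):
    """Assemble the authorization request URL.

    `state` protects the redirect back against CSRF and `nonce` binds the
    ID token to this request; both are generated when not supplied.
    When `claims` is None the parameter is omitted entirely, which is the
    workaround discussed in the thread.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": redirect_uri,
        "state": state or secrets.token_urlsafe(32),
        "nonce": nonce or secrets.token_urlsafe(32),
    }
    if claims is not None:
        params["claims"] = json.dumps(claims, separators=(",", ":"))
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def claims_from_url(url):
    """Return the decoded `claims` object from an authorization URL,
    None if the parameter is absent, or False if it is not valid JSON."""
    query = parse_qs(urlparse(url).query)
    if "claims" not in query:
        return None
    try:
        return json.loads(query["claims"][0])
    except ValueError:
        return False


def google_accepts_claims(url):
    """Local pre-flight check modelling the reported error text
    "claims must have a single object value id_token": accept when the
    parameter is absent, or when it is a JSON object whose only
    top-level member is "id_token". Assumption derived from the error
    message in this thread, not Google's real validation logic.
    """
    claims = claims_from_url(url)
    if claims is None:
        return True
    return isinstance(claims, dict) and set(claims) == {"id_token"}


if __name__ == "__main__":
    # Placeholder client id and redirect URI, constructed for the demo.
    for include_userinfo in (True, False):
        url = build_auth_url("CLIENT_ID_PLACEHOLDER",
                             "https://nextcloud.example/apps/user_oidc/code",
                             claims=build_claims(include_userinfo=include_userinfo))
        print("userinfo included:", include_userinfo,
              "-> accepted:", google_accepts_claims(url))
```

Running the block prints the accepted/rejected outcome for both shapes of the claims object; the same check can be applied to any captured authorization URL to see whether the `userinfo` member is present before blaming the provider.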
I just tracked down this exact same issue. I can confirm that it works with just the id_token in claims, but not with userinfo.
Removing those lines you specify in LoginController.php fixes it!
(Side note: all my Google searching yielded nothing; I did not find this issue until I tracked down this specific repo and searched for "userinfo" after determining it was the difference in the request.)
Was this issue fixed in any version, or is this a "fix" workaround?
Admittedly, it is only a workaround, but I hesitate to change anything if it only breaks Google authentication and nothing else. If it happens with other providers, then we can certainly reopen this issue.
Would it be complex to implement a select box where I choose which parameters to send? Although it might only affect Google, it is a no-go for my company and probably for others that use Google as their identity provider. Imagine having to patch these files with every new version of Nextcloud released? Not practical.
Well, I checked more and found this: https://github.com/nextcloud/user_oidc/blob/main/README.md#disable-default-claims
I haven't tested it yet, but I think someone has thought of a way to do exactly what I said.