-
Notifications
You must be signed in to change notification settings - Fork 669
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCHTTPStatusErrorDomain because new generic KeyCloak Client is being created for each login from Desktop/iOS/Android #11940
Comments
Have you tried to disable dynamic registration and to register the client id and secret hard-coded into the client, with keycloak? |
We have the same problem and it doesn't matter if a client with ID and secret is setup correctly, a new client is always being created for each login. |
Your idp well-known has a |
Please disable dynamic client registration on your keycloak if you want to use the public client id and secret. Do you know how to do it? |
Some background https://www.keycloak.org/securing-apps/client-registration |
AFAICT dynamic client registration should create a new client on the first authentication. That works as designed. The client should not register a new client until the refresh token expires and the IDP forces the user to reauthenticate. If that was the case I'd see it as a bug. Otherwise ... see if we misunderstood https://openid.net/specs/openid-connect-registration-1_0.html |
It could be a bug but I'd like to try if the method with disabling dynamic client registration works, do you remember how you did it @micbar? I've looked under "Client registration" under "Client" or "Client policies" under "Realm Settings" but no settings seems obvious but it could just be non-intuitive like you said :) |
I think I achieved my goal by blocking the redirect url of the client in „client policies“. |
Do you know if Keycloak still tries to access url even though it's blocked? Why I'm asking is because we have limited the number of Clients that are allowed to be created in Keycloak as a temporary solution for this issue but Keycloak still sends our WAF a 403 error every 4-5 minutes for each client and user resulting in IP blocks and filling logs with false positives which is not a good solution. |
We’d like to try the proposed solution disabling dynamic client registration. Looking over docs it’s definitely not straight forward as also mentioned above. Any guidance on how to approach this would be greatly appreciated. |
This issue was marked stale because it has been open for 30 days with no activity. Remove the stale label or comment or this will be closed in 7 days. |
Ping |
Still searching for a solution. |
We stumbled upon https://github.com/cevheri/keycloak-custom-event-listener as a potential (and still somewhat hacky) workaround for this. Really we just need a way to get back the old ownCloud Desktop and ownCloud Mobile behaviors that didn't spawn a new Client every time someone attempts to authenticate. We're dead in the water on being able to use any of the ownCloud clients until we figure out a way to stop this new behavior. |
I do it like #11940 (comment) |
Thanks @micbar. Can you share details on how you did this? We have a saml-avoid-redirect executor type but it seems to have no effect on the flow and there's no obvious way for us to assign it to particular clients. |
Can you please tell where in KC this is done? I searched when you first suggested it but could't find how to implement it. |
@micbar can you advise on the details of your solution to this? |
Solution for Keycloak 25
EffectThis prevents clients from registering them with their random client ID and forces them to use the preconfigured clients from https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_keycloak/config/keycloak/clients |
Works! Seriously amazing, @micbar - thanks for breaking this down! |
@micbar @walt-jones How does your KC log look like? Every 5 minutes Keycloak logs these errors not being able to register client, it's the same as blocking number of clients allowed:
Resulting in our WAF blocking our IPs
|
@micbar What I'm trying to say is that we already had the same temporary solution by blocking number allowed clients but it gives other problems and is not a solution of this problem. Why is owncloud clients not using the correct clients by default? Will this be fixed in a future update? |
@Schmagz The reasoning behind that is, many people do not want to use the public client id and secret. So client registration is considered more secure. This is the reason why the clients try that first and then fall back to the public clients. I must admit that the error log is ugly but to be honest, keycloak should solve this better. When the server announces a registration feature, the clients will use it. Blocked by policy is IMHO not an error log, because that is expected to happen during normal operations. |
Thank you for that detail answer. I don't mind the big log file the problem is that our WAF easily block our IPs but I will look into how that can be solved instead. |
Pre-submission Checks
Describe the bug
We're currently blocked by an issue where every time ownCloud Desktop/iOS/Android attempts to authenticate with KeyCloak a new generic Client is created without any of the settings we've put into the one that Desktop/iOS/Android are supposed to be using. This results in access being blocked and a OCHTTPStatusErrorDomain error in ownCloud Desktop/iOS/Android.
Additional detail: We have a custom token mapper on our clients that’s required for proper assignment of roles in oCIS. Works great in ocis-web and we have this on the clients for ownCloud Desktop and ownCloud iOS/Android… but when someone goes through auth for these clients they always get a new Client spawned in KeyCloak that has none of our configurations. It’s already super messy having thousands of extra Clients being automatically generated, but not having them inherit our setup from the base Clients means they’re unusable.
We found a rather painful workaround where if you know the ID of the automatically spawned Client you can quickly jump in as a KeyCloak admin, manually add the right configs and then quickly go through auth again. Not viable in production, of course, but it proves the issue is with these autogen’d Clients.
See https://central.owncloud.org/t/a-new-client-is-being-created-for-each-login-with-keycloak/50789 for more detail and history on this.
Expected behavior
There should be only one Client in KeyCloak for ownCloud Desktop, iOS and Android that we have control over to configure as needed. There should not be a OCHTTPStatusErrorDomain error when connecting.
Steps to reproduce the issue
No response
Screenshots
Logs
No response
Client version number
ownCloud Desktop 5.3.1.14018
ownCloud iOS 12.3.1
ownCloud Android 4.4.0
Desktop environment (Linux only)
No response
Client package version and origin (Linux only)
No response
Installation path (Windows only)
No response
Server information
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: