[FR] Support for Google OpenID. #166

Open
PaulaFernandez opened this issue Jul 13, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

@PaulaFernandez

I am unable to set up Google auth via OpenID.

My configuration is:

'http.cookie.samesite' => 'None',
'openid-connect' =>
    array (
      'auto-provision' =>
        array (
          'enabled' => false,
        ),
      'provider-url' => 'https://accounts.google.com',
      'client-id' => 'secret-id',
      'client-secret' => 'secret',
      'loginButtonName' => 'Google',
      'mode' => 'email'
    ),

And the error I am getting originates in line 122 in SessionVerifier.php

if (!$client->verifyJWTsignature($accessToken)) {
    $this->logger->error('Token cannot be verified: ' . $accessToken);
    $this->logout();
    throw new OpenIDConnectClientException('Token cannot be verified.');
}

I believe the problem in my case is that Google accessToken is not a JWT and hence it cannot be decoded. It has no headers and verifyJWTsignature throws an error.

I saw in the documentation that if the access token is not a JWT token we could use:

use-token-introspection-endpoint - if set to true the token introspection endpoint is used to verify a given access token - only needed if the access token is not a JWT

token-introspection-endpoint-client-id & token-introspection-endpoint-client-secret - client id and secret to be used with the token introspection endpoint.

However, Google doesn't have an introspection endpoint.

I could "bypass" the error by changing line 122 in SessionVerifier.php, using $idToken instead of $accessToken. However, that probably isn't the right thing to do?

if (!$client->verifyJWTsignature($idToken)) {
    $this->logger->error('Token cannot be verified: ' . $idToken);
    $this->logout();
    throw new OpenIDConnectClientException('Token cannot be verified.');
}

And I still have a problem with Owncloud desktop app. I've followed the instructions in https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/#owncloud-desktop-and-mobile-clients to no avail.

I can see that service discovery is correctly set up but when I try to add the owncloud account to Owncloud Desktop, the browser opens immediately and shows the error:

Authorization Error
Error 401: invalid_client
The OAuth client was not found.

I'm running owncloud in Docker (version 10.7) and Owncloud Desktop version 2.8.1 (build 4157) for Mac.

Any help would be greatly appreciated.

Originally posted by @PaulaFernandez in #165 (comment)

@DeepDiver1975
Member

> I could "bypass" the error by changing line 122 in SessionVerifier.php, using $idToken instead of $accessToken. However, that probably isn't the right thing to do?

the owncloud server acts as relying party in the scenario where the clients are connecting to the server.
in this scenario no id token is available.

please note that google is not supported as idp at the moment.

this requires deeper analysis to see how this can be accomplished
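The decision this thread turns on, as an added example that is not the openidconnect app's own code: an access token can only go down the `verifyJWTsignature` path if it is structurally a JWT, and an opaque token with no introspection endpoint has to be rejected rather than replaced by the ID token. The helper names and the sample tokens are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Decode one base64url segment; null when the segment is not valid base64url.
function b64urlDecode(string $segment): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $segment)) {
        return null;
    }
    $padded = str_pad($segment, strlen($segment) + (4 - strlen($segment) % 4) % 4, '=');
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

// True only for a compact JWS: three segments and a JSON header that names an "alg".
function looksLikeJwt(string $token): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return false;
    }
    $header = b64urlDecode($parts[0]);
    $fields = $header === null ? null : json_decode($header, true);
    return is_array($fields) && is_string($fields['alg'] ?? null);
}

// Hypothetical helper: decide how a presented access token can be checked.
function chooseAccessTokenCheck(string $accessToken, bool $useIntrospection): string
{
    if ($useIntrospection) {
        return 'introspection';      // mirrors use-token-introspection-endpoint = true
    }
    if (looksLikeJwt($accessToken)) {
        return 'jwt-signature';      // the verifyJWTsignature() path
    }
    return 'reject';                 // opaque token, no introspection: fail closed
}

// Constructed sample tokens (not real credentials).
$enc = fn (string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$samples = [
    'jwt'         => $enc('{"alg":"RS256","typ":"JWT"}') . '.' . $enc('{"sub":"alice"}') . '.' . $enc('sig'),
    'opaque'      => 'constructed-opaque-access-token',
    'opaque-dots' => 'aaaa.bbbb.cccc',   // three segments, but the header is not JSON
];
foreach ($samples as $name => $token) {
    // Log a short fingerprint rather than the bearer token itself.
    $fp = substr(hash('sha256', $token), 0, 12);
    printf("%-12s sha256:%s -> %s\n", $name, $fp, chooseAccessTokenCheck($token, false));
}
```

A structural match only selects the verification path; the signature, issuer and audience checks still have to pass before the token is trusted.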

@PaulaFernandez
Author

Thanks for your reply, knowing that Google is not supported, I'll stop struggling and settle for standard user/password login.

@NopeNix

NopeNix commented Apr 21, 2022

luckily i just found this here, i've been trying for two hours, will also stop now.

Suggestion: maybe it is worth mentioning somewhere in the readme that google oidc is not compatible right now, i think that many others are also just trying to get azure or google oidc to work so they could save their time?

@DeepDiver1975
Member

> Suggestion: maybe it is worth mentioning somewhere in the readme that google oidc is not compatible right now, i think that many others are also just trying to get azure or google oidc to work so they could save their time?

all in the docs: https://doc.owncloud.com/server/10.8/admin_manual/configuration/user/oidc/oidc.html#supported-identity-providers

@DeepDiver1975 DeepDiver1975 changed the title Support for Google OpenID. [FR] Support for Google OpenID. Oct 4, 2022
@DeepDiver1975 DeepDiver1975 added the enhancement New feature or request label Oct 4, 2022