Description
Describe the bug
When using Opencloud with Authelia as OIDC provider, Opencloud sometimes has problems refreshing the token from Authelia.
I have already performed initial troubleshooting, which resulted in #587 (reply in thread), but I am still getting occasional logouts from the Opencloud WebUI, or during file uploads I get HTTP 401 from the OpenCloud WebUI; see #786 (reply in thread).
Today I came across issue fosrl/pangolin#762, which led me to mealie-recipes/mealie#5228, and made me wonder whether Opencloud has the same issue.
Expected behavior
Opencloud should renew OIDC token without breaking workflow of user
Actual behavior
- Navigation in the WebUI can sometimes result in "You have been logged out"
- Uploads sometimes return HTTP 401, asking for Basic Auth in the browser; Firefox ignores it, and Chromium shows a Basic Auth popup
Setup
Please describe how you started the server and provide a list of relevant environment variables or configuration files.
Authelia configuration

identity_providers:
  oidc:
    claims_policies:
      default:
        id_token: ['groups', 'email', 'email_verified', 'alt_emails', 'preferred_username', 'name']
    lifespans:
      access_token: '1 hour'
      authorize_code: '1 minute'
      id_token: '1 hour'
      refresh_token: '90 minutes'
    cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
      endpoints:
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
        - 'userinfo'
      ## List of allowed origins.
      ## Any origin with https is permitted unless this option is configured or the
      ## allowed_origins_from_client_redirect_uris option is enabled.
      allowed_origins:
        - 'https://opencloud.example.com'
      allowed_origins_from_client_redirect_uris: false
    clients:
      - client_id: opencloud-web
        client_name: OpenCloud
        public: true
        authorization_policy: two_factor
        consent_mode: auto
        pre_configured_consent_duration: 1w
        audience: []
        scopes:
          - openid
          - email
          - profile
          - groups
          - offline_access
        redirect_uris:
          - https://opencloud.example.com/
          - https://opencloud.example.com/oidc-callback.html
          - https://opencloud.example.com/oidc-silent-redirect.html
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        userinfo_signed_response_alg: none

Opencloud env variables

# Authelia - OIDC
OC_OIDC_ISSUER: https://authelia.example.com
WEB_OIDC_CLIENT_ID: opencloud-web
## Proxy
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none
PROXY_AUTOPROVISION_ACCOUNTS: true
PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
PROXY_USER_OIDC_CLAIM: "preferred_username"
PROXY_USER_CS3_CLAIM: "username"
## role assignment
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: 'groups'
WEB_OIDC_SCOPE: openid profile email groups
GRAPH_ASSIGN_DEFAULT_USER_ROLE: true
GRAPH_USERNAME_MATCH: none
OC_EXCLUDE_RUN_SERVICES: idp
PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml
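The Authelia lifespans, the client's permitted scopes and grant types, and the WEB_OIDC_SCOPE the web client requests are three settings that have to agree for token refresh to work. The check below is an added example (not OpenCloud or Authelia code) that parses Authelia's duration notation and cross-checks the values exactly as posted above; the constant names and the finding texts are this example's own. It encodes two facts about Authelia: a refresh token can only renew an access token if it outlives it, and Authelia issues a refresh token only when the offline_access scope is requested. Run against the posted values it reports one finding: WEB_OIDC_SCOPE does not include offline_access. Whether that is what produces the 401s in this report is not something the page establishes; the check only shows that the session has no refresh token to fall back on.

```python
"""Cross-check Authelia OIDC lifespans and client scopes against what the
OpenCloud web client requests. Added example built from the values posted in
the issue; it is not OpenCloud or Authelia code."""
import re
from datetime import timedelta

# Lifespans copied from the posted identity_providers.oidc.lifespans block.
AUTHELIA_LIFESPANS = {
    "access_token": "1 hour",
    "authorize_code": "1 minute",
    "id_token": "1 hour",
    "refresh_token": "90 minutes",
}

# Scopes and grant types the posted Authelia client entry (opencloud-web) permits.
CLIENT_SCOPES = ["openid", "email", "profile", "groups", "offline_access"]
CLIENT_GRANT_TYPES = ["refresh_token", "authorization_code"]

# Scopes the web client actually requests: WEB_OIDC_SCOPE from the posted env.
WEB_OIDC_SCOPE = "openid profile email groups"

# Authelia's duration notation: a number followed by a unit, optionally repeated ('1h30m').
# Month and year units are deliberately left out because their length varies.
_UNIT_SECONDS = {
    "s": 1, "second": 1, "seconds": 1,
    "m": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}


def parse_duration(text: str) -> timedelta:
    """Parse strings such as '1 hour', '90 minutes', '1w' or '1h30m' into a timedelta."""
    parts = re.findall(r"(\d+)\s*([A-Za-z]+)", text)
    # Reject input with leftovers the regex did not consume (e.g. '1 hour ago').
    if not parts or "".join(n + u for n, u in parts) != re.sub(r"\s+", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    seconds = 0
    for number, unit in parts:
        if unit not in _UNIT_SECONDS:
            raise ValueError(f"unsupported unit {unit!r} in {text!r}")
        seconds += int(number) * _UNIT_SECONDS[unit]
    return timedelta(seconds=seconds)


def check_refresh_setup(lifespans, client_scopes, client_grant_types, web_scope):
    """Return a list of findings; an empty list means the refresh setup is consistent."""
    findings = []
    access = parse_duration(lifespans["access_token"])
    refresh = parse_duration(lifespans["refresh_token"])
    # A refresh token that expires before the access token can never renew it.
    if refresh <= access:
        findings.append(
            f"refresh_token lifespan ({refresh}) is not longer than access_token lifespan ({access})"
        )
    if "refresh_token" not in client_grant_types:
        findings.append("client does not allow the refresh_token grant")
    requested = set(web_scope.split())
    # Authelia only issues a refresh token when offline_access is requested.
    if "offline_access" not in requested:
        findings.append("web client does not request offline_access, so no refresh token is issued")
    not_permitted = sorted(requested - set(client_scopes))
    if not_permitted:
        findings.append(f"web client requests scopes the Authelia client does not permit: {not_permitted}")
    return findings


if __name__ == "__main__":
    for line in check_refresh_setup(AUTHELIA_LIFESPANS, CLIENT_SCOPES, CLIENT_GRANT_TYPES, WEB_OIDC_SCOPE):
        print("finding:", line)
```

The same check with `WEB_OIDC_SCOPE` extended to include `offline_access` returns no findings for the posted lifespans, since 90 minutes outlives the 1 hour access token and the client already allows the refresh_token grant.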
My csp.yml

directives:
  child-src:
    - '''self'''
    - 'https://authelia.example.com/'
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/'
    - 'https://authelia.example.com/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
    - 'https://authelia.example.com/'
  frame-ancestors:
    - '''self'''
    - 'https://authelia.example.com/'
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net/'
    # Unlike bash and docker, the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    # This is needed for the external-sites web extension when embedding sites
    - 'https://docs.opencloud.eu'
    - 'https://authelia.example.com/'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    # Unlike bash and docker, the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    - 'https://authelia.example.com/'
  manifest-src:
    - '''self'''
    - 'https://authelia.example.com/'
  media-src:
    - '''self'''
    - 'https://authelia.example.com/'
  object-src:
    - '''self'''
    - 'blob:'
    - 'https://authelia.example.com/'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
    - 'https://authelia.example.com/'
  style-src:
    - '''self'''
    - '''unsafe-inline'''
    - 'https://authelia.example.com/'
Additional context
Traefik logs:
traefik-1 | {"ClientAddr":"172.18.0.1:34672","ClientHost":"172.18.0.1","ClientPort":"34672","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":401,"Duration":12609498,"OriginContentSize":0,"OriginDuration":12490991,"OriginStatus":401,"Overhead":118507,"RequestAddr":"opencloud.example.com","RequestContentSize":1042534,"RequestCount":4344,"RequestHost":"opencloud.example.com","RequestMethod":"POST","RequestPath":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"opencloud@docker","ServiceAddr":"172.18.0.7:9200","ServiceName":"opencloud@docker","ServiceURL":"http://172.18.0.7:9200","StartLocal":"2025-05-22T05:56:59.06516696Z","StartUTC":"2025-05-22T05:56:59.06516696Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_X-Request-Id":"bb987e93-a00a-4fd1-a79e-44e02861b7bb","entryPointName":"https","level":"info","msg":"","origin_X-Request-Id":"bb987e93-a00a-4fd1-a79e-44e02861b7bb","request_X-Request-Id":"bb987e93-a00a-4fd1-a79e-44e02861b7bb","time":"2025-05-22T05:56:59Z"}
traefik-1 | {"ClientAddr":"172.18.0.1:34672","ClientHost":"172.18.0.1","ClientPort":"34672","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":401,"Duration":299503133,"OriginContentSize":0,"OriginDuration":299352540,"OriginStatus":401,"Overhead":150593,"RequestAddr":"opencloud.example.com","RequestContentSize":1743035,"RequestCount":4374,"RequestHost":"opencloud.example.com","RequestMethod":"POST","RequestPath":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"opencloud@docker","ServiceAddr":"172.18.0.7:9200","ServiceName":"opencloud@docker","ServiceURL":"http://172.18.0.7:9200","StartLocal":"2025-05-22T05:57:10.025218145Z","StartUTC":"2025-05-22T05:57:10.025218145Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_X-Request-Id":"ab25d5d9-62ae-4430-ab9c-d7458409dc90","entryPointName":"https","level":"info","msg":"","origin_X-Request-Id":"ab25d5d9-62ae-4430-ab9c-d7458409dc90","request_X-Request-Id":"ab25d5d9-62ae-4430-ab9c-d7458409dc90","time":"2025-05-22T05:57:10Z"}
Opencloud logs:
opencloud-1 | {"level":"error","service":"proxy","error":"token is expired","authenticator":"oidc","path":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36","client.address":"172.18.0.1","network.peer.address":"","network.peer.port":"","time":"2025-05-22T05:56:59Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
opencloud-1 | {"level":"error","service":"proxy","error":"token is expired","authenticator":"oidc","path":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36","client.address":"172.18.0.1","network.peer.address":"","network.peer.port":"","time":"2025-05-22T05:57:10Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
No logs in Authelia
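The two logs above line up: each Traefik record with DownstreamStatus 401 also has OriginStatus 401 and a proxy record at the same second for the same path saying "token is expired", so the 401 is produced by the OpenCloud proxy's OIDC authenticator, not by Traefik. The script below is an added example (not OpenCloud or Traefik code) that automates that join for a longer capture: it parses docker-compose prefixed JSON lines from both logs and attaches the proxy's error to every edge 401. The sample lines are the ones from the issue, trimmed to the fields the join uses. Neither log carries the other's request id, so the (time, path) pair is the only join key available; it is second-granular and therefore coarse, which is fine for spotting a pattern but will fuse concurrent requests to the same path.

```python
"""Join Traefik access-log 401s with OpenCloud proxy authentication errors.
Added example; the sample lines are taken from the issue and trimmed to the
fields the join uses. Not part of OpenCloud or Traefik."""
import json
from collections import defaultdict

# Traefik access-log records from the issue (docker-compose prefix kept), trimmed.
TRAEFIK_LOG = """
traefik-1 | {"DownstreamStatus":401,"OriginStatus":401,"RequestMethod":"POST","RequestPath":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","RequestContentSize":1042534,"request_X-Request-Id":"bb987e93-a00a-4fd1-a79e-44e02861b7bb","time":"2025-05-22T05:56:59Z"}
traefik-1 | {"DownstreamStatus":401,"OriginStatus":401,"RequestMethod":"POST","RequestPath":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","RequestContentSize":1743035,"request_X-Request-Id":"ab25d5d9-62ae-4430-ab9c-d7458409dc90","time":"2025-05-22T05:57:10Z"}
"""

# The matching OpenCloud proxy records, trimmed the same way.
OPENCLOUD_LOG = """
opencloud-1 | {"level":"error","service":"proxy","error":"token is expired","authenticator":"oidc","path":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","time":"2025-05-22T05:56:59Z","message":"failed to authenticate the request"}
opencloud-1 | {"level":"error","service":"proxy","error":"token is expired","authenticator":"oidc","path":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","time":"2025-05-22T05:57:10Z","message":"failed to authenticate the request"}
"""


def parse_compose_json(text):
    """Return the JSON object from each 'container | {...}' line; skip anything else."""
    records = []
    for raw in text.splitlines():
        _, sep, body = raw.partition(" | ")  # drop the docker-compose container prefix
        body = (body if sep else raw).strip()
        if not body.startswith("{"):
            continue
        try:
            records.append(json.loads(body))
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line
    return records


def correlate_auth_failures(traefik_text, opencloud_text):
    """For every 401 in the Traefik log, attach the proxy errors logged for the
    same path in the same second (the only join key both logs share)."""
    proxy_errors = defaultdict(list)
    for rec in parse_compose_json(opencloud_text):
        if rec.get("service") == "proxy" and rec.get("message") == "failed to authenticate the request":
            proxy_errors[(rec["time"], rec["path"])].append(rec["error"])

    matches = []
    for rec in parse_compose_json(traefik_text):
        if rec.get("DownstreamStatus") != 401:
            continue
        matches.append({
            "request_id": rec.get("request_X-Request-Id"),
            "time": rec["time"],
            "method": rec["RequestMethod"],
            "path": rec["RequestPath"],
            "proxy_errors": proxy_errors.get((rec["time"], rec["RequestPath"]), []),
        })
    return matches


def summarize(matches):
    """Count how many edge 401s the proxy attributes to an expired token."""
    expired = sum(1 for m in matches if "token is expired" in m["proxy_errors"])
    return {"total_401": len(matches), "token_expired": expired, "unexplained": len(matches) - expired}


if __name__ == "__main__":
    found = correlate_auth_failures(TRAEFIK_LOG, OPENCLOUD_LOG)
    for m in found:
        print(m["time"], m["request_id"], m["method"], m["path"], m["proxy_errors"])
    print(summarize(found))
```

For a real capture, read each container's log into the two text arguments (`docker compose logs --no-color` keeps the `name | ` prefix the parser strips); any 401 left in the "unexplained" bucket had no matching proxy error in that second and deserves a separate look.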