Native Clients JWS signing key is not known to kanidm #1713

@ByteSquire

Description

Describe the bug

When logging in to my Kanidm OIDC, the browser window says success but the app says invalid credentials.
In the Kanidm logs I just see this error message:
[error]: JWS is signed by a key that is not present in this KeyObject
[error]: Unable to verify access token | err: KP0022KeyObjectJwsNotAssociated

And in the opencloud logs I see:
ERR failed to authenticate the request error="failed to verify access token: token is unverifiable: error while executing keyfunc: the given key ID was not found in the JWKS" authenticator=oidc client.address=10.89.0.9 line=github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198 network.peer.address= network.peer.port= path=/remote.php/dav/files// service=proxy user_agent="Mozilla/5.0 (Android) OpenCloud-android/1.0.0"

ERR failed to authenticate the request error="failed to verify access token: token is unverifiable: error while executing keyfunc: the given key ID was not found in the JWKS" authenticator=oidc client.address=10.89.0.9 line=github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198 network.peer.address= network.peer.port= path=/ocs/v2.php/cloud/user service=proxy user_agent="Mozilla/5.0 (Linux) mirall/3.0.0.1741 (OpenCloud Beta, fedora-6.16.11-200.fc42.x86_64 ClientArchitecture: x86_64 OsArchitecture: x86_64)"

Steps to reproduce

  1. Deploy OpenCloud with an external IdP.
  2. Add a client to Kanidm, and create a custom claim map with aud=OpenCloudDesktop/-Android...
  3. Try to log in using one of the native apps (I have tried the Linux desktop and Android apps).

Expected behavior

The client logs in successfully

Actual behavior

The browser window for the OIDC login says success, but the app says "Invalid credentials" and Kanidm logs an invalid signing key.

Setup

Please describe how you started the server and provide a list of relevant environment variables or configuration files.
I have provided the URL for the web client as the OIDC issuer; maybe that is an issue too? Not sure if that is used by native clients.

Details

OC_OIDC_ISSUER=https://idm.***.dedyn.io/oauth2/openid/opencloud_web
IDP_DOMAIN=idm.***.dedyn.io

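The two log lines above describe the same failure from both sides: the proxy's `keyfunc` looks up the token's `kid` header in the JWKS it fetched for the configured issuer, and Kanidm reports that the JWS was signed by a key not in that key set. The script below is an added diagnostic example, not code from OpenCloud or Kanidm. It decodes the token's header and payload without verifying the signature, checks whether the `kid` exists in the JWKS of the configured issuer, lists which other issuers' key sets do hold it, and compares the token's `iss` claim with the configured issuer. The issuer URLs, key IDs and JWKS contents are constructed placeholders; the real token is never printed or sent anywhere, and the check is a troubleshooting aid, not a replacement for signature verification.

```python
import base64
import json
from typing import Optional, Tuple

# Constructed sample data for illustration only; none of these values come from the issue.
WEB_ISSUER = "https://idm.example.invalid/oauth2/openid/opencloud_web"
ANDROID_ISSUER = "https://idm.example.invalid/oauth2/openid/opencloud_android"

# One JWKS document (RFC 7517 layout) per issuer. The x/y coordinates are placeholders,
# not real P-256 points, because this example never verifies a signature.
JWKS_BY_ISSUER = {
    WEB_ISSUER: {"keys": [
        {"kty": "EC", "crv": "P-256", "kid": "web-key-01", "use": "sig",
         "alg": "ES256", "x": "AAAA", "y": "AAAA"},
    ]},
    ANDROID_ISSUER: {"keys": [
        {"kty": "EC", "crv": "P-256", "kid": "native-key-01", "use": "sig",
         "alg": "ES256", "x": "BBBB", "y": "BBBB"},
    ]},
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWS segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(header: dict, payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test input)."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 64),
    ])


# A token as a native client would present it: signed under the Android client's key.
SAMPLE_TOKEN = make_sample_token(
    {"alg": "ES256", "typ": "JWT", "kid": "native-key-01"},
    {"iss": ANDROID_ISSUER, "aud": "OpenCloudAndroid", "sub": "alice"},
)


def jwt_parts(token: str) -> Tuple[dict, dict]:
    """Return (header, payload) of a compact JWS. Does NOT verify the signature."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(segments[0])), json.loads(b64url_decode(segments[1]))


def find_key(kid: Optional[str], jwks: dict) -> Optional[dict]:
    """The lookup a keyfunc performs: the first JWK whose kid matches."""
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)


def diagnose(token: str, configured_issuer: str, jwks_by_issuer: dict) -> dict:
    """Explain why a kid lookup against the configured issuer's JWKS fails."""
    header, payload = jwt_parts(token)
    kid = header.get("kid")
    return {
        "kid": kid,
        "alg": header.get("alg"),
        "token_iss": payload.get("iss"),
        "iss_matches_configured": payload.get("iss") == configured_issuer,
        "kid_in_configured_jwks": find_key(kid, jwks_by_issuer.get(configured_issuer, {})) is not None,
        "issuers_holding_kid": [iss for iss, jwks in jwks_by_issuer.items() if find_key(kid, jwks)],
    }


if __name__ == "__main__":
    # Reproduces the reported setup: the proxy trusts the web client's issuer only.
    result = diagnose(SAMPLE_TOKEN, WEB_ISSUER, JWKS_BY_ISSUER)
    for name, value in result.items():
        print(f"{name}: {value}")
```

Run against a real deployment, the same logic would take the `kid` from the access token the app presents and the JWKS fetched from the discovery document of `OC_OIDC_ISSUER`; a `kid_in_configured_jwks: False` together with a non-empty `issuers_holding_kid` points at a key set served under a different issuer URL, which is what the report's single-client `OC_OIDC_ISSUER` would produce if each client has its own issuer and signing key.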
