Multiple Client IDs per OIDC Issuer? #7251
Comments
|
I'll add that when you set up Google as an OIDC provider, they require you to generate a client id and secret pair per platform. We have, at the moment, an iOS and Android app, which means we need to configure at least two providers. Not sure if this question is the same as above. |
|
I would also like to see this added. Owncloud requires this for the same reason. One client ID for the web app, and the android, iOS and desktop sync clients all have their own client id/secret baked in. |
|
Same issue here, I followed this tutorial to add OIDC on my OCIS instance with Authentik : https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/
Thanks for the help |
|
Since OwnCloud follows OIDC spec, one cannot use a I was also unable to use a single issuer, like I MUST be doing something wrong here, because I cannot imagine hitting a hard limit with Authentik while trying to migrate the first of many applications away from KeyCloak. |
|
This is not currently possible, even with policies this cannot be done as the client_id check/lookup happens before any policy is run. The fact that when setting the issuer mode to be global, the discovery endpoints are not available is also on purpose, as authentik wouldn't know which provider to associate the request with (However this might be possible soon with #5440) |
|
I just ran into this myself, I used the 'use same issuer' which seemed like it was almost going to work..... except that when one specifies the If Authentik is following spec by not allowing two providers to have the same issuer, then alternatively perhaps we should file a bug with OCIS that there needs to be a way to configure multiple valid issuer's. |
|
Tbh.. i'm confused now 😅 Who is following the spec correctly now? OCIS or authentik? |
|
afaik the spec doesnt really specify anything about this, imo neither ocis nor authentik are "wrong" irregardless some of this should be easier to do with #10400 |
Both are doing the right thing AFAICT. Setting 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none' for oCIS does not reduce security. See owncloud/ocis#6479 (comment) for a longer explanation. |
Describe your question
Hello 👋 ,
is it possible to use different OIDC client ids that work on the same issuer?
I try to setup a software which consists of multiple different parts:
In my first run i've setup the server (and therefore also the web client). I've created an OIDC provider and an application in authentik. Everything works fine so far.
If I use the desktop client or the app then it doesn't work anymore. Both of these force specific client ids and secrets. Therefore I've created more OIDC providers and applications with the requested client id and secret because apparently there is no way to assign multiple provders to one application or multiple client ids to one issuer.
I can get through the login flow with these but then the server says that the provided JWTs are invalid because the issuer is invalid.
Have I missed anything or am I right and this kind of setup is just not possible with Authentik?
Relevant infos
Version and Deployment (please complete the following information):
The text was updated successfully, but these errors were encountered: