
Mobile + Desktop Authorization Failed, Authentik IDP #830

Open
anultravioletaurora opened this issue Dec 7, 2024 · 3 comments
Labels
Interaction:Needs-help Asking some hints to engineering when the issue can't be reproduced

Comments

@anultravioletaurora commented Dec 7, 2024

I successfully deployed OCIS with the Helm chart, and followed Helge Klein's blog post for setting it up with my Authentik instance.

I'm running into some intermittent issues with the iOS apps, where I run into this "Error 6" message when I try to sign in, or when I try to upload a file (after I've successfully signed in). I've been able to force quit the app and relaunch, or disconnect and reconnect within the app and that fixes it, but I'm wondering what the root cause of the issue is?


I also get this error (screenshot) when trying to sign in on the Linux desktop sync client, which I'm not sure is related.

My external user management related config is as follows:

      externalUserManagement:
        enabled: true
        oidc:
          accessTokenVerifyMethod: "none" # When I set this to jwt I can't login on the mobile apps at all
          skipUserInfo: "false"
          issuerURI: "https://authentik.company/application/o/owncloud/"
          webClientID: "web_provider_client_Id"
          userIDClaim: "preferred_username"
          userIDClaimAttributeMapping: "username"
          roleAssignment:
            enabled: true
            claim: groups
            mapping:
              - role_name: admin
                claim_value: "Admin"
              - role_name: user
                claim_value: "Cloud Users"
        ldap:
          writeable: false
          uri: ldap://ak-outpost-ldap.service
          certTrusted: true
          insecure: true
          bindDN: "cn=ldap_binding,ou=users,dc=ldap,dc=authentik,dc=company"
          useServerUUID: true
          user:
            schema:
              id: uid
              userName: cn
            baseDN: dc=ldap,dc=authentik,dc=company
            objectClass: user
          group:
            baseDN: ou=groups,dc=ldap,dc=authentik,dc=company
    services:
      web:
        config:
          oidc:
            tokenStorageLocal:
              enabled: false # I had tried this thinking it would fix the iOS clients but no luck
            webClientID: "web_provider_client_Id"

@anultravioletaurora (Author)

I also appear to be getting 401s when I try to download files in the web UI, if that's related.

@anultravioletaurora changed the title from "Mobile + Desktop Authorization Failed" to "Mobile + Desktop Authorization Failed, Authentik IDP" on Dec 7, 2024
@anultravioletaurora (Author)

I managed to fix the desktop application not getting a refresh token by adding the offline_access scope in my Authentik Provider, then configuring the web application to request it by setting:

      web:
        config:
          oidc:
            webClientScope: "openid profile email offline_access"

This seems to have fixed my client apps as well? I am still experiencing 401s when I try to download files; using a public link to download works, however.

@wkloucek (Contributor) commented Dec 9, 2024

> I managed to fix the desktop application not getting a refresh token by adding the offline_access scope in my Authentik Provider, then configuring the web application to request it by setting:
>
>       web:
>         config:
>           oidc:
>             webClientScope: "openid profile email offline_access"
>
> This seems to have fixed my client apps as well? I am still experiencing 401s when I try to download files; using a public link to download works, however.

There must be something else going on.

.services.web.config.oidc.webClientScope is only used by the ownCloud Web (browser) client.

> I managed to fix the desktop application not getting a refresh token by adding the offline_access scope in my Authentik Provider

Did you maybe add it to the default scopes? In the comments of https://helgeklein.com/blog/owncloud-infinite-scale-with-openid-connect-authentication-for-home-networks/#authentik-configure-openid-connect-idp, somebody wrote that he needed to do that and it fixed it (but it didn't fix it for another user!???). https://docs.goauthentik.io/docs/releases/2024.2#manual-action-may-be-required gives the reasoning why you need it.

> I'm running into some intermittent issues with the iOS apps, where I run into this "Error 6" message when I try to sign in, or when I try to upload a file (after I've successfully signed in). I've been able to force quit the app and relaunch, or disconnect and reconnect within the app and that fixes it, but I'm wondering what the root cause of the issue is?

This topic could be better handled in https://github.com/owncloud/ios-app/issues

> I also appear to be getting 401s when I try to download files in the web UI, if that's related?

Please have a look at the browser dev tools console / network tab. You might see failing token refreshes, though your settings in .services.web.config.oidc.webClientScope should make it possible.

Right now, I don't see an issue with the oCIS chart itself.
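Two checks worth running before changing chart values, as an added example that is not from this issue or the oCIS project: one inspects an IdP's OIDC discovery document together with the scope string a client requests for the offline_access / refresh-token prerequisites discussed above, the other tells a JWT access token (the only kind `accessTokenVerifyMethod: jwt` can verify locally) from an opaque one. The discovery document and the tokens are constructed samples, and the function names are my own.

```python
import base64
import json

# Constructed sample of what https://<issuer>/.well-known/openid-configuration
# returns; the scope and grant lists are made up for this example, not copied
# from any real Authentik instance.
SAMPLE_DISCOVERY = {
    "issuer": "https://authentik.company/application/o/owncloud/",
    "scopes_supported": ["openid", "profile", "email"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}

# Constructed tokens: a JWT with header {"alg":"RS256","typ":"JWT"} and an
# empty payload (signature is a dummy), and an opaque random-looking string.
SAMPLE_JWT = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.sig"
SAMPLE_OPAQUE = "abc123opaque"


def missing_refresh_prereqs(discovery: dict, requested_scopes: str) -> list:
    """Return findings that explain why a client may never receive a refresh
    token: the IdP must advertise offline_access and the refresh_token grant,
    and the client must actually ask for offline_access."""
    findings = []
    supported = set(discovery.get("scopes_supported", []))
    requested = set(requested_scopes.split())
    if "offline_access" not in supported:
        findings.append("IdP does not advertise offline_access in scopes_supported")
    if "refresh_token" not in discovery.get("grant_types_supported", []):
        findings.append("IdP does not advertise the refresh_token grant")
    if "offline_access" not in requested:
        findings.append("client does not request offline_access")
    return findings


def token_format(token: str) -> str:
    """Classify an access token as 'jwt' (three base64url segments whose first
    segment is a JSON header with an alg) or 'opaque'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        pad = "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(parts[0] + pad))
    except (ValueError, UnicodeDecodeError):
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"
```

Run `missing_refresh_prereqs` against the live discovery document of your issuer and the `webClientScope` string to see which side still lacks offline_access; an opaque result from `token_format` means local JWT verification cannot work for that client's tokens.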

@wkloucek wkloucek added the Interaction:Needs-help Asking some hints to engineering when the issue can't be reproduced label Dec 9, 2024