
Getting oidc to work with bigbluebutton (greenlight) #509

Closed
himpierre opened this issue Dec 25, 2024 · 11 comments

Comments

@himpierre

Hello!

First of all, thanks for your work!
I'm trying to get this running with bigbluebutton greenlight. So far to no avail. Here are the settings I'm able to configure:

### EXTERNAL AUTHENTICATION METHODS
# More information: https://docs.bigbluebutton.org/greenlight/v3/install/#openid-connect-setup
#OPENID_CONNECT_CLIENT_ID=
#OPENID_CONNECT_CLIENT_SECRET=
#OPENID_CONNECT_ISSUER=
#OPENID_CONNECT_REDIRECT=
#OPENID_CONNECT_UID_FIELD=sub

So I set up oidc in nextcloud, copied everything to greenlight .env just to see the message:

D, [2024-12-25T22:22:25.517015 #1] DEBUG -- omniauth: (openid_connect) Request phase initiated.
E, [2024-12-25T22:22:25.677586 #1] ERROR -- omniauth: (openid_connect) Authentication failure! Not Found: OpenIDConnect::Discovery::DiscoveryFailed, Not Found

Using curl to get https://my.domain/index.php/.well-known/openid-configuration works completely fine.

Anyone got that working?

cheers!

@H2CK
Owner

H2CK commented Dec 27, 2024

There is a general problem with the service discovery of Nextcloud. See also https://docs.nextcloud.com/server/29/admin_manual/issues/general_troubleshooting.html#service-discovery
Based on this description you must configure a redirect in your web server which should redirect from https://domainname.tld/.well-known/... to .../index.php/.well-known/....
This also applies to the openid-configuration endpoint (https://domainname.tld/.well-known/openid-configuration). BUT: If you configure a 301 based redirect (as described in the Nextcloud documentation) some OIDC clients deny accessing the endpoint since redirects are not allowed in the OIDC specification.

There are two options to overcome this problem:

  1. Configure the client manually to not use the discovery endpoint. This might not be possible with the BigBlueButton Greenlight implementation (therefore no solution for you).
  2. Set up a reverse proxy in front of your Nextcloud installation to allow a direct proxying to the openid-configuration endpoint without a 301 redirect. (In a production environment I would anyhow expect that there is a reverse proxy for security reasons.)
    How this reverse proxy is implemented depends on your selected solution. If you are using NGINX a configuration like the following might do the job.
location /.well-known/openid-configuration {
  proxy_pass http://<hostname_of_nextcloud_server>:<port>/index.php/.well-known/openid-configuration;
  proxy_set_header Host $host;
}

@himpierre
Author

himpierre commented Dec 27, 2024

Thanks for your efforts! But even with a proxy_pass setting the error remains. Here is the curl output. Does it look like it should work in general?

root@call:~# curl -i https://mydomain.de/.well-known/openid-configuration
HTTP/2 200 
date: Fri, 27 Dec 2024 13:50:33 GMT
server: Apache/2.4.58 (Ubuntu)
x-request-id: xSTeFBHYVfWyXNwimTzC
cache-control: no-cache, no-store, must-revalidate
content-security-policy: default-src 'none';base-uri 'none';manifest-src 'self';frame-ancestors 'none'
feature-policy: autoplay 'none';camera 'none';fullscreen 'none';geolocation 'none';microphone 'none';payment 'none'
x-robots-tag: noindex, nofollow
access-control-allow-origin: *
access-control-allow-methods: GET
referrer-policy: no-referrer
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-permitted-cross-domain-policies: none
x-xss-protection: 1; mode=block
content-length: 1136
strict-transport-security: max-age=63072000; includeSubdomains; preload
content-type: application/json; charset=utf-8
set-cookie: oc_sessionPassphrase=Y%2FOfR1bqRzgnrWSJxQP%2F5csHQX6VedpK7ucSGsXuZr%2F4bTu6Q8rprfpNf6VIuRgqJn14FJbieAHu8xpKktv%2Bhw4IOVIAcmLITg2nodor2FJPq7mCh8nN9%2BmNFLqaifPA; path=/; secure; HttpOnly; SameSite=Lax
set-cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
set-cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
set-cookie: 505b4a36ee5e3=1up26anbeat86kf2dkf44kh2l2; path=/; secure; HttpOnly; SameSite=Lax
via: 2.0 mydomain.de

{"issuer":"https:\/\/mydomain.de","authorization_endpoint":"https:\/\/mydomain.de\/apps\/oidc\/authorize","token_endpoint":"https:\/\/mydomain.de\/apps\/oidc\/token","userinfo_endpoint":"https:\/\/mydomain.de\/apps\/oidc\/userinfo","jwks_uri":"https:\/\/mydomain.de\/apps\/oidc\/jwks","scopes_supported":["openid","profile","email","roles","groups"],"response_types_supported":["code","code id_token","id_token"],"response_modes_supported":["query"],"grant_types_supported":["authorization_code","implicit"],"acr_values_supported":["0"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256","HS256"],"userinfo_signing_alg_values_supported":["none"],"token_endpoint_auth_methods_supported":["client_secret_post","client_secret_basic"],"display_values_supported":["page"],"claim_types_supported":["normal"],"claims_supported":["iss","sub","aud","exp","auth_time","iat","acr","azp","preferred_username","scope","nbf","jti","roles","name","updated_at","website","email","email_verified","phone_number","address","picture"],"end_session_endpoint":"https:\/\/mydomain.de\/apps\/oidc\/logout"}

I'm out of luck for now I guess. Thanks again!

@H2CK
Owner

H2CK commented Dec 27, 2024

The output of the curl command looks good and at least the discovery endpoint can be accessed without a 301 redirect.

Is there any error from BigBlueButton Greenlight which could give an indication why it does not work? Or is it still the error from above, "Not found"? Based on your curl output all necessary information should be provided at https:///.well-known/openid-configuration
Can you find some details which url bigbluebutton is trying to request for the openid-configuration?

@himpierre
Author

Yeah, it's still the error from my first message.
Greenlight tries:
OPENID_CONNECT_ISSUER=https://mydomain.de/.well-known/openid-configuration

For reference. This is the greenlight issue which got no attention at all. bigbluebutton/greenlight#5903

cheers!

@H2CK
Owner

H2CK commented Dec 28, 2024

Just to be sure: You configured the issuer only as OPENID_CONNECT_ISSUER=https://mydomain.de (without /.well-known/openid-configuration)? The .well-known/openid-configuration part should never be contained in the issuer configuration.

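The two failure modes discussed so far (a 301 on the discovery endpoint, and an issuer value that already carries the well-known path) can be checked before touching Greenlight at all. The following is an added example, not code from the oidc app, Nextcloud or Greenlight; it assumes the discovery response is fetched separately with redirects disabled and passed in as status code plus body, and the sample document is an abridged copy of the curl output posted above.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

# Sample discovery document: abridged body of the curl output in this thread,
# embedded so the checks run offline (raw string keeps the \/ escapes intact).
SAMPLE_DOC = r'{"issuer":"https:\/\/mydomain.de","authorization_endpoint":"https:\/\/mydomain.de\/apps\/oidc\/authorize","token_endpoint":"https:\/\/mydomain.de\/apps\/oidc\/token","userinfo_endpoint":"https:\/\/mydomain.de\/apps\/oidc\/userinfo","jwks_uri":"https:\/\/mydomain.de\/apps\/oidc\/jwks","response_types_supported":["code","code id_token","id_token"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256","HS256"]}'


def discovery_url(issuer: str) -> str:
    """Derive the discovery URL as OIDC Discovery section 4.1 prescribes:
    strip a trailing slash, then append the well-known path. Rejects an
    issuer that already ends in the well-known path (the mistake in this thread)."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("issuer must be an https URL with a host")
    if parts.query or parts.fragment:
        raise ValueError("issuer must not contain a query or fragment")
    if parts.path.rstrip("/").endswith(WELL_KNOWN):
        raise ValueError("issuer must not include " + WELL_KNOWN)
    return issuer.rstrip("/") + WELL_KNOWN


def check_discovery(issuer: str, status: int, body: str) -> list:
    """Return findings for a response fetched from discovery_url(issuer) with
    redirects disabled; an empty list means a strict client would accept it."""
    if 300 <= status < 400:
        return [f"HTTP {status}: a redirect on the discovery endpoint is rejected by strict clients"]
    if status != 200:
        return [f"HTTP {status}: discovery endpoint not reachable"]
    findings = []
    doc = json.loads(body)
    for key in REQUIRED:
        if key not in doc:
            findings.append(f"missing required metadata field: {key}")
    # The issuer in the document must be identical to the configured issuer;
    # even a trailing-slash difference counts as a mismatch.
    if doc.get("issuer") != issuer:
        findings.append(f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}")
    for key, value in doc.items():
        if (key.endswith("_endpoint") or key == "jwks_uri") and not value.startswith("https://"):
            findings.append(f"{key} is not https: {value}")
    return findings


if __name__ == "__main__":
    print(discovery_url("https://mydomain.de"))
    print(check_discovery("https://mydomain.de", 200, SAMPLE_DOC))
```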
@himpierre
Author

himpierre commented Dec 28, 2024 via email

@H2CK
Owner

H2CK commented Dec 28, 2024

What have you configured at OPENID_CONNECT_REDIRECT in Greenlight? It should be the same as configured in the Nextcloud client configuration for the redirect URL. Otherwise it will not be accepted by the OIDC app.

@himpierre
Author

himpierre commented Dec 28, 2024

I triple checked the redirect URL on both ends. It's exactly the same: https://mydomain.de without trailing slash or something. Nextcloud debug log says:

{"reqId":"4HELp1IGlhqnatCDFUNa","level":1,"time":"2024-12-28T14:07:48+00:00","remoteAddr":"92.206.191.187","user":"myname","app":"oidc","method":"GET","url":"/apps/oidc/authorize?client_id=19K0Ontc0XXBnENmK336s3j9plmb7SwEoTBtgiE9WaCyotL7zeY44MF37C1di67M&nonce=5ab64d8f27669997e2ffd354d37533b7&redirect_uri=https%3A%2F%2Fmydomain.de%2Fauth%2Fopenid_connect%2Fcallback&response_type=code&scope=openid%20email%20profile&state=1eb9c5a1fc8e4afb28faf28d9a69c96b","message":"Redirect URI https://mydomain.de/auth/openid_connect/callback is not accepted for client 19K0Ontc0XXBnENmK336s3j9plmb7SwEoTBtgiE9WaCyotL7zeY44MF37C1di67M.","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","version":"30.0.4.1","data":{"app":"oidc"}}

I added https://mydomain.de/auth/openid_connect/callback to the nextcloud config but now greenlight is unhappy. I'm not giving up on this. :)

@himpierre
Author

himpierre commented Dec 28, 2024

Current state. Redirect to Nextcloud works. Redirect after login in Nextcloud works. Greenlight error after redirect:
your invitation token is either invalid or incorrect. please contact your adminstrator to recieve a new token

@H2CK
Owner

H2CK commented Dec 28, 2024

🤔 I have never seen such an error message from any other client. What is an invitation token? That's nothing from the OpenID Connect specification. An invitation token does not exist in the OIDC authentication. Is this just a token to a BigBlueButton meeting session (and after the successful login the meeting session token is not valid)?

@himpierre
Author

Let's say the openid implementation of greenlight is broken for now. :) Have a nice weekend and thanks again.
