Desktop and Mobile App Authentication Issues with OpenCloud and Authelia Integration

[Falex163]

Environment:
OpenCloud: Latest rolling release
Authelia: Latest version
Operating Systems: Windows 11 (Desktop app), iOS 18.5 (Mobile app)
Reverse Proxy: Traefik v3.3.1
Deployment: Docker Compose on Raspberry Pi 5

Issue Description:
I've successfully configured Authelia as the external identity provider for OpenCloud. The web interface authentication works perfectly through Authelia with 2FA enabled. However, I'm experiencing persistent issues with both the desktop and iOS clients:

Desktop Client:
After browser authentication through Authelia (which completes successfully), the app displays "Failed to retrieve user information from server". The browser login works but doesn't redirect back to the desktop app properly.
iOS Client: Similar issue, but with an "invalid_client" error message. Log shows: "Client with id 'OpenCloudIOS' did not match 'redirect_uri' value 'oc://ios.opencloud.eu'"

Current Configuration and Attempted Solutions:
I've configured Authelia with client IDs for all app types:
yaml# Authelia OIDC configuration includes:
clients:

• id: desktop
  public: true
  authorization_policy: two_factor
  consent_mode: explicit
  scopes: [openid, groups, profile, email, offline_access]
  redirect_uris:
  • http://127.0.0.1
  • http://localhost
  • opencloud://
  • oc://
  • desktop://oidc-callback

OpenCloud configuration:
yaml# OpenCloud OIDC settings:
PROXY_ENABLE_OIDC: "true"
OC_OIDC_ISSUER: "https://auth.example.org"
DESKTOP_OIDC_CLIENT_ID: "desktop"
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: "none"
PROXY_OIDC_SKIP_VERIFICATION: "true"
PROXY_USER_OIDC_CLAIM: "preferred_username"
When examining the logs, I found:
ERR Error mapping role names to role ids error="no roles in user claims"
DBG GetUserByClaim error="error: not found: (&(objectclass=inetOrgPerson)(uid=preferred_username:Example)(!(openclouduserenabled=FALSE)))"

What I've Tried:
Added multiple protocol handlers and redirect URIs to Authelia clients
Set PROXY_USER_OIDC_VALUE_PREFIX: ""
Enabled PROXY_OIDC_FAKE_USERINFO: "true"
Configured various bypass rules in the proxy.yaml
Added explicit OIDC endpoints in OpenCloud config
Switched authorization_policy to one_factor for testing
Changed consent_mode to auto
Extended WebDAV bypass rules in Authelia

Questions:
Is there a known issue with the desktop/iOS client OIDC redirect flow?
How should claims like 'preferred_username' be correctly mapped to avoid the "preferred_username:Example" format?
Is there a recommended configuration for this specific setup (Authelia + OpenCloud + Desktop/Mobile clients)?
Are there specific protocol handlers or redirect URIs that must be configured exactly for the app callbacks to work?
Should I consider using app-specific passwords instead? If so, how do I configure this with Authelia?

[micbar]

@kulmann you have it running. Can you share your config (again 😀)

[kulmann]

Sure, hope it helps.

• In my OpenCloud compose I needed PROXY_OIDC_REWRITE_WELLKNOWN: "true".
• These are my authelia clients for OpenCloud:

    clients:
      - id: web
        description: OpenCloud
        public: true
        authorization_policy: one_factor
        consent_mode: explicit
        pre_configured_consent_duration: 1w
        audience: []
        scopes:
          - openid
          - email
          - profile
          - groups
        redirect_uris:
          - https://family.my.secret.tld/
          - https://family.my.secret.tld/oidc-callback.html
          - https://family.my.secret.tld/oidc-silent-redirect.html
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        userinfo_signing_algorithm: none
      - id: OpenCloudDesktop
        description: OpenCloud Desktop Client
        public: true
        authorization_policy: one_factor
        consent_mode: explicit
        pre_configured_consent_duration: 1w
        audience: []
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - http://127.0.0.1
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
        userinfo_signing_algorithm: none
      - id: OpenCloudIOS
        description: OpenCloud iOS Client
        public: true
        authorization_policy: one_factor
        consent_mode: explicit
        pre_configured_consent_duration: 1w
        audience: []
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        redirect_uris:
          - oc://ios.opencloud.eu
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
        userinfo_signing_algorithm: none

[michaelalbertshofer]

This Config is working for the WebClient but doesn't solve the login-errors for Desktop and iOS.
For me the desktop app on macos is failing to retreive the roles from the user claims which results in the following error log:

ERR Error mapping role names to role ids error="no roles in user claims" line=github.com/opencloud-eu/opencloud/services/proxy/pkg/userroles/oidcroles.go:84 request-id=8b7e55e8-a223-405e-b463-9ab2cd8c6df9 service=proxy userid=361a5f92-58e9-413a-a6a8-bb2c21472259
ERR Could not get user roles error="no roles in user claims" line=github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/account_resolver.go:174 service=proxy

This was mentioned in opencloud-eu/desktop#217

[micbar]

@michaelalbertshofer are you sure that you have the groups scope also in desktop and iOS?

[michaelalbertshofer]

@micbar yes, it's there:

    - client_id: 'web'
      client_name: 'OpenCloud'
      public: true
      authorization_policy: one_factor
      consent_mode: auto
      pre_configured_consent_duration: 1w
      allow_multiple_auth_methods: true
      audience: []
      scopes:
        - openid
        - email
        - profile
        - groups
        - offline_access
      redirect_uris:
        - https://opencloud.my.tld/
        - https://opencloud.my.tld/oidc-callback.html
        - https://opencloud.my.tld/oidc-silent-redirect.html
      grant_types:
        - refresh_token
        - authorization_code
      response_types:
        - code
      response_modes:
        - form_post
        - query
        - fragment
      userinfo_signed_response_alg: none
    - client_id: 'OpenCloudDesktop'
      client_name: 'OpenCloud Desktop Client'
      public: true
      authorization_policy: one_factor
      consent_mode: auto
      pre_configured_consent_duration: 1w
      allow_multiple_auth_methods: true
      audience: []
      scopes:
        - openid
        - groups
        - profile
        - email
        - offline_access
      redirect_uris:
        - http://127.0.0.1
        - http://localhost
      grant_types:
        - refresh_token
        - authorization_code
      response_types:
        - code
      response_modes:
        - form_post
      userinfo_signed_response_alg: none
    - client_id: 'OpenCloudIOS'
      client_name: 'OpenCloud iOS Client'
      public: true
      authorization_policy: one_factor
      consent_mode: auto
      pre_configured_consent_duration: 1w
      allow_multiple_auth_methods: true
      audience: []
      scopes:
        - openid
        - groups
        - profile
        - email
        - offline_access
      redirect_uris:
        - oc://ios.opencloud.eu
      grant_types:
        - refresh_token
        - authorization_code
      response_types:
        - code
      response_modes:
        - form_post
      userinfo_signed_response_alg: none

For the iOS client i get the error: (OCHTTPStatusErrorDomain-Fehler 500.)