WebFinger support for OIDC
-
Hello,
I have been looking through the docs, but haven't found a definitive answer on this. I have successfully connected an app to Cloudron's OIDC Provider, but some services want to start with looking up the WebFinger first. Is WebFinger discovery implemented and just not documented? If not, is it planned for a future release? Thanks!
-
@akammeyer said in WebFinger support:
I have successfully connected an app to Cloudron's OIDC Provider, but some services want to start with looking up the WebFinger first.
My understanding is that the user provides an email to the website -> the website queries WebFinger to locate the OIDC endpoint -> OIDC authentication. That's what I understood from https://stackoverflow.com/questions/47113980/how-to-use-the-openid-connect-webfinger-endpoint .
This means that the WebFinger only makes sense if the email domain is hosted on Cloudron. Did I get this correct? If the email domain is outside Cloudron, you have to configure WebFinger to point to Cloudron's OIDC.
-
Maybe we should have a checkbox in https://docs.cloudron.io/domains/#well-known-locations which says "Respond to WebFinger queries with Cloudron OIDC endpoint".
Can you tell us which app you are testing this against, so we can test this ourselves?
-
If I understand https://www.rfc-editor.org/rfc/rfc7033#section-3.1 correctly, a service can take an email and just craft the well-known URL from the domain. It doesn't matter what's hosted where. I was working on getting Tailscale to authenticate against Cloudron's OIDC (https://tailscale.com/kb/1240/sso-custom-oidc).
The email for my domain is hosted at Fastmail, but the website is on Cloudron. I was able to set up a quick LAMP app at the root domain on Cloudron and have it respond to the webfinger request. Tailscale then picked it up and allowed me to authenticate properly.
Having it in the well-known-locations dialog would certainly have been easier.
-
@akammeyer Right, that's my understanding as well. My wording was a bit confusing. When I said "email domain", I meant that the domain name of that email address must be hosted on Cloudron (not email hosting but the bare domain hosting).
I will move this to Feature request; adding a well-known input box for this in the Domains UI would be the solution.
-
-
@akammeyer Can you share how you got this working?
Same issue here - setting up Tailscale to use Cloudron OIDC.
OIDC runs under my.<domain> obviously; however, I would like to use <mail>@<domain> (hosted on Cloudron as the mail server). It is my understanding that Tailscale expects the OIDC to run under <domain>; additionally there needs to be a WebFinger endpoint there. The last part could be solved by a LAMP stack with a simple WebFinger PHP script, but how would Tailscale accept the subdomain "my." as the OIDC endpoint? Is this not an issue?
-
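The two halves of the exchange discussed in this thread, as an added example that is not part of any post and not Cloudron's, Tailscale's or the LAMP script's code: the client side crafts the WebFinger URL from the domain part of the email (RFC 7033 section 3.1, OpenID Connect Discovery 1.0 section 2), and the server side answers from the bare domain with a JRD whose issuer link points at the OIDC provider. Under OpenID Connect Discovery 1.0 the issuer href is simply a URL, so the host serving WebFinger and the host serving OIDC need not be the same; the example maps the constructed bare domain `example.com` to the constructed issuer `https://my.example.com` to show that. Python is used here instead of PHP so the whole exchange can run and be checked offline; the `ISSUERS` table, the hostnames and the `handle_request` helper are assumptions of this example, not anything from the thread.

```python
"""WebFinger lookup for OpenID Connect issuer discovery (added example).

Client side: turn an e-mail address into the WebFinger request described in
RFC 7033 section 3.1 and OpenID Connect Discovery 1.0 section 2.
Server side: answer that request with a JRD document whose issuer link points
at the OIDC provider, which may live on another host (for example my.<domain>).
"""
import json
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Relation type that OpenID Connect Discovery 1.0 defines for the issuer link.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed sample configuration (assumption of this example, not a real
# deployment): which bare domain answers for which OIDC issuer.
ISSUERS = {
    "example.com": "https://my.example.com",
}


def build_webfinger_url(email: str) -> str:
    """Client side: craft the WebFinger URL from the e-mail's domain part.

    The host comes from the identifier itself, so the WebFinger document must
    be served by the bare domain, regardless of where the mailboxes are hosted.
    """
    local, _, host = email.rpartition("@")
    if not local or not host or "/" in host:
        raise ValueError(f"not an e-mail address: {email!r}")
    query = urlencode({"resource": f"acct:{email}", "rel": OIDC_ISSUER_REL})
    return f"https://{host.lower()}/.well-known/webfinger?{query}"


def jrd_for(resource: str, rels: List[str]) -> Optional[dict]:
    """Server side: build the JRD for one resource, or None if unknown."""
    if not resource.startswith("acct:") or "@" not in resource:
        return None
    domain = resource.rpartition("@")[2].lower()
    issuer = ISSUERS.get(domain)
    if issuer is None:
        return None  # unknown domain: answer 404 rather than leak a guess
    links = [{"rel": OIDC_ISSUER_REL, "href": issuer}]
    # RFC 7033 section 4.3: when rel parameters are given, return only those links.
    if rels:
        links = [link for link in links if link["rel"] in rels]
    return {"subject": resource, "links": links}


def handle_request(path_and_query: str) -> Tuple[int, str, str]:
    """Minimal GET handler: returns (status, content-type, body)."""
    parts = urlsplit(path_and_query)
    if parts.path != "/.well-known/webfinger":
        return 404, "text/plain", "not found"
    params = parse_qs(parts.query)
    resources = params.get("resource", [])
    if len(resources) != 1:
        return 400, "text/plain", "exactly one resource parameter required"
    jrd = jrd_for(resources[0], params.get("rel", []))
    if jrd is None:
        return 404, "text/plain", "not found"
    return 200, "application/jrd+json", json.dumps(jrd)


def discover_issuer(jrd_body: str, expected_subject: str) -> str:
    """Client side: pick the issuer href out of a JRD, with basic checks.

    RFC 7033 allows the subject to differ from the queried resource (aliases);
    insisting on an exact match is a deliberate strictness of this example.
    """
    jrd = json.loads(jrd_body)
    if jrd.get("subject") != expected_subject:
        raise ValueError("subject mismatch")
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            href = link.get("href", "")
            if not href.startswith("https://"):
                raise ValueError("issuer must be https")
            return href.rstrip("/")
    raise LookupError("no OIDC issuer link")


def lookup(email: str) -> str:
    """Run the whole exchange locally (no network) and return the issuer."""
    url = build_webfinger_url(email)
    parts = urlsplit(url)
    status, ctype, body = handle_request(parts.path + "?" + parts.query)
    if status != 200 or ctype != "application/jrd+json":
        raise LookupError(f"webfinger failed: {status} {body}")
    return discover_issuer(body, f"acct:{email}")


if __name__ == "__main__":
    print(build_webfinger_url("alice@example.com"))
    print(lookup("alice@example.com"))
```

`handle_request` stands in for whatever serves `/.well-known/webfinger` on the bare domain; the JRD it returns is the document a relying party fetches before continuing with `<issuer>/.well-known/openid-configuration`, and the `rel` filtering plus the 404 for unknown domains are what keep the endpoint from advertising more than it has to.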
-
@akammeyer said in WebFinger support for OIDC:
I was able to set up a quick LAMP app at the root domain on Cloudron and have it respond to the webfinger request. Tailscale then picked it up and allowed me to authenticate properly.
Would you mind sharing your LAMP setup? I wanted to try the same thing but wasn't successful