I have been looking through the docs, but haven't found a definitive answer on this. I have successfully connected an app to Cloudron's OIDC Provider, but some services want to start with looking up the WebFinger first. Is WebFinger discovery implemented and just not documented? If not, is it planned for a future release?
My understanding is that user provides email to website -> website queries webfinger to locate the oidc endpoint -> oidc authentication. That's what I understood from https://stackoverflow.com/questions/47113980/how-to-use-the-openid-connect-webfinger-endpoint .
This means that the webfinger only makes sense if email domain is hosted on Cloudron. Did I get this correct? If email domain is outside Cloudron, you have to configure webfinger to point to Cloudron's OIDC.
Maybe we should have a checkbox in https://docs.cloudron.io/domains/#well-known-locations which says "Respond to WebFinger queries with Cloudron OIDC endpoint".
Can you tell us which app you are testing this against, so we can test this ourselves?
If I understand https://www.rfc-editor.org/rfc/rfc7033#section-3.1 correctly, a service can take an email and just craft the well-known URL from the domain. It doesn't matter what's hosted where. I was working on getting Tailscale to authenticate against Cloudron's OIDC (https://tailscale.com/kb/1240/sso-custom-oidc).
The email for my domain is hosted at Fastmail, but the website is on Cloudron. I was able to set up a quick LAMP app at the root domain on Cloudron and have it respond to the webfinger request. Tailscale then picked it up and allowed me to authenticate properly.
Having it in the well-known-locations dialog would certainly have been easier.
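To make the flow described in the two posts above concrete (email address -> WebFinger lookup on the address's domain -> OIDC issuer, and a root-domain responder like the quick LAMP app mentioned), here is an added example. It is not Cloudron's code and not the LAMP app from the post; it assumes placeholder values: the bare domain `example.com` is the one the script answers for, and `https://my.example.com` is the OIDC issuer. The `rel` value is the one OpenID Connect Discovery 1.0 defines for issuer location.

```python
"""Minimal WebFinger responder and URL builder for OpenID Connect issuer
discovery (RFC 7033 + OpenID Connect Discovery 1.0, section 2).

Added example, not Cloudron's code. SERVED_DOMAIN and ISSUER are
placeholder assumptions."""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional
from urllib.parse import parse_qs, quote, urlparse

# Link relation defined by OpenID Connect Discovery 1.0 for issuer location.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Assumed configuration: the bare domain this host answers WebFinger for,
# and the OIDC provider it should point clients at.
SERVED_DOMAIN = "example.com"
ISSUER = "https://my.example.com"


def webfinger_url_for_email(email: str, rel: str = OIDC_ISSUER_REL) -> str:
    """Client side: the email becomes an acct: resource and the part after
    '@' is the host whose /.well-known/webfinger gets queried (so only the
    bare domain of the address matters, not where its mail is hosted)."""
    local, _, host = email.rpartition("@")
    if not local or not host:
        raise ValueError("not an email address")
    resource = quote(f"acct:{local}@{host}", safe="")
    return (f"https://{host}/.well-known/webfinger"
            f"?resource={resource}&rel={quote(rel, safe='')}")


def jrd_for(resource: str, rels: List[str]) -> Optional[dict]:
    """Server side: build the JSON Resource Descriptor (RFC 7033 section 4.4)
    for a resource this host is authoritative for; None means 404."""
    if not resource.startswith("acct:"):
        return None
    _, _, host = resource.partition("@")
    if host.lower() != SERVED_DOMAIN:
        return None  # never vouch for an issuer for somebody else's domain
    links = [{"rel": OIDC_ISSUER_REL, "href": ISSUER}]
    if rels:  # RFC 7033 section 4.3: optional rel filter, may repeat
        links = [link for link in links if link["rel"] in rels]
    return {"subject": resource, "links": links}


class WebFingerHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/.well-known/webfinger":
            self.send_error(404)
            return
        qs = parse_qs(url.query)
        jrd = jrd_for(qs.get("resource", [""])[0], qs.get("rel", []))
        if jrd is None:
            self.send_error(404)
            return
        body = json.dumps(jrd).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/jrd+json")
        self.send_header("Access-Control-Allow-Origin", "*")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Put this behind TLS at the root of the bare domain; WebFinger is HTTPS-only.
    HTTPServer(("127.0.0.1", 8080), WebFingerHandler).serve_forever()
```

Two things worth checking when wiring this up: the `href` returned here must be exactly the `issuer` value the provider publishes in its `/.well-known/openid-configuration`, because the client fetches that document next and rejects a mismatch; and the responder should only answer for `acct:` resources in the domain it actually serves, which is why it returns 404 for anything else rather than pointing every address at the issuer.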
@akammeyer Right, that's my understanding as well. My wording was a bit confusing. When I said "email domain", I meant that the domain name of that email address must be hosted on Cloudron (not email hosting but the bare domain hosting).
I will move this to Feature request; adding a well-known input box for this in the Domains UI would be the solution.