Opencloud fails to refresh OIDC token

[scetu]

Describe the bug

When using Opencloud with Authelia as OIDC provider, Opencloud has sometimes problems with refreshing the token from Authelia.

I have already performed initial troubleshooting, which resulted in #587 (reply in thread) but still I am getting occasional log outs from Opencloud WebUI, or during file uploads I am getting HTTP 401 from OpenCloud WebUI see #786 (reply in thread)

Today I came cross issue fosrl/pangolin#762 which lead me to mealie-recipes/mealie#5228 thinking if Opencloud is not having same issue.

Expected behavior

Opencloud should renew OIDC token without breaking workflow of user

Actual behavior

1. Navigation in WebUI can sometimes results in "You have been logged out"
2. Uploads sometimes return HTTP 401, asking for Basic Auth in Browser - Firefox Ignores them, and Chromium will show Basic auth popup

Setup

Please describe how you started the server and provide a list of relevant environment variables or configuration files.

Details

Authelia configuration

identity_providers:
  oidc:
    claims_policies:
      default:
          id_token: ['groups', 'email', 'email_verified', 'alt_emails', 'preferred_username', 'name']
    lifespans:
      access_token: '1 hour'
      authorize_code: '1 minute'
      id_token: '1 hour'
      refresh_token: '90 minutes'
    cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
      endpoints:
         - 'authorization'
         - 'token'
         - 'revocation'
         - 'introspection'
         - 'userinfo'
      ## List of allowed origins.
      ## Any origin with https is permitted unless this option is configured or the
      ## allowed_origins_from_client_redirect_uris option is enabled.
      allowed_origins:
        - 'https://opencloud.example.com'
      allowed_origins_from_client_redirect_uris: false
    clients:
      - client_id: opencloud-web
        client_name: OpenCloud
        public: true
        authorization_policy: two_factor
        consent_mode: auto
        pre_configured_consent_duration: 1w
        audience: []
        scopes:
          - openid
          - email
          - profile
          - groups
          - offline_access
        redirect_uris:
          - https://opencloud.example.com/
          - https://opencloud.example.com/oidc-callback.html
          - https://opencloud.example.com/oidc-silent-redirect.html
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        userinfo_signed_response_alg: none

Opencloud env variables

      # Authelia - OIDC
      OC_OIDC_ISSUER: https://authelia.example.com
      WEB_OIDC_CLIENT_ID: opencloud-web
      ## Proxy
      PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: none
      PROXY_AUTOPROVISION_ACCOUNTS: true
      PROXY_ROLE_ASSIGNMENT_DRIVER: oidc
      PROXY_USER_OIDC_CLAIM: "preferred_username"
      PROXY_USER_CS3_CLAIM: "username"
      ## role assignment
      PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: 'groups'
      WEB_OIDC_SCOPE: openid profile email groups
      GRAPH_ASSIGN_DEFAULT_USER_ROLE: true
      GRAPH_USERNAME_MATCH: none
      OC_EXCLUDE_RUN_SERVICES: idp
      PROXY_CSP_CONFIG_FILE_LOCATION: /etc/opencloud/csp.yaml

My csp.yml

directives:
  child-src:
    - '''self'''
    - 'https://authelia.example.com/'
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/'
    - 'https://authelia.example.com/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
    - 'https://authelia.example.com/'
  frame-ancestors:
    - '''self'''
    - 'https://authelia.example.com/'
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    # This is needed for the external-sites web extension when embedding sites
    - 'https://docs.opencloud.eu'
    - 'https://authelia.example.com/'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    - 'https://authelia.example.com/'
  manifest-src:
    - '''self'''
    - 'https://authelia.example.com/'
  media-src:
    - '''self'''
    - 'https://authelia.example.com/'
  object-src:
    - '''self'''
    - 'blob:'
    - 'https://authelia.example.com/'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
    - 'https://authelia.example.com/'
  style-src:
    - '''self'''
    - '''unsafe-inline'''
    - 'https://authelia.example.com/'

Additional context

Traefik logs:

traefik-1    | {"ClientAddr":"172.18.0.1:34672","ClientHost":"172.18.0.1","ClientPort":"34672","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":401,"Duration":12609498,"OriginContentSize":0,"OriginDuration":12490991,"OriginStatus":401,"Overhead":118507,"RequestAddr":"opencloud.example.com","RequestContentSize":1042534,"RequestCount":4344,"RequestHost":"opencloud.example.com","RequestMethod":"POST","RequestPath":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"opencloud@docker","ServiceAddr":"172.18.0.7:9200","ServiceName":"opencloud@docker","ServiceURL":"http://172.18.0.7:9200","StartLocal":"2025-05-22T05:56:59.06516696Z","StartUTC":"2025-05-22T05:56:59.06516696Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_X-Request-Id":"bb987e93-a00a-4fd1-a79e-44e02861b7bb","entryPointName":"https","level":"info","msg":"","origin_X-Request-Id":"bb987e93-a00a-4fd1-a79e-44e02861b7bb","request_X-Request-Id":"bb987e93-a00a-4fd1-a79e-44e02861b7bb","time":"2025-05-22T05:56:59Z"}
traefik-1    | {"ClientAddr":"172.18.0.1:34672","ClientHost":"172.18.0.1","ClientPort":"34672","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":401,"Duration":299503133,"OriginContentSize":0,"OriginDuration":299352540,"OriginStatus":401,"Overhead":150593,"RequestAddr":"opencloud.example.com","RequestContentSize":1743035,"RequestCount":4374,"RequestHost":"opencloud.example.com","RequestMethod":"POST","RequestPath":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","RequestPort":"-","RequestProtocol":"HTTP/2.0","RequestScheme":"https","RetryAttempts":0,"RouterName":"opencloud@docker","ServiceAddr":"172.18.0.7:9200","ServiceName":"opencloud@docker","ServiceURL":"http://172.18.0.7:9200","StartLocal":"2025-05-22T05:57:10.025218145Z","StartUTC":"2025-05-22T05:57:10.025218145Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_X-Request-Id":"ab25d5d9-62ae-4430-ab9c-d7458409dc90","entryPointName":"https","level":"info","msg":"","origin_X-Request-Id":"ab25d5d9-62ae-4430-ab9c-d7458409dc90","request_X-Request-Id":"ab25d5d9-62ae-4430-ab9c-d7458409dc90","time":"2025-05-22T05:57:10Z"}

Opencloud logs

opencloud-1  | {"level":"error","service":"proxy","error":"token is expired","authenticator":"oidc","path":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36","client.address":"172.18.0.1","network.peer.address":"","network.peer.port":"","time":"2025-05-22T05:56:59Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
opencloud-1  | {"level":"error","service":"proxy","error":"token is expired","authenticator":"oidc","path":"/remote.php/dav/spaces/e42e9465-7a4d-41ac-888b-0f0f8236c0f4$76103868/SomeFolder","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36","client.address":"172.18.0.1","network.peer.address":"","network.peer.port":"","time":"2025-05-22T05:57:10Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}

No logs in Authelia

[micbar]

@scetu

The two linked issues are talking about IdP limitations regarding OIDC claims. OpenCloud can read claims from the token or from the userinfo endpoint, that is working fine.

In this case, we have a different topic. This ticket is about refreshing the access token.

If i am not mistaken, the problem could be pretty simple: CSP rules prevent the WebUI from refreshing the token.

Please check your browser console or network tab for any CSP errors.

Your IdP URL must be listed in the connect-src part of the CSP rules. https://github.com/opencloud-eu/opencloud/blob/main/deployments/examples/opencloud_full/config/opencloud/csp.yaml#L10

[scetu]

Hi @micbar,

I am no longer getting CSP issues - I did previously, you are right, I have reflected them in #587 (reply in thread) and issue with HTTP 401/logouts is still occuring.

Within my troubleshooting steps, I have added almost everywhere my https://authelia.example.com/ here is my current csp.yaml as also mentioned in original post:

directives:
  child-src:
    - '''self'''
    - 'https://authelia.example.com/'
  connect-src:
    - '''self'''
    - 'blob:'
    - 'https://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'wss://${COMPANION_DOMAIN|companion.opencloud.test}/'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    - 'https://${KEYCLOAK_DOMAIN|keycloak.opencloud.test}/'
    - 'https://authelia.example.com/'
  default-src:
    - '''none'''
  font-src:
    - '''self'''
    - 'https://authelia.example.com/'
  frame-ancestors:
    - '''self'''
    - 'https://authelia.example.com/'
  frame-src:
    - '''self'''
    - 'blob:'
    - 'https://embed.diagrams.net/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    # This is needed for the external-sites web extension when embedding sites
    - 'https://docs.opencloud.eu'
    - 'https://authelia.example.com/'
  img-src:
    - '''self'''
    - 'data:'
    - 'blob:'
    - 'https://raw.githubusercontent.com/opencloud-eu/awesome-apps/'
    # In contrary to bash and docker the default is given after the | character
    - 'https://${COLLABORA_DOMAIN|collabora.opencloud.test}/'
    - 'https://authelia.example.com/'
  manifest-src:
    - '''self'''
    - 'https://authelia.example.com/'
  media-src:
    - '''self'''
    - 'https://authelia.example.com/'
  object-src:
    - '''self'''
    - 'blob:'
    - 'https://authelia.example.com/'
  script-src:
    - '''self'''
    - '''unsafe-inline'''
    - 'https://authelia.example.com/'
  style-src:
    - '''self'''
    - '''unsafe-inline'''
    - 'https://authelia.example.com/'

[hasdf]

I have the same errors with Authentik and OpenCloud behind Nginx. If I can help in any way to troubleshoot the issue, I'd be happy to.
The best way for me to reproduce the issue is when I upload lots of images, view them, and then delete them again.
The upload worked fine, but viewing the preview images resulted in several 401 errors.

Here are the logs.

Browser log

docker logs opencloud_full-opencloud-1 --follow 2>&1 | grep Test4Github20

{"level":"info","service":"storage-users","pkg":"rgrpc","traceid":"42a5e7f7326b82506e24f5ebfbd2c924","data-server":"http://localhost:9158/data/simple/cc46ddc8-1396-46d5-826a-b46c7b232b31","fn":"./Test/Test4Github20.jpg","xs":"map[md5:100 unset:1000]","time":"2025-08-04T20:19:26Z","line":"github.com/opencloud-eu/reva/v2@v2.35.0/internal/grpc/services/storageprovider/storageprovider.go:470","message":"file upload"}
{"level":"info","service":"storage-users","pkg":"rgrpc","traceid":"42a5e7f7326b82506e24f5ebfbd2c924","data-server":"http://localhost:9158/data/tus/cc46ddc8-1396-46d5-826a-b46c7b232b31","fn":"./Test/Test4Github20.jpg","xs":"map[md5:100 unset:1000]","time":"2025-08-04T20:19:26Z","line":"github.com/opencloud-eu/reva/v2@v2.35.0/internal/grpc/services/storageprovider/storageprovider.go:470","message":"file upload"}
{"level":"info","service":"storage-users","pkg":"rgrpc","traceid":"9f7039f4b165296bc0633b3707a2bd15","data-server":"http://localhost:9158/data","ref":{"resource_id":{"storage_id":"e69a4fa8-752a-426d-a704-3713dc562a89","opaque_id":"72e097ca-ddd2-4b96-851d-12d27320648b","space_id":"72e097ca-ddd2-4b96-851d-12d27320648b"},"path":"./Test/Test4Github20.jpg"},"time":"2025-08-04T20:19:29Z","line":"github.com/opencloud-eu/reva/v2@v2.35.0/internal/grpc/services/storageprovider/storageprovider.go:296","message":"file download"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"dab87f15-c829-4520-b28c-c25f365f93c9","traceid":"9f7039f4b165296bc0633b3707a2bd15","remote-addr":"10.0.101.104","method":"GET","status":200,"path":"/dav/spaces/e69a4fa8-752a-426d-a704-3713dc562a89$72e097ca-ddd2-4b96-851d-12d27320648b/Test/Test4Github20.jpg","duration":9.726552,"bytes":140817,"time":"2025-08-04T20:19:29Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"storage-users","pkg":"rgrpc","traceid":"59308f86818dbf22a9f1769d4b768440","data-server":"http://localhost:9158/data/tus/f7c6ab23-f62b-4f02-a4fd-e2a2bb1db25e","fn":"./Test/Test4Github20.jpg","xs":"map[md5:100 unset:1000]","time":"2025-08-04T20:20:23Z","line":"github.com/opencloud-eu/reva/v2@v2.35.0/internal/grpc/services/storageprovider/storageprovider.go:470","message":"file upload"}
{"level":"info","service":"storage-users","pkg":"rgrpc","traceid":"59308f86818dbf22a9f1769d4b768440","data-server":"http://localhost:9158/data/simple/f7c6ab23-f62b-4f02-a4fd-e2a2bb1db25e","fn":"./Test/Test4Github20.jpg","xs":"map[md5:100 unset:1000]","time":"2025-08-04T20:20:23Z","line":"github.com/opencloud-eu/reva/v2@v2.35.0/internal/grpc/services/storageprovider/storageprovider.go:470","message":"file upload"}
{"level":"error","service":"proxy","error":"token is expired","authenticator":"oidc","path":"/remote.php/dav/spaces/e69a4fa8-752a-426d-a704-3713dc562a89$72e097ca-ddd2-4b96-851d-12d27320648b/Test/Test4Github20.jpg","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0","client.address":"10.0.101.104","network.peer.address":"","network.peer.port":"","time":"2025-08-04T20:20:32Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"75da0cb7-0599-4ec6-a9fc-984a85d1d0cb","traceid":"0b306eb17c5581c7eb1a20b02f026922","remote-addr":"10.0.101.104","method":"GET","status":401,"path":"/remote.php/dav/spaces/e69a4fa8-752a-426d-a704-3713dc562a89$72e097ca-ddd2-4b96-851d-12d27320648b/Test/Test4Github20.jpg","duration":0.0827,"bytes":0,"time":"2025-08-04T20:20:32Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"bef4f037-d6ea-4a45-92de-2e6ccd4f228e","traceid":"f325d5501a6ca5e33d0d58aee9aae8b6","remote-addr":"10.0.101.104","method":"PROPFIND","status":207,"path":"/remote.php/dav/spaces/e69a4fa8-752a-426d-a704-3713dc562a89$72e097ca-ddd2-4b96-851d-12d27320648b/Test/Test4Github20.jpg","duration":6.322062,"bytes":485,"time":"2025-08-04T20:20:41Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}
{"level":"error","service":"proxy","error":"token is expired","authenticator":"oidc","path":"/remote.php/dav/spaces/e69a4fa8-752a-426d-a704-3713dc562a89$72e097ca-ddd2-4b96-851d-12d27320648b/Test/Test4Github20.jpg","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0","client.address":"10.0.101.104","network.peer.address":"","network.peer.port":"","time":"2025-08-04T20:20:42Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/oidc_auth.go:198","message":"failed to authenticate the request"}
{"level":"info","service":"proxy","proto":"HTTP/1.1","request-id":"45d77e69-e9f0-49d6-9b64-a0fa790953cb","traceid":"35f58c5a52761e3662ae04e68b794b76","remote-addr":"10.0.101.104","method":"GET","status":401,"path":"/remote.php/dav/spaces/e69a4fa8-752a-426d-a704-3713dc562a89$72e097ca-ddd2-4b96-851d-12d27320648b/Test/Test4Github20.jpg","duration":0.0896,"bytes":0,"time":"2025-08-04T20:20:42Z","line":"github.com/opencloud-eu/opencloud/services/proxy/pkg/middleware/accesslog.go:34","message":"access-log"}

nginx access log

[04/Aug/2025:20:20:43 +0000] - 200 200 - GET https oc.domain.de "/icons/file-damage-fill.svg" [Client 2001:470:52ec:2:80d6:9c14:xxxx:xxxx] [Length 267] [Gzip -] [Sent-to 10.0.101.119] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0" "https://oc.domain.de/preview/personal/martin/Test/Test4Github20.jpg?fileId=e69a4fa8-752a-426d-a704-3713dc562a89%2472e097ca-ddd2-4b96-851d-12d27320648b%21ad2e9d55-6756-4047-8720-bb006e68d1e0&contextRouteName=files-spaces-generic&contextRouteParams.driveAliasAndItem=personal%2Fmartin%2FTest&contextRouteQuery.fileId=e69a4fa8-752a-426d-a704-3713dc562a89%2472e097ca-ddd2-4b96-851d-12d27320648b%2185a01024-72bb-4643-b3d8-4a904cf13995&contextRouteQuery.sort-by=name&contextRouteQuery.sort-dir=asc"

[micbar]

Please see the solution from @scetu

I strongly suggest that opencloud has CSP issues with the external IdP.

[hasdf]

For testing purposes my csp.yaml looks the same as the one from @scetu but the issue remains. And if I read the comment correctly, the issue also remains for @scetu after fixing the CSP issues.

[scetu]

@hasdf I have not solved this, and stopped evaluating usage of Opencloud for my use case now. There seems to be more issues in Opencloud related to IdPs like Authelia, see opencloud-eu/desktop#217 where maintainers of Authelia and Opencloud are discussing some of them.

[tomorrow-nf]

Commenting to follow, as I'm experiencing the exact same issue with Authentik.

[zerodarkzone]

I have the same problem using Authentik.

[traktuner]

Just to add my perspective:
I am using Authentik as my main IdP for quite a while now, with many applications (Immich, Wordpress, Portainer, etc.) integrated via OAuth2/OIDC without issues.

With OpenCloud things are more complicated: since Authentik enforces a 1:1 relationship between applications and providers, I need to configure separate providers for Web, Desktop, iOS and Android. Each of those providers has a different issuer, while OpenCloud currently only supports a single issuer.

As a result, OpenCloud cannot validate the JWTs offline. Every API call ends up being validated against Authentik’s /userinfo endpoint, which adds latency and creates a strong dependency on the IdP’s availability. In practice this significantly impacts performance and reliability.

From a security and architectural perspective, I think the Authentik approach (one provider = one client/issuer) is valid and even preferable. It would be really helpful if OpenCloud could support multiple issuers (or a way to configure several OIDC clients under one OpenCloud instance).

That would make the integration with Authentik much smoother and reduce the need for falling back to verify_method=none with live userinfo checks.

[micbar]

As a result, OpenCloud cannot validate the JWTs offline. Every API call ends up being validated against Authentik’s /userinfo endpoint, which adds latency and creates a strong dependency on the IdP’s availability. In practice this significantly impacts performance and reliability.

Is there something special about the authentik token format? OpenCloud validates JWT tokens from other providers on its own. Why doesn't it work for Authentik?

[traktuner]

As a result, OpenCloud cannot validate the JWTs offline. Every API call ends up being validated against Authentik’s /userinfo endpoint, which adds latency and creates a strong dependency on the IdP’s availability. In practice this significantly impacts performance and reliability.

Is there something special about the authentik token format? OpenCloud validates JWT tokens from other providers on its own. Why doesn't it work for Authentik?

There is nothing special about Authentik’s tokens – they are standard JWTs.
The problem is that Authentik enforces a 1:1 mapping (one application = one provider = one client), and each provider issues tokens with a different iss claim.

OpenCloud, on the other hand, only supports a single OC_OIDC_ISSUER.
So when Web, Desktop, iOS and Android each have a different issuer, OpenCloud rejects the tokens with “invalid issuer”, even though the tokens themselves are perfectly valid.

With providers like Keycloak this doesn’t happen, because all clients share the same issuer.