# BUG - Does FileSender support native OIDC authentication without SimpleSAMLphp?

[victoritis]

Hi,

I've been using FileSender 3.5 with SimpleSAMLphp + the authoauth2 module for OpenID Connect authentication against a Keycloak IdP. However, I've been running into dependency issues with firebase/php-jwt (security advisories PKSA-y2cr-5h3j-g3ys and PKSA-2kqm-ps5x-s4f5), which Composer 2.9+ now blocks by default.

While investigating alternatives, I noticed that the FileSender 3.5 source code seems to include built-in OIDC support:

• www/oidc.php — OIDC login/logout entry point
• classes/auth/AuthSPOidc.class.php — OIDC authentication delegation class
• optional-dependencies/oidc/ — jumbojett/openid-connect-php library
• classes/utils/ConfigPrivate.class.php — reads client_id/client_secret from config_private.php
• AuthSP.class.php dynamically loads AuthSPOidc when auth_sp_type = 'oidc'

My questions:

1. Is this native OIDC client officially supported and production-ready?
2. Is there any documentation on how to configure it? The installation guide only covers SimpleSAMLphp.
3. What is the recommended setup? Specifically:
   • Which config parameters go in config.php vs config_private.php?
   • What redirect URI should be registered in the OIDC provider? (I'm assuming https://<domain>/oidc.php)
   • Are there any additional auth_sp_oidc_* parameters beyond issuer, client_id, client_secret, uid_attribute, email_attribute, and name_attribute?

I had previously assumed that SimpleSAMLphp was the only supported authentication method. If native OIDC is indeed supported, it would be great to have it documented, as it eliminates the need for the authoauth2 module and its problematic firebase/php-jwt dependency.

Thanks!

[victoritis]

I have seen this now #2424 .
May be, the doc have to be updated with this info.

[victoritis]

Fix: PHP Warning "Undefined array key 'idp'" upon file upload (Native OIDC)

Context:
When authenticating via modern OIDC (e.g., against Keycloak or a custom Python Auth Server) natively in FileSender 3.5, the idp (Identity Provider) attribute is not populated.

Problem:
Unlike the mature AuthSPSaml class (which historically communicated with SimpleSAMLphp and actively set the idp property), FileSender's native OIDC integration class (AuthSPOidc.class.php) completely omits the extraction and assignment of the idp variable from the user's attributes.

As a result, older core components like Transfer.class.php (which blindly expect this key to exist) throw an Undefined array key "idp" warning around line 658, completely breaking the file upload process. This is a structural bug within FileSender's native OIDC implementation.

Solution:
A sed patch is applied during the Docker image build to safely check if the idp key exists before attempting to assign it. If it does not exist, it securely falls back to null, allowing the upload to proceed normally without throwing the PHP warning.

Patch applied in my Dockerfile:

# FileSender Bugfix: Native OIDC implementation (AuthSPOidc) omits the 'idp' attribute.
# This strictly prevents an "Undefined array key 'idp'" PHP warning in Transfer.class.php during file uploads.
RUN sed -i "s/\$entityId = \$attrs\['idp'\];/\$entityId = array_key_exists('idp', \$attrs) ? \$attrs['idp'] : null;/g" filesender/classes/data/Transfer.class.php

[monkeyiq]

I think it makes sense for the AuthSPOidc class to set $attributes['idp'] to something. If there is nothing specific for the protocol then all auth could be logged as just the OIDC for now.

[flowdnb]

I contributed the AuthSPOidc implementation to FileSender. Interestingly, I did not experience the issue of a broken file upload process described above during my development testing, nor while running the code in production (not using Docker).

However, I can create a PR with the suggested change to set $attributes['idp'] to Config::get('auth_sp_oidc_issuer'). I can also add the docs to the v3 admin config as requested above.

[victoritis]

Closed by #2616 merge.