Client ID and Client Secret string limits are too short.

[schmudde]

My Nextcloud implementation works with OpenID Connect (OIDC) via Keycloak but not with OIDC via Google or Paypal. The two platforms create the same issue when I register the provider:

sudo -u www-data php /var/www/nextcloud/occ user_oidc:provider google --clientid="8********************************************.apps.googleusercontent.com" --clientsecret="G**********************************" --discoveryuri="https://accounts.google.com/.well-known/openid-configuration"

The command returns this error on my server:

In DbalException.php line 71:An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1

In ExceptionConverter.php line 114: An exception occurred while executing a query: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1

In Exception.php line 26: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1

In Statement.php line 92: SQLSTATE[22001]: String data, right truncated: 1406 Data too long for column 'client_id' at row 1

The Google client secret has this format: 8********************************************.apps.googleusercontent.com. Each star represents a unique character. I considered dropping the .apps.googleusercontent.com extension, but Google includes the suffix in their own examples: client_id=424911365001.apps.googleusercontent.com.

Paypal has the same problem with Client ID. The service also uses a longer Client Secret. So I get more errors with that service.

[uzemelteteshj]

goAuthentik uses 128 character and i get the same error

[jacksgt]

I am also running into this issue.

Here is an example client ID and client secret as created by Authentik (a self-hosted authentication provider like Keycloak, Authelia etc.):

clientID: 66a458a9fb36f69866e5d51a805e9a8eae22248a
clientSecret: 94202d61df0dd4a3feeb8e518c61842fd3f1d6b649c1dc08c291da0efc7abf12ef438c63d2377710e6c9f7f81130d531bf5c5859cf8cff142a9191a943f09b88

In Authentik it is possible to change these values manually to shorter values, but I don't see the reason why the database columns should have such low limits in the first place. Currently, both clientID and clientSecret are limited to 64 chars:

user_oidc/lib/Migration/Version00004Date20200428102743.php

Line 38 in d1bf676

$table->addColumn('client_id', 'string', [

[yscialom]

IIRC this limit is even undocumented. As if being useless wasn't enough.

[so-rose]

I've auto encountered this limit; because of it, the default client_secret from Authentik is unusable.

For anybody finding this issue from the logs, you can generate a perfectly okay client secret like so:

openssl rand -base64 48

What is needed for a fix?

[viq]

From a quick research, as @jacksgt pointed out, a migration creates a column with size of 64 characters. That would need to be changed, but also a new migration created, changing the size of column to the bigger value if not already at that, something like https://github.com/nextcloud/server/blob/master/lib/public/Migration/BigIntMigration.php#L59-L61

No, I don't know what a reasonable value would be. 255 maybe?

[jacksgt]

No, I don't know what a reasonable value would be. 255 maybe?

Ideally there should be no hard limit on the length. It's not like a typical Nextcloud installation will have thousands of OIDC registrations in its database.

The OAuth2 spec (which is the basis for OIDC) says:

The client identifier string size is left undefined by this
specification. The client should avoid making assumptions about the
identifier size. The authorization server SHOULD document the size
of any identifier it issues.

(note that in this case Nextcloud is the client)

https://www.rfc-editor.org/rfc/rfc6749#section-2.2

More precisely, the standard describes client ID and secret as "VSCHAR":

client-id = *VSCHAR
client-secret = *VSCHAR

https://www.rfc-editor.org/rfc/rfc6749#appendix-A.1

Therefore I would vote for making the column a TEXT type (or at least very big, like VARCHAR(1024)).

[viq]

Keep in mind that MySQL is not the only supported database backend, though I think all of them support VARCHAR.

VSCHAR means %x20-7E, which as per RFC 5234 means a large subset of US-ASCII, specifically "visible (printing) characters" plus space.

[viq]

Oh, apparently my initial thought of using size of 255 wouldn't work, since I saw somewhere a comment that Keycloak can issue secrets about 800 (!) characters long.

[nc-fkl]

Hi @ALL,

thank you for your contributions! We have a PR in the queue to increase the limits to 2048 characters ( #711) once its in, it should fix this issue.

Once again, thank you for your effort and for supporting Nextcloud!