Skip to content

feat: support desktop and mobile specific OIDC issuer and client_id #2072

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pat-s wants to merge 2 commits into
base: main
Choose a base branch
from
+104 −1
Open

feat: support desktop and mobile specific OIDC issuer and client_id #2072

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9089cf6
feat(webfinger): add desktop-specific OIDC issuer support
pat-s Dec 20, 2025
da084e3
feat(webfinger): support desktop and mobile specific OIDC client_id
pat-s Dec 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
28 changes: 28 additions & 0 deletions services/webfinger/pkg/command/server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,16 @@ func getRelationProviders(cfg *config.Config) (map[string]service.RelationProvid
switch relationURI {
case relations.OpenIDConnectRel:
rels[relationURI] = relations.OpenIDDiscovery(cfg.IDP)
case relations.OpenIDConnectDesktopRel:
// Handled below - can also be auto-enabled via DesktopIDP config
if cfg.DesktopIDP != "" {
rels[relationURI] = relations.OpenIDDiscoveryDesktop(cfg.DesktopIDP, cfg.DesktopClientID)
}
case relations.OpenIDConnectMobileRel:
// Handled below - can also be auto-enabled via MobileIDP config
if cfg.MobileIDP != "" {
rels[relationURI] = relations.OpenIDDiscoveryMobile(cfg.MobileIDP, cfg.MobileClientID)
}
case relations.OpenCloudInstanceRel:
var err error
rels[relationURI], err = relations.OpenCloudInstance(cfg.Instances, cfg.OpenCloudURL)
Expand All @@ -131,5 +141,23 @@ func getRelationProviders(cfg *config.Config) (map[string]service.RelationProvid
return nil, fmt.Errorf("unknown relation '%s'", relationURI)
}
}

// Auto-enable desktop OIDC issuer when DesktopIDP is configured,
// even if not explicitly listed in Relations. This provides a simpler
// configuration experience - just set WEBFINGER_OIDC_ISSUER_DESKTOP.
// See: https://github.com/opencloud-eu/desktop/issues/246
if cfg.DesktopIDP != "" {
if _, exists := rels[relations.OpenIDConnectDesktopRel]; !exists {
rels[relations.OpenIDConnectDesktopRel] = relations.OpenIDDiscoveryDesktop(cfg.DesktopIDP, cfg.DesktopClientID)
}
}

// Auto-enable mobile OIDC issuer when MobileIDP is configured
if cfg.MobileIDP != "" {
if _, exists := rels[relations.OpenIDConnectMobileRel]; !exists {
rels[relations.OpenIDConnectMobileRel] = relations.OpenIDDiscoveryMobile(cfg.MobileIDP, cfg.MobileClientID)
}
}

return rels, nil
}
4 changes: 4 additions & 0 deletions services/webfinger/pkg/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,10 @@ type Config struct {
Instances []Instance `yaml:"instances"`
Relations []string `yaml:"relations" env:"WEBFINGER_RELATIONS" desc:"A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
IDP string `yaml:"idp" env:"OC_URL;OC_OIDC_ISSUER;WEBFINGER_OIDC_ISSUER" desc:"The identity provider href for the openid-discovery relation." introductionVersion:"1.0.0"`
DesktopIDP string `yaml:"desktop_idp" env:"WEBFINGER_OIDC_ISSUER_DESKTOP" desc:"The identity provider href for desktop clients. When set, desktop clients will use this issuer instead of the default IDP. This allows configuring separate OIDC clients for web and desktop applications." introductionVersion:"%%NEXT%%"`
DesktopClientID string `yaml:"desktop_client_id" env:"WEBFINGER_OIDC_CLIENT_ID_DESKTOP" desc:"The OIDC client ID for desktop clients. When set along with WEBFINGER_OIDC_ISSUER_DESKTOP, this client ID will be provided to desktop clients via webfinger properties." introductionVersion:"%%NEXT%%"`
MobileIDP string `yaml:"mobile_idp" env:"WEBFINGER_OIDC_ISSUER_MOBILE" desc:"The identity provider href for mobile clients. When set, mobile clients will use this issuer instead of the default IDP. This allows configuring separate OIDC clients for web and mobile applications." introductionVersion:"%%NEXT%%"`
MobileClientID string `yaml:"mobile_client_id" env:"WEBFINGER_OIDC_CLIENT_ID_MOBILE" desc:"The OIDC client ID for mobile clients. When set along with WEBFINGER_OIDC_ISSUER_MOBILE, this client ID will be provided to mobile clients via webfinger properties." introductionVersion:"%%NEXT%%"`
Copy link
Contributor

@rhafer rhafer Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additionally to the clientid I think we also need to be able to set a list of scopes per client. So that every client is able to figure out with exact scopes it needs to request for the access_-/id_token.

This is needed for stuff like automatic role assignment and group provisioning to work in a more generic way and not just for keycloak. (See e.g. opencloud-eu/desktop#217 (comment))

OpenCloudURL string `yaml:"opencloud_url" env:"OC_URL;WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL" desc:"The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file." introductionVersion:"1.0.0"`
Insecure bool `yaml:"insecure" env:"OC_INSECURE;WEBFINGER_INSECURE" desc:"Allow insecure connections to the WEBFINGER service." introductionVersion:"1.0.0"`

Expand Down
73 changes: 72 additions & 1 deletion services/webfinger/pkg/relations/openid_discovery.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,9 @@ import (
)

const (
OpenIDConnectRel = "http://openid.net/specs/connect/1.0/issuer"
OpenIDConnectRel = "http://openid.net/specs/connect/1.0/issuer"
OpenIDConnectDesktopRel = "http://openid.net/specs/connect/1.0/issuer/desktop"
OpenIDConnectMobileRel = "http://openid.net/specs/connect/1.0/issuer/mobile"
Copy link
Contributor

@rhafer rhafer Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should invent new relations here. (As also mentioned by @butonic in the PR discussion)

Apart from the fact that OpenCloud itself does currently only support talking a single IDP and configuring multiple different issuer URL would effectively mean we'd need to add multi-IDP support, I really think we don't need that.

As outlined here support for multiple issuers is not even needed. In the case of Authentik where one application (OpenCloud) can just have a single clientid we should just use the same client id for all clients.

If the clients fetch their client id via webfinger that is easy to be achived without adding the complexity of multiple issuer urls.

)

type openIDDiscovery struct {
Expand All @@ -31,3 +33,72 @@ func (l *openIDDiscovery) Add(_ context.Context, jrd *webfinger.JSONResourceDesc
Href: l.Href,
})
}

// ClientIDProperty is the property URI for the OIDC client ID
const ClientIDProperty = "http://openid.net/specs/connect/1.0/client_id"

type openIDDiscoveryDesktop struct {
Href string
ClientID string
}

// OpenIDDiscoveryDesktop adds the OpenID Connect issuer relation for desktop clients.
// This allows identity providers that require separate OIDC clients per application type
// (like Authentik, Kanidm, Zitadel) to provide a distinct issuer URL for desktop clients.
// If clientID is provided, it will be included as a property in the link.
// See: https://github.com/opencloud-eu/desktop/issues/246
func OpenIDDiscoveryDesktop(href string, clientID string) service.RelationProvider {
return &openIDDiscoveryDesktop{
Href: href,
ClientID: clientID,
}
}

func (l *openIDDiscoveryDesktop) Add(_ context.Context, jrd *webfinger.JSONResourceDescriptor) {
if jrd == nil {
jrd = &webfinger.JSONResourceDescriptor{}
}
link := webfinger.Link{
Rel: OpenIDConnectDesktopRel,
Href: l.Href,
}
if l.ClientID != "" {
link.Properties = map[string]string{
ClientIDProperty: l.ClientID,
}
}
jrd.Links = append(jrd.Links, link)
}

type openIDDiscoveryMobile struct {
Href string
ClientID string
}

// OpenIDDiscoveryMobile adds the OpenID Connect issuer relation for mobile clients.
// This allows identity providers that require separate OIDC clients per application type
// (like Authentik, Kanidm, Zitadel) to provide a distinct issuer URL for mobile clients.
// If clientID is provided, it will be included as a property in the link.
// See: https://github.com/opencloud-eu/desktop/issues/246
func OpenIDDiscoveryMobile(href string, clientID string) service.RelationProvider {
return &openIDDiscoveryMobile{
Href: href,
ClientID: clientID,
}
}

func (l *openIDDiscoveryMobile) Add(_ context.Context, jrd *webfinger.JSONResourceDescriptor) {
if jrd == nil {
jrd = &webfinger.JSONResourceDescriptor{}
}
link := webfinger.Link{
Rel: OpenIDConnectMobileRel,
Href: l.Href,
}
if l.ClientID != "" {
link.Properties = map[string]string{
ClientIDProperty: l.ClientID,
}
}
jrd.Links = append(jrd.Links, link)
}