Conversation

@pat-s pat-s commented Dec 21, 2025

Description

Enables identity providers that require separate OIDC clients per application type (like Authentik, Kanidm, Zitadel) to work with OpenCloud clients.

  • Add desktop-specific OIDC issuer relation (http://openid.net/specs/connect/1.0/issuer/desktop)
  • Add mobile-specific OIDC issuer relation (http://openid.net/specs/connect/1.0/issuer/mobile)
  • Support optional client_id property in WebFinger link responses

Configuration

WEBFINGER_OIDC_ISSUER_DESKTOP: "https://idp.example.com"
WEBFINGER_OIDC_CLIENT_ID_DESKTOP: "desktop-client-id"
WEBFINGER_OIDC_ISSUER_MOBILE: "https://idp.example.com"
WEBFINGER_OIDC_CLIENT_ID_MOBILE: "mobile-client-id"

Motivation and Context

This PR solves opencloud-eu/desktop#246 and is a complementary PR to opencloud-eu/desktop#766.

Besides the PR for the desktop app, similar changes are needed for the iOS and Android sources.

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation added
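A client-side resolver for the WebFinger response described above, added here as an illustration; it is not code from OpenCloud or from this PR. The three link relations and the env-var values are the ones from the description. Everything else is an assumption of this example: that the optional client_id is a `client_id` JSON key on the link object, that a platform link falls back to the generic issuer link, and that a platform issuer differing from the generic one is refused unless the caller opts in (the PR's configuration example uses the same issuer for both).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Link relations from the PR description; the desktop and mobile ones are new.
const (
	RelIssuer        = "http://openid.net/specs/connect/1.0/issuer"
	RelIssuerDesktop = "http://openid.net/specs/connect/1.0/issuer/desktop"
	RelIssuerMobile  = "http://openid.net/specs/connect/1.0/issuer/mobile"
)

// Link is one entry of a JRD "links" array (RFC 7033). The "client_id" JSON key
// is an assumption of this example; the PR only says the link carries an
// optional client_id property.
type Link struct {
	Rel      string `json:"rel"`
	Href     string `json:"href"`
	ClientID string `json:"client_id,omitempty"`
}

// OIDCConfig is what a client needs before fetching the discovery document.
// An empty ClientID means "use the client's built-in default".
type OIDCConfig struct {
	Issuer   string
	ClientID string
}

var (
	ErrBadIssuer      = errors.New("webfinger: issuer must be an absolute https URL without query or fragment")
	ErrIssuerMismatch = errors.New("webfinger: platform issuer differs from the web issuer")
	platformRels      = map[string]string{"desktop": RelIssuerDesktop, "mobile": RelIssuerMobile}
)

func findLink(links []Link, rel string) (Link, bool) {
	for _, l := range links {
		if l.Rel == rel {
			return l, true
		}
	}
	return Link{}, false
}

// checkIssuer enforces the issuer URL rules of OpenID Connect Discovery.
func checkIssuer(href string) error {
	u, err := url.Parse(href)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.RawQuery != "" || u.Fragment != "" {
		return ErrBadIssuer
	}
	return nil
}

// ResolveOIDC picks the issuer and client_id for a client on platform ("web",
// "desktop" or "mobile"). The generic issuer link is mandatory; a platform link
// overrides it and may carry its own client_id. Accounts at two issuers are not
// the same identity, so a differing platform issuer needs allowCrossIssuer.
func ResolveOIDC(body []byte, platform string, allowCrossIssuer bool) (OIDCConfig, error) {
	var jrd struct {
		Links []Link `json:"links"`
	}
	if err := json.Unmarshal(body, &jrd); err != nil {
		return OIDCConfig{}, fmt.Errorf("webfinger: invalid JRD: %w", err)
	}
	base, ok := findLink(jrd.Links, RelIssuer)
	if !ok {
		return OIDCConfig{}, errors.New("webfinger: no generic OIDC issuer link")
	}
	if err := checkIssuer(base.Href); err != nil {
		return OIDCConfig{}, err
	}
	cfg := OIDCConfig{Issuer: base.Href, ClientID: base.ClientID}
	rel := platformRels[platform] // "web" and unknown platforms use the generic link only
	if pl, ok := findLink(jrd.Links, rel); rel != "" && ok {
		if err := checkIssuer(pl.Href); err != nil {
			return OIDCConfig{}, err
		}
		if pl.Href != base.Href && !allowCrossIssuer {
			return OIDCConfig{}, ErrIssuerMismatch
		}
		cfg.Issuer = pl.Href
		if pl.ClientID != "" {
			cfg.ClientID = pl.ClientID
		}
	}
	return cfg, nil
}

// sampleJRD is a constructed response mirroring the PR's configuration example.
const sampleJRD = `{"links": [
  {"rel": "http://openid.net/specs/connect/1.0/issuer", "href": "https://idp.example.com"},
  {"rel": "http://openid.net/specs/connect/1.0/issuer/desktop", "href": "https://idp.example.com", "client_id": "desktop-client-id"},
  {"rel": "http://openid.net/specs/connect/1.0/issuer/mobile", "href": "https://idp.example.com", "client_id": "mobile-client-id"}]}`

func main() {
	cfg, err := ResolveOIDC([]byte(sampleJRD), "desktop", false)
	fmt.Printf("issuer=%s client_id=%s err=%v\n", cfg.Issuer, cfg.ClientID, err)
}
```

The issuer check is the one a client must not skip: WebFinger is fetched over the server's domain, so an attacker who can influence that response can only point the client at an https issuer, and the cross-issuer refusal keeps a desktop or mobile account from silently landing at a different identity provider than the web login.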

@kaivol kaivol commented Dec 21, 2025

I don't think we should allow/encourage using different OIDC issuers (and client ids) for web and desktop/mobile clients.
There really is no reason to do so, and in fact it is incorrect to assume that users from different issuers represent the same entity.


Also, I would add the OIDC scopes to request during authentication, just like it is already possible for the web client with WEB_OIDC_SCOPE. This would also fix opencloud-eu/desktop#217.

@mavgit1 mavgit1 commented Jan 2, 2026

> I don't think we should allow/encourage using different OIDC issuers (and client ids) for web and desktop/mobile clients. There really is no reason to do so, and in fact it is incorrect to assume that users from different issuers represent the same entity.
>
> Also, I would add the OIDC scopes to request during authentication, just like it is already possible for the web client with WEB_OIDC_SCOPE. This would also fix opencloud-eu/desktop#217.

You are right that using different Issuers would break user identity (though that is necessary to register unique URLs from an IdP like Authentik), but having separate Client IDs for Web and Native apps is actually standard OIDC practice.

Some IDPs (like Google Identity or Zitadel) strictly enforce this separation for security reasons (handling localhost vs https redirects) and completely refuse to mix Web and Native configurations in a single Client ID. As long as the Issuer remains the same, the user identity stays consistent.

So having the option to provide 2 different Client IDs is necessary so that Owncloud can be used with standard security practices / even work at all with some IDPs.

@kaivol kaivol commented Jan 3, 2026

> having separate Client IDs for Web and Native apps is actually standard OIDC practice.

Could you elaborate on this point? During my use of OIDC (mostly in the self-hosting area), I never encountered such applications.
I can't think of any type of attack that would be prevented by this practice.

But anyway, if there are servers that make such requirements (different Client ID per redirect URI, IIUC), we should of course support that.
Is one Client ID for all native clients sufficient, or do we need different client for different platforms?


> using different Issuers would break user identity (though that is necessary to register unique URLs from an IdP like Authentik)

Could you explain what you mean by that? As far as I know, Authentik supports defining multiple redirect URIs per client.

@mavgit1 mavgit1 commented Jan 5, 2026

> having separate Client IDs for Web and Native apps is actually standard OIDC practice.
>
> Could you elaborate on this point? During my use of OIDC (mostly in the self-hosting area), I never encountered such applications. I can't think of any type of attack that would be prevented by this practice.


E.g. in Zitadel you are forced to create a separate app both for WEB and Native.

You cannot add a local redirect URI like oc://android.opencloud.eu or even http://127.0.0.1 to a WEB app. Vice versa, you cannot add a normal URL like https://your-domain.example.com/oidc-callback.html to a native app.

OpenCloud even recommends having 3 separate clients: one for the Mobile App, one for the Desktop App and one for WEB. So it would be compatible with Zitadel and many others if simply the CLIENT-ID could be set manually.

> using different Issuers would break user identity (though that is necessary to register unique URLs from an IdP like Authentik)
>
> Could you explain what you mean by that? As far as I know, Authentik supports defining multiple redirect URIs per client.

Yes, Authentik supports different URIs per client and I think even the renaming of the client ID (thus being able to give the client the fixed default names from OpenCloud), but each App is a different issuer URL:

See the currently open issue:

goauthentik/authentik#7251
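The web-versus-native split this comment describes, written out as an added example; it is not Zitadel's, Authentik's or OpenCloud's code. It shows a registration-time redirect URI policy per app type (web: public https only; native: private-use scheme or loopback http, following RFC 8252) and the per-request match at the authorization endpoint, where a native app's loopback port may vary. The client IDs, redirect URIs and the exact rules are constructed for illustration and are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// AppType mirrors the web-versus-native split that IdPs such as Zitadel
// enforce at registration time (see the thread above).
type AppType int

const (
	WebApp AppType = iota
	NativeApp
)

// Client is a registered OIDC client; constructed for this example.
type Client struct {
	ID           string
	Type         AppType
	RedirectURIs []string
}

var ErrRedirect = errors.New("redirect_uri not allowed for this app type")

// isLoopback is true for localhost, 127.0.0.0/8 and ::1 (RFC 8252 section 7.3).
func isLoopback(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// ValidateRedirectURI is the registration-time policy. Web apps get an absolute
// https URL with a non-loopback host and no fragment. Native apps get a
// private-use scheme (e.g. oc://...) or plain http on a loopback interface;
// https is refused so a native client cannot register a browser callback URL.
func ValidateRedirectURI(t AppType, raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Fragment != "" {
		return fmt.Errorf("%w: %q is not an absolute fragment-free URI", ErrRedirect, raw)
	}
	switch t {
	case WebApp:
		if u.Scheme != "https" || u.Host == "" || isLoopback(u.Hostname()) {
			return fmt.Errorf("%w: web app requires a public https URL, got %q", ErrRedirect, raw)
		}
	case NativeApp:
		switch u.Scheme {
		case "https":
			return fmt.Errorf("%w: native app may not use an https callback, got %q", ErrRedirect, raw)
		case "http":
			if !isLoopback(u.Hostname()) {
				return fmt.Errorf("%w: native http callback must be loopback, got %q", ErrRedirect, raw)
			}
		} // any other scheme is treated as a private-use scheme and accepted
	}
	return nil
}

// MatchRedirect is the per-request check at the authorization endpoint: exact
// string match against the registered URIs, except that a native app's
// loopback redirect may be presented with any port (RFC 8252 section 7.3).
func MatchRedirect(c Client, presented string) bool {
	if ValidateRedirectURI(c.Type, presented) != nil {
		return false
	}
	p, _ := url.Parse(presented) // already validated above
	for _, reg := range c.RedirectURIs {
		if reg == presented {
			return true
		}
		r, err := url.Parse(reg)
		if err != nil || c.Type != NativeApp || r.Scheme != "http" || !isLoopback(r.Hostname()) {
			continue
		}
		if p.Scheme == "http" && p.Hostname() == r.Hostname() && p.Path == r.Path {
			return true
		}
	}
	return false
}

// Constructed registrations in the three-client layout the thread mentions.
var (
	webClient     = Client{ID: "opencloud-web", Type: WebApp, RedirectURIs: []string{"https://cloud.example.com/oidc-callback.html"}}
	desktopClient = Client{ID: "opencloud-desktop", Type: NativeApp, RedirectURIs: []string{"http://127.0.0.1/"}}
	mobileClient  = Client{ID: "opencloud-mobile", Type: NativeApp, RedirectURIs: []string{"oc://android.opencloud.eu"}}
)

func main() {
	fmt.Println(ValidateRedirectURI(WebApp, "oc://android.opencloud.eu"))
	fmt.Println(MatchRedirect(desktopClient, "http://127.0.0.1:49152/"))
}
```

The reason the two policies cannot share one client registration is visible in MatchRedirect: the loopback port wildcard is only safe for a client that is known to be a native app, so an IdP that enforces the split keeps a web client's callback list strictly exact-match.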
