Supporting OIDC authentication for a WebDAV server

Could rclone be updated to support authenticating with a WebDAV server that is expecting an OIDC access token?

I believe rclone already supports OIDC authentication, as it uses this to obtain the OIDC access and refresh tokens for a Google drive.

There are WebDAV servers that expect the client to place the access-token in the HTTP Authorization header.

Would it be possible to update rclone to support these WebDAV servers?

Cheers,

Paul.

I recently merged support for a bearer_token in rclone webdav. This will go in the Authorization header, so if you had a token then the webdav in the latest beta will work for you.

Are you also proposing that rclone could do the oauth roundtrip to get the token in the first place?

Thanks for the quick reply.

Yes, I noticed your recent addition for supporting bearer token authn. (I’m one of the dCache developers, so Onno pointed me towards the ticket.) Thanks for adding that feature so quickly.

You’re absolutely right, it would be possible to use the OIDC access token directly as a bearer token, just like with a macaroon. I’m planning on testing this soon.

The disadvantage is that an access token typically has a somewhat short lifetime. I believe it’s not defined in the standard, but a typical lifetime is around 20 minutes.

The user could (theoretically) obtain fresh access tokens and supply them, but I think it would be nicer for the users if rclone obtained the tokens and also handled the token refresh.

I think the Google Drive support already does this: registering rclone as a client, obtaining tokens, and then refreshing the access token as necessary. I was hoping that adding something similar for webdav would be relatively easy.

What do you think?

There is a framework for oauth2 in rclone. I’m unclear how OIDC differs from oauth2 but assuming they are similar then, yes it would be relatively easy :smile:

Is there a test server I could have a play with which implements this? And could you point me at some docs?

I’m nick@craig-wood.com if you want to send secret credentials!

For oauth there are quite a few parameters that the user would need to set, eg

The Endpoint contains 2 URLs.

Would you like to help with the development of this feature in rclone?

It sounds to me like it is worth pursuing, so if you could please make a new issue on github then it won’t get forgotten and we can work out what needs to be done there.

Thanks.
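Paul's point above about short-lived access tokens needing a refresh, and Nick's mention of the OAuth2 parameters a user would supply (client registration plus the provider's endpoint URLs), come together in the following added example. It is not rclone's code and does not show rclone's own oauth2 framework; it is a stand-alone Go illustration using only the standard library. The token endpoint and the WebDAV endpoint are one constructed in-process fake (standing in for an OpenID Provider and a dCache instance), and every name and value in it (bearerTransport, demo, the client id "rclone-test", the token strings, the 20-minute lifetime) is hypothetical. It shows a transport that puts the access token in the Authorization header as a bearer token and runs the refresh_token grant before the token expires, so a PROPFIND issued after the first token's lifetime still succeeds.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// bearerTransport puts "Authorization: Bearer <access token>" on every WebDAV request and
// refreshes the access token shortly before it expires, so the user never pastes a new one.
type bearerTransport struct {
	ClientID, ClientSecret, TokenURL string // user-supplied OAuth2 parameters (the authorize URL only matters for the first login)
	Base                             http.RoundTripper
	Skew                             time.Duration    // refresh this long before expiry
	Now                              func() time.Time // injectable clock; real clients use time.Now
	mu                               sync.Mutex
	access, refreshToken             string
	expiry                           time.Time
}
// refresh runs the OAuth2 refresh_token grant against the token endpoint; the caller holds t.mu.
func (t *bearerTransport) refresh() error {
	resp, err := http.PostForm(t.TokenURL, url.Values{"grant_type": {"refresh_token"},
		"refresh_token": {t.refreshToken}, "client_id": {t.ClientID}, "client_secret": {t.ClientSecret}})
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var body struct { AccessToken string `json:"access_token"`; ExpiresIn int `json:"expires_in"` }
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return err
	}
	t.access, t.expiry = body.AccessToken, t.Now().Add(time.Duration(body.ExpiresIn)*time.Second)
	return nil
}
func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	t.mu.Lock()
	if !t.Now().Add(t.Skew).Before(t.expiry) { // expired or about to expire: refresh first
		if err := t.refresh(); err != nil {
			t.mu.Unlock()
			return nil, fmt.Errorf("refreshing access token: %w", err)
		}
	}
	access := t.access
	t.mu.Unlock()
	r := req.Clone(req.Context()) // never mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+access)
	return t.Base.RoundTrip(r)
}
// demo runs the transport against one in-process fake (not dCache) serving both the token endpoint
// (/token) and a WebDAV path: three PROPFINDs across a 20-minute token lifetime on a fake clock.
func demo() (refreshes, accepted int, err error) {
	var mu sync.Mutex // guards clock, valid and refreshes
	clock := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	valid := map[string]time.Time{"access-1": clock.Add(20 * time.Minute)} // access token -> expiry
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock(); defer mu.Unlock()
		if r.URL.Path == "/token" { // fake token endpoint: refresh_token grant only
			if r.FormValue("grant_type") != "refresh_token" || r.FormValue("refresh_token") != "refresh-abc" || r.FormValue("client_id") != "rclone-test" {
				http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest); return
			}
			refreshes++
			next := fmt.Sprintf("access-%d", len(valid)+1)
			valid[next] = clock.Add(20 * time.Minute)
			_ = json.NewEncoder(w).Encode(map[string]interface{}{"access_token": next, "token_type": "Bearer", "expires_in": 1200})
			return
		}
		// fake WebDAV endpoint: 207 only for a known, unexpired bearer token, otherwise 401
		if exp, ok := valid[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]; !ok || !clock.Before(exp) {
			w.WriteHeader(http.StatusUnauthorized); return
		}
		w.WriteHeader(http.StatusMultiStatus)
	}))
	defer srv.Close()
	client := &http.Client{Transport: &bearerTransport{
		ClientID: "rclone-test", ClientSecret: "s3cret", TokenURL: srv.URL + "/token",
		Base: http.DefaultTransport, Skew: 30 * time.Second,
		Now:  func() time.Time { mu.Lock(); defer mu.Unlock(); return clock },
		access: "access-1", refreshToken: "refresh-abc", expiry: clock.Add(20 * time.Minute)}}
	// PROPFINDs at t+0 and t+10m ride on access-1; at t+25m it has expired (t+20m), so exactly one refresh is expected.
	for _, advance := range []time.Duration{0, 10 * time.Minute, 15 * time.Minute} {
		mu.Lock(); clock = clock.Add(advance); mu.Unlock()
		req, _ := http.NewRequest("PROPFIND", srv.URL+"/dav/", nil)
		resp, err := client.Do(req)
		if err != nil { return refreshes, accepted, err }
		resp.Body.Close()
		if resp.StatusCode == http.StatusMultiStatus { accepted++ }
	}
	return refreshes, accepted, nil
}

func main() { fmt.Println(demo()) } // prints: 1 3 <nil>
```

The refresh happens under the transport's mutex so that concurrent transfers share one refresh round-trip instead of each racing to the token endpoint, and the small Skew avoids sending a request with a token that expires in flight. A real client would persist the refreshed token pair (as rclone does for its existing OAuth2 backends) rather than keep it only in memory, and would obtain the initial tokens through the provider's authorize URL, which this example deliberately leaves out.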

I’ve created issue #2380 to capture this request and included a few links to the OpenID Connect specs (core and dynamic client registration). Just let me know if something’s missing.

I have a test dCache instance specifically for people to play with (such as testing clients) called prometheus. I’ll drop you an email for some details so I can set up your account.

Unfortunately, I’m not a Go developer, so I’m not sure how much I can contribute directly (I’d have to learn Go first :slight_smile:), but I’m certainly keen to help out. I can provide diagnostic information from the test server and help test patches.