Project

General

Profile

Task #2658

Nextcloud SAML authentication doesn't survive a client restart

Added by William Gathoye 6 months ago. Updated 2 months ago.

Status:
New
Priority:
Normal
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Tags:
URL:

Description

When we are authenticated on the TDF Nextcloud instance and we have a Nextcloud client synced with our devices, after a day, we get complains the authentication method is invalid and we need to reauthenticate.

This is a cumbersome process since we must disconnect / reconnect on each device we had our account synced to and we need to initiate a new resync (hopefully, existing files are not redownloaded).

The current situation leads us in having a Nextcloud instance barely usable since the LDAP authentication has been launched.

One idea of fix would be to extend the life of the token to 30 days or choose applications passwords instead (if the feature available into Nextcloud).

Screenshot_20180920_171524.png (46.6 KB) Screenshot_20180920_171524.png William Gathoye, 2018-09-20 17:18
Screenshot_20181202_155558.png (179 KB) Screenshot_20181202_155558.png William Gathoye, 2018-12-02 15:56
Screenshot_20181202_155546.png (309 KB) Screenshot_20181202_155546.png William Gathoye, 2018-12-02 15:56
Screenshot_20181202_155622.png (305 KB) Screenshot_20181202_155622.png William Gathoye, 2018-12-02 15:56
Screenshot_20181202_155627.png (288 KB) Screenshot_20181202_155627.png William Gathoye, 2018-12-02 15:56
Screenshot_20181202_160104.png (291 KB) Screenshot_20181202_160104.png William Gathoye, 2018-12-02 16:01
netxcloud_debug_connection_issue_wget_2018-12-22.txt (8.86 KB) netxcloud_debug_connection_issue_wget_2018-12-22.txt nextcloud client logs William Gathoye, 2018-12-22 19:07
Screenshot_20181222_190914.png (332 KB) Screenshot_20181222_190914.png grant access animation loop no action William Gathoye, 2018-12-22 19:09
2332
2365
2366
2367
2368
2369
2381

History

#1 Updated by Guilhem Moulin 6 months ago

  • Assignee set to Guilhem Moulin

#2 Updated by Guilhem Moulin 6 months ago

FWIW it's irrelevant whether the credentials are stored in LDAP or in some other backend. Since late February our Nextcloud instance doesn't “use LDAP authentication” anymore (and until mid-March access wasn't granted to all TDF members by default, it was done on a per-user basis), but Single Sign On (via SAML token); session expiration is a property of the latter, not of the authentication backend.

#3 Updated by William Gathoye 4 months ago

Was: "Nextcloud token doesn't survive a day with LDAP authentication"

While we previously still could connect but with the need to redo the auth process each day, since latest Nextcloud version (14 as I write these lines), we are now unable to connect to the instance using any desktop or mobile app client.

Step 1: Screenshot_20181202_155546.png: We press login like usual

Step 2: Screenshot_20181202_155558.png: We are redirected to the SAML web ui SSO auth page from TDF

Step 3: Screenshot_20181202_155622.png: When authenticated, we are redirected to this page asking us to grant access

Step 4: Screenshot_20181202_155627.png: We press the button and the login process is stuck to "Redirecting..."

#4 Updated by William Gathoye 4 months ago

For the record, creating an application token via `https://nextcloud.documentfoundation.org/settings/user/security` doesn't help either.

Screenshot_20181202_160104.png: When we specify our username and app password we have just created and we press `Grant access`, nothing happens.

#5 Updated by Guilhem Moulin 4 months ago

For what it's worth, it works for me using the owncloud client (‘owncloud-client 2.4.1+dfsg-1.1’ package from Debian sid). So clearly the “we are now unable to connect to the instance using any desktop or mobile app client” is incorrect :-P Also, as mentioned on IRC, note that we upgraded to Nextcloud 14 on Sep 12, so before you opened this ticket. Did you upgrade your client recently? With 2.4.1 I'm not redirected to the page asking to grant access.

#6 Updated by Florian Effenberger 4 months ago

IIRC where was a bug in the Nextcloud client (with an existing bug ID),
because I heard that in the past too, that the ownCloud client works.
Didn't try myself though, so it's hearsay.

#7 Updated by William Gathoye 3 months ago

Florian Effenberger wrote:

IIRC where was a bug in the Nextcloud client (with an existing bug ID),
because I heard that in the past too, that the ownCloud client works.
Didn't try myself though, so it's hearsay.

Guilhem Moulin wrote:

For what it's worth, it works for me using the owncloud client (‘owncloud-client 2.4.1+dfsg-1.1’ package from Debian sid). So clearly the “we are now unable to connect to the instance using any desktop or mobile app client” is incorrect :-P Also, as mentioned on IRC, note that we upgraded to Nextcloud 14 on Sep 12, so before you opened this ticket. Did you upgrade your client recently? With 2.4.1 I'm not redirected to the page asking to grant access.

I'm running 2.5.1 client. I think the issue might be to the version tag being sent by my client and that version is not accepted by your server. I'll see with the Arch Linux maintainer of the NextCloud client package. In the mean time I have jointed to this comment the debug logs of my nextcloud client.

Btw, I tested with the client 2.3.3 on Windows, this worked, but this broke with 2.5.1. I definitely think there is an issue upstream.

#8 Updated by William Gathoye 3 months ago

https://github.com/nextcloud/desktop/issues/830

If someone can check on the server whether this could be related to the E2E module? This would be fine.

#9 Updated by Guilhem Moulin 3 months ago

  • Subject changed from Unable to connect to Nextcloud using sync applications to Unable to connect to Nextcloud using nextcloud 2.5 desktop client

William Gathoye wrote:

If someone can check on the server whether this could be related to the E2E module? This would be fine.

This plugin is not installed currently (and never was AFAIK).

#10 Updated by William Gathoye 3 months ago

  • Subject changed from Unable to connect to Nextcloud using nextcloud 2.5 desktop client to Nextcloud SAML authentication doesn't survive a client restart

Ok I have been able to fix the issue wrt. the inability to connect. I recompiled the very latest commit of nextcloud client and this solved the issue. The client isn't asking me to "grant access" or anything like that.

#11 Updated by William Gathoye 3 months ago

The main issue however persists. The SAML token doesn't survive a client restart. And when we create an app password from the Nextcloud webui, we cannot use the app password.
Here are the client logs when I try to do so:
https://gist.github.com/wget/1cfb8a1d13eac9f0280d42b7dae59703
Also, (worse!), it appears each time we connect usin SAML, a dedicated app password is created. The previous ones are NOT invalidated and I'm pretty sure we can still login with them! When I checked my settings page I had dozens of generated tokens!
I asked this very same question to the nextcloud packager of Arch Linux. He appears to be great at fixing bugs and upstreaming the fixes.

#12 Updated by Florian Effenberger 3 months ago

Thanks for chasing that!
Did you hear anything back from the Arch Linux maintainer?

#13 Updated by William Gathoye 2 months ago

Florian Effenberger wrote:

Thanks for chasing that!
Did you hear anything back from the Arch Linux maintainer?

Yes, he is fixing bug related to the webview (the regression), but the community in the desktop app is pretty slow. Owncloud is much better in this regard.

Rrgarding SAML auth, he canot help us narrowing down the issue, because he has no SAML server account to test. Could we maybe give him an account on the TDF instance and ask him if he can help us?

Otherwise I'm afraid we will have to wait for FOSDEM in order to debug this issue. We will have Nextcloud devs at hand ;D We will just have to launch a broadcast message to reach some of them :D

#14 Updated by Florian Effenberger 2 months ago

Thanks for chasing this!
IIRC the ownCloud app can be used as well, but not entirely sure
Talking at FOSDEM sounds great indeed, looking forward to :-)

Can you check with Guilhem if we can give him a test account without
access to private data? Should be possible, and if so, happy to help him
narrow down the problem, of course!

Also available in: Atom PDF