Project

General

Profile

Actions

Task #2658

closed

Nextcloud SAML authentication doesn't survive a client restart

Added by William Gathoye about 6 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Category:
-
Target version:
Team - Q3/2019
Start date:
Due date:
% Done:

0%

Tags:

Description

When we are authenticated on the TDF Nextcloud instance and we have a Nextcloud client synced with our devices, after a day, we get complains the authentication method is invalid and we need to reauthenticate.

This is a cumbersome process since we must disconnect / reconnect on each device we had our account synced to and we need to initiate a new resync (hopefully, existing files are not redownloaded).

The current situation leads us in having a Nextcloud instance barely usable since the LDAP authentication has been launched.

One idea of fix would be to extend the life of the token to 30 days or choose applications passwords instead (if the feature available into Nextcloud).


Files

Screenshot_20180920_171524.png (46.6 KB) Screenshot_20180920_171524.png William Gathoye, 2018-09-20 17:18
Screenshot_20181202_155558.png (179 KB) Screenshot_20181202_155558.png William Gathoye, 2018-12-02 15:56
Screenshot_20181202_155546.png (309 KB) Screenshot_20181202_155546.png William Gathoye, 2018-12-02 15:56
Screenshot_20181202_155622.png (305 KB) Screenshot_20181202_155622.png William Gathoye, 2018-12-02 15:56
Screenshot_20181202_155627.png (288 KB) Screenshot_20181202_155627.png William Gathoye, 2018-12-02 15:56
Screenshot_20181202_160104.png (291 KB) Screenshot_20181202_160104.png William Gathoye, 2018-12-02 16:01
netxcloud_debug_connection_issue_wget_2018-12-22.txt (8.86 KB) netxcloud_debug_connection_issue_wget_2018-12-22.txt nextcloud client logs William Gathoye, 2018-12-22 19:07
Screenshot_20181222_190914.png (332 KB) Screenshot_20181222_190914.png grant access animation loop no action William Gathoye, 2018-12-22 19:09
Actions #1

Updated by Guilhem Moulin about 6 years ago

  • Assignee set to Guilhem Moulin
Actions #2

Updated by Guilhem Moulin about 6 years ago

FWIW it's irrelevant whether the credentials are stored in LDAP or in some other backend. Since late February our Nextcloud instance doesn't “use LDAP authentication” anymore (and until mid-March access wasn't granted to all TDF members by default, it was done on a per-user basis), but Single Sign On (via SAML token); session expiration is a property of the latter, not of the authentication backend.

Actions #3

Updated by William Gathoye almost 6 years ago

Was: "Nextcloud token doesn't survive a day with LDAP authentication"

While we previously still could connect but with the need to redo the auth process each day, since latest Nextcloud version (14 as I write these lines), we are now unable to connect to the instance using any desktop or mobile app client.

Step 1: Screenshot_20181202_155546.png: We press login like usual

Step 2: Screenshot_20181202_155558.png: We are redirected to the SAML web ui SSO auth page from TDF

Step 3: Screenshot_20181202_155622.png: When authenticated, we are redirected to this page asking us to grant access

Step 4: Screenshot_20181202_155627.png: We press the button and the login process is stuck to "Redirecting..."

Actions #4

Updated by William Gathoye almost 6 years ago

For the record, creating an application token via `https://nextcloud.documentfoundation.org/settings/user/security` doesn't help either.

Screenshot_20181202_160104.png: When we specify our username and app password we have just created and we press `Grant access`, nothing happens.

Actions #5

Updated by Guilhem Moulin almost 6 years ago

For what it's worth, it works for me using the owncloud client (‘owncloud-client 2.4.1+dfsg-1.1’ package from Debian sid). So clearly the “we are now unable to connect to the instance using any desktop or mobile app client” is incorrect :-P Also, as mentioned on IRC, note that we upgraded to Nextcloud 14 on Sep 12, so before you opened this ticket. Did you upgrade your client recently? With 2.4.1 I'm not redirected to the page asking to grant access.

Actions #6

Updated by Florian Effenberger almost 6 years ago

IIRC where was a bug in the Nextcloud client (with an existing bug ID),
because I heard that in the past too, that the ownCloud client works.
Didn't try myself though, so it's hearsay.

Actions #7

Updated by William Gathoye almost 6 years ago

Florian Effenberger wrote:

IIRC where was a bug in the Nextcloud client (with an existing bug ID),
because I heard that in the past too, that the ownCloud client works.
Didn't try myself though, so it's hearsay.

Guilhem Moulin wrote:

For what it's worth, it works for me using the owncloud client (‘owncloud-client 2.4.1+dfsg-1.1’ package from Debian sid). So clearly the “we are now unable to connect to the instance using any desktop or mobile app client” is incorrect :-P Also, as mentioned on IRC, note that we upgraded to Nextcloud 14 on Sep 12, so before you opened this ticket. Did you upgrade your client recently? With 2.4.1 I'm not redirected to the page asking to grant access.

I'm running 2.5.1 client. I think the issue might be to the version tag being sent by my client and that version is not accepted by your server. I'll see with the Arch Linux maintainer of the NextCloud client package. In the mean time I have jointed to this comment the debug logs of my nextcloud client.

Btw, I tested with the client 2.3.3 on Windows, this worked, but this broke with 2.5.1. I definitely think there is an issue upstream.

Actions #8

Updated by William Gathoye almost 6 years ago

https://github.com/nextcloud/desktop/issues/830

If someone can check on the server whether this could be related to the E2E module? This would be fine.

Actions #9

Updated by Guilhem Moulin almost 6 years ago

  • Subject changed from Unable to connect to Nextcloud using sync applications to Unable to connect to Nextcloud using nextcloud 2.5 desktop client

William Gathoye wrote:

If someone can check on the server whether this could be related to the E2E module? This would be fine.

This plugin is not installed currently (and never was AFAIK).

Actions #10

Updated by William Gathoye almost 6 years ago

  • Subject changed from Unable to connect to Nextcloud using nextcloud 2.5 desktop client to Nextcloud SAML authentication doesn't survive a client restart

Ok I have been able to fix the issue wrt. the inability to connect. I recompiled the very latest commit of nextcloud client and this solved the issue. The client isn't asking me to "grant access" or anything like that.

Actions #11

Updated by William Gathoye almost 6 years ago

The main issue however persists. The SAML token doesn't survive a client restart. And when we create an app password from the Nextcloud webui, we cannot use the app password.
Here are the client logs when I try to do so:
https://gist.github.com/wget/1cfb8a1d13eac9f0280d42b7dae59703
Also, (worse!), it appears each time we connect usin SAML, a dedicated app password is created. The previous ones are NOT invalidated and I'm pretty sure we can still login with them! When I checked my settings page I had dozens of generated tokens!
I asked this very same question to the nextcloud packager of Arch Linux. He appears to be great at fixing bugs and upstreaming the fixes.

Actions #12

Updated by Florian Effenberger almost 6 years ago

Thanks for chasing that!
Did you hear anything back from the Arch Linux maintainer?

Actions #13

Updated by William Gathoye almost 6 years ago

Florian Effenberger wrote:

Thanks for chasing that!
Did you hear anything back from the Arch Linux maintainer?

Yes, he is fixing bug related to the webview (the regression), but the community in the desktop app is pretty slow. Owncloud is much better in this regard.

Rrgarding SAML auth, he canot help us narrowing down the issue, because he has no SAML server account to test. Could we maybe give him an account on the TDF instance and ask him if he can help us?

Otherwise I'm afraid we will have to wait for FOSDEM in order to debug this issue. We will have Nextcloud devs at hand ;D We will just have to launch a broadcast message to reach some of them :D

Actions #14

Updated by Florian Effenberger almost 6 years ago

Thanks for chasing this!
IIRC the ownCloud app can be used as well, but not entirely sure
Talking at FOSDEM sounds great indeed, looking forward to :-)

Can you check with Guilhem if we can give him a test account without
access to private data? Should be possible, and if so, happy to help him
narrow down the problem, of course!

Actions #15

Updated by Florian Effenberger over 5 years ago

  • Target version set to Q3/2019

Any updates on this one, is the upstream bug maybe fixed?

Actions #16

Updated by William Gathoye over 5 years ago

Florian Effenberger wrote:

Any updates on this one, is the upstream bug maybe fixed?

Hello Florian,

The problem is still being discussed upstream but seems to be on hold for now. Upstream seems to be looking for testing instances where this bug is reproducible. This is why I asked Guilhem about the ability to clone our Nextcloud instance to a dedicated VM (without the files obviously) where we could nuke and try to test things out from OUR side (and ask maybe the Nextcloud broader community if they have any clue in the case we cannot achieve anything from our end).

See this thread for more details: https://listarchives.libreoffice.org/global/website/msg15317.html
  • Guilhem discussed the PHP code handling the SAML authentication on Nextcloud
  • And I mentioned the ability to disable the option "Use SAML auth for the Nextcloud desktop clients (requires user re-authentication)" that has been discussed upstream where people were saying this was fixing the issue. But we want to test this out first to see if this isn't breaking any thing. This is why a test instance based on our configuration (a clone of our instance) would come in handy.
Actions #17

Updated by Guilhem Moulin over 5 years ago

William Gathoye wrote:

This is why I asked Guilhem about the ability to clone our Nextcloud instance to a dedicated VM (without the files obviously) where we could nuke and try to test things out from OUR side (and ask maybe the Nextcloud broader community if they have any clue in the case we cannot achieve anything from our end).

Just cloning our Nextcloud deployment won't do, Nextcloud, the LDAP DIT, and the SAML (LemonLDAP::NG) instances are tightly coupled and there are severe privacy concerns if we don't want testers to browse the DIT freely, or worse impersonate users. The DIT needs to be populated with dummy data, key material re-generated, X.509 chains re-requested and re-deployed, and password reset and re-deployed. Probably worth having a low-risk test harness for that at some point, but since none of this it's done it's a way bigger work than merely cloning Nextcloud with an empty database :-/

Actions #18

Updated by Florian Effenberger over 5 years ago

Would it be an option to grant some trusted Nextcloud contact a regular
temporary user access to our instance, like we do for community members
too, or do they need much more access permissions to chase the bug?

Actions #19

Updated by William Gathoye over 5 years ago

Florian Effenberger wrote:

Would it be an option to grant some trusted Nextcloud contact a regular
temporary user access to our instance, like we do for community members
too, or do they need much more access permissions to chase the bug?

Playing with the production instance is a bit tricky, because we don't know whether the options we want to test could introduce regressions. (This is the purpose of the test).

Actually, I know from a privacy perspective cloning the prod to dev could be not in balance with GDPR privacy laws etc, but I think this is the only viable solution. In order to limit the risk, instead of having all the users, we can clone the prod, only keep a small subset of its users (like Arnaud Versini and me) and restrict that instance to TDF only without giving access to the wider Nextcloud community.

I know you're busy and cloning the prod to a dev environment might involve some work and spend some of guilhem's precious time, but this is for the sake of open source software :)

Actions #20

Updated by Florian Effenberger over 5 years ago

Actually, I know from a privacy perspective cloning the prod to dev
could be not in balance with GDPR privacy laws etc, but I think this is
the only viable solution. In order to limit the risk, instead of having

That sounds like a huge time investment, tbh, but Guilhem correct me if
I'm wrong and it's a trivial task.

If not, maybe it helps already to let them know our configuration and
setup so they can have a closer look? I don't mind giving them a regular
test account on our instance, but investing large amount of time right
now is rather not possible from my POV.

Actions #21

Updated by William Gathoye about 5 years ago

Hello everyone,

I'm pleased to announce latest commits of the Nextcloud Desktop app (for v 2.6.0) are fixing the issue.
- https://github.com/nextcloud/desktop/issues/1084#issuecomment-536203455
- https://github.com/nextcloud/desktop/issues/830#issuecomment-536203420

I'm pretty sure we can finally close this issue now :)

Regards,

Actions #22

Updated by Guilhem Moulin about 5 years ago

  • Status changed from New to Closed

William Gathoye wrote:

I'm pleased to announce latest commits of the Nextcloud Desktop app (for v 2.6.0) are fixing the issue.

Woo \o/

Actions #23

Updated by Florian Effenberger about 5 years ago

Thanks for chasing this! ;)

Actions

Also available in: Atom PDF