# Problem
I successfully integrated Nextcloud with the Zitadel IdP using user_oidc, but I hit an issue with the **allow_multiple_user_backends=0** config.
# Setup
The idea was to reduce the Nextcloud session lifetime so that the NC session ends quickly and the user must log in again through the IdP, which ensures the user's session is still valid in the IdP. To achieve this I configured the following settings in NC:
| setting | value |
|---|---|
|auto_logout|false|
|session_keepalive|true|
|session_lifetime|120|
|session_relaxed_expiry|false|
|remember_login_cookie_lifetime|0|
- The session lifetime could be longer (I started with 15 min); such an extremely short value is used only to hit the issue fast.
With **allow_multiple_user_backends=1** the settings work fine: the user returns to the login screen, where hitting the "login with IdP" button starts another session.
![image](https://github.com/nextcloud/user_oidc/assets/18125597/2c1acfb0-cc7f-47da-b189-e220999c0b98)
The problem starts when I force the IdP login with **allow_multiple_user_backends=0** using `occ config:app:set --value=0 user_oidc allow_multiple_user_backends`. This worked as expected, immediately redirecting an unauthorized user to the IdP and allowing access upon successful authorization. But after the Nextcloud session ends the user is unable to return to Nextcloud. The browser keeps bouncing between Nextcloud and the IdP with the requests
- Nextcloud/logout?requesttoken=123
- IdP/authorize
- Nextcloud/login?redirect_url=/logout?requesttoken=123..
keeping the requesttoken constant and at some point hitting a 412 "CSRF check failed".
![image](https://github.com/nextcloud/user_oidc/assets/18125597/29ddc374-3954-4b66-89a6-04faabd853cc)
# How to reproduce
- set up Nextcloud, user_oidc and some IdP
- configure a short NC session timeout
- log in using a browser (in my case Firefox on Windows)
- the default view in my instance is the Files app
- do nothing and leave the session open
- in the F12 dev tools a permanent exchange of push/sync messages is visible
- after the Nextcloud session ends the browser starts looping between NC and the IdP
# Logs
I'm adding an anonymized HAR file from the browser dev tools showing the issue. In this log *https://dev-nc.mydomain.tld* is my Nextcloud and *https://sso.mydomain.tld* is the IdP. In my case I'm using Zitadel, but the same issue happens with authentik and Keycloak as well.
[dev-nc.mydomain.tld_Archive [23-12-28 20-22-20].har.zip](https://github.com/nextcloud/user_oidc/files/13789235/dev-nc.mydomain.tld_Archive.23-12-28.20-22-20.har.zip)
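To triage a HAR capture like the one above without reading it by hand, the following added example (not part of this issue or of user_oidc) detects the logout → authorize → login cycle, checks whether the requesttoken stays constant across the loop, and counts 412 responses. The hostnames follow the issue; the HAR fragment, token value and IdP path are constructed.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed HAR fragment modelled on the loop described in the issue:
# Nextcloud /logout -> IdP /authorize -> Nextcloud /login?redirect_url=/logout...
# with the same requesttoken carried around until a 412 "CSRF check failed".
NC = "https://dev-nc.mydomain.tld"
IDP = "https://sso.mydomain.tld"
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": u}, "response": {"status": s}} for u, s in [
        (NC + "/logout?requesttoken=abc123", 302),
        (IDP + "/authorize?client_id=nc&state=s1", 302),
        (NC + "/login?redirect_url=%2Flogout%3Frequesttoken%3Dabc123", 302),
        (NC + "/logout?requesttoken=abc123", 302),
        (IDP + "/authorize?client_id=nc&state=s2", 302),
        (NC + "/login?redirect_url=%2Flogout%3Frequesttoken%3Dabc123", 302),
        (NC + "/logout?requesttoken=abc123", 412),
    ]]}})

def classify(url):
    """Coarse step name for a request URL: logout, authorize, login or other."""
    path = urlparse(url).path
    for step in ("logout", "authorize", "login"):
        if path.endswith("/" + step):
            return step
    return "other"

def requesttoken(url):
    """Return the requesttoken query value, also when nested in redirect_url."""
    qs = parse_qs(urlparse(url).query)  # parse_qs already percent-decodes values
    if "requesttoken" in qs:
        return qs["requesttoken"][0]
    if "redirect_url" in qs:
        inner = qs["redirect_url"][0]
        return requesttoken(inner if inner.startswith("http") else "https://x" + inner)
    return None

def detect_logout_loop(har_text, min_cycles=2):
    """Summarise the HAR: cycle count, distinct tokens, 412s and a loop verdict."""
    entries = json.loads(har_text)["log"]["entries"]
    steps = [classify(e["request"]["url"]) for e in entries]
    tokens = {t for t in (requesttoken(e["request"]["url"]) for e in entries) if t}
    cycle = ["logout", "authorize", "login"]
    cycles = sum(1 for i in range(len(steps) - 2) if steps[i:i + 3] == cycle)
    csrf_failures = sum(1 for e in entries if e["response"]["status"] == 412)
    # A genuine loop repeats the cycle while the requesttoken never changes.
    return {"cycles": cycles, "tokens": tokens, "csrf_failures": csrf_failures,
            "loop": cycles >= min_cycles and len(tokens) == 1}
```

Point `detect_logout_loop` at the text of a real HAR export; a verdict of `loop: True` together with a single token reproduces the symptom described above.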
# Nextcloud config report
```
## Server configuration detail
**Operating system:** Linux 6.1.0-16-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12) x86_64
**Webserver:** Apache/2.4.57 (Debian) (apache2handler)
**Database:** mysql 10.5.23
**PHP version:** 8.2.13
Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, session, PDO, pdo_sqlite, standard, posix, random, Reflection, Phar, SimpleXML, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, apcu, bcmath, exif, gd, gmp, imagick, intl, ldap, memcached, pcntl, pdo_mysql, pdo_pgsql, redis, sodium, sysvsem, zip, Zend OPcache
**Nextcloud version:** 28.0.1 - 28.0.1.1
**Updated from an older Nextcloud/ownCloud or fresh install:**
**Where did you install Nextcloud from:** unknown
<details><summary>Signing status</summary>
[]
</details>
<details><summary>List of activated apps</summary>
```
Enabled:
- activity: 2.20.0
- admin_audit: 1.18.0
- bruteforcesettings: 2.8.0
- calendar: 4.6.1
- circles: 28.0.0-dev
- cloud_federation_api: 1.11.0
- comments: 1.18.0
- contacts: 5.5.0
- contactsinteraction: 1.9.0
- dav: 1.29.1
- federatedfilesharing: 1.18.0
- federation: 1.18.0
- files: 2.0.0
- files_external: 1.20.0
- files_pdfviewer: 2.9.0
- files_reminders: 1.1.0
- files_sharing: 1.20.0
- files_trashbin: 1.18.0
- files_versions: 1.21.0
- firstrunwizard: 2.17.0
- forms: 4.0.0
- groupfolders: 16.0.1
- logreader: 2.13.0
- lookup_server_connector: 1.16.0
- mail: 3.5.0
- nextcloud_announcements: 1.17.0
- notifications: 2.16.0
- notify_push: 0.6.6
- oauth2: 1.16.3
- password_policy: 1.18.0
- photos: 2.4.0
- privacy: 1.12.0
- provisioning_api: 1.18.0
- recommendations: 2.0.0
- related_resources: 1.3.0
- richdocuments: 8.3.0
- serverinfo: 1.18.0
- settings: 1.10.1
- sharebymail: 1.18.0
- spreed: 18.0.1
- support: 1.11.0
- survey_client: 1.16.0
- systemtags: 1.18.0
- text: 3.9.1
- theming: 2.3.0
- twofactor_backupcodes: 1.17.0
- twofactor_nextcloud_notification: 3.8.0
- twofactor_totp: 10.0.0-beta.2
- twofactor_webauthn: 1.3.2
- unroundedcorners: 1.1.2
- updatenotification: 1.18.0
- user_oidc: 1.3.5
- user_status: 1.8.1
- viewer: 2.2.0
- workflowengine: 2.10.0
Disabled:
- dashboard: 7.3.0
- encryption
- end_to_end_encryption: 1.12.5
- files_rightclick: 1.6.0
- suspicious_login: 4.2.0
- user_ldap
- weather_status: 1.3.0
```
</details>
<details><summary>Configuration (config/config.php)</summary>
```
{
"htaccess.RewriteBase": "\/",
"memcache.local": "\\OC\\Memcache\\APCu",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"overwritehost": "dev-nc.mydomain.tld",
"overwriteprotocol": "https",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"trusted_domains": [
"localhost"
],
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "28.0.1.1",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"installed": true,
"instanceid": "***REMOVED SENSITIVE VALUE***",
"loglevel": "1",
"maintenance": false,
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"password": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"default_phone_region": "CH",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_smtpmode": "smtp",
"mail_sendmailmode": "smtp",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"mail_smtpsecure": "ssl",
"mail_smtpauthtype": "LOGIN",
"mail_smtpauth": 1,
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "465",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"allow_local_remote_servers": true,
"trashbin_retention_obligation": "15, 180",
"app_install_overwrite": [
"suspicious_login"
],
"serverinfo": {
"token": "lmFaJ6JXR5e8wxCuyfSn"
},
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"remember_login_cookie_lifetime": 0,
"session_keepalive": "true",
"session_lifetime": "120",
"auto_logout": "false",
"overwrite.cli.url": "https:\/\/dev-nc.mydomain.tld",
"theme": "",
"session_relaxed_expiry": "false",
"updater.release.channel": "stable",
"enabledPreviewProviders": [
"OC\\Preview\\MP3",
"OC\\Preview\\TXT",
"OC\\Preview\\MarkDown",
"OC\\Preview\\OpenDocument",
"OC\\Preview\\Krita",
"OC\\Preview\\Imaginary"
],
"preview_imaginary_url": "http:\/\/dev-nextcloud-imaginary:9000",
"preview_concurrency_all": "12",
"preview_concurrency_new": "8",
"log_rotate_size": 1048576
}
```
</details>
**Cron Configuration:** Array
(
[backgroundjobs_mode] => cron
[lastcron] => 1703793901
)
**External storages:** yes
<details><summary>External storage configuration</summary>
```
No mounts configured
```
</details>
**Encryption:** no
**User-backends:**
* OCA\UserOIDC\User\Backend
* OCA\UserOIDC\User\Backend
* OC\User\Database
**Talk configuration:**
STUN servers
* no custom server configured
TURN servers
* turn:nc.mydomain.tld:3478 - udp,tcp
Signaling servers (mode: default):
* SIP dialin is disabled
* SIP dialout is disabled
* no custom server configured
Recording servers:
* Recording is enabled
* Recording consent is set to "default"
* no recording server configured
**Browser:** Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
```