Everything works with the ‘app password’ that was created by Bearer ‘id_token’ from OIDC, but only for 10 minutes.
Why?
Surely the ‘app password’ should be permanent for the user?
Or is the ‘app password’ tied to the life of the id_token?
The Basics
- Nextcloud Server version (e.g., 29.x.x):
30.0.2.2
- Operating system and version (e.g., Ubuntu 24.04):
FreeBSD 14.1
- Web server and version (e.g, Apache 2.4.25):
nginx
- Reverse proxy and version (e.g. nginx 1.27.2):
nginx
- PHP version (e.g, 8.3):
8.3.12
- Is this the first time you’ve seen this error? (Yes / No):
Yes
- When did this problem seem to first start?
- Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
pkg
- Are you using Cloudflare, mod_security, or similar? (Yes / No)
No
Summary of the issue you are facing:
For long-term operations to upload files to the user’s folder, I use the WebDAV API from my Python application.
For authorization to work with the OCS API, I use the OIDC ‘id_token’ Bearer, using the ‘user_oidc’ app (OpenID Connect user backend Version 6.1.2) in NC 30.0.2.
But each connection, upload session with OIDC, creates a new record in the NC GUI: Security-Devices & sessions. And then it is difficult to clean them up.
In order to reduce the number of records and switch to the faster ‘Basic Auth’, I create an ‘app password’ for the user by authorizing the user through the Bearer ‘id_token’ from OIDC - OCS API - ‘ocs/v2.php/core/getapppassword’.
Everything works with the ‘app password’, but only for 10 minutes.
Why?
Surely the ‘app password’ should be permanent for the user?
Or is the ‘app password’ tied to the life of the id_token?
Steps to replicate it (hint: details matter!):
- Create an ‘app password’ for the user by authorizing the user through the Bearer ‘id_token’ from OIDC - OCS API - ‘ocs/v2.php/core/getapppassword’.
- use ‘Basic Auth’ with username:app_password for OCS API
- after 10 mins, Basic Auth with username:app_password for OCS API - error.
Log entries
Nextcloud
Please provide the log entries from your Nextcloud log that are generated during the time of problem (via the Copy raw option from Administration settings->Logging screen or from your nextcloud.log located in your data directory). Feel free to use a pastebin/gist service if necessary.
Can't detect
Configuration
Nextcloud
The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):
Apps
The output of occ app:list (if possible).
'user_oidc' - (OpenID Connect user backend Version 6.1.2)
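
One way to test the question raised in the post (whether the Basic Auth failure lines up with the id_token's expiry), as an added example that is not part of the original post: the function names, the sample user and the unsigned sample token are constructed for illustration, and the code only builds requests and reads claims, it does not contact a server.

```python
import base64
import json
import urllib.request

def _b64url(obj):
    """base64url-encode a JSON object without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample id_token (unsigned, not from the post): valid for 600 seconds.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none"}),
    _b64url({"sub": "alice", "iat": 1700000000, "exp": 1700000600}),
    "sig",
])

def jwt_claims(id_token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_lifetime(id_token):
    """Seconds between the token's iat and exp claims."""
    claims = jwt_claims(id_token)
    return claims["exp"] - claims["iat"]

def getapppassword_request(base_url, id_token):
    """Step 1 of the post: ask OCS for an app password using the bearer id_token."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/ocs/v2.php/core/getapppassword?format=json",
        headers={"Authorization": "Bearer " + id_token, "OCS-APIRequest": "true"},
    )

def basic_auth_header(user, app_password):
    """Step 2 of the post: the Basic Auth header built from username:app_password."""
    raw = f"{user}:{app_password}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def failure_matches_expiry(id_token, first_failure_ts, tolerance=60):
    """True if the first failed Basic Auth call falls within `tolerance`
    seconds after the token's exp claim (tolerance is an assumed poll interval)."""
    exp = jwt_claims(id_token)["exp"]
    return 0 <= first_failure_ts - exp <= tolerance

if __name__ == "__main__":
    print("id_token lifetime (s):", token_lifetime(SAMPLE_TOKEN))
    print("failure at exp+30s matches expiry:",
          failure_matches_expiry(SAMPLE_TOKEN, 1700000630))
```

Record the Unix time of the first failing Basic Auth call and pass it with the real id_token to `failure_matches_expiry`; a lifetime of about 600 seconds together with a match would show the two events coincide.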