Internal Server Error after upgrade to 26.0.0 when using SAML SSO

peacepenguin · March 22, 2023, 3:13pm

After upgrading “successfully” to 26.0.0 when using SAML login for SSO to Nextcloud, you may be unable to access nextcloud at all. After a successful SAML IDP login, nextcloud will show in the browser:

Internal Server Error
The server was unable to complete your request.

If this happens again, please send the technical details below to the server administrator.

More details can be found in the server log.

The server log will show:

TypeError: OCA\Password_Policy\ComplianceService::entryControl(): Argument #2 ($password) must be of type string, null given, called in /var/www/nextcloud/apps/password_policy/lib/Listener/BeforeUserLoggedInEventListener.php on line 45

To fix it quickly, just disable the “Password Policy” app, either via the direct login to the web ui as an administrator (bypassing saml), or via OCC command line.

Bypass saml login url for those unfamiliar:
https://nextcloud.yourdomain.xyz/index.php/login?direct=1

Seems to be a bug in the password policy app expecting a variable that is not set, as it is a SAML login, so the variable will not be set.

a3linux · March 23, 2023, 9:39am

Exactly same error here in my development after I upgrade to Nextcloud 26.
The login?direct=1 one works fine.

a3linux · March 23, 2023, 9:46am

Disable the Password Policy app,
It works.
But is this a right way to do that, is there any security concern after disable the Password Policy app?

crobarcro · March 27, 2023, 9:39am

Same issue here, has it been reported on Github? Thanks very much for explaining the fix here, I would have never found the solution, or even the problem on my own.

MrTomek · March 27, 2023, 2:43pm

github.com/nextcloud/password_policy

Login with enabled password_policy and external provider SSO & SAML authentication fails for NC 26

opened 10:16AM - 23 Mar 23 UTC

Blackclaws

### Steps to reproduce 1. Setup SSO & SAML authentication 2. Try to login with… external account that doesn't have a local password ### Expected behaviour Login works ### Actual behaviour Internal server error: ``` :"index","method":"GET","url":"/","message":"OCA\\Password_Policy\\ComplianceService::entryControl(): Argument #2 ($password) must be of type string, null given, called in /var/www/html/apps/password_policy/lib/Listener/BeforeUserLoggedInEventListener.php on line 45","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36","version":"26.0.0.11","exception":{"Exception":"TypeError","Message":"OCA\\Password_Policy\\ComplianceService::entryControl(): Argument #2 ($password) must be of type string, null given, called in /var/www/html/apps/password_policy/lib/Listener/BeforeUserLoggedInEventListener.php on line 45","Code":0,"Trace":[{"file":"/var/www/html/apps/password_policy/lib/Listener/BeforeUserLoggedInEventListener.php","line":45,"function":"entryControl","class":"OCA\\Password_Policy\\ComplianceService","type":"->","args":["sfey",null]},{"file":"/var/www/html/lib/private/EventDispatcher/ServiceEventListener.php","line":86,"function":"handle","class":"OCA\\Password_Policy\\Listener\\BeforeUserLoggedInEventListener","type":"->","args":[["OCP\\User\\Events\\BeforeUserLoggedInEvent"]]},{"file":"/var/www/html/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":251,"function":"__invoke","class":"OC\\EventDispatcher\\ServiceEventListener","type":"->","args":[["OCP\\User\\Events\\BeforeUserLoggedInEvent"],"OCP\\User\\Events\\BeforeUserLoggedInEvent",["Symfony\\Component\\EventDispatcher\\EventDispatcher"]]},{"file":"/var/www/html/3rdparty/symfony/event-dispatcher/EventDispatcher.php","line":73,"function":"callListeners","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->","args":[[["Closure"]],"OCP\\User\\Events\\BeforeUserLoggedInEvent",["OCP\\User\\Events\\BeforeUserLoggedInEvent"]]},{"file":"/var/www/html/lib/private/EventDispatcher/EventDispatcher.php","line":87,"function":"dispatch","class":"Symfony\\Component\\EventDispatcher\\EventDispatcher","type":"->","args":[["OCP\\User\\Events\\BeforeUserLoggedInEvent"],"OCP\\User\\Events\\BeforeUserLoggedInEvent"]},{"file":"/var/www/html/lib/private/EventDispatcher/EventDispatcher.php","line":99,"function":"dispatch","class":"OC\\EventDispatcher\\EventDispatcher","type":"->","args":["OCP\\User\\Events\\BeforeUserLoggedInEvent",["OCP\\User\\Events\\BeforeUserLoggedInEvent"]]},{"file":"/var/www/html/lib/private/legacy/OC_User.php","line":192,"function":"dispatchTyped","class":"OC\\EventDispatcher\\EventDispatcher","type":"->","args":[["OCP\\User\\Events\\BeforeUserLoggedInEvent"]]},{"file":"/var/www/html/lib/private/legacy/OC_User.php","line":243,"function":"loginWithApache","class":"OC_User","type":"::","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/html/lib/base.php","line":1122,"function":"handleApacheAuth","class":"OC_User","type":"::","args":[]},{"file":"/var/www/html/lib/base.php","line":1044,"function":"handleLogin","class":"OC","type":"::","args":[["OC\\AppFramework\\Http\\Request"]]},{"file":"/var/www/html/index.php","line":36,"function":"handleRequest","class":"OC","type":"::","args":[]}],"File":"/var/www/html/apps/password_policy/lib/ComplianceService.php","Line":90,"CustomMessage":"--"}} ``` ### Server configuration **List of activated apps:** ``` If you have access to your command line run e.g.: sudo -u www-data php occ app:list from within your Nextcloud installation folder ``` **Nextcloud configuration:** ``` If you have access to your command line run e.g.: sudo -u www-data php occ config:list system from within your Nextcloud installation folder or Insert your config.php content here Make sure to remove all sensitive content such as passwords. (e.g. database password, passwordsalt, secret, smtp password, …) ``` Enabled: - activity: 2.18.0 - admin_audit: 1.16.0 - appointments: 1.14.11 - calendar: 4.3.1 - circles: 26.0.0 - cloud_federation_api: 1.9.0 - comments: 1.16.0 - contacts: 5.2.0 - contactsinteraction: 1.7.0 - dashboard: 7.6.0 - dav: 1.25.0 - deck: 1.9.0 - federatedfilesharing: 1.16.0 - federation: 1.16.0 - files: 1.21.1 - files_automatedtagging: 1.16.0 - files_pdfviewer: 2.7.0 - files_rightclick: 1.5.0 - files_sharing: 1.18.0 - files_trashbin: 1.16.0 - files_versions: 1.19.1 - firstrunwizard: 2.15.0 - flow_notifications: 1.6.0 - groupfolders: 14.0.0 - integration_mattermost: 1.0.3 - logreader: 2.11.0 - lookup_server_connector: 1.14.0 - maps: 1.0.0 - nextcloud_announcements: 1.15.0 - notifications: 2.14.0 - notify_push: 0.6.0 - oauth2: 1.14.0 - onlyoffice: 7.8.0 - password_policy: 1.16.0 (installed 1.16.0) - photos: 2.2.0 - privacy: 1.10.0 - provisioning_api: 1.16.0 - recommendations: 1.5.0 - related_resources: 1.1.0-alpha1 - serverinfo: 1.16.0 - settings: 1.8.0 - sharebymail: 1.16.0 - side_menu: 3.7.1 - spreed: 16.0.0 - support: 1.9.0 - survey_client: 1.14.0 - systemtags: 1.16.0 - text: 3.7.2 - theming: 2.1.1 - twofactor_backupcodes: 1.15.0 - updatenotification: 1.16.0 - user_ldap: 1.16.0 - user_saml: 5.1.2 - user_status: 1.6.0 - viewer: 1.10.0 - weather_status: 1.6.0 - workflowengine: 2.8.0 Disabled: - approval: 1.0.12 (installed 1.0.12) - breezedark: 25.0.1 (installed 25.0.1) - bruteforcesettings: 2.6.0 - cookbook: 0.10.1 (installed 0.10.1) - drawio: 2.1.0 (installed 2.1.0) - electronicsignatures: 2.0.3 (installed 2.0.3) - encryption: 2.14.0 (installed 2.9.0) - files_external: 1.18.0 - keeweb: 0.6.10 (installed 0.6.10) - suspicious_login: 4.4.0 - twofactor_totp: 8.0.0-alpha.0 - unsplash: 2.2.0 (installed 2.2.0) - workflow_ocr: 1.25.4 (installed 1.25.4) - workflow_pdf_converter: 1.11.0 (installed 1.11.0) - workflow_script: 1.11.1 (installed 1.11.1)

jpkerloch · March 28, 2023, 7:11am

Same Issue, for us…do you know when the update will be available for the application?
Best regards

crobarcro · March 29, 2023, 9:30am

I’m not sure Password Policy app is the right place to report this, there is also an issue for the user_saml app here:

github.com/nextcloud/user_saml

Authentication fails with server error on NC26 if password policy app is enabled

opened 08:26PM - 22 Mar 23 UTC

Ma27

### Steps to reproduce 1. Install Nextcloud v26 (password policy app v1.16 is a…lso active because of that), user_saml v5.1.2, configure saml auth 2. Log in via SAML ### Expected behaviour Authentication should work. ### Actual behaviour I get an error 500. And the following error in the phpfpm log: ``` { "Exception": "TypeError", "Message": "OCA\\Password_Policy\\ComplianceService::entryControl(): Argument #2 ($password) must be of type string, null given, called in /nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/apps/password_policy/lib/Listener/BeforeUserLoggedInEventListener.php on line 45", "Code": 0, "Trace": [ { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/apps/password_policy/lib/Listener/BeforeUserLoggedInEventListener.php", "line": 45, "function": "entryControl", "class": "OCA\\Password_Policy\\ComplianceService", "type": "->" }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/EventDispatcher/ServiceEventListener.php", "line": 86, "function": "handle", "class": "OCA\\Password_Policy\\Listener\\BeforeUserLoggedInEventListener", "type": "->" }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/3rdparty/symfony/event-dispatcher/EventDispatcher.php", "line": 251, "function": "__invoke", "class": "OC\\EventDispatcher\\ServiceEventListener", "type": "->" }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/3rdparty/symfony/event-dispatcher/EventDispatcher.php", "line": 73, "function": "callListeners", "class": "Symfony\\Component\\EventDispatcher\\EventDispatcher", "type": "->" }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/EventDispatcher/EventDispatcher.php", "line": 87, "function": "dispatch", "class": "Symfony\\Component\\EventDispatcher\\EventDispatcher", "type": "->" }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/EventDispatcher/EventDispatcher.php", "line": 99, "function": "dispatch", "class": "OC\\EventDispatcher\\EventDispatcher", "type": "->" }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/legacy/OC_User.php", "line": 192, "function": "dispatchTyped", "class": "OC\\EventDispatcher\\EventDispatcher", "type": "->" }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/legacy/OC_User.php", "line": 243, "function": "loginWithApache", "class": "OC_User", "type": "::", "args": [ "*** sensitive parameters replaced ***" ] }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/base.php", "line": 1122, "function": "handleApacheAuth", "class": "OC_User", "type": "::" }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/base.php", "line": 1044, "function": "handleLogin", "class": "OC", "type": "::" }, { "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/index.php", "line": 36, "function": "handleRequest", "class": "OC", "type": "::" } ], "File": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/apps/password_policy/lib/ComplianceService.php", "Line": 90, "CustomMessage": "--" } ``` The issue can be solved by deactivating the password policy app. Given Nextcloud doesn't have to deal with passwords here because of SAML it should probably made sure that the app is not touched at all by this. ### Server configuration **Operating system**: NixOS 22.11 **Web server:** nginx 1.22 **Database:** postgresql 15 **PHP version:** 8.1.16 **Nextcloud version:** 26.0.0 **Where did you install Nextcloud from:** NixOS **List of activated apps:** ``` If you have access to your command line run e.g.: sudo -u www-data php occ app:list Enabled: - activity: 2.18.0 - calendar: 3.4.3 - circles: 26.0.0 - cloud_federation_api: 1.9.0 - comments: 1.16.0 - contacts: 4.2.0 - contactsinteraction: 1.7.0 - cospend: 1.5.8 - dashboard: 7.6.0 - dav: 1.25.0 - federatedfilesharing: 1.16.0 - federation: 1.16.0 - files: 1.21.1 - files_external: 1.18.0 - files_pdfviewer: 2.7.0 - files_rightclick: 1.5.0 - files_sharing: 1.18.0 - files_trashbin: 1.16.0 - files_versions: 1.19.1 - firstrunwizard: 2.15.0 - logreader: 2.11.0 - lookup_server_connector: 1.14.0 - maps: 1.0.0 - nextcloud_announcements: 1.15.0 - notifications: 2.14.0 - oauth2: 1.14.0 - photos: 2.2.0 - privacy: 1.10.0 - provisioning_api: 1.16.0 - recommendations: 1.5.0 - related_resources: 1.1.0-alpha1 - serverinfo: 1.16.0 - settings: 1.8.0 - sharebymail: 1.16.0 - support: 1.9.0 - survey_client: 1.14.0 - systemtags: 1.16.0 - text: 3.7.2 - theming: 2.1.1 - twofactor_backupcodes: 1.15.0 - updatenotification: 1.16.0 - user_ldap: 1.16.0 - user_saml: 5.1.2 - user_status: 1.6.0 - viewer: 1.10.0 - weather_status: 1.6.0 - workflowengine: 2.8.0 Disabled: - admin_audit: 1.16.0 - bruteforcesettings: 2.6.0 - encryption: 2.14.0 - password_policy: 1.16.0 (installed 1.16.0) - suspicious_login: 4.4.0 - twofactor_totp: 8.0.0-alpha.0 ``` **Nextcloud configuration:** ```{ "system": { "apps_paths": [ { "path": "\/var\/lib\/nextcloud\/nix-apps", "url": "\/nix-apps", "writable": false }, { "path": "\/var\/lib\/nextcloud\/apps", "url": "\/apps", "writable": false }, { "path": "\/var\/lib\/nextcloud\/store-apps", "url": "\/store-apps", "writable": true } ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "skeletondirectory": "", "log_type": "syslog", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "dbtype": "pgsql", "version": "26.0.0.11", "overwrite.cli.url": "http:\/\/localhost", "overwriteprotocol": "https", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "instanceid": "***REMOVED SENSITIVE VALUE***", "loglevel": "1", "maintenance": false, "logfile": "\/var\/log\/nextcloud.log", "log_level": "2", "theme": "", "app_install_overwrite": [ "calendar", "user_saml", "contacts" ], "trusted_proxies": "***REMOVED SENSITIVE VALUE***", "ldapIgnoreNamingRules": false, "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory", "default_phone_region": "DE", "memcache.local": "\\OC\\Memcache\\Redis", "memcache.locking": "\\OC\\Memcache\\Redis", "memcache.distributed": "\\OC\\Memcache\\Redis", "session_lifetime": 2419200, "profile.enabled": false, "appstoreenabled": false, "memcache": { "distributed": "\\OC\\Memcache\\Redis", "local": "\\OC\\Memcache\\Redis", "locking": "\\OC\\Memcache\\Redis" }, "redis": { "host": "***REMOVED SENSITIVE VALUE***", "port": 6379 }, "trusted_domains": [ "<redacted>" ] } } ``` ### Client configuration irrelevant, server issue ### Logs #### Nextcloud log (data/owncloud.log) see above #### Browser log n/a

I don’t think another app should be able to break SAML login like this.

OmeLuuk · April 11, 2023, 12:55pm

Will there be a re-pre-release of RC2 of NC26 that resolves this issue? Should I pick it up manually from Github? Although I disabled the app, several other connections (client on phone) fails to connect due to this bug.

William_Salazar · April 12, 2023, 3:53pm

The same issue happened when the Nextcloud server was upgraded to 26.0.0, and the SAML SSO stopped working; after disabling the password policy app, SSO started to work.

OmeLuuk · April 15, 2023, 4:59pm

Indeed, after installing 26.0.1 RC1 still same issue.
docc status

installed: true
version: 26.0.1.0
versionstring: 26.0.1 RC1
edition:
maintenance: false
needsDbUpgrade: false
productname: Nextcloud
extendedSupport: false

OmeLuuk · April 15, 2023, 6:02pm

Where in the previous installation I did not use SAML it was flipped on in the 26 version. After switching it off again, I think business as usual.

belowtoxic · April 18, 2023, 2:41pm

That error might (also) have something to do with WebDAV - or at least with something that “touches” WebDAV.
I did the dance with Password Policy app but that didn’t do the trick. Found following:

Removing the tokens made it work for me. Drawback: connections via WebDAV seem to corrupt tokens, so for now I have to recreate them over and over again…

a3linux · April 23, 2023, 7:30am

Does this issue happen on NC 25.0.6 as I hit the same error when upgrade NC25 to the latest docker image?

Clement_SimpleRezo · April 26, 2023, 11:21am

Yes, this issue is also present on NC 25.0.6.

a3linux · April 26, 2023, 1:49pm

Is there any working or patch we can test or try for this?