Nextcloud not logging me out when OpenID session expires

hbubli · November 12, 2023, 1:15pm

Support intro

Sorry to hear you’re facing problems

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:

example

Or for longer, use three backticks above and below the code snippet:

longer
example
here

Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can

Nextcloud version (eg, 20.0.5): 27.1.3
Operating system and version (eg, Ubuntu 20.04): Ubuntu 22.04.3 LTS
Apache or nginx version (eg, Apache 2.4.25): nginx/1.24.0 and Apache/2.4.52
PHP version (eg, 7.4): 8.1.2-1ubuntu2.14

The issue you are facing: When the SSO Session Max in Keycloak is reached Nextcloud does not log me out. Im using OpenID Connect.

Is this the first time you’ve seen this error? (Y/N): yes

Steps to replicate it:

Log in to Nextcloud using Keycloak SSO.
Wait for the SSO Session Max to get reached.
Watch yourself stay logged in.

The output of your Nextcloud log in Admin > Logging:

there is absolutely nothing in the logs for this.

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

https://bin.hbubli.cc/?433e321514fa599a#7W8zu8A3VNWGrX3WSc9t8nq5LZRRXdissvqp3QS9xaEB

The output of your Apache/nginx/system log in /var/log/____:

https://bin.hbubli.cc/?fff38a98b6c5ffe8#CzQpz9aPad3N2ngzrvgiWqa99pbzNfz7JjmQffr768mX

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

https://bin.hbubli.cc/?d2cfac7b72ceed94#Ei3LYpNE8EJJYTmcNLb3ZtfTPrgmk2NADgPasJ3fmCHv

wwe · November 13, 2023, 4:39pm

I was testing Keycloak and user_oidc. It was possible to end Nextcloud session when user was actively logging out from KC. There is an option backchannel logout - I`m not sure it is required for this functionality.

Regarding session timeout there are multiple settings related to session length in NC itself - I think you need to adjust them to make the session timeout fast enough after KC session times out…

# review values
docker exec --user www-data dev-nextcloud-app php occ config:system:get auto_logout
docker exec --user www-data dev-nextcloud-app php occ config:system:get session_keepalive
docker exec --user www-data dev-nextcloud-app php occ config:system:get session_lifetime
docker exec --user www-data dev-nextcloud-app php occ config:system:get session_relaxed_expiry
docker exec --user www-data dev-nextcloud-app php occ config:system:get remember_login_cookie_lifetime

At the moment I’m not following they Keycloak path anymore as there is major issue with this product - stopping/restarting KC (which is common scenario in small/home setup) results loosing in all SSO sessions because they expect “production” systems to run as a cluster on distributed hardware and was unable to overcome this limitation. for this reason the product is unusable for me.

hbubli · November 13, 2023, 5:50pm

So when the Keycloak session expires, the nc session timer basically starts or how does it work?

wwe · November 13, 2023, 8:07pm

NC session starts when you enter the system. but it is continuously refreshed by default and for this reason never end as long you keep using the device. I recommend to review the documentation

https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=session#user-session

hbubli · November 13, 2023, 9:29pm

Ive seem to got it working so far and ive set the session lenght to 5 mins, but now theres a new problem. When i let the tab idle for a few mins and then come back it seems to reload the page and display the error “CSRF Check failed”. In the network tab it shows it accessed a /logout url and then contacted kc again which then responded with a token and then nc tries to contact this url “https://cloud.mydomain.tld/logout?requesttoken=[somelongasscode]” which then results in the error. And btw, thank you for helping so far, i really appreciate it!

wwe · November 14, 2023, 9:12pm

I remember the csrf error as well but unfortunately no solution so far. my guess is the logout procedure starts when the session is going to expire and at the time process finishes cookie has expired already, which results in the error. Would be great if you find the motivation to track this down and report a bug.

hbubli · November 15, 2023, 2:30pm

Its probably caused by auto logout, i have disabled it again and doesnt result in an error anymore, but now im not sure if it will even log me out when it has to. Probably gonna report the bug tho after i gather some more info from the logs etc.

wwe · December 7, 2023, 5:46pm

hi hbubli did you find a solution for the CSRF problem?

in a working OIDC setup I set my NC session to short time with the intention the system will re-authenticate the user once Nextcloud session ends. But I’m running into CSRF error after some time. Interesting enough this doesn’t happen once the session should end… I have session_lifetime=300 but issue started after 17 min according to browser log. I have to double check what happens after 15 min maybe something IdP related…

the problem starts with a request to

https://cloud.mydomain.tld/logout?requesttoken=WxNbOh8zU5hxAQ9v9WbbxqYls1fEqIKG8wvk9kFUP6A%3D%3APGB0QFpWYc48T0xbsV7thIl24zWCzs3olj3VnRgjSMQ%3D

followed by request to

https://cloud.mydomain.tld/login?clear=1
https://cloud.mydomain.tld/apps/user_oidc/login/7
https://idp.mydomain.tld/oauth/v2/authorize?client_id=242435973244321807%40cloud.mydomain.tld&response_type=code&scope=openid+email+profile+address&redirect_uri=https%3A%2F%2Fcloud.mydomain.tld%2Fapps%2Fuser_oidc%2Fcode&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22x-grants%22%3Anull%2C%22preferred_username%22%3Anull%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22x-grants%22%3Anull%2C%22preferred_username%22%3Anull%7D%7D&state=40DL2R9KTLDSTN5XF7601KTYVRU3II3V&nonce=90XQJGA7B7DDOIC3YT1Y9L1KQEQRSRS8&code_challenge=v4-aUnluQ1vhRdtANBU_y0MhCgk14UZ3JimyhbxLNfU&code_challenge_method=S256
https://idp.mydomain.tld/ui/login/login?authRequestID=244063638376153103
https://cloud.mydomain.tld/logout?requesttoken=WxNbOh8zU5hxAQ9v9WbbxqYls1fEqIKG8wvk9kFUP6
%3D%3APGB0QFpWYc48T0xbsV7thIl24zWCzs3olj3VnRgjSMQ%3D

and ends with

https://cloud.mydomain.tld/login?redirect_url=/logout?requesttoken%3DWxNbOh8zU5hxAQ9v9WbbxqYls1fEqIKG8wvk9kFUP6A%253D%253APGB0QFpWYc48T0xbsV7thIl24zWCzs3olj3VnRgjSMQ%253D

from this point the browser bounces back and forth between cloud and IdP using the same request token and showing “CSRF check failed”. especially https://cloud.mydomain.tld/login?redirect_url=/logout sounds somehow nonsense for me…

hbubli · December 7, 2023, 8:57pm

What I’ve did was setting the session timeout to about 10 minutes and disabling auto logout. So now as long as I keep the nextcloud tab open the session stays alive and the csrf error doesn’t appear. And when I close the tab and wait the 10 mins, nextcloud will contact keycloak on the next visit and log me in as normal if it’s still valid, and if not it will send me to the login screen.

wwe · December 28, 2023, 8:22pm

For me the issue is reproducible with different IdPs. After NC session ends the client keeps looping between Nextcloud and IdP. I created a BR

github.com/nextcloud/user_oidc

"csrf check failed" after Nextcloud session ends

opened 08:19PM - 28 Dec 23 UTC

isdnfan

# Problem I successfully integrated Nextcloud with Zitadel IdP using user_oidc …but I hit an issue with **allow_multiple_user_backends=0** config. # Setup The idea was to reduce Nextcloud session lifetime so NC session ends quickly and the user must re-login using IdP to ensure user session is still valid in IdP. To ensure I configure following settings in NC: | setting | value | |---|---| |auto_logout|false| |session_keepalive|true| |session_lifetime|120| |session_relaxed_expiry|false| |remember_login_cookie_lifetime|0| - session lifetime could be longer I started with 15min, such extremely short value is used to hit the issue fast. with **allow_multiple_user_backends=1** the settings work fine and the user returns to login screen where hitting the button "login with IdP" allows to start another session. ![image](https://github.com/nextcloud/user_oidc/assets/18125597/2c1acfb0-cc7f-47da-b189-e220999c0b98) the problem starts when I forced IdP login **allow_multiple_user_backends=0** using `occ config:app:set --value=0 user_oidc allow_multiple_user_backends` which worked as expected immediately redirecting unauthorized user to IdP and allowing access upon successful authorization. But after Nextcloud session ends the user is unable to return to Nextcloud. The browser keeps bouncing between Nextcloud and IdP with requests - Nextcloud/logout?requesttoken=123 - IdP/authorize - Nextcloud/login?redirect_url=/logout?requesttoken=123.. keeping requesttoken constant and at some point hitting 412 "CSRF check failed" ![image](https://github.com/nextcloud/user_oidc/assets/18125597/29ddc374-3954-4b66-89a6-04faabd853cc) # How to reproduce - setup Nextcloud user_oidc and some IdP - reduce very short NC session timeout - login using a browser (in my case Firefox on Windows) - default view in my instance is files app - do nothing and let the session open - using F12 tools permanent exchange of push/sync messages is visible - after Nextcloud session ends the browser starts looping between NC and IdP # Logs I'm adding anonymized HAR file from browser dev tools showing the issue. In this log *https://dev-nc.mydomain.tld* is my Nextcloud and *https://sso.mydomain.tld* is the IdP. In my case I'm using Zitadel but the same issue happens with authentik and Keycloak as well. [dev-nc.mydomain.tld_Archive [23-12-28 20-22-20].har.zip](https://github.com/nextcloud/user_oidc/files/13789235/dev-nc.mydomain.tld_Archive.23-12-28.20-22-20.har.zip) # Nextcloud config report: ``` ## Server configuration detail **Operating system:** Linux 6.1.0-16-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.67-1 (2023-12-12) x86_64 **Webserver:** Apache/2.4.57 (Debian) (apache2handler) **Database:** mysql 10.5.23 **PHP version:** 8.2.13 Modules loaded: Core, date, libxml, openssl, pcre, sqlite3, zlib, ctype, curl, dom, fileinfo, filter, ftp, hash, iconv, json, mbstring, SPL, session, PDO, pdo_sqlite, standard, posix, random, Reflection, Phar, SimpleXML, tokenizer, xml, xmlreader, xmlwriter, mysqlnd, apache2handler, apcu, bcmath, exif, gd, gmp, imagick, intl, ldap, memcached, pcntl, pdo_mysql, pdo_pgsql, redis, sodium, sysvsem, zip, Zend OPcache **Nextcloud version:** 28.0.1 - 28.0.1.1 **Updated from an older Nextcloud/ownCloud or fresh install:** **Where did you install Nextcloud from:** unknown <details><summary>Signing status</summary> [] </details> <details><summary>List of activated apps</summary> ``` Enabled: - activity: 2.20.0 - admin_audit: 1.18.0 - bruteforcesettings: 2.8.0 - calendar: 4.6.1 - circles: 28.0.0-dev - cloud_federation_api: 1.11.0 - comments: 1.18.0 - contacts: 5.5.0 - contactsinteraction: 1.9.0 - dav: 1.29.1 - federatedfilesharing: 1.18.0 - federation: 1.18.0 - files: 2.0.0 - files_external: 1.20.0 - files_pdfviewer: 2.9.0 - files_reminders: 1.1.0 - files_sharing: 1.20.0 - files_trashbin: 1.18.0 - files_versions: 1.21.0 - firstrunwizard: 2.17.0 - forms: 4.0.0 - groupfolders: 16.0.1 - logreader: 2.13.0 - lookup_server_connector: 1.16.0 - mail: 3.5.0 - nextcloud_announcements: 1.17.0 - notifications: 2.16.0 - notify_push: 0.6.6 - oauth2: 1.16.3 - password_policy: 1.18.0 - photos: 2.4.0 - privacy: 1.12.0 - provisioning_api: 1.18.0 - recommendations: 2.0.0 - related_resources: 1.3.0 - richdocuments: 8.3.0 - serverinfo: 1.18.0 - settings: 1.10.1 - sharebymail: 1.18.0 - spreed: 18.0.1 - support: 1.11.0 - survey_client: 1.16.0 - systemtags: 1.18.0 - text: 3.9.1 - theming: 2.3.0 - twofactor_backupcodes: 1.17.0 - twofactor_nextcloud_notification: 3.8.0 - twofactor_totp: 10.0.0-beta.2 - twofactor_webauthn: 1.3.2 - unroundedcorners: 1.1.2 - updatenotification: 1.18.0 - user_oidc: 1.3.5 - user_status: 1.8.1 - viewer: 2.2.0 - workflowengine: 2.10.0 Disabled: - dashboard: 7.3.0 - encryption - end_to_end_encryption: 1.12.5 - files_rightclick: 1.6.0 - suspicious_login: 4.2.0 - user_ldap - weather_status: 1.3.0 ``` </details> <details><summary>Configuration (config/config.php)</summary> ``` { "htaccess.RewriteBase": "\/", "memcache.local": "\\OC\\Memcache\\APCu", "apps_paths": [ { "path": "\/var\/www\/html\/apps", "url": "\/apps", "writable": false }, { "path": "\/var\/www\/html\/custom_apps", "url": "\/custom_apps", "writable": true } ], "overwritehost": "dev-nc.mydomain.tld", "overwriteprotocol": "https", "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "localhost" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "dbtype": "mysql", "version": "28.0.1.1", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "mysql.utf8mb4": true, "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "instanceid": "***REMOVED SENSITIVE VALUE***", "loglevel": "1", "maintenance": false, "memcache.distributed": "\\OC\\Memcache\\Redis", "memcache.locking": "\\OC\\Memcache\\Redis", "redis": { "host": "***REMOVED SENSITIVE VALUE***", "password": "***REMOVED SENSITIVE VALUE***", "port": 6379 }, "default_phone_region": "CH", "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_smtpmode": "smtp", "mail_sendmailmode": "smtp", "mail_domain": "***REMOVED SENSITIVE VALUE***", "mail_smtpsecure": "ssl", "mail_smtpauthtype": "LOGIN", "mail_smtpauth": 1, "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_smtpport": "465", "mail_smtpname": "***REMOVED SENSITIVE VALUE***", "mail_smtppassword": "***REMOVED SENSITIVE VALUE***", "allow_local_remote_servers": true, "trashbin_retention_obligation": "15, 180", "app_install_overwrite": [ "suspicious_login" ], "serverinfo": { "token": "lmFaJ6JXR5e8wxCuyfSn" }, "trusted_proxies": "***REMOVED SENSITIVE VALUE***", "remember_login_cookie_lifetime": 0, "session_keepalive": "true", "session_lifetime": "120", "auto_logout": "false", "overwrite.cli.url": "https:\/\/dev-nc.mydomain.tld", "theme": "", "session_relaxed_expiry": "false", "updater.release.channel": "stable", "enabledPreviewProviders": [ "OC\\Preview\\MP3", "OC\\Preview\\TXT", "OC\\Preview\\MarkDown", "OC\\Preview\\OpenDocument", "OC\\Preview\\Krita", "OC\\Preview\\Imaginary" ], "preview_imaginary_url": "http:\/\/dev-nextcloud-imaginary:9000", "preview_concurrency_all": "12", "preview_concurrency_new": "8", "log_rotate_size": 1048576 } ``` </details> **Cron Configuration:** Array ( [backgroundjobs_mode] => cron [lastcron] => 1703793901 ) **External storages:** yes <details><summary>External storage configuration</summary> ``` No mounts configured ``` </details> **Encryption:** no **User-backends:** * OCA\UserOIDC\User\Backend * OCA\UserOIDC\User\Backend * OC\User\Database **Talk configuration:** STUN servers * no custom server configured TURN servers * turn:nc.mydomain.tld:3478 - udp,tcp Signaling servers (mode: default): * SIP dialin is disabled * SIP dialout is disabled * no custom server configured Recording servers: * Recording is enabled * Recording consent is set to "default" * no recording server configured **Browser:** Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 ```