NextCloud Sessions and OpenID with Keycloak

Hello!

I have successfully installed Nextcloud, LDAP Backend and user_oidc app and linked them together and with Keycloak as a backend for oidc. But there is a very big problem with revoking user sessions.
When I block a user (using AD) - his Nextcloud session remains active. Neither the LDAP backend nor the oidc app reacts in any way to this event and the user continues to use NextCloud while locked out.
I don’t know if this is a problem on the Nextcloud side or plugins - maybe I need to change the PHP session settings?

Thanks a lot!

Nextcloud version: 25.0.3
Operating system and version: Ubuntu 22.04.1 LTS
Apache or nginx version: Apache/2.4.52
PHP version: PHP 8.1.2

The issue you are facing: User stays logged in after blocking.

Is this the first time you’ve seen this error? N

Steps to replicate it:

  1. Set up the NextCloud with Active Directory as a backend
  2. Login to NC as regular user from AD
  3. Block (disable) this user in Active Directory
  4. The user still has access to NC and the ability to navigate through folders until he logs out.

The output of your Nextcloud log in Admin > Logging:

No related logs

The output of your config.php file:

<?php
$CONFIG = array (
  'instanceid' => 'oc*********',
  'passwordsalt' => '***********',
  'secret' => '**********',
  'trusted_domains' =>
  array (
    0 => 'server_internal_ip',
    1 => 'server.domain.name',
  ),
  'allow_local_remote_servers' => true,
  'datadirectory' => '/mnt/DISK',
  'dbtype' => 'mysql',
  'version' => '25.0.3.2',
  'overwrite.cli.url' => 'https://server.domain.name',
  'dbname' => 'nextcloud',
  'dbhost' => 'database_internal_ip',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '*********',
  'installed' => true,
  'trusted_proxies' =>
  array (
    0 => 'proxy_internal_ip',
  ),
  'default_phone_region' => '**',
  'default_language' => '**',
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/run/redis/redis-server.sock',
    'port' => 0,
    'timeout' => 1.5,
  ),
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'enable_previews' => true,
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\Movie',
    1 => 'OC\\Preview\\Image',
    2 => 'OC\\Preview\\Imaginary',
  ),
  'preview_imaginary_url' => 'http://127.0.0.1:9000',
  'auth.webauthn.enabled' => false,
  'user_oidc' =>
  array (
    'auto_provision' => false,
    'userinfo_bearer_validation' => true,
    'single_logout' => false,
  ),
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 1,
  'log.condition' => ['apps' => ['admin_audit'],],
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_from_address' => 'noreply',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'mail.domain.name',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.mail.domain',
  'mail_smtpport' => '465',
  'mail_smtpname' => 'noreply@domain.name',
  'mail_smtppassword' => '*********',
  'mail_smtpsecure' => 'ssl',
  'twofactor_enforced' => 'false',
);

The output of your Apache/nginx/system log in /var/log/____:

No related logs

Output errors in nextcloud.log in /var/www/ or as admin user in top right menu, filtering for errors. Use a pastebin service if necessary.

No related logs

Hello @Jirvil, welcome to the forum :handshake:

You are missing the required support template. Please fill this form out and edit it into your post.

This will give us the technical info and logs needed to help you in case the machine in question is spitting out errors! Since you’ve provided zero technical details it is impossible to help you as-is. Thanks.

Please use the search - lots of issues have been discussed already.

Although your problem is pretty specific, I’m going to ask some questions which may point you in the right direction.

AFAIK this is expected - an active session is not connected to the user state in the back-end (I think even locking the user in the NC DB will not invalidate active sessions). The user DB is only relevant when a new login happens.

There is a way in Keycloak to log the user out from all sessions in Keycloak - and the application needs to react to it… depending on what app you use for KC integration it might be a different step - search for “back-channel logout” for details… but KC doesn’t do this only because you lock the user in LDAP…

…you still need to inform KC the user is locked now… which is the key - you need to perform administrative steps to inform every application to stop active sessions if you want to immediately lock out the user from the system.

I wish you good luck and happy learning!

Hello @wwe!

Thanks for your comment!
I have corrected my post according to the template.

Perhaps we can exclude Keycloak from the discussion. Its function is more or less clear and “back-channel logout” does the job.

… active session is not connected to the user state in back-end (I think even locking the user in the NC DB will not invalidate active sessions). User DB is only relevant when new login happens.

I guess it shouldn’t be like that. If the NC knows that the user is locked out (and he knows it), then the NC session should be expired immediately. If this does not happen, then how can you immediately block a user in NC at all?
It is clear that there may not be an “immediate logout” function, but it seems logical that the NC session is checked when refreshing the page or navigating through folders.

steps to inform every application to stop active sessions if you want to immediately lock out the user from the system

Manual blocking (using scripts) looks like an adequate alternative, but is there any convenient way to reset the active user session in NC?

even locking the user in the NC DB will not invalidate active sessions

I checked the user block (disabling) directly from NC. It’s working as expected - there is no access after page refresh.
So, the question is how to force this function to work with ldap backend or how to automate this by script.
Alternatively, we can create a PHP script that runs something like this:
sudo -u www-data php occ user:disable [username]
But who will call it? As I understand, there is no ldap-user-blocked callback in NC. External automation? Cron log analyzer?

There must be some smart internal mechanism which invalidates active sessions when a user is disabled (:heart:). But there is no way for Nextcloud to know the user becomes disabled in an external DB (yes, one could poll regularly, but this is far from efficient and doesn’t scale well)… This is exactly the reason to have sessions - to avoid authentication for each request…

The process of disabling the user starts somehow - add the script to disable Nextcloud (and all other relevant applications) users to this process…
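An added example (not from the thread or either poster) of the external automation discussed above: it reads `userAccountControl` values from AD (the ACCOUNTDISABLE bit is 0x2), picks the disabled accounts, and issues the `occ user:disable` command from the thread, which the poster confirmed ends the session on the next page request. The LDIF text is constructed; the mapping of sAMAccountName to the Nextcloud user id and the occ path are assumptions, and the script can be run from cron or called from the deprovisioning process with real `ldapsearch -LLL` output.

```python
import subprocess

ACCOUNTDISABLE = 0x2  # userAccountControl bit AD sets on a disabled account

# Constructed sample of `ldapsearch -LLL` output (not real directory data):
SAMPLE_LDIF = """dn: CN=Alice,OU=Staff,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob,OU=Staff,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 514

dn: CN=Carol,OU=Staff,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 66048
"""

def parse_ldif(text: str) -> list[dict[str, str]]:
    """Parse single-line LDIF attributes; a blank line separates entries."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        entries.append(current)
    return entries

def disabled_accounts(entries: list[dict[str, str]]) -> list[str]:
    """sAMAccountNames whose userAccountControl has the ACCOUNTDISABLE bit set."""
    return sorted(e["sAMAccountName"] for e in entries
                  if int(e.get("userAccountControl", "0")) & ACCOUNTDISABLE)

def occ_disable_commands(users: list[str], occ: str = "/var/www/nextcloud/occ") -> list[list[str]]:
    """Assumes (hypothetically) that the Nextcloud user id equals sAMAccountName."""
    return [["sudo", "-u", "www-data", "php", occ, "user:disable", u] for u in users]

def run(commands: list[list[str]], dry_run: bool = True) -> None:
    for cmd in commands:
        print(" ".join(cmd))  # always log what would be executed
        if not dry_run:
            subprocess.run(cmd, check=True)

if __name__ == "__main__":
    run(occ_disable_commands(disabled_accounts(parse_ldif(SAMPLE_LDIF))))
```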