Nextcloud version : 29.0.4.1
Operating system and version : Docker/Debian
Apache or nginx version: stable-apache
Disclaimer
This issue is also posted on the app’s github. If the issue is solved at either place, the corresponding issue will be updated/closed as applicable.
Issue
OIDC Login with
- OpenID Connect user backend for Nextcloud app as OIDC client
- Synology SSO Server as OIDC provider
- User that exists on OIDC provider but not on OIDC client → Creation of new user required on OIDC client
returns
- Upon redirect from OIDC provider (Synology SSO Server) to OIDC client (Nextcloud):
504 Gateway timeout
- Upon refresh of page:
Access denied
The received state does not match the expected value.
- When checking in Nextcloud → admin → users: New user has been created just fine with all scope details
Steps to replicate it
- Install OIDC user backend app in Nextcloud
- Configure Synology SSO Server with OpenID as service and Nextcloud as client
- Migrate users that already exist in Nextcloud and OIDC provider → works fine with mapping of sub (client) to id (provider), e-mail gets updated on every login
- Log In with user that doesn’t exist in Nextcloud → Error described above appears.
Info exchanged between OIDC client and provider
The state parameters in both the redirect URI from client to provider and backwards are identical. The only difference is that the OIDC provider adds a code parameter which I’m pretty sure is hashed by the S256 method.
Client call:
https://<redacted SSO Server URL>/
?client_id=<redacted>
&response_type=code
&scope=openid+email+profile
&redirect_uri=https%3A%2F%2F<redacted Nextcloud URL>%2Fapps%2Fuser_oidc%2Fcode
&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%7D%2C%22userinfo%22%3A%7B%22email%22%3Anull%2C%22name%22%3Anull%2C%22quota%22%3Anull%2C%22groups%22%3Anull%7D%7D
&state=FB37D0DW5COM05LVQA96PDND69NBDBRG
&nonce=1NPDVOO8KMT6U1S7XVYWRLTPWBR38KBD
&synossoJSSDK=true
&force_login=#/signin
Provider call:
https://<redacted Nextcloud URL>/apps/user_oidc/code
?code=PsCX1tw0Gn1NwKd5OlZqLwN8ej9ToU9Z
&state=FB37D0DW5COM05LVQA96PDND69NBDBRG
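For readers less familiar with the exchange above, here is an added illustration (not code from the user_oidc app or from this post) of what a typical OIDC client does with the state parameter: it is generated once, kept server-side, compared on the callback and then discarded, so re-submitting the same callback URL (for example by refreshing the page) is rejected with a "state does not match" error. The example also carries the PKCE S256 code_challenge that the use_pkce setting in the config below enables; the provider URL, redirect URI and client_id are constructed placeholders, since the real ones on this page are redacted.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; the real values in the post are redacted.
PROVIDER_AUTHORIZE_URL = "https://sso.example.invalid/"
REDIRECT_URI = "https://cloud.example.invalid/apps/user_oidc/code"
STATE_MISMATCH = "The received state does not match the expected value."


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256: code_challenge = base64url(SHA-256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(session: dict, client_id: str) -> str:
    """Client -> provider. state, nonce and the PKCE verifier are random and stored
    server-side in the login session; only state, nonce and the challenge leave the client."""
    session["oidc_state"] = secrets.token_urlsafe(24)
    session["oidc_nonce"] = secrets.token_urlsafe(24)
    session["oidc_verifier"] = secrets.token_urlsafe(48)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid email profile",
        "redirect_uri": REDIRECT_URI,
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
        "code_challenge": s256_challenge(session["oidc_verifier"]),
        "code_challenge_method": "S256",
    }
    return PROVIDER_AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session: dict, callback_url: str):
    """Provider -> client. The stored state is consumed on first use (pop), so replaying
    the same callback URL fails the comparison even though the value itself is unchanged."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)
    received = query.get("state", [None])[0]
    if not expected or not received or not secrets.compare_digest(expected, received):
        return None, STATE_MISMATCH
    code = query.get("code", [None])[0]
    if not code:
        return None, "Missing authorization code."
    # Next step (not shown): send code + code_verifier to the token endpoint.
    return {"code": code, "code_verifier": session.pop("oidc_verifier", None)}, None
```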
The output of your Nextcloud log in Admin > Logging
No log entries pertaining to OIDC
The output of your config.php file in /path/to/nextcloud
The interesting part is in the last lines commented out with OpenID Connect user backend for Nextcloud
<?php
$CONFIG = array (
'htaccess.RewriteBase' => '/',
//Cache
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => 'cloud-nextcloud-apache-redis',
'password' => '',
'port' => 6379,
),
//Apps
'apps_paths' =>
array (
0 =>
array (
'path' => '/var/www/html/apps',
'url' => '/apps',
'writable' => false,
),
1 =>
array (
'path' => '/var/www/html/custom_apps',
'url' => '/custom_apps',
'writable' => true,
),
),
'app_install_overwrite' =>
array (
0 => 'documentserver_community',
1 => 'gpxmotion',
2 => 'gpxedit',
3 => 'apporder',
4 => 'breezedark',
5 => 'printer',
),
'defaultapp' => 'files,dashboard',
//Instance
'upgrade.disable-web' => true,
'instanceid' => '<redacted>',
'passwordsalt' => '<redacted>',
'secret' => '<redacted>',
'datadirectory' => '/var/www/html/data',
'dbtype' => 'mysql',
'version' => '29.0.4.1',
'dbname' => 'nextcloud',
'dbhost' => 'cloud-nextcloud-apache-db',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => '<redacted>',
'dbpassword' => '<redacted>',
'installed' => true,
'trusted_domains' =>
array (
0 => 'cloud.<redacted>',
1 => '192.168.1.11:10311',
),
// initial value: 'overwrite.cli.url' => 'http://192.168.1.11:10311',
'overwrite.cli.url' => 'https://cloud.<redacted>',
'overwriteprotocol' => 'https',
'updater.secret' => '<redacted>',
'loglevel' => 2,
'default_phone_region' => '<redacted>',
'default_timezone' => '<redacted>',
'maintenance' => false,
'maintenance_window_start' => 3,
'data-fingerprint' => '<redacted>',
//Proxy
'trusted_proxies' =>
array (
0 => '172.16.238.0/24',
),
'forwarded_for_headers' =>
array (
0 => 'HTTP_X_FORWARDED',
1 => 'HTTP_FORWARDED_FOR',
2 => 'X-Forwarded-For',
),
//Mail
'mail_smtpmode' => 'smtp',
'mail_smtpsecure' => 'tls',
'mail_sendmailmode' => 'smtp',
'mail_from_address' => '<redacted>',
'mail_domain' => 'gmail.com',
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpauth' => 1,
'mail_smtphost' => 'smtp.gmail.com',
'mail_smtpport' => '587',
'mail_smtpname' => '<redacted>',
'mail_smtppassword' => '<redacted>',
//App: Memories
'memories.exiftool' => '/var/www/html/custom_apps/memories/bin-ext/exiftool-amd64-glibc',
'memories.vod.path' => '/var/www/html/custom_apps/memories/bin-ext/go-vod-amd64',
'memories.db.triggers.fcu' => true,
'memories.index.path.blacklist' => '\\/(#[Rr]ecycle|@eaDir|#snapshot|[Ll]ocked)\\/',
'memories.vod.ffmpeg' => '/usr/bin/ffmpeg',
'memories.vod.ffprobe' => '/usr/bin/ffprobe',
'memories.gis_type' => 1,
'preview_max_x' => 512,
'preview_max_y' => 512,
'enabledPreviewProviders' =>
array (
0 => 'OC\\Preview\\Image',
1 => 'OC\\Preview\\HEIC',
2 => 'OC\\Preview\\TIFF',
3 => 'OC\\Preview\\Movie',
),
//App: ONLYOFFICE
'onlyoffice' =>
array (
'verify_peer_off' => true,
),
//App: OpenID Connect user backend for Nextcloud https://github.com/nextcloud/user_oidc
'user_oidc' =>
array (
'auto_provision' => true,
'soft_auto_provision' => true,
'use_pkce' => true,
),
);
Output errors in nextcloud.log in /var/www/ or as admin user in top right menu (filtered for errors; use a pastebin service if necessary)
No log entries pertaining to OIDC