SSO Users Cannot Bypass “Authentication Required” Pop-Up

Hi everyone,

We’re running a Nextcloud instance where all users log in via Single Sign-On (SSO). Generally, this works well. However, we’ve run into a major issue with the “Authentication required” popup that appears in certain situations.

Examples include:

  • Creating app passwords (e.g. for CalDAV sync)
  • Performing some admin-level actions like increasing group folder storage quotas

In these cases, Nextcloud prompts users with a modal asking them to re-enter their password. The problem: our users don’t have a Nextcloud-specific password. The password they used to log into our platform (which redirects through the SSO flow) doesn’t work here.

The only workaround we’ve found is logging out and logging in again, but even that doesn’t reliably help – for some users, the popup reappears even in a brand new session. It seems to depend on session state, but we can’t identify a clear pattern.

What we’d really like to do is disable this “Authentication required” popup altogether.

Has anyone else dealt with this or found a reliable solution?

Any advice or ideas would be much appreciated!

Thanks in advance,
Felix

What version of Nextcloud Server?
What SSO setup?

Hi, maybe something is wrong with your SSO implementation. There is protection for that use case in the code, in the backend at least. PasswordConfirmationRequired checks that the user backend may enter its password in Nextcloud.

Hi, I’m a colleague of Felix, here to chime in:

We’re currently running version Nextcloud Hub 9 (30.0.10), but the described problem has been persisting at least since Nextcloud 27.x.

We’re using the app Social Login (Version 6.0.2), using a custom OAuth2 configuration (screenshot attached), with our own Django webserver as the provider (screenshot of the OAuth userinfo endpoint output attached).

Hope this helps. Thank you for your assistance!



Thank you, Sascha!
@smarinier @jtr do you see anything that we could change in our setup to avoid the popups?

The Social Login is missing a backend telling it can’t handle PasswordConfirmation.

See, for example, user_oidc:

    public function canConfirmPassword(string $uid): bool {
        return false;
    }
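
A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not code from the thread, from Nextcloud, or from Social Login. The interface is a local stand-in built around the canConfirmPassword() signature quoted above, and the class names, the shouldPromptForPassword() helper and the 30-minute window are assumptions.

```php
<?php
declare(strict_types=1);

// Local stand-in for the capability a user backend can declare. Only the
// method signature comes from the thread; the interface name is hypothetical.
interface PasswordConfirmationCapability {
    public function canConfirmPassword(string $uid): bool;
}

// Hypothetical backend with locally stored passwords: re-entry can be checked.
final class LocalPasswordBackend implements PasswordConfirmationCapability {
    public function canConfirmPassword(string $uid): bool {
        return true;
    }
}

// Hypothetical SSO backend that declares it holds no password to confirm.
final class DeclaringSsoBackend implements PasswordConfirmationCapability {
    public function canConfirmPassword(string $uid): bool {
        return false;
    }
}

// Hypothetical SSO backend that declares nothing (the situation described above).
final class SilentSsoBackend {}

// Simplified decision: prompt when the last confirmation is older than the
// window, unless the backend states the prompt can never succeed.
// The 1800-second default is an assumption for this example.
function shouldPromptForPassword(object $backend, string $uid, int $lastConfirm, int $now, int $maxAge = 1800): bool {
    if ($backend instanceof PasswordConfirmationCapability
        && !$backend->canConfirmPassword($uid)) {
        return false;
    }
    return ($now - $lastConfirm) > $maxAge;
}

// Constructed sample data: last confirmation happened one hour ago.
$now = 1700003600;
$lastConfirm = 1700000000;
foreach ([new LocalPasswordBackend(), new DeclaringSsoBackend(), new SilentSsoBackend()] as $backend) {
    printf("%-22s prompt=%s\n", get_class($backend),
        shouldPromptForPassword($backend, 'alice', $lastConfirm, $now) ? 'yes' : 'no');
}
```

Only the backend that declares nothing leaves an SSO user facing a prompt they cannot answer; the local-password backend still prompts, so re-authentication for sensitive actions stays in place where a password exists.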