felixrupp / user_cas

This app provides CAS authentication support for ownCloud and Nextcloud, using the phpCAS library of jasig/apereo.

Redirect not working - Problem loading page #52

Closed jaschrock closed 4 years ago

jaschrock commented 5 years ago

I am able to get out to CAS, put in my username/password, but when it comes back from CAS to the Nextcloud server, Firefox gives "the page isn't redirecting properly". The URL has the ticket ID in it, so it is ready to be processed, but it seems to not be hitting a correct value on the server. I have tried with and without a service URL. I have several other apps working fine against my CAS server. Any thoughts?

My configuration: NextCloud 15.0.4, CAS user_app 1.6.1, Jasig CAS version 4.1.7, Ubuntu 1604.2 LTS, php 7.0.33

returned URL (generalized for security reasons) that gives the page not functioning error: https://mycas.domain.edu:8443/cas/login?service=https%3A%2F%2Fmynextcloud.domain.edu%2Fapps%2Fuser_cas%2Flogin'

This is with a service return value specified of https://mynextcloud.domain.edu/apps/user_cas/login but it does the same with nothing in that parameter.

Thoughts?

Alan

jaschrock commented 5 years ago

I have tried a few other things to no benefit:

  1. CAS 1.0/2.0/3.0
  2. return URLs
  3. Proxy on/off
  4. ssl cert defined
  5. rolled back to NC14
  6. disabled theme app and got rid of modified backend.php changes (adding string inside the checkpassword function) that are indicated in another ticket.

I see my ticket issued in the CAS logs. It goes out fine to the CAS server, asks for username/password, but with the redirect it hangs - it eventually gives a "can't reach this page" error. If I go back and issue another mynextcloud.domain.edu/apps/user_cas/login it comes back with the ticket in the URL as normal:

https://mynetcloud.domain.edu/apps/user_cas/login?ticket=ST-11632-0y9YBSaMjUeqL41sBuE4-mycas.domain.edu

but also with a "can't reach the page" error. If I drop the /apps/user_cas/login?ticket=ST-11632-0y9YBSaMjUeqL41sBuE4-mycas.domain.edu part, it goes to the normal login page. So, it seems like the app isn't processing the ticket parameter correctly for some reason.

I have run out of things to try...

Alan
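The step Alan describes above, where the service ticket carried in the callback URL has to be validated against the CAS server before any session is created, as an added example in Python (not code from user_cas or phpCAS). The hostnames, ticket value and the two CAS XML replies are constructed sample data; the serviceValidate exchange is the one defined by the CAS 2.0 protocol.

```python
"""CAS 2.0 service-ticket validation, the step a service such as user_cas runs
after CAS redirects back to /apps/user_cas/login?ticket=ST-... (sample data only)."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # namespace of CAS 2.0/3.0 XML replies

def extract_ticket(callback_url: str) -> Optional[str]:
    """Return the service ticket from the callback URL, or None if it is missing."""
    ticket = parse_qs(urlparse(callback_url).query).get("ticket", [None])[0]
    # Only service tickets (prefix ST-) belong on this route; anything else is rejected.
    return ticket if ticket and ticket.startswith("ST-") else None

def build_validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Build the /serviceValidate request the service sends to CAS over HTTPS.

    `service` must be byte-identical to the value sent with the original /login
    redirect, otherwise CAS answers INVALID_SERVICE. The HTTPS client issuing this
    request must verify the CAS server certificate; phpCAS logs "You have
    configured no validation of the legitimacy of the cas server" when it does not.
    """
    return cas_base + "/serviceValidate?" + urlencode({"service": service, "ticket": ticket})

def parse_service_validate(body: str) -> Tuple[bool, str]:
    """Parse the CAS reply: (True, username) on success, (False, failure code) otherwise."""
    root = ET.fromstring(body)
    user = root.find("cas:authenticationSuccess/cas:user", CAS_NS)
    if user is not None and user.text:
        return True, user.text.strip()
    failure = root.find("cas:authenticationFailure", CAS_NS)
    code = failure.get("code", "UNKNOWN") if failure is not None else "MALFORMED_RESPONSE"
    return False, code

# Constructed sample data mirroring the thread's anonymized URLs.
CAS_BASE = "https://mycas.example.edu:8443/cas"
SERVICE = "https://mynextcloud.example.edu/apps/user_cas/login"
CALLBACK = SERVICE + "?ticket=ST-11632-sample-mycas.example.edu"
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alan</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
INVALID_SERVICE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_SERVICE">Ticket not valid for service</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    ticket = extract_ticket(CALLBACK)
    print(build_validate_url(CAS_BASE, SERVICE, ticket))
    print(parse_service_validate(SUCCESS_XML), parse_service_validate(INVALID_SERVICE_XML))
```

A service URL that differs from the one registered at /login by even one character produces the INVALID_SERVICE reply shown, which is the first thing to check when a ticket arrives but the login never completes.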

felixrupp commented 5 years ago

Hi @jaschrock,

please provide the phpCAS log file (anonymized), so I can see where your request hangs!

Thanks and Regards, Felix

jaschrock commented 5 years ago

Hi Felix, Where would I find that log? I am using the included phpCAS with the app, not the Ubuntu one (at least I think so). :-) I don't see a separate log for this in /var/log or within nextcloud.

Thanks Alan

felixrupp commented 5 years ago

Hi @jaschrock, you have to set a custom log-path in the admin settings panel on the last tab. Please put the log in your ownCloud's/Nextcloud's data folder, so you won't have problems with read/write permissions.

Regards, Felix

jaschrock commented 5 years ago

Hi Felix, Thanks for the info and your help. Below is the log file. In this instance this is what I did:

  1. Cleared the log file and started a new browser session
  2. went to my /apps/user_cas/login page
  3. it redirected to my cas server for login
  4. it ends with a "this page isn't redirecting properly" message in Firefox with the url: https://mycas.myschool.edu:8443/cas/login?service=https%3A%2F%2Fnextcloud.myschool.edu%2Fapps%2Fuser_cas%2Flogin

Not sure also what the "You have configured no validation of the legitimacy of the cas server" message is about, but it looks like a warning not an error.

casdebug.log

jaschrock commented 5 years ago

Also, if I go to the site having a valid authenticated system to CAS already, it gives the same error with this url: https://nextcloud.myschool.edu/apps/user_cas/login?ticket=ST-16740-DSbdU4QRqz7oCUQeINoh-mycas.myschool.edu And, if I had already logged in and then go to the CAS login url, it does just send me to the "home" page.

felixrupp commented 5 years ago

Hi @jaschrock,

sounds like you have a problem with your cookies. user_cas uses custom cookies to set the redirect url after a CAS-authentication attempt. If the redirect does not work, I would guess you have an issue with your browser’s cookies.

Regards, Felix

jaschrock commented 5 years ago

Hi Felix, If it was a cookie issue, then it shouldn't happen across multiple browsers and only for this application, I would think. My Moodle integration is fine with CAS as well as Google Apps and some other integrations.

When I am already logged in, it goes to this url: https://mynextcloud.myschool.edu/apps/user_cas/login?ticket=ST-18476-DXpOpQa36b1nrJpeSREi-mycas.myschool.edu So, it has redirected from CAS, but the CAS app on nextcloud seems to not be processing that final login step for some reason.

Thanks Alan

felixrupp commented 5 years ago

Hi @jaschrock,

yes that’s true. Can you please provide an anonymized phpCAS log file of a not-working redirect request?

Thanks, Felix

jaschrock commented 5 years ago

Hi Felix,

Here are three files:

casloggedinnextcloudlogged in is the scenario where I was already logged into both (so it doesn't have much) casdebug.log.casloggedinnextcloudloggedin.txt

loggedinredirect is where I was logged in already to CAS and it just went to the error page with the ticket defined in the URL. casdebug.log.loggedinredirect.txt

notcasloggedinredirect - is a full login - it redirected me to CAS, I entered my credentials, and then got the error. casdebug.log.notcasloggedinredirect.txt

Thanks

Alan

felixrupp commented 5 years ago

Hi @jaschrock,

so you’re opening /apps/user_cas/login directly (via external link or by typing it in the address bar)? That seems to be the problem, because that route is actually the authentication routine only. To get working redirects, you have to use the ownCloud’s/Nextcloud’s login page. Only then will you have a correct setup of the referrers, so your redirects work correctly.

Regards, Felix

jaschrock commented 5 years ago

Yes, that is what I am doing. I don't have "force CAS login" defined - how does it know to use CAS for the login - there isn't another link, and CAS should redirect me to our directory server, not login with the standard NextCloud login form. Generally, we would have a URL to use in order to SSO from our other site into nextcloud. How do I do that? That is the main thing I am wanting to do - a seamless login from our Moodle site. Thanks

Alan

felixrupp commented 5 years ago

Hi @jaschrock,

for a use case like yours, you should use "force CAS login", because you do not need the regular Nextcloud login-form, do you? Your link (in Moodle) must direct to the front page of your Nextcloud instance; user_cas will then redirect to the CAS server, validating your existing ticket (if you have one from Moodle) and redirecting you back correctly to your Nextcloud instance, routing you then to the "Files" view.

Regards, Felix

jaschrock commented 5 years ago

Hi Felix,

OK, I understand. It isn't ideal, but can work.

When I did that, though, I got a 403 forbidden error (after coming back from the CAS login). Attached is my log. It looks like it authenticated OK.

casdebug.log

Thanks

felixrupp commented 5 years ago

Hi @jaschrock,

this error only occurs if you're authenticated in CAS, but then the Nextcloud session could not be authenticated when redirected from CAS to Nextcloud.

I’ll test this tomorrow and give you some feedback!

Regards, Felix

felixrupp commented 5 years ago

Hi @jaschrock

I could not reproduce this behaviour. Can you give me a list of your enabled apps in your Nextcloud installation?

Regards, Felix

jaschrock commented 5 years ago

Hi Felix. Here you go:

  - Extract 1.0.0
  - Accessibility 1.1.0 Official
  - Activity 2.8.2 Official
  - CAS user and group backend 1.6.2
  - Collabora Online 3.2.4 Official
  - Collaborative tags 1.5.0 Official
  - Comments 1.5.0 Official
  - Deleted files 1.5.0 Official
  - External storage support 1.6.0 Official
  - Federation 1.5.0 Official
  - File sharing 1.7.0 Official
  - First run wizard 2.4.0 Official
  - Gallery 18.2.0 Official
  - Group folders 2.0.4 Official
  - LDAP user and group backend 1.5.0 Official
  - Log Reader 2.0.0 Official
  - Monitoring 1.5.0 Official
  - Nextcloud announcements 1.4.0 Official
  - Notifications 2.3.0 Official
  - Password policy 1.5.0 Official
  - PDF viewer 1.4.0 Official
  - Polls 0.10.2
  - Right click 0.13.0
  - Share by mail 1.5.0 Official
  - Support 1.0.0 Official
  - Text editor 2.7.0 Official
  - Theming 1.6.0 Official
  - Update notification 1.5.0 Official
  - Usage survey 1.3.0 Official
  - User usage report 1.1.1
  - Versions 1.8.0 Official
  - Video player 1.4.0 Official
  - ONLYOFFICE 2.1.6
  - Auditing / Logging 1.5.0 Official
  - Default encryption module 2.3.0 Official
  - External sites 3.2.0 Official
  - File access control 1.5.0 Official

conanedogawa2 commented 5 years ago

Hi,

Exact same thing happens here. Glad it was already reported. Nextcloud V: 16.0.4.1, user_cas V: 1.7.2, php: 7.3.9. More or less the exact same plugin list.

I'm in a clustered docker environment.

Thanks for help !

felixrupp commented 5 years ago

@jaschrock @conanedogawa2

Are you still using user_ldap for any purposes? Like providing both LDAP and CAS based auth in parallel?

As I mentioned earlier, user_cas is not really compatible with user_ldap, so if you have an account in your ownCloud/Nextcloud instance which was set up by user_ldap, in most cases you can not authenticate this account against a CAS instance. That's because of how user_ldap stores the accounts (using a uuid for the ownCloud/Nextcloud username) vs. how the CAS instance delivers account credentials (username as username).

Can you look up your database tables and tell me how the corresponding accounts are set up?

P.S: If it’s possible, please do not use user_cas and user_ldap together!

Regards, Felix

jaschrock commented 5 years ago

Hi Felix, I am just using LDAP and not using CAS. That is a better solution for me after I realized they can't really coexist the way I was hoping.

Thanks Alan

conanedogawa2 commented 5 years ago

Actually, yes, I'm using the user_ldap plugin.

I just created a fresh new Nextcloud instance. Using v16.0.5 or 17 I have the same problem. No user_ldap plugin activated. (I'm now using user_cas v 1.7.3)

conanedogawa2 commented 5 years ago

Never mind, I was using my old CAS configuration, which is no longer pertinent with a fresh Nextcloud installation. Thanks for your amazing work btw.